[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVBBZbi7WKVmUZ2PKMaoEuVAiv+B5B9_H9CcWzogbc44xg@mail.gmail.com>
Date: Tue, 25 Feb 2014 17:46:40 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: British Sky Broadcasting Corporation - Web App
vulnerabilities (XSS)
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Published Report: 25/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / DOM-based cross-site scripting attack.
Author: Nicholas Lemonias. (Information Security Expert)
Affected Domain
================
Domain: www.Sky.com <http://www.sky.com/>
Vendor Overview
=========================
British Sky Broadcasting Group plc. (commonly known as BSkyB; trading as
Sky) is a satellite broadcasting, broadband and telephone services company
headquartered in London, with operations in the United Kingdom (UK) and
Ireland.
Formed in 1990 by the equal merger of Sky Television and British
Satellite Broadcasting, BSkyB is the largest pay-tv broadcaster
in the UK and Ireland with over 10 million subscribers.
BSkyB is listed on the London Stock Exchange and is a constituent of the
FTSE 100 Index. It had a market capitalization of approximately £14.32
billion (US$23 billion) as of 30 September 2013 on the London Stock
Exchange. 21st Century Fox owns a 39.14 per cent controlling stake in the
company.
Description of the security realization
==============================
Visitors and users to BSkyB are directly impacted.
This problem results in the re-production and execution of third-party
heterogeneous code which defies user level trust, and thus affecting user
and product confidentiality, integrity and availability of information
(CIA); as per best security practise and standards in accord to (ISO 27001)
and (BS7799).
Proof-Of-Concept 1
==================
URL: www.Sky.com/ireland/error/invalidbasket/index.html?
invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b<http://www.sky.com/ireland/error/invalidbasket/index.html?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b>
Responsible Disclosure Timeline
==========================
[+] 31 of January, 2013 - Contacted Vendor concerning the security
realisation.
[+] 3rd of February, 2013 - Contacted Vendor a second time. Vendor has not
replied.
[+] 10th of February, 2013 - Contacted Vendor a 3rd time. (No Feedback.)
[+] 25th of Feburary, 2013 - Public Disclosure.
Remediation / Consultation
=========================
The recommendations made to The British Sky Broadcasting Corporation is
therefore to consider encrypting the view state of the application.
Furthermore to implement a stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and met character
filtering allows data input over the HTTP protocol to inject third-party
untrusted code, in JavaScript, Active-X and Visual Basic Script. Please
note that malicious users could take advantage of such instances, as we
have seen in malware and virus propagation cases - with impact to systems
of political importance. Citing examples of Stux Net and Duqu.
My consultation to British Sky Broadcasting is therefore, to deploy an
immediate Security Risk assessment and thus to enumerate and revisit
upper-level security policies in accord to ISO 27001 and ISO 27002.
Please also review your ISMS and implement adequate security metrics.
Please also further check the SDLC of the vulnerable application and
subsidiary pages.
Cross Site Scripting attacks are present when a website allows the
injection of malicious data from a malicious user. The information is often
gathered in the form of a hyperlink. The affected hyperlink is
often disseminated either through email, social networking websites, forums
or other online sources. A malicious adversary could take advantage of this
vulnerability, for the mass exploitation of unsuspecting users, through
malware and virus propagation. The malicious user can use defects in the
encoding methods, so that the malicious payload is hindered.
Appendices
============================
A. Consider the filtering of met characters.
B. User server encoding of < and > to < and > in application output.
C. An XSS attack could embrace mass user and product attacks, phishing
and theft of confidential information such as credit cards, passwords,
and stored accounts. Furthermore the use and exploitation of XSS bugs
have been present in malware and worms such as Stuxnet and Duqu.
D. Filtering < and > and using appropriate encoding.
where ( and ) are also filtered and encoded to ( and ),
Example:
# and & should be converted to # (#) and & (&).
References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists