lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVBBZbi7WKVmUZ2PKMaoEuVAiv+B5B9_H9CcWzogbc44xg@mail.gmail.com>
Date: Tue, 25 Feb 2014 17:46:40 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: British Sky Broadcasting Corporation - Web App
	vulnerabilities (XSS)

     _____  .___  _________
  /  _  \ |   |/   _____/
 /  /_\  \|   |\_____  \
/    |    \   |/        \
\____|__  /___/_______  /
        \/            \/  Corporation

Published Report: 25/02/2014


Credits: Advanced Information Security Corporation, USA

Severity: High/Critical (OWASP TOP 10)

Type: Web Application / DOM-based cross-site scripting attack.


Author: Nicholas Lemonias. (Information Security Expert)

Affected Domain
================
Domain: www.Sky.com <http://www.sky.com/>


Vendor Overview

=========================
British Sky Broadcasting Group plc. (commonly known as BSkyB; trading as
Sky) is a satellite broadcasting, broadband and telephone services  company
headquartered in London, with operations in the United Kingdom (UK) and
Ireland.
  Formed in 1990 by the equal merger of Sky Television and British
Satellite Broadcasting, BSkyB is the largest pay-tv broadcaster
in the UK and Ireland with over 10 million subscribers.
BSkyB is listed on the London Stock Exchange and is a constituent of the
FTSE 100 Index.  It had a market capitalization of approximately £14.32
billion (US$23 billion) as of 30 September 2013 on the London Stock
Exchange. 21st Century Fox owns a 39.14 per cent controlling stake in the
company.


Description of the security realization
==============================
Visitors and users to BSkyB are directly impacted.
This problem results in the re-production and execution of third-party
heterogeneous code which defies user level trust, and thus affecting user
and product confidentiality, integrity and availability of information
(CIA); as per best security practise and standards in accord to (ISO 27001)
and (BS7799).


Proof-Of-Concept 1
==================
URL: www.Sky.com/ireland/error/invalidbasket/index.html?
invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b<http://www.sky.com/ireland/error/invalidbasket/index.html?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b>


Responsible Disclosure Timeline
==========================
[+] 31 of January, 2013 -     Contacted Vendor concerning the security
realisation.

[+] 3rd of February, 2013 -  Contacted Vendor a second time. Vendor has not
replied.

[+] 10th of February, 2013 - Contacted Vendor a 3rd time. (No Feedback.)

[+] 25th of Feburary, 2013 - Public Disclosure.

Remediation / Consultation
=========================
The recommendations made to The British Sky Broadcasting Corporation is
therefore to consider encrypting the view state of the application.
Furthermore to implement a stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and met character
filtering allows data input over the HTTP protocol to inject third-party
untrusted code, in  JavaScript, Active-X and Visual Basic Script. Please
note that malicious users could take advantage of such instances, as we
have seen in malware and virus propagation cases - with impact to systems
of political importance. Citing examples of Stux Net and Duqu.

My consultation to British Sky Broadcasting is therefore, to deploy an
immediate Security Risk assessment and thus to enumerate and revisit
upper-level security policies in accord to ISO 27001 and ISO 27002.

 Please also review your ISMS and implement adequate security metrics.
Please also further check the SDLC of the vulnerable application and
subsidiary pages.

Cross Site Scripting attacks are present when a website allows the
injection of malicious data from a malicious user. The information is often
gathered in the form of a hyperlink. The affected hyperlink is
often disseminated either through email, social networking websites, forums
or other online sources. A malicious adversary could take advantage of this
vulnerability, for the mass exploitation of unsuspecting users, through
malware and virus propagation. The malicious user can use defects in the
encoding methods, so that the malicious payload is hindered.


Appendices
============================
A. Consider the filtering of met characters.
B. User server encoding of < and > to &lt; and &gt; in application output.
C. An XSS attack could embrace mass user and product attacks, phishing
and theft of confidential information such as credit cards, passwords,
and stored accounts. Furthermore the use and exploitation of XSS bugs
have been present in malware and worms such as Stuxnet and Duqu.
D. Filtering < and > and using appropriate encoding.
where ( and ) are also filtered and encoded to &#40; and &#41;,
Example:
# and & should be converted to &#35 (#) and &#38 (&).


References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP.  2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ