Crossing the Line for XSS
A group of white-hat hackers exposed XSS flaws in major Websites this past week, but that's the good news
September 29, 2006
1:30 PM -- A couple weeks ago, researchers were lamenting that cross-site scripting (XSS) wasn't getting any respect. It seemed to be the forgotten vulnerability, ignored among a sea of other flaws, even though it was easy enough for any script kiddie to exploit.
What a difference a couple of weeks makes. First, Mitre came out with the surprising news that XSS is now the No. 1 flaw -- not buffer overflow, the longtime darling of the hacker set. The revelation came amid analysis Mitre did on vulnerability data it gathered during 2005 and part of this year, based on CVE samples. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)
Then late last week, a group of white-hat hackers, Sla.ckers, casually began probing Websites for XSS vulnerabilities and posting proof-of-concept code on its message board, Sla.ckers.org. (See Hackers Reveal Vulnerable Websites.) It caught on fast, with hackers trying to one-up one another with higher-profile sites and others congratulating each other for some big catches, like Yahoo.
A week later, the companies mentioned in Sla.ckers posts read like a who's who of the Web -- Dell, Microsoft, Yahoo, Altavista, Apple, security standards organization ISC2, Verizon, T-Mobile, and CNN, to name a few. Dark Reading was even guilty of unknowingly harboring an XSS vulnerability on our story link about the Sla.cker message board posts. (See XSS Crossover.) Embarrassing? Sure. Eye-opening? You bet.
Nobody likes bad press, especially the press. But the good news is that Sla.ckers is a self-described group of researchers doing this "on the side," not some organized crime ring launching a massive XSS attack on the Web.
The Sla.ckers list had a few flaws of its own. A couple of the initial Websites posted on the message board, including F5's, were flawed with HTML injection vulnerabilities, not XSS, which initially caused some confusion. (See Two Vendors Deny XSS Flaws.) At least one company on the list, Acunetix, swears its site has no vulnerabilities whatsoever, even though the Sla.ckers stand by their original posts and have since posted additional Acunetix links with XSS vulns.
Tamara Borg, Acunetix's marketing manager, wonders if maybe the hackers had hit the company's honeypots, which are purposely riddled with vulnerabilities. But Sla.cker "maluc" says he's not talking about Acunetix's test site -- the vulnerabilities he posted were in their "forgot password" page for logging into the "real" Acunetix site, as well as in the registration page for setting up a user account.
There's no way to solve the dispute, because once a link is fixed, there's no sign of the initial problem. The bigger question here is more about -- you guessed it -- disclosure. Is it fair for Sla.ckers to publicly post these vulnerabilities before telling the potential victims? F5 says it first heard of its vulnerability when we contacted them about our story. We found out when someone brought it to our attention on our message board.
Sla.ckers say it's all about educating people on how they need to shore up these relatively simple fixes.
Sure, it's embarrassing, but consider it a gentle warning. The underlying message gleaned from these vulnerability posts is that XSS is the one to watch. You don't have to like how word got out that your site is XSS-weak, or that some of the Sla.ckers actually had some fun writing their proof-of-concept code to hack your site. But at least we're not finding out the hard way -- by actually getting hacked.
As Sla.cker "kyran" said yesterday, if a small group of well-meaning hackers found all these flaws in their spare time, you have to wonder what the bad guys are finding.
— Kelly Jackson Higgins, Senior Editor, Dark Reading
F5 Networks Inc. (Nasdaq: FFIV)
You May Also Like