Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Hits Major Sites

Posted by ryuzaki0 on from the scriptdidy-doo-daa-scriptdidy-day dept.

An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilies en mass on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hacker's attention to the publication's websites where they got a taste first-hand. On message board wall-of-shame is PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."

8 of 161 comments (clear)

  1. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative



    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.
    1. Re:The Cross Site Scripting FAQ by blowdart · · Score: 5, Informative
      No it doesn't. Cross site scripting works by adding a script tag to the source page. For example, imagine you have allowed scripts from slashdot because you can't use the new comments system without it.

      Now an evil hax0r manages to insert an XSS attack on slashdot what would happen is the attack would be embedded in a normal slashdot page, as a block. So the source would be from slashdot.org, and noscript would view it as being allowed.

    2. Re:The Cross Site Scripting FAQ by Schraegstrichpunkt · · Score: 2, Informative

      Look closer. This particular vulnerability doesn't use any special JavaScript or anything else; It's a simple redirect. The only way to fix it would be for Google to change something (such as by adding a referer check) in its preferences module, or for you to special-case this particular attack in your browser.

      --
      http://outcampaign.org/
    3. Re:The Cross Site Scripting FAQ by blowdart · · Score: 3, Informative

      I was talking generically; anyway the redirect is not an XSS attack at all.

  2. Scanners not able to find XSS by possible · · Score: 2, Informative

    The reason most vuln scanners can't find XSS vulns on modern sites is because of the increased amount of JavaScript and Flash (with ActionScript) that's in use. But some scanners can grok this stuff to varying degrees of completeness.

  3. Move on... by 955301 · · Score: 1, Informative


    So would it be technically possible at this point to move away from the web application and back to the client server app? Here's a path example:

    * Java Client
    * Servlet Interface for the client
    * Java webstart deployment
    * Java plugin on the clients

    For this path the questions would surround authenticating the client and the hassle of installing the java plugin.

    Rinse and repeat for the obligatory Microsoft solution.

    I've never been a fan of web applications and form given the simplicity of creating an SQL injection attack or XSS for that matter. At least if the client application was built for the specific application you expose yourself to less or more obscure security vulnerabilities by nature.

    --
    You are checking your backups, aren't you?
  4. Re:I don't get XSS by Yvanhoe · · Score: 3, Informative

    That's it. They allow users in forum to post links, and URL. URL can have a lot of strange characters in it, & ? ! # etc... Apparently, the basis of XSS is to make a link that appears like a valid URL but that will, in some clients, execute as a javascript code, usually in order to steal cookies (therefore, an opened session) of the user watching the post. There seems to be a shield vs sword thing growing between attackers and web developers. You have numerous ways of "hiding" a code in an URL, hexadecimal notation, strange utf-8 characters and so on. Here again, an incomplete implementation of a standard is the cause of major headaches.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  5. Too Lazy? by Anonymous Coward · · Score: 2, Informative

    It looks like the attacks can be prevented by simple user input validation. Are the above mentioned high profile website developers/architects being too lazy or nobody knew about this type of vulnerability until recently ? I cant see how Joe Average will know about this exploit because he will not bother to read the query string(or even understand what it does) if it points to major website.