Cross-Site Scripting Enabled On 1000 Major Sites (thestack.com)

An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.

54 comments

  1. Bad Summary by Anonymous Coward · · Score: 3, Informative

    Bad summary, as usual. Access-Control-Allow-Origin: * explicitly forbids requests with credentials. Even if the host reflects the Origin domain in the Access-Control-Allow-Origin header, it must also send Access-Control-Allow-Credentials: true to be vulnerable.
    https://annevankesteren.nl/2012/12/cors-101

    1. Re:Bad Summary by DJ+Rubbie · · Score: 3, Interesting

      Not only that, this is not even Cross Site Scripting (XSS), but a straight up Cross Site Request Forgery (CSRF), even though XSS might be involved for this issue. XSS is where client-side scripts are injected directly into the response body of an affected website, typically through unescaped HTML input that gets rendered by web browsers belonging to victims, who then make that subsequent client request. CSRF is where the victim's browser is told to do an action (via JavaScript doing an asynchronous JavaScript/XML (AJAX) request) on the target's website by an unrelated website that the victim somehow visited, and sometimes this attack script is injected via XSS by attackers on a completely unrelated site. While XSS can be related, it is completely distinct from the CSRF issue, which is what is not being properly mitigated against by these top websites (in fact, as parent said, they purposefully disabled this protection).

      --
      Please direct all bug reports to /dev/null
    2. Re:Bad Summary by jrumney · · Score: 1

      What proportion of the top million websites do we expect to be offering public APIs, designed to be used in this way (maps.google.com as just one example)? 1 in a thousand maybe?

    3. Re:Bad Summary by Anonymous Coward · · Score: 0

      > 1 in a thousand maybe?

      That's about 1000 in a million, which is what the summary says.

    4. Re:Bad Summary by Anonymous Coward · · Score: 0

      *Whoosh*

  2. Venerable to SOAP by U2xhc2hkb3QgU3Vja3M · · Score: 1

    I told you to stop picking on us! Leave Slashdotters alone! Leave them alooooone! /cry

    1. Re:Venerable to SOAP by JazzLad · · Score: 1
      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    2. Re:Venerable to SOAP by Anonymous Coward · · Score: 0

      Then what is it doing in a sentence with "XML" next to it?

    3. Re:Venerable to SOAP by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Oh crap, I totally read "vulnerable".

    4. Re:Venerable to SOAP by JazzLad · · Score: 1

      Ha ha, it happens - I always blame auto correct :-)

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  3. Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

    Why are we trusting site X as to whether we should load XSS from it. Or better yet, why not just deny third-party scripts.

    --
    Your ad here. Ask me how!
    1. Re: Access-Allow-Origin Header by Anonymous Coward · · Score: 0

      > Why are we trusting site X as to whether we should load XSS from it. Or better yet, why not just deny third-party scripts.

      Because that wouldn't allow all the shitty, malware-laden advertising that is so important.

    2. Re: Access-Allow-Origin Header by Runaway1956 · · Score: 1

      Exactly. Cross site scripting was bad from the beginning, and it only got worse when the advertising industry discovered how they could abuse it. Pretty much everything is blocked on my network. Screw the advertisers, and screw everyone who thinks that my bandwidth belongs to them. I want to read Slashdot, and that's all I want. If it becomes mandatory to load crap from third party sites, then I'll stop reading slashdot. It's that simple.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re: Access-Allow-Origin Header by Anonymous Coward · · Score: 0

      I do deny third party scripts, but Google tricked many web authors into loading script libraries from Google's servers, so denying third party scripts really isn't something that can be made default now. It breaks too many web sites.

    4. Re: Access-Allow-Origin Header by jrumney · · Score: 1

      When 5000 sites you visit are using jQuery, do you really want to download 5000 copies of it into your browser's cache?

    5. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

      Well, I don't want 5000 sites to use jQuery. There's no reason for that much javascript.

      --
      Your ad here. Ask me how!
    6. Re: Access-Allow-Origin Header by Anonymous Coward · · Score: 0

      The same sites which load jQuery from Google for performance reasons immediately turn around and load hundreds of kilobytes of uncacheable data for tracking. Performance is a red herring. I don't even use a local disk cache anymore, because it's faster that way and it doesn't clutter the disk with tens of thousands of files. So, whether I load jQuery from Google or from some other server doesn't make any difference whatsoever, except that it breaks the web site, because as I said, I don't allow third party scripts by default.

    7. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

      The real issue is those 5000 sites don't want to serve me the file.

      --
      Your ad here. Ask me how!
    8. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1
      fixed tags version

      Upon reflection, my new answer is "yes". The performance hit is minimal (jQuery.js is small), the plethora of different versions means I would need a bunch on my system anyway, and websites shouldn't treat too much JS everywhere as something I subsidize, they should pay the full costs for their site.

      The real issue is those 5000 sites don't want to serve me the file.

      --
      Your ad here. Ask me how!
  4. Horrible summary by diamondmagic · · Score: 0

    Access-Control-Allow-Origin: * allows all the same information (less, actually) that you would normally need a proxy to access (i.e. making an AJAX request to the same domain, that gateways the request to a remote server). There's no security vulnerability here, so long as the websites are on the public Internet (and not behind a firewall/private intranet).

    1. Re:Horrible summary by Anonymous Coward · · Score: 3, Interesting

      Step away from the keyboard and stop giving security advice! That header lets any site load any content from that site, so if you are logged into with-header.example.com and you're looking at bigbadwolf.example, then bigbadwolf.example can impersonate you on with-header.example.com, because it can use your logged-in browser to access with-header.example.com, instead of accessing only the public information that it could get by accessing it from the server of bigbadwolf.example.

    2. Re:Horrible summary by Anonymous Coward · · Score: 0

      Just disable the enforcement of that header in your browser, and every site on the web becomes vulnerable.

    3. Re:Horrible summary by Anonymous Coward · · Score: 0

      No, the same-origin policy exists for a reason, and giving all sites access to the resources on your domain is not the default. That header gives more access, not less. It doesn't give as much access as one might naively fear, because it was wisely defined with sloppy developers in mind who would just allow wildcard access, but it does not allow just what would have been allowed anyway.

  5. Am I misunderstanding? by jbmartin6 · · Score: 1

    I can't read TFA due to work blockage. The summary makes it sounds as if he discovered a vulnerability, analyzed a bunch of sites for it, then published a list of the vulnerable sites along with details of the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  6. WRONG: not disabled by Anonymous Coward · · Score: 0

    Nobody goes and clicks a button to "enable" cross-site scripting.

    They simply fail to prevent it.

    Like how Slashdot fails to provide any real News for Nerds.

    1. Re:WRONG: not disabled by Anonymous Coward · · Score: 0

      What happened to that company who bought Slashdot a while back? I notice that nothing has changed and their shill hasn't posted anything for a while.

    2. Re:WRONG: not disabled by Anonymous Coward · · Score: 0

      > Nobody goes and clicks a button to "enable" cross-site scripting.
      >
      > They simply fail to prevent it.

      And also it isn't actually a real vulnerability.

  7. Why is this feature so widely enabled? by Anonymous Coward · · Score: 0

    Is it to support third-party advertising and "telemetry" and analytics and a dozen other varieties of tracking what we do?

    1. Re:Why is this feature so widely enabled? by Anonymous Coward · · Score: 0

      Its to enhance the web 3.0 required mandated javascript functionality from jquery, google anal ticks and gstatic to display the web on your browser for mobile phones (they don't make them pcs obviously) and to invigorate your Web 3.0 experience. Please register your email to continue reading this comment!

  8. Huh? by Anonymous Coward · · Score: 0

    What in the fuck?

  9. The web is one hack after another! by Anonymous Coward · · Score: 0

    This is the kind of shit that can happen when using the web, because it's just one filthy hack layered on top of another. The web has been bent and twisted into a really half-arsed application development platform, built around one of the worst programming languages around (JavaScript), combined with a print-oriented style description language (CSS), tied together with a goddamn markup language (HTML). Given its origins and evolution, we shouldn't expect it to be anything less than broken, even in the hands of the most talented users. It's shit from its bottom to its top.

    As bad as the web stack is, what I'm extremely concerned about is Rust. It's being portrayed as the holy savior of software security, yet it's very doubtful that it offers any benefits at all. Scarier, though, is how anyone who questions Rust tends to get attacked. I saw an example of this today, where somebody questioned Rust and was swiftly attacked by Rust supporters who downmodded the comment. Remember that Rust is being developed by Mozilla, who are using it to develop Servo, which is supposed to be their next-generation web engine.

    Things are bad enough already when it comes to the web. It really scares the shit out of me that anyone who questions Rust gets attacked and silenced in such a manner. We can't move software security forward when we have people buying into hype, rather than substance. We surely can't move software security forward when anybody who questions Rust gets attacked with censorship.

    1. Re:The web is one hack after another! by Anonymous Coward · · Score: 0

      Anyone who attacks or criticizes Rust here at Slashdot gets modded up. At HN any dissenting opinions are often voted down rather swiftly. HN has its good aspects but it feels like if you don't have something positive to say about the story, you might as well just shut up.

    2. Re:The web is one hack after another! by Anonymous Coward · · Score: 0

      The most constructive and valuable things to say about any topic are often the most negative ones. It only makes sense that they should be modded up. And it makes perfect sense that we see them modded up here: Slashdot isn't filled with thin-skinned, sissy, weak-minded, hipster, Millennial man-children like other forums are. Slashdot's readers and commenters don't try to put on a feel-good show here. We dig deep, and get to the bottom of issues. We don't pussyfoot around controversial topics. We charge at them head-first! But the thin-skinned, sissy, weak-minded, hipster, Millennial man-children don't have the guts and balls to face difficult topics. They cry and resort to downvoting. It's actually quite pathetic.

    3. Re:The web is one hack after another! by UnknownSoldier · · Score: 1

      > built around one of the worst programming languages around (JavaScript),

      /sarcasm But it's such a bastion of good design. *snicker* You mean it being written in 10 days wasn't long enough? :-)

      "JavaScript: Designing a Language in 10 Days" aka Javascript: 10 days for the designer, 10 years of frustrations about fucked up design for devs
      * http://www.computer.org/csdl/m...

      As Douglas Crockford, inventor of JSON, said about Automatic Semi-Colon Insertion

      @34:31 "Why am I betting my career on this piece of crap"

      And about amateurs

      "Most of the people writing in JavaScript are not programmers. They lack the training and discipline to write good programs. JavaScript has so much expressive power that they are able to do useful things in it, anyway. This has given JavaScript a reputation of being strictly for the amateurs, that it is not suitable for professional programming. This is simply not the case."

      But let's keep relying on stupid shit such as this hack to turn on type safety:

      "use strict";

      *facepalm*

      --
      Why do the two shittiest languages, PHP and Javascript, power the web??

    4. Re:The web is one hack after another! by Anonymous Coward · · Score: 0

      > Why do the two shittiest languages, PHP and Javascript, power the web??

      It's actually powered by 3 of the shittiest languages : PHP, JavaScript and Ruby [thanks to Ruby on Rails].

      If Mozilla has their way, it will be powered by 4 of the shittiest languages: PHP, JavaScript, Ruby and Rust.

      It is most interesting to note that some of the main Rust developers jumped ship from the Ruby on Rails community when the Rails hype really started dying down.

    5. Re:The web is one hack after another! by Anonymous Coward · · Score: 0

      > Why do the two shittiest languages, PHP and Javascript, power the web??

      Don't forget "HTML" and "CSS", so that's at least four. No, they're not programming languages, but as markup and style sheet languages, they're languages all the same. And yes, both HTML and CSS are pretty shitty too, very deeply so. HTML5 is turning out to be possibly shittier than HTML4. Imagine that.

      And the reason might well be that the people involved in founding and building the combined crapolade just aren't and weren't good enough to do, or even interested in doing, a decent job, and now we're stuck with the results.

    6. Re:The web is one hack after another! by Anonymous Coward · · Score: 0

      > Don't forget "HTML" and "CSS", so that's at least four. No, they're not programming languages, but as markup and style sheet languages, they're languages all the same. And yes, both HTML and CSS are pretty shitty too, very deeply so. HTML5 is turning out to be possibly shittier than HTML4. Imagine that.

      Using HTML and CSS you can design a page that displays information, which is what most people actually want, and you can actually do it pretty well.

      All of this other stuff -- Javascript, Ruby, Php, etc -- is just a bunch of poorly designed shit that mucks everything up and serves little or no useful purpose.

  10. Why does Slashdot use a "Taboola" or a "Janrain"? by Anonymous Coward · · Score: 0

    Like any sane web user, I use a ton of browser extensions that warn me about requests to questionable third-party hosts.

    When I browse Slashdot, requests are attempted to "Taboola" and "Janrain" and "ScoreCard" and "NTV" and "rpxnow" and "StackSocial".

    Now I don't know what the fuck any of those are, and TBH I don't care to know.

    So let's say I made an HTTP request to slashdot.org. As far as I'm concerned, the page served up by slashdot.org doesn't need to require requests be made to any other host to show me the stories and comments here.

    whipslash, can you give us more information about what these questionable third-party hosts are doing, and why the pages served up by Slashdot try to trigger requests to these questionable hosts?

    More importantly, when will slashdot.org stop trying to get my browser to make requests to them?

  11. 1,000 of the top 1,000,000? by Anonymous Coward · · Score: 1

    So, we are saying that .1% of web sites have this vulnerability?

    And this is news?

    Also the poster is worried about bitcoin, which has bigger problems than XSS?

    lol

  12. Re:Why does Slashdot use a "Taboola" or a "Janrain by Anonymous Coward · · Score: 0

    > More importantly, when will slashdot.org stop trying to get my browser to make requests to them?

    maybe when u start 1337 ad blocking like its 2001, hax0r? hth k thx bye

  13. NoScript by purplepolecat · · Score: 1

    Another reason to run NoScript, which blocks these kinds of shenanigans.

  14. 8Chan by Anonymous Coward · · Score: 0

    8chan did this for a while (and likely still does, not checked), and it led to a hilarious exploit that worked via another Reddit exploit or something like that.

    It abused the in-page "extension" system to store data inside one of its fields.

    It is shocking how many sites have this enabled without a care in the world to look up what it actually means.
    Worse when they have it on domains that are "secure".

  15. "The top one million websites"? by Anonymous Coward · · Score: 2, Insightful

    That's a very large net to catch a not so sensational number. Look at it another way: 99.9% of the top one million websites *don't* "run a default setting that allows cross-site scripting".

    Seriously, "top one million" means they're trawling pretty far down the pool to find these idiots.

  16. Not just telemetry by Etherwalk · · Score: 1

    Also vendor SDKs that are loaded from their canonical sources, etc...

  17. Feature, not vulnerability by Anonymous Coward · · Score: 0

    This doesn't allow traditional cross-site-request-forgery. The browser won't send authentication information or cookies unless the code explicitly enables it.
    Even if it does, the destination server needs to return a "Access-Control-Allow-Credentials: true" header for the response to be made available to the caller.

    Without that extra header sent in the response, it's no different than adding a hidden form to the DOM and submitting it. All you can do is send a request; you can't read the response.

    If your web application is vulnerable to the form submission attack vector, the "Access-Control-Allow-Origin" header won't help you at all. Setting it to * isn't going to make it any worse.

  18. Missing feature by manu0601 · · Score: 3, Insightful

    The problem is that Access-Allow-Origin cannot hold multiple values, which pushes developers to use * so that it works with more than one site.

    The right solution is to read the requester site name and return the Access-Allow-Origin header with it if it is in a whitelist. But that requires a few extra lines of coding.

    1. Re:Missing feature by bad-badtz-maru · · Score: 1

      The spec is short-sighted and should've been designed to allow multiple origins. The spec puts the onus of implementing support for multiple origins back on the server-side developer, when it would've been better implemented in the browser.
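The per-origin allowlist that comment 18 describes, and the browser-side rule from comments 1 and 17 that a wildcard never grants credentialed access, as an added example (not code from the article, CloudFlare, or any commenter). The allowlisted origins and the `reflectAnyOrigin` / `allowlistedOrigin` / `responseReadable` helpers are constructed for illustration.

```javascript
// Added example: server-side CORS origin allowlisting (comment 18) and a
// check of the browser rule that "*" never allows credentialed reads
// (comments 1 and 17). All origins below are constructed sample values.

// Exact-match allowlist: scheme, host and port all count. Substring or
// suffix matching (e.g. endsWith("example")) is a classic bypass, since
// "https://app.example.attacker.test" would also match.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.example:8443",
]);

// Weak pattern: echo whatever Origin arrives and allow credentials.
// This is the "reflect the Origin plus Allow-Credentials" case that
// comment 1 identifies as the actually exposed configuration.
function reflectAnyOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only allowlisted origins are echoed back; any other
// origin gets no CORS headers at all, so the browser withholds the body.
// "Vary: Origin" stops a shared cache from handing one origin's answer
// to a different origin.
function allowlistedOrigin(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser-side rule: may a script running at `origin` read the response,
// given the response headers and whether the request carried credentials
// (cookies, HTTP auth)? Mirrors what the CORS algorithm enforces.
function responseReadable(headers, origin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (withCredentials) {
    // "*" is never accepted on a credentialed request: the header must
    // name the origin exactly AND Allow-Credentials must be "true".
    return acao === origin && acac === "true";
  }
  return acao === "*" || acao === origin;
}

// Usage: a wildcard server never exposes a logged-in user's data to a
// third-party page, while a reflecting server does.
const attacker = "https://third-party.example";
console.log(responseReadable({ "Access-Control-Allow-Origin": "*" }, attacker, true)); // false
console.log(responseReadable(reflectAnyOrigin(attacker), attacker, true));             // true
console.log(responseReadable(allowlistedOrigin(attacker), attacker, true));            // false
```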

  19. Re:Why does Slashdot use a "Taboola" or a "Janrain by Anonymous Coward · · Score: 0

    > More importantly, when will slashdot.org stop trying to get my browser to make requests to them?

    maybe when u start 1337 ad blocking like its 2001, hax0r? hth k thx bye

    fuck your gay adblocking, get a scriptblocker which actually protects against cross site scripting attacks, moron

  20. So what's new by Professor+Paradox · · Score: 1

    There actually isn't any problem here, as all these sites are just as vulnerable to direct attacks irrespective of the XSS headers. XSS only protects users who load data from suspicious websites, and those websites intend to make malicious calls to the vulnerable ones. Oh, did I mention the user has to be still logged in. This is nothing new, and why most browsers' default configuration is to prevent XSS. As a matter of fact XSS is required for all those social media APIs' little icons to actually function; it isn't a vulnerability, it's a feature, and a useful one at that.

  21. Weak sauce stats usage by Anonymous Coward · · Score: 1

    If you have to examine a million sites to find 1000 with that vulnerability, not only should you be trumpeting the fact that "...99.9% of the web is safe from this particular attack vector" (which doesn't sound NEARLY as inflammatory or click-baity) but you are also using a much broader definition of "major" in describing those websites.

    I'd be willing to bet that once you get below the top 1000 on Alexa not many people consider anything in the rest of the "top 1,000,000 web sites" as "MAJOR".

  22. Re: Why does Slashdot use a "Taboola" or a "Janrai by cdwiegand · · Score: 1

    Given that the web is an interconnected place, it isn't unreasonable to use resources from other hosts. That's been going on since at least '95. Sigh. Your objection is companies are using that to track you, allowing them to pay slashdot and others to keep websites running.

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
  23. APK Hosts File Engine 9.0++ SR-4 32/64-bit... apk by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.start64.com/index.p...

    * Accept NO substitutes... Custom hosts files blocking entries stops requests to known "bad actors" in 3rd parties linked to on websites.

    APK

    P.S.=> Does more for speed (hardcoded favorites + adblocking), security (adblocking + blocking known bad sites/servers & dns issues avoiding DNS), reliability (vs. downed or dns poisoned dns), & anonymity (avoiding dns request logs) than ANY other SINGLE "so-called -solution'" out there, bar-none, for less using what you already natively have - unlike "AlmostALLAdsBlocked", UBlock, Ghostery etc. it's not detectable & blockable by ClarityRay/BlockIQ + it uses FAR LESS RESOURCES yet does far more (especially vs. DNS security issues)... apk

  24. Re:APK Hosts File Engine 9.0++ SR-4 32/64-bit... a by Anonymous Coward · · Score: 0

    You're right. Those 1000 hosts probably used the APK hosts tool, and thus got the security vulnerability mentioned in the article.

  25. Not possible: My program blocks threats online by Anonymous Coward · · Score: 0

    See subject: If anything IF they used it they'd have been safer for it as my program blocks online threats...

    APK

    P.S.=> You dimwit trolls + shills for inferior competing products are so desperate you'd lie - which only makes me stronger knowing you're resorting to that... apk