Slashdot Mirror


Cross-Site Scripting Enabled On 1000 Major Sites (thestack.com)

An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.

2 of 54 comments

  1. "The top one million websites"? by Anonymous Coward, Score: 2, Insightful

    That's a very large net to catch a not so sensational number. Look at it another way: 99.9% of the top one million websites *don't* "run a default setting that allows cross-site scripting".

    Seriously, "top one million" means they're trawling pretty far down the pool to find these idiots.

  2. Missing feature by manu0601, Score: 3, Insightful

    The problem is that Access-Allow-Origin cannot hold multiple values, which pushes developers to use * so that it works with more than one site.

    The right solution is to read the requester site name and return the Access-Allow-Origin header with it if it is in a whitelist. But that requires a few extra lines of coding.
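
The allowlist approach the comment above describes, as an added example that is not from the article or any commenter (the header's actual name is Access-Control-Allow-Origin; the origins in ALLOWED_ORIGINS are constructed, and the function is framework-independent so it can be dropped into any handler that exposes request headers):

```python
# Constructed allowlist: exact origins (scheme + host + optional port), never
# bare hostnames or patterns. Browsers serialize Origin in lowercase, so plain
# string equality is the right comparison.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS,
                 allow_credentials=False):
    """Return the CORS response headers for one request.

    Instead of a wildcard, the caller's Origin is echoed back only when it is
    in the allowlist. When it is not (or no Origin was sent), no
    Access-Control-Allow-Origin header is emitted and the browser keeps its
    default same-origin restriction.
    """
    # The response now depends on the Origin header, so shared caches must key
    # on it; otherwise an allowed origin's response could be replayed to another.
    headers = {"Vary": "Origin"}

    origin = request_headers.get("Origin")
    if origin is None:
        return headers  # same-origin or non-browser request: nothing to grant

    # Exact match only. Substring or prefix checks such as
    # "app.example.com" in origin would also accept
    # https://app.example.com.attacker.test, and the opaque "null" origin
    # (sandboxed iframes, local files) is rejected unless explicitly listed.
    if origin not in allowed_origins:
        return headers

    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        # Only meaningful with a specific origin; browsers refuse "*" together
        # with credentials, so the wildcard never worked for cookie-backed APIs.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com",
                   "https://app.example.com.attacker.test", None):
        req = {} if origin is None else {"Origin": origin}
        print(origin, "->", cors_headers(req))
```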