Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Enabled On 1000 Major Sites (thestack.com)

Posted by yaelk on from the check-your-sites dept.

An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.

25 of 54 comments (clear)

  1. Bad Summary by Anonymous Coward · · Score: 3, Informative

    Bad summary, as usual. Access-Control-Allow-Origin: * explicitly forbids requests with credentials. Even if the host reflects the Origin domain in the Access-Control-Allow-Origin header, it must also send Access-Control-Allow-Credentials: true to be vulnerable.
    https://annevankesteren.nl/2012/12/cors-101
       

    1. Re:Bad Summary by DJ+Rubbie · · Score: 3, Interesting

      Not only that, this is not even Cross Site Scripting (XSS), but a straight up Cross Site Request Forgery (CSRF) even though XSS might be involved for this issue. XSS is where client-side scripts are injected directly into the response body of an affected website, typically through unescaped html input that gets rendered by web browsers belonged to victims who then make that subsequent client request. CSRF is where the victim's browser is told to do an action (via Javascript doing an asynchronous javascript/xml (AJAX) request) on the target's website by an unrelated website that the victim somehow visited, and sometimes this attack script is injected via XSS by attackers on a completely unrelated site. While XSS can be related, it is completely distinct to the CSRF issue which is what is being not properly mitigated against by these top websites (In fact, as parent said, they purposefully disabled this protection).

      --
      Please direct all bug reports to /dev/null
    2. Re:Bad Summary by jrumney · · Score: 1

      What proportion of the top million websites do we expect to be offering public APIs, designed to be used in this way (maps.google.com as just one example)? 1 in a thousand maybe?

  2. Venerable to SOAP by U2xhc2hkb3QgU3Vja3M · · Score: 1

    I told you to stop picking on us! Leave Slashdotters alone! Leave them alooooone! /cry

    1. Re:Venerable to SOAP by JazzLad · · Score: 1

      I don't think that word means what you think it means.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    2. Re:Venerable to SOAP by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Oh crap, I totally read "vulnerable".

    3. Re:Venerable to SOAP by JazzLad · · Score: 1

      Ha ha, it happens - I always blame auto correct :-)

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  3. Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

    Why are we trusting site X as to whether we should load XSS from it. Or better yet, why not just deny third-party scripts.

    --
    Your ad here. Ask me how!
    1. Re: Access-Allow-Origin Header by Runaway1956 · · Score: 1

      Exactly. Cross site scripting was bad from the beginning, and it only got worse when the advertising industry discovered how they could abuse it. Pretty much everything is blocked on my network. Screw the advertisers, and screw everyone who thinks that my bandwidth belongs to them. I want to read Slashdot, and that's all I want. If it becomes mandatory to load crap from third party sites, then I'll stop reading slashdot. It's that simple.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re: Access-Allow-Origin Header by jrumney · · Score: 1

      When 5000 sites use visit are using jQuery, do you really want to download 5000 copies of it into your browser's cache?

    3. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

      Well, I don't want 5000 sites to use jQuery. There's no reason for that much javascript.

      --
      Your ad here. Ask me how!
    4. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1

      The real issue is those 5000 sites don't want to serve me the file.

      --
      Your ad here. Ask me how!
    5. Re: Access-Allow-Origin Header by Actually,+I+do+RTFA · · Score: 1
      fixed tags version

      Upon reflection, my new answer is "yes". The performance hit is minimal (jQuery.js is small), the plethora of different versions means I would need a bunch on my system anyway, and websites shouldn't treat too much JS everywhere as something I subsidize, they should pay the full costs for their site.

      The real issue is those 5000 sites don't want to serve me the file.

      --
      Your ad here. Ask me how!
  4. Am I misunderstanding? by jbmartin6 · · Score: 1

    I can't read TFA due to work blockage. The summary makes it sounds as if he discovered a vulnerability, analyzed a bunch of sites for it, then published a list of the vulnerable sites along with details of the vulnerability.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. 1,000 of the top 1,000,000? by Anonymous Coward · · Score: 1

    So, we are saying that .1% of web sites have this vulnerability?

    And this is news?

    Also the poster is worried about bitcoin, which has bigger problems than XSS?

    lol

  6. Re:The web is one hack after another! by UnknownSoldier · · Score: 1

    > built around one of the worst programming languages around (JavaScript),

    . /sarcasm But it such as bastion of good design. *snicker* You mean it being written in 10 days wasn't long enough? :-)

    "JavaScript: Designing a Language in 10 Days" aka Javascript: 10 days for the designer, 10 years of frustrations about fucked up design for devs
    * http://www.computer.org/csdl/m...

    As Douglas Crockford, inventor of JSON, said about Automatic Semi-Colon Insertion

    @34:31 "Why am I betting my career on this piece of crap"

    And about amateurs

    "Most of the people writing in JavaScript are not programmers. They lack the training and discipline to write good programs. JavaScript has so much expressive power that they are able to do useful things in it, anyway. This has given JavaScript a reputation of being strictly for the amateurs, that it is not suitable for professional programming. This is simply not the case."

    But let's keep relying on stupid shit such as this hack to turn on type safety:

    "use strict";

    *facepalm*

    --
    Why do the two shittiest languages, PHP and Javascript, power the web??

  7. NoScript by purplepolecat · · Score: 1

    Another reason to run NoScript, which blocks these kinds of shenanigans.

  8. "The top one million websites"? by Anonymous Coward · · Score: 2, Insightful

    That's a very large net to catch a not so sensational number. Look at it another way: that's 99.9% of the top one million websites *don't* "run a default setting that allows cross-site scripting".

    Seriously, "top one million" means they're trawling pretty far down the pool to find these idiots.

  9. Re:Horrible summary by Anonymous Coward · · Score: 3, Interesting

    Step away from the keyboard and stop giving security advice! That header lets any site load any content from that site, so if you are logged into with-header.example.com and you're looking at bigbadwolf.example, then bigbadwolf.example can impersonate you on with-header.example.com, because it can use your logged-in browser to access with-header.example.com, instead of accessing only the public information that it could get by accessing it from the server of bigbadwolf.example.

  10. Not just telemetry by Etherwalk · · Score: 1

    Also vendor SDKs that are loaded from their canonical sources, etc...

  11. Missing feature by manu0601 · · Score: 3, Insightful

    The problem is that Access-Allow-Origin cannot hold multiple value, which pushes developers to use * so that it works with more than one site

    The right solution is to read the requester site name and return the Access-Allow-Origin header with it if it is in a whitelist. But that require a few extra line of coding.

    1. Re:Missing feature by bad-badtz-maru · · Score: 1

      The spec is short-sighted and should've been designed to allow multiple origins. The spec puts the onus of implementing support for multiple origins back on the server-side developer, when it would've been better implemented in the browser.

  12. So what's new by Professor+Paradox · · Score: 1

    There actually isn't any problem here, as all these sites are just as vulnerable to direct attacks irrelevant of the XSS headers. XSS only protects users which load data from suspicious websites, and those websites intend to make malicious calls to the vulnerable ones. Oh, did I mentioned the user has to be still logged in. This is nothing new, and why most browser default configuration is to prevent XSS. As a matter of fact XSS is required for all those social media APIs little icons to actually function, it isn't a vulnerability, it's a feature, and a useful one at that.

  13. Weak sauce stats usage by Anonymous Coward · · Score: 1

    If you have to examine a million sites to find 1000 with that vulnerability, not only should you be trumpeting the fact that "...99.9% of the web is safe from this particular attack vector" (which doesn't sound NEARLY as inflammatory or click-baity) but you are also using a much broader definition of "major" in describing those websites.

    I'd be willing to bet that once you get below the top 1000 on Alexa not many people consider anything in the rest of the "top 1,000,000 web sites" as "MAJOR".

  14. Re: Why does Slashdot use a "Taboola" or a "Janrai by cdwiegand · · Score: 1

    Given that the web is an interconnected place, it isn't unreasonable to use resources from other hosts. That's been going on since at least '95. Sigh. Your objection is companies are using that to track you, allowing them to pay slashdot and others to keep websites running.

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.