Cross-Site Scripting Enabled On 1000 Major Sites (thestack.com)
An anonymous reader writes: A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables cross-site scripting. This article details his examination of the top 1 million Alexa sites for evidence of compromised settings and finds that about 1000 of the sites on the list are capable of being compromised because of running a header called Access-Allow-Origin. He found the vulnerability while working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. The header, which Johnson claims the vulnerable websites are outputting, is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.
Bad summary, as usual. Access-Control-Allow-Origin: * explicitly forbids requests with credentials. Even if the host reflects the Origin domain in the Access-Control-Allow-Origin header, it must also send Access-Control-Allow-Credentials: true to be vulnerable.
https://annevankesteren.nl/2012/12/cors-101
Step away from the keyboard and stop giving security advice! That header lets any site load any content from that site, so if you are logged into with-header.example.com and you're looking at bigbadwolf.example, then bigbadwolf.example can impersonate you on with-header.example.com, because it can use your logged-in browser to access with-header.example.com, instead of accessing only the public information that it could get by accessing it from the server of bigbadwolf.example.
The problem is that Access-Allow-Origin cannot hold multiple values, which pushes developers to use * so that it works with more than one site.
The right solution is to read the requester site name and return the Access-Allow-Origin header with it if it is in a whitelist. But that requires a few extra lines of code.
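The three configurations argued over in this thread, as an added example that is not from the article or from any of the commenters: a wildcard `Access-Control-Allow-Origin: *` (which browsers will not pair with credentials), blind reflection of the `Origin` header together with `Access-Control-Allow-Credentials: true` (the case that actually lets another site act as the logged-in user), and the whitelist approach from the comment above. The allow-list entries and origins used as input are hypothetical, and `browserAllowsCredentialedRead` restates the browser-side rule from the CORS spec rather than calling any real browser code.

```javascript
// Added example (not the article's or any commenter's code): server-side CORS
// header logic for the three configurations discussed in the thread.
// The allow-list entries below are hypothetical.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable pattern: echo whatever Origin arrives and allow credentials.
// A page on any origin can now read responses sent with the victim's cookies.
function corsHeadersReflectAll(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened pattern (the whitelist idea from the thread): reflect an Origin only
// when it matches an allow-list entry exactly, and emit no CORS headers otherwise.
function corsHeadersAllowList(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader) return {};
  let parsed;
  try { parsed = new URL(originHeader); } catch { return {}; } // "null", garbage, etc.
  // Compare the serialized origin, never a substring or prefix, so that
  // "https://app.example.com.evil.net" or a trailing path cannot match.
  if (parsed.origin !== originHeader || !allowed.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Wildcard: acceptable for genuinely public data. Browsers refuse to expose a
// response to a credentialed request when ACAO is "*".
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Browser-side rule for a request made with credentials (cookies, HTTP auth,
// client certs): ACAO must equal the requesting origin exactly, "*" is not
// accepted, and Access-Control-Allow-Credentials must be the literal "true".
function browserAllowsCredentialedRead(headers, requestOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (acao === "*") return false;
  if (acao !== requestOrigin) return false;
  return acac === "true";
}

// Scanner-style classification of one response, given the Origin the probe sent.
// Only "reflected-with-credentials" lets the probing site read as the victim.
function classifyCors(headers, probeOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return "no-cors";
  if (acao === "*") return "wildcard-public";
  if (acao === probeOrigin) {
    return headers["Access-Control-Allow-Credentials"] === "true"
      ? "reflected-with-credentials"
      : "reflected-no-credentials";
  }
  return "fixed-origin";
}
```

The `Vary: Origin` header matters once the response depends on the request's `Origin`: without it a shared cache can serve the reflected header for one origin to a request from another.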