[Full-Disclosure] Cross-Site Scripting - an industry-wide problem
se_cur_ity at hotmail.com
Fri Dec 24 06:42:04 GMT 2004
quite commom, funny because xss can be used in PHISHING attacks.
instead of <alert blah> try some html redirects to a hosted site with a fake
spoofing the original content ( a login page ) and capture username/password
then pass them to the real login page.
or better yet... xss dos attacks, like.
but i guess xss is just kiddi play... or is it?
> Cross-Site Scripting - an industry-wide problem
> In early december i started a series of tests to find Cross-Site Scripting
> (XSS) vulnerabilities. It quickly turned out that the majority of all
> websites suffer some kind of XSS. This is a disclosure of 175
> vulnerabilities at once. Enjoy the ride...
> Test scenario
> the output page by making a browser GET or POST request to the webserver.
> a proof-of-concept the script "alert(document.cookie)" got used.
> All tests were made on a fully patched WinXP SP2 machine and Internet
> Explorer 6. Most of the proof-of-concept links in this report will not
> styles which isn't supported by browsers like Firefox and because Firefox
> automaticly applies character encoding to a URL. I was just too lazy to
> each issue cross-browser, so this doesn't mean automaticly that Internet
> Explorer is more vulnerable to XSS.
> In many cases XSS is reduced to the attack of stealing session cookies,
> XSS can be used to do a lot more things. Using DOM manipulation you can
> change the target of a login form or fake one, change download links or
> simply insert your own content into a website. As part of mass-mailings
> can be used for login data phishing, spreading of malware or distribution
> false news that seem to come from a trustworthy source (which is an
> intresting option for daytraders on penny stocks for example).
> Don't forget that the injected script is running in the security context
> the affected site. If you know who you are attacking and that the victim
> the affected site in a special trusted zone it can be possible to execute
> "not safe for scripting" ActiveX controls - giving you more or less total
> control. In intranets and for extranet web applications this is a not so
> uncommon configuration.
> For sure XSS is nothing compared to a remote buffer overflow. But only
> because this "worst case scenario" is happening quite often these days, it
> does not mean XSS is not a security issue. XSS flaws are easy to find and
> spammers are always searching for new stuff.
> Finally for some sites on the list dedicated to security a XSS flaw is
> an embarrassing thing ;)
> Affected sites
> This list is reduced to the second-level domain for readability and
> size. This isn't always fair since sometimes a sub-domain is indepentend
> from the SLD. Please download the complete list of proof-of-concept links
> from http://www.mikx.de/xss.php.
> All webmasters were informed by an email and/or their website feedback
> during december, to give them a fair chance to react. Some of them replied
> really quick and patched the issue in a few hours, others (sadly a lot)
> never replied. If you are responsible for one of the affected sites and
> have not been informed or are not able to reproduce the issue, please
> hesitate to contact me.
> The sites in the tests were picked at random from international and german
> major websites and/or sites related to security/computers. I just tested
> what came to my head - so there is no "hidden message":
> about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com,
> annoyances.org, aol.com, apache.org, apple.com , archive.org, arcor.de,
> ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net,
> blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de,
> chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org,
> csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com,
> download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com,
> fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net,
> fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com,
> golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de,
> heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de,
> infineon.com, informationsecurityireland.com, infospace.com, intel.com,
> itaa.org, izb.de, jamba.de , juno.com, kde.org, kelkoo.de, kerio.com,
> liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com,
> macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com,
> messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com,
> mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org,
> msdn.com, msn.com, msnbc.com, nasa.gov, nationalgeographic.com, nba.com,
> netiq.com, nfl.com, netflix.com, netscape.com, nokia.com, novell.com,
> nytimes.com, onlinekosten.de, opencores.org, openssl.org, opera.com,
> oracle.com, paypal.com, pc-magazin.de, pcpowerplay.de, pcwelt.de,
> phpcenter.de, pmwiki.org, privacy.org, pro7.de, ptb.de, postgresql.org,
> quoka.de, reactos.com, real.com, redhat.com, redvsblue.com, riaa.com,
> rtl.de, ryanair.com, sans.org, sbroker.de, securityfocus.com,
> securityspace.com, shutterfly.com, slashdot.org, snocap.com, sony.com,
> sourceforge.net, sparkasse.de, spd.de, spreadfirefox.com, squid-cache.org,
> sqlite.org, staysafeonline.com, stern.de, strato.de, sun.com, suse.de,
> technorati.com, telekombusiness.de, theonion.com, tiscali.com,
> tomshardware.com, uci.edu , ups.com , upside.de, us-cert.gov,
> varbusiness.com, vasoftware.com, viruslist.com, w3.org, web.de,
> worldofwarcraft.com, wsj.com, xoom.com, yahoo.com, yopi.de, zonelabs.com
> It turned out that in some cases third party software used on the websites
> are suffering a bug. Here the Common Vulnerabilities and Exposures
> (cve.mitre.org) names:
> CAN-2004-1059 mnogosearch (as used at www.redhat.com)
> CAN-2004-1061 bugzilla (as used at bugzilla.mozilla.org bug #272620)
> CAN-2004-1062 viewcvs (as used at cvs.apache.org)
> CAN-2004-1146 cvstrac (as used at cvs.openssl.org)
> I woud like to thank a few people for helping me out through the tests and
> working on fixing the issues as quickly as possible:
> Christoph "Locke" Wehrmann (for making me addicted to XSS)
> Mark J Cox (Red Hat Security Response Team)
> Daniel Bachfeld (heisec)
> Jamie McCarthy and Chris Nandor (slashcode)
> Alexander Barkov (mnogosearch)
> Microsoft Security Response Center
> Google Security Team
> Bugzilla Team
> Everybody who responded to my report mail :)
> Michael Krax <mikx at mikx.de>
> Happy Holidays!
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure is hosted and sponsored by Secunia.