Cross-site Scripting Bugs

Following on from the PHP month of bugs, IDG reports that two hackers have announced they intend to make April the month of Myspace bugs. They apparently intend to publish mainly cross-site scripting (XSS) bugs.

XSS has been widely written about; the idea is that if a web site will display unescaped user-submitted data then this can be used to include malicious code in a page as a means of stealing user data, such as session cookies. One of the main approaches to mitigate this threat is to filter input, and escape output; filtering against a “white list” of allowed characters is usually more effective than trying to hunt for combinations that are invalid. The XSS cheat sheet has a set of markup fragments that you can use for testing. Assuming you have PDFs on your site, and your users are running Acrobat version 7.0.8 or earlier, it is very easy for a malicious site to make the Acrobat plug-in pass JavaScript to the browser; simply append to the file name:

http://www.example.com/example.pdf#anything=javascript:alert(1);

The advisory from Adobe recommends upgrading to the latest version.

A related, but slightly different technique is the Cross-Site Request Forgery (CSRF) which (as described by Wikipedia) “exploits the trust of the origin of the request and transmits commands from a trusted user”. For example, if del.icio.us didn’t guard against this, a piece of malicious code might post a link for some undesirable site to your collected bookmarks while you are logged in (the cookie set by del.icio.us remains active for a long time, to avoid the hassle of having to log in frequently). The CSRF FAQ offers some good advice on how to protect your application against CSRF attacks, including:

  1. Fix any XSS vulnerabilities first
  2. Set short session times
  3. Prompt the user to enter their login details on important pages
  4. Include a random token in the request page, which is then checked against a value stored in the session (read the FAQ, and Chris Shiflett’s article for further guidance)
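As an added illustration of item 4 (this is not code from the post, the CSRF FAQ, or Chris Shiflett’s article), here is a small Python version of the token check: the session dict, the form dict and the del.icio.us-style "add bookmark" handler are assumptions standing in for a real web framework.

```python
import hmac
import secrets
from typing import Optional

TOKEN_BYTES = 32  # 256 bits of randomness per token


def issue_csrf_token(session: dict) -> str:
    """Generate a fresh random token, store it in the server-side session,
    and return it so the page can embed it in the form as a hidden field."""
    token = secrets.token_hex(TOKEN_BYTES)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Check the token sent with the request against the one in the session.
    A forged cross-site request carries the user's cookie but cannot read the
    page, so it cannot know the token. Constant-time comparison, single use."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    ok = hmac.compare_digest(expected, submitted)
    if ok:
        session.pop("csrf_token", None)  # consume it so it cannot be replayed
    return ok


def render_bookmark_form(session: dict) -> str:
    """Hypothetical form that posts a new bookmark; the token rides along."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/bookmarks/add">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="url">'
        "<button>Add bookmark</button></form>"
    )


def handle_add_bookmark(session: dict, form: dict, bookmarks: list) -> int:
    """Hypothetical POST handler. Returns an HTTP-style status code:
    403 when the token is missing, wrong or already used, 200 otherwise."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403
    bookmarks.append(form.get("url", ""))
    return 200
```

The session here is a plain dict; in a real application it would be the framework's server-side session, and the token is only as good as the page's freedom from XSS (item 1), since injected script could read it.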

(Update: Bruce Schneier highlights a paper describing possible attacks against Web 2.0 applications using data in JavaScript Object Notation, and how to mitigate them.)
