This white paper discusses the security risk that cross site scripting (XSS) represents for organizations. The white paper outlines the different forms of XSS vulnerabilities including reflective, persistent and DOM-based, why they are dangerous, and how to prevent them.
The Open Web Application Security Project (OWASP) is, by its own definition, “a worldwide free and open community focused on improving the security of application software. Its mission is to make application security ‘visible,’ so that people and organizations can make informed decisions about application security risks.”
The global OWASP community includes corporations, educational institutions, and individuals. The project is not affiliated with any technology company, although it supports the informed use of security technology. Anyone may participate, and all materials are available under a free and open software license.
One of OWASP’s key projects is its Top Ten List, compiled by network security experts from around the world. The list, currently available in English, French, Japanese, Korean, and Turkish, catalogs what this group views as the Top Ten Most Critical Web Application Vulnerabilities. It is described by OWASP as a “powerful awareness document for web application security … that represents a broad consensus about what the most critical web application security flaws are.” OWASP’s goal is to urge all companies to adopt this list and begin the process of ensuring that their web applications do not contain these vulnerabilities.
The top item on the OWASP list is Cross-Site Scripting, or XSS. Cross-Site Scripting is a type of computer security vulnerability typically found in web applications that allow code injection by malicious users into the web pages viewed by other users. Examples of vulnerable pages include those containing HTML code and/or client-side scripts.
XSS works in the following way. The attacker inserts code or scripts into a web page, thereby altering its function. This can happen to any page that requests any type of information or input from the user, even through script code embedded in a URL within an email or a blog posting in a place unrelated to the altered web page. This means, of course, that there are many potential avenues for an XSS attack, and a key concern in the network security community is that XSS is becoming increasingly prevalent as trends in website design move toward greater interactivity for the user.
As of 2007, XSS attacks, which can bypass access controls, constituted about 80 percent of all documented security vulnerabilities. During such attacks, the end user, who typically notices nothing unusual, may be subject to unauthorized access, theft of sensitive data, and/or financial loss.
Symantec Corporation, whose anti-spam and antivirus protection products offer security for inbound and outbound computer messaging, issues periodic Internet Security Threat Reports to help organizations implement effective security measures so as to better protect and manage their information. One recent Threat Report noted that there were 11,253 XSS vulnerabilities during the second half of 2007, as opposed to only 2,134 non-XSS vulnerabilities. The vast majority of these XSS vulnerabilities were site-specific, in that they were custom built for a particular target.CVE® (Common Vulnerabilities and Exposures) is a dictionary of publicly known information, security vulnerabilities, and exposures.
CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. The CVE Initiative’s May 2007 Report on Vulnerability Type Distributions listed XSS Number One overall, findings that were endorsed by OWASP in their Top Ten 2007 list.
Some very large websites that have been hit by XSS include Google, Yahoo, MySpace, Facebook, PayPal, SourceForge, and Microsoft. In his December 20, 2008 article in The Register, reporter Dan Goodin described two recent XSS attacks against financial giant American Express. “The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials,” he wrote. “The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security research first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.”
Goodin continued, “It turns out that’s not the case. The XSS error that makes it trivial for attackers to steal www.americanexpress.com users’ authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.”
Joshua Abraham, Rapid7 Security Consultant, commented on Amex’s attempted fix. “They did not address the problem,” he said. “They addressed an instance of the problem. You want to look at the whole application and say, ‘Where could similar issues exist?’”
The XSS threat has become so widespread that there is now a website – www.xssed.com – dedicated to providing the latest information on XSS vulnerabilities. It includes news articles and tutorials, as well as an archive of known XSS vulnerable websites.