XSS in the Wild (Updated)

By erielt at 10:51 am on February 20, 2009 | 8 Comments

When I recently tried to look up some information about the song L’America by The Doors, I stumbled upon the site songfacts.com (http://www.songfacts.com/detail.php?id=278). At the site, I was immediately greeted by a popup box cheerfully proclaiming “HAI2U”. After having dealt with this extensively in lab 2, I immediately recognized this as an XSS vulnerability that someone had taken advantage of. Looking into the source code, I saw that the JavaScript alert was the only thing that had been done, luckily nothing too malicious. Unfortunately, the code was also in a permanent comment on the site, so that any visitor to the site is subjected to the attack rather than having to follow a special link. The attack was done with a simple script tag, so obviously little or no filtering is being done. I sent an email off to the site telling them about their vulnerability, what a malicious user could use it for, and how to fix it with a PHP filter, along with a link to a suitable filter. Although part of me wanted to play around with the security hole a little more (perhaps a real-life version of lab 2?), I thought it would be better to try to have them fix the site. I like songfacts because there are some interesting things there, so I’d rather they fix it than have someone else break the site with redirects, cookie stealing, or any other similar (or even more malicious) things. I just wanted to let everyone know that what we did in lab 2 is most definitely applicable to real life, and XSS vulnerabilities are still out there on many different sites.
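To make the “simple script tag in a permanent comment” concrete, here is an added example in plain PHP (not songfacts.com’s code, and not the filter I sent them): a comment list rendered two ways, first interpolating the stored text straight into the page, then with the text encoded on output. The comment rows, and the function names `render_comment_unsafe`, `render_comment_safe`, `esc` and `render_profile_link`, are my own constructions; `htmlspecialchars` and `rawurlencode` are standard PHP.

```php
<?php
// Added example: a stored-XSS-prone comment page next to its fixed version.
// Nothing here is songfacts.com's code; the comment rows are constructed.
declare(strict_types=1);

// Constructed sample rows as they might come back from the comments table.
// A comment stored months ago is still untrusted input every time it is shown.
$comments = [
    ['author' => 'fan123', 'body' => 'Great song, love the lyrics.'],
    ['author' => 'x',      'body' => 'nice <script>alert("HAI2U")</script> song'],
];

// VULNERABLE: the stored body is dropped into the HTML as-is, so the browser
// parses the <script> tag and runs it for every visitor who loads the page.
function render_comment_unsafe(array $c): string
{
    return "<li><b>{$c['author']}</b>: {$c['body']}</li>";
}

// FIXED: encode at the point of output. htmlspecialchars() turns <, >, &, "
// and ' into entities, so the same bytes are displayed as text, not parsed.
// ENT_QUOTES covers both quote styles (needed inside attributes);
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning a comment into "".
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment_safe(array $c): string
{
    return '<li><b>' . esc($c['author']) . '</b>: ' . esc($c['body']) . '</li>';
}

// The same rule applies per context: a URL component is percent-encoded,
// an attribute value is always quoted and entity-encoded, body text is
// entity-encoded. Mixing these up is how "filtered" sites still get hit.
function render_profile_link(string $handle): string
{
    return '<a href="/user.php?name=' . rawurlencode($handle) . '"'
         . ' title="' . esc($handle) . '">' . esc($handle) . '</a>';
}

// Run from the command line (php comments.php) to compare the two outputs.
// In the unsafe version the <script> tag survives verbatim; in the encoded
// version it comes out as &lt;script&gt; and is inert in a browser.
echo "--- unsafe ---\n";
foreach ($comments as $c) {
    echo render_comment_unsafe($c), "\n";
}
echo "--- encoded ---\n";
foreach ($comments as $c) {
    $html = render_comment_safe($c);
    // Sanity check a reviewer can keep in a test: no raw tag may survive.
    assert(strpos($html, '<script') === false);
    echo $html, "\n";
}
echo render_profile_link('x"><script>'), "\n";
```

The fix is applied where the text leaves the application, not where it arrives: a comment stays in the database exactly as posted, and every template that prints it runs it through the encoder for that spot in the page. That way the same stored comment is safe whether it appears in a list, a title attribute or a link, and the site does not have to guess in advance every tag a poster might try.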

One other thing I wanted to ask others about is how you would deal with this situation of finding a vulnerability in a website. Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi-malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?

As a side note, please don’t exploit this because the vulnerability is still there on that site. Remember, you signed legally binding and restricting ethics forms!

Update:

After I emailed the website, they took out the offending post and also asked me for more information on fixing this problem. I wrote some more information for them and tried to help clear up this security vulnerability as well as others that may arise from the same issue of user input sanitization. The admin was very glad to have help and offered to send me a t-shirt in return. It looks like being good and helpful paid off.

On another note, I have found XSS vulnerabilities to be way too common on the web. As dangerous as these can be, it seems like site administrators are not well informed about these problems. While just going about normal business on the web, I also found an XSS vulnerability in the Windermere real estate pages. I have emailed that webmaster as well so hopefully they are as receptive to the problems as the first site owner was.

Filed under: Miscellaneous

8 Comments

  • 1

    Comment by Josh

    February 20, 2009 @ 1:26 pm

    > “One other thing I wanted to ask others about is how would you deal with this situation of finding a vulnerability in a website? Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?”

    As part of an Application Security team for a large enterprise, my preference is for people to report findings but restrict their exploration of the vulnerability. For example, it is preferable for them to see if they can get a <b> tag through rather than a <script> tag, and also preferable if they do not overly explore vulnerabilities in a manner that will disclose information of other users, or impact other users. Regardless, I would much rather they contact our security@ email directly, even if they flexed their creativity first, rather than do something like post the vulnerability on sla.ckers.org or a similar forum. We have yet to pursue anyone who responsibly disclosed a vulnerability and are generally gracious that they caught the flaw and notified us. That said, we always do forensic analysis to see if there has been previously undetected tampering (they may not have been the first to find the vulnerability, or may not have been as responsible as their disclosure implies). I suspect most large companies do as well, so don’t assume your activity will be anonymous even if you report from an anonymous email address (unless you found the flaw while employing an anonymizer such as Tor, which many IDS/IPS systems will proactively detect).

    Most large companies have a similar pragmatic policy. You need to be much more careful with small companies (who also tend to have much more vulnerable websites, as the developers have not been in environments that expose them to proper security practices such as ALWAYS using prepared statements to stop SQL Injection, doing HTML Encoding on output, etc.), as they can often take the disclosure personally. Having found and reported plenty of vulnerabilities in small websites, my tactic is to say something like “Hey I accidentally mistyped and noticed a weird result. I think you might have . With your permission I could examine further to confirm, or explain to your developers the nature of the vulnerability so they can confirm whether it exists”. ALWAYS be benign in your actions so that if they react badly they can’t pin much on you (for example, if you find SQL Injection, DON’T extract or modify information in the database). Also, see if they are employing some open source project (ZenCart for example) and report the flaw to the OSS team.

  • 2

    Comment by Josh

    February 20, 2009 @ 1:30 pm

    er, that should read:

    “Hey I accidentally mistyped <this text> and noticed a weird result. I think you might have <this vulnerability>. With your permission I could examine further to confirm, or explain to your developers the nature of the vulnerability so they can confirm whether it exists”.

    I was disciplined about using entity encoding for the b and script reference, but then sloppy when typing the < > in the text above.

  • 3

    Comment by Andrew

    February 20, 2009 @ 3:02 pm

    Not everyone who reads this blog signed a “legally binding and restricting ethics form.” This is teh internets. That said, $deity speed songfacts in their remediation of this vulnerability. Are you tracking how long it takes to get fixed?

  • 4

    Comment by Joshua Barr

    February 20, 2009 @ 4:31 pm

    I’ve found vulnerabilities and security problems before (never XSS previously since I didn’t know much about it before Lab 2, but others), and I just mention them to the owner/admin and move on. If the vulnerability threatens me then I take appropriate action.

    For example: most recently I found that all of the copy shops on the Ave (when I last checked) had public-use computers infected with viruses/trojans communicable through USB drives. You plug your drive in and it automatically gets the virus written to it, with the appropriate autorun file to ensure that it will compromise future machines it comes into contact with. I had adequate anti-virus protection for my PC and first discovered the problem with my Mac (which the viruses weren’t targeting), so I was safe. I told the respective proprietors of each infected shop about the problem, but they didn’t really understand the implications and I couldn’t get them to care.

    In the face of the ignorance and apathy of the owners I could only do two things: patch the problem myself by installing anti-virus software on their computers, or nothing. I chose nothing, as I wasn’t comfortable with the idea of installing unapproved software on their computers.

  • 5

    Comment by Peter Miller

    February 20, 2009 @ 4:45 pm

    I think it’s best to just report any vulnerability to the webmaster. If they don’t take note of it, then you have to consider what you know about the site, your relation to it, etc. For some sites, if you continue and provide an example of what could be done to take advantage of it (and the results to the site), then it may spur them into action. In other cases, they’ll continue to ignore you.

    Just use different passwords on all different sites (and I’m not claiming I do this; I’m sure very few people in fact do; I use a different password for my e-mail than for various websites because most websites have an option for e-mail recovery of passwords) and the biggest harm can be avoided.

    If the target in question is some financial institution though, then you should definitely pursue it or go to some sort of authority I guess(?) if they don’t show interest. Or switch banks 🙂

  • 6

    Comment by Father_Of_1000000

    February 21, 2009 @ 1:26 am

    Personally, I wouldn’t want to attack the site, not because I don’t want to get myself into legal issues (well I don’t), but I feel bad for the programmers. For instance, when I was in elementary school, I made a simple website. How would you feel if you attacked a little kid’s site? Same with adults.

    However, to really help out the website is not to report that they have a vulnerability, but to attack the site and help them fix the problem. The thing is people learn better the “hard” way. They might ignore your suggestions if you just send them an email. I don’t think they are going to ignore you if they see their site being attacked. Then you might get yourself in trouble. Let’s not worry about that. The point is people don’t feel the sense of danger until they are actually seeing the danger.

  • 7

    Comment by David Balatero

    February 22, 2009 @ 12:39 pm

    I think if the vulnerability was large enough, I would absolutely send the authors of the site an email. But beyond that, if they don’t fix it, then it’s kind of on them…

  • 8

    Comment by jap24

    February 27, 2009 @ 7:11 pm

    About Father_Of_1000000’s comment… You said you would not attack a website to avoid humiliating the owner, but there’s a more practical reason to not use such a tactic. Attacking a website is not a good way to inform the site administrator about vulnerabilities. Seeing an attack does not necessarily lead to being able to defend against it; if he didn’t spot the security problem initially, he might not know how to fix it. A well-written explanation of the problem would be more helpful. And if the suggestion is ignored, then you can forget about it, and some less scrupulous person will provide a lesson the hard way.
