Recently, we received a security alert from David deVitry of Infigon Technologies. David, a security buff and website developer, wanted to inform us of a cross-platform hole that exists on several major websites. Interestingly, the alert isn't a newly found bug or an architectural oversight, rather it is a vulnerability that is well documented by CERT and has been in existence for well over a year and half.
The vulnerability itself, CERT Advisory 2000-02, sometimes called cross-site scripting or malicious tagging, takes advantage of dynamically generated Web pages. Basically, a malicious script, which could be written in a number of different languages, can be inserted as input into dynamically generated Web pages. Unless the pages are specifically built to protect against the insertions of these scripts, they allow an attacker to insert code that can poison cookies, expose SSL connections, access restricted sites, or pull off a number of other attacks.
|Normally, a vulnerability is published, and there is a scramble by software vendors to eliminate it. In this case, despite repeated publishing, it continues to exist on high-traffic sites even a year after discovery.|
The concern, however, is about the window of exposure to this vulnerability and it's pervasiveness. deVitry reported that he could find scripting holes in almost every site he visited. Normally, a vulnerability is published, and there is a scramble by software vendors to eliminate it. In this case, despite repeated publishing, it continues to exist on high-traffic sites even a year after discovery.
With increased network and Internet traffic, recent new rashes of viruses and malicious code, huge layoffs in IT staffs, cutbacks to security, and the increased complexity of Web- and Internet-based technology, this lack of response could portend a dark future for e-commerce, and for unsuspecting consumers.
References and Resources
Thanks to David deVitry and Infigon Technologies for bringing this to our attention.
- Infigon's page on Cross-Site Scripting
- And their list of susceptible sites
- The CERT Advisory
- CERT advisory on disabling browser scripting
Several site scripting vulnerabilities exist because ASP treats all input as trusted. If you use ASP, you need to do text checking with JScript and VBScript. The following scripts are examples taken from Microsoft's IIS 5.0 security checklist.
Script to remove non-normal characters from input (i.e., only allows 0-9 and a-z input):
Set reg = New RegExp
reg.Pattern = "\W+" ' One or more characters which ' are NOT 0-9a-zA-Z or '_'
strUnTainted = reg.Replace(strTainted, "")
Script that strips text after the | operator
Set reg = New RegExp
reg.Pattern = "^(.+)\|(.+)" ' Any character from the start of ' the string to a | character.
strUnTainted = reg.Replace(strTainted, "$1")
Postscript: One reader has written asking if ColdFusion Markup Language (CFML) is also vulnerable to this exploit. It is. Allaire has a security bulletin about cross site scripting located here.
About the Author
Thomas Gutschmidt is a freelance writer, in Bellevue, Wash., who also works for Widevine Technologies.