
American Express website vulnerable… again!

December 22, 2008 | Posted by Robert Abela | Filed Under Web Security Articles, Web Security News

A few days ago a cross-site scripting (XSS) vulnerability was discovered and reported on the American Express site. An XSS vulnerability can allow attackers to steal user authentication cookies from americanexpress.com, leading to an account hijack.

As web security consultant Joshua D. Abraham said, the web developers addressed only one instance of the problem. They did not assess the whole application to check for similar issues!

This shows the importance of using an automated web vulnerability scanner. Web vulnerability scanners have an important role to play in the security testing of web applications. Not only do scanners make the process of testing web applications more efficient, but they can also serve to double-check the website developer’s work. Since most large websites are constantly changing, it makes sense to schedule a periodic scan so that any vulnerabilities are detected before they hit customers or your website’s reputation.

By making use of an automated web vulnerability scanner such as Acunetix, a developer or security professional could have found these high-profile vulnerabilities. It would possibly have spared American Express the embarrassment of having to deal with a second security flaw after just a few days!

Read more about the reported vulnerability in this article.

What do American Express and Facebook have in common?

December 18, 2008 | Posted by Sandro Gauci | Filed Under Web Security Articles, Web Security News

Cross Site Scripting seems to be the word of the past few days, with high-profile sites being featured on the technology news sites. ZDNet reported how Facebook just fixed four XSS security flaws affecting its developers’ page, the iPhone login page, the new user registration page and a Facebook applications page. All of these were reflected XSS vulnerabilities rather than stored XSS. This means the injected script only runs temporarily, when the victim is sent to the vulnerable page after following a crafted link or visiting a malicious website. American Express was also found guilty of hosting code vulnerable to Cross Site Scripting. El Reg is running an article on this vulnerability and about the bank’s response, or lack thereof. Russ McRee posted details on his blog after a futile attempt to reach AmEx’s security team. The flaw was fixed within minutes after The Register picked up the story.

So what is the reason that such vulnerabilities materialize and do not get fixed? Two months ago I too reported an XSS vulnerability to a bank’s security team. The case was very similar to the security hole in American Express’ website. The vulnerable script was a search script that echoed back the search string. After being told that they knew about the vulnerability, I asked, “why not fix it?” The reason? The Cross Site Scripting vulnerability does not affect the sensitive website (the e-banking site), which is on a different server.

In the network security world, this would have been a good answer, especially when the servers are segregated. However, when it comes to web application security, the situation is a bit different. If the secure e-banking site shares its cookie with the other websites on the same domain (e.g. secure.bank.com and www.bank.com share the same cookie), then the risk is immediately understood: Cross Site Scripting on one site affects the other. Even when that is not the case, Cross Site Scripting can cause trouble. Attackers have previously exploited XSS to launch very convincing phishing attacks on an Italian bank or to increase their Google ranking. Besides that, reputation is easily hurt if (like AmEx) your organization is trying to project the image that it takes security seriously!
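The cookie-sharing point above is easy to check mechanically. The following is an added example (not code from the original post or from Acunetix) that models RFC 6265 domain scoping: a session cookie issued by secure.bank.com with `Domain=bank.com` is also attached to requests for www.bank.com, so an XSS on the public site sits inside its scope, while a host-only cookie (no `Domain` attribute) stays with the secure host. The host names and Set-Cookie headers are constructed placeholders.

```python
"""Added example: which cookies issued by an e-banking host would a browser
also send to a sibling host on the same registered domain?  Hosts and
headers below are constructed, not taken from any real site."""
from http.cookies import SimpleCookie


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (public-suffix check omitted)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_scope(set_cookie, issuing_host):
    """Parse one Set-Cookie header; return (name, effective_domain, host_only)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"]
    if not domain:                      # no Domain attribute: host-only cookie
        return name, issuing_host.lower(), True
    return name, domain.lower().lstrip("."), False


def is_sent_to(set_cookie, issuing_host, request_host):
    """Would a browser attach this cookie to a request for request_host?
    Path and Secure are ignored here; only domain scope is modelled."""
    _, domain, host_only = cookie_scope(set_cookie, issuing_host)
    if host_only:
        return request_host.lower() == domain
    return domain_matches(request_host, domain)


def exposed_cookies(set_cookies, issuing_host, sibling_host):
    """Names of issuing_host's cookies that are also in scope for sibling_host,
    i.e. cookies whose scope an XSS on sibling_host would share."""
    return [cookie_scope(c, issuing_host)[0]
            for c in set_cookies if is_sent_to(c, issuing_host, sibling_host)]


# Constructed sample headers as an e-banking site might issue them.
SAMPLE_HEADERS = [
    "SESSID=abc123; Domain=bank.com; Path=/; Secure; HttpOnly",  # shared scope
    "EBANK=xyz789; Path=/; Secure; HttpOnly",                     # host-only
]

if __name__ == "__main__":
    print(exposed_cookies(SAMPLE_HEADERS, "secure.bank.com", "www.bank.com"))
```

Running it lists only `SESSID`: the mitigation is to issue session cookies host-only (or scoped to the secure host) so that a flaw on www.bank.com does not share their scope.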

Facebook worm on the loose

November 12, 2008 | Posted by Sandro Gauci | Filed Under Web Security News

A worm abusing Facebook’s messaging system is making the rounds between friends. It consists of an executable worm known as Koobface that runs on the victim’s computer and searches it for Facebook cookies. It then uses these cookies to hijack an authenticated session and send a message to all of the victim’s friends. This message typically contains a link to a website that will try to infect new victims.

This is not the first worm to make use of social networking sites for distribution. Social networking sites are the perfect way of distributing worms in the Web 2.0 world. By their nature, social networks are virulent, very much like malware, and can help reach a large group of people. Some worms previously made use of web application attacks like Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). In fact, the more complex and popular social networking sites become, the more chance there is that such sites are used as a platform to launch malware. Technologies such as Ajax make websites more useful and easier to use. As a side effect, they also tend to expose such sites to new risks that were previously not thought to be a security issue.

For example, Facebook supports online Apps that have been found to hide malicious code. One particular malicious Facebook App called ‘Secret Crush’ was discovered to be spreading in early 2008. It attempted to install adware on victims’ computers. Web application vulnerabilities together with a bit of social engineering can prove to be a very effective weapon in a malware writer’s arsenal.


More FREE and automated SQL Injection tools available for hackers

October 24, 2008 | Posted by Robert Abela | Filed Under Web Security News

Hackers are clearly becoming more sophisticated than ever these days, not only operating within a very close-knit web hacking community of sites and blogs, but now also creating their own free, automated SQL injection attack tools and making them available to the public.

These tools, which are marketed openly as developed for ‘security auditing’, help hackers easily recognize potentially vulnerable websites that can fall victim to massive SQL injections.

Web developers should be asking themselves what to do against this major threat.

Knowing that vulnerable web applications are the target of SQL injection and other web hacking techniques, the logical thing to do is to stay a step ahead of hackers and prevent these website attacks by identifying web application vulnerabilities before they are exploited.

Read how Acunetix Web Vulnerability Scanner helps you prevent these sophisticated attacks on your web applications here.

Read more about the free SQL injection attack tools available to hackers here.