
What do American Express and Facebook have in common?

Submitted on December 18, 2008 – 3:09 pm

Cross Site Scripting seems to be the topic of the past few days, with high profile sites getting featured on the technology news sites. ZDNet reported how Facebook just fixed four XSS security flaws affecting their developers’ page, the iPhone login page, the new user registration page and a Facebook applications page. All of these were reflected XSS vulnerabilities rather than stored XSS. This means the injected script is not saved on the server: it only executes when the victim reaches the vulnerable page through a crafted link or is sent there from a malicious website. American Express was also found guilty of hosting code vulnerable to Cross Site Scripting. El Reg is running an article on this vulnerability and about the bank’s response, or lack of one. Russ McRee posted details on his blog after a futile attempt to reach AmEx’s security team. The flaw was fixed within minutes after The Register picked up the story.

So why do such vulnerabilities materialize and then not get fixed? Two months ago I too reported an XSS vulnerability to a bank’s security team. The case was very similar to the security hole in American Express’ website: the vulnerable script was a search script that echoed the search string back into the page unmodified. After being told that they already knew about the vulnerability, I asked “why not fix it?”. The reason? The Cross Site Scripting vulnerability does not affect the sensitive website (the ebanking site), which is on a different server.

In the network security world, this would have been a good answer, especially when the servers are segregated. When it comes to Web Application Security, however, the situation is a bit different. If the secure ebanking site shares its cookie with the other websites on the same domain (e.g. secure.bank.com and www.bank.com share the same cookie), then the risk is obvious: Cross Site Scripting on one site affects the other site, because the browser sends that cookie to both hosts and script injected on either of them runs in its scope. Even when that is not the case, Cross Site Scripting can cause trouble. Attackers have previously exploited XSS to launch very convincing phishing attacks on an Italian bank, or to increase their Google ranking. Besides that, reputation is easily hurt if (like AmEx) your organization is trying to project the image that it takes security seriously!
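As an added illustration (not part of the original post), the two points above in Python: a search page that echoes the query unescaped beside the escaped version, and an RFC 6265 domain-match check showing when a cookie scoped to bank.com is also sent to a sibling host. The parameter name `q` and the host names are assumptions.

```python
import html
from urllib.parse import parse_qs


def search_param(query_string: str) -> str:
    """Extract the 'q' parameter (assumed name) from a raw query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Echoes the search string back into the HTML unmodified.
    This is the pattern the post describes: any markup in 'q' is rendered."""
    return f"<p>Results for: {search_param(query_string)}</p>"


def render_search_fixed(query_string: str) -> str:
    """Same page, but the user-controlled value is HTML-escaped on output,
    so <, >, &, ' and \" reach the browser as text rather than markup."""
    return f"<p>Results for: {html.escape(search_param(query_string), quote=True)}</p>"


def cookie_sent_to_host(cookie_domain: str, host_only: bool, request_host: str) -> bool:
    """RFC 6265 domain matching.
    A cookie set with Domain=bank.com is sent to bank.com and every subdomain;
    a host-only cookie (no Domain attribute) goes to the exact origin host only."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def session_exposed_by_sibling_xss(cookie_domain: str, host_only: bool,
                                   xss_host: str, secure_host: str) -> bool:
    """True when the session cookie meant for secure_host is also sent to xss_host,
    i.e. an XSS flaw on xss_host lands in the same cookie scope (HttpOnly limits
    script access but does not change where the cookie is sent)."""
    return (cookie_sent_to_host(cookie_domain, host_only, secure_host)
            and cookie_sent_to_host(cookie_domain, host_only, xss_host))


if __name__ == "__main__":
    qs = "q=%3Cb%3Eloan%3C%2Fb%3E"  # constructed query string carrying markup
    print(render_search_vulnerable(qs))  # markup survives into the page
    print(render_search_fixed(qs))       # markup is shown as literal text
    print(session_exposed_by_sibling_xss("bank.com", False, "www.bank.com", "secure.bank.com"))
    print(session_exposed_by_sibling_xss("secure.bank.com", True, "www.bank.com", "secure.bank.com"))
```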
