Web-based security threats are a popular topic and you can easily find related information, including on cross-site scripting and one of its important flavors, Blind XSS. However, although this information is usually delivered at a high level of detail, the description of the possible targets of such an attack is quite slim and commonly refers generic terms such as “web application” or “web page” and consequently, people mainly think web sites, in this context. In order to realize whether you are exposed to such risks, without being a web security guru, you need to take a closer look at the top targets of Blind XSS and the high level impact of such targets being compromised. Understanding these aspects will help evaluate the current state of web security in your organization and plan for risk mitigation strategies.
So, what are the potential targets in your environment?
1. Security appliances
Security appliances are a common presence in today’s IT environments, with the increased focus on security as a concept, as well as the latest developments in security standards and regulations that enforce the use of several solutions, playing a key role in any security consolidation strategy. Most of the security appliances, regardless of the packaging – virtual or real, are managed via web-based user interfaces and are running on Linux/Unix based operating systems. In general, such operating systems are regarded as being more secure than Microsoft based operating systems and, since we are dealing with security applications (some sold by well-known vendors), the false perception that they are invulnerable is commonly created.
The following are examples of security appliances commonly used in IT environments:
- Log data collection and analysis appliances;
- Secure gateway appliances / Web filtering and anti-malware appliances;
- Network access control appliances;
All these have one obvious thing in common – they are managed via a web-based console, making them vulnerable for web-based attacks such as XSS. More importantly, they all provide role-based access to their management console, with separated roles for data management, security administration and so on, each exposing certain types of information. The areas which can be exploited by XSS and particularly by Blind XSS, are the login forms. In the case of Blind XSS, the hackers expect the malicious payload, delivered on the login forms to be executed in administrative contexts, mainly by running activity reports and checking out the logon dashboards.
Since we are dealing with security appliances, all the consequences of compromised security apply in different ways, depending on the type of equipment being compromised:
a) Successful Blind XSS attacks on log data collection and analysis appliances can allow the attacker to access logging information gathered from the entire environment:
- Authentication log entries: provide information on user accounts used throughout the network, as well as logon times of certain user accounts, the names of critical IT assets that the users have logged on to, etc.
Such information can be used to determine user behavior, normal operational time, as well as user names that have access to other systems, such as the domain controllers, fileservers and database servers, - together with name and IP information for the latter. When equipped with such information, a hacker can perform well targeted attacks on other IT assets, with disastrous consequences.
- Security policy changes, user rights assignment and account management log entries: provide information on how and when security policies are changed, as well as names of user accounts with elevated privileges, having access to critical IT assets in the environment.
Such information helps the hacker identify the best time for an attack on other devices, as well as user names most likely to cover a wide array of devices, with elevated privileges.
Log data contains most of the security relevant activity happening in a network and having access to such data compromises the security of the entire IT environment, not just one specific IT asset.
Example of an XSS vulnerability found in log data management appliances; HP ArcSight Connector Appliance XSS vulnerability.
b) Successful Blind XSS attacks on secure gateway appliances provide the attacker with information on accessing the intranet, IP addresses of eventual proxy servers, user browsing behavior, user names and internal IPs of the endpoints. When equipped with such information, attackers can perform more damaging and better targeted attacks, compromising endpoints holding relevant information.
Example of a recent XSS vulnerability found in Sophos Web Appliance.
c) Successful Blind XSS attacks on network access control appliances provide the attacker with information on means of accessing intranet, current VPN settings, available VPN connections, user names allowed in the intranet from outside, IP addresses of equipment accessing the intranet from the outside, etc.
Example of a recent XSS vulnerability found in Cisco NAC Appliance.
Ultimately, the main consequence of Blind XSS attacks is execution of malicious code within security contexts of privileged users, as well as exposure of security relevant information which can be used to perform further attacks on other assets in the network environment, leading to:
a) Data theft:
- Loss of intellectual property, putting your organization behind competitors, affecting your projects and maybe even leading to closing current projects, which in turn reflects as lack of revenue as well as leading to investment loss;
- Loss of information about customers and business partners, leading to loss of confidence and reputation, which in turn leads to loss of business and revenue, as well as fines enforced by regulations demanding protection of such information (like PCI DSS, HIPAA, Sarbanes–Oxley, etc.);
b) Denial of service attacks on your critical assets causes downtime, decreased quality of service for your customers, slowed down production or affected business flow-all leading to loss of revenue;
c) Usage of your IT resources to launch attacks on third-parties or send spam, with legal consequences.
The aim of this article isn’t to present an in-depth, technical view of how the vulnerabilities in such appliances are exploited, but focuses more on the top level consequences of them being compromised. To get more insight into the technical aspects of this subject, read this blog post.
2. Managed services
Businesses of various sizes choose to outsource their IT management tasks (or parts of them) to managed service providers (MSPs), thus moving the responsibility of downtime, security and management to third-parties. Most MSP’s offerings target IT management and include software programs that perform administrative tasks on customers’ network, as well as vendor management systems for billing and service reporting. Most of these solutions are in turn offered to the MSPs by vendors who offer rebranding capabilities for generic software solutions that perform the tasks required in the MSPs’ business space. Consequently, since we are dealing with rebranding, high availability and flexibility, most of these solutions are web-based, so management on the MSP side is done in a web application, while the customers of the MSPs, and their users, have access to client side applications that interact with the web-based system for various specific tasks, such as logging a bug, opening a support ticket, download a report, etc.
This creates the “perfect” scenario for Blind XSS attacks because malicious payloads can be placed in the client side application as a bug report or a support chat, then they can get stored into the MSP’s system and eventually triggered by MSP personnel when working with the web-based IT management interface of the solution.
The main consequence of compromised web applications belonging to MSP solutions is that of providing attackers with information on the IT environment being managed and, possibly, depending on the context in which the payload is executed, the IT environments of other customers of the same MSP. The information, such as names /IPs of assets, routes to intranet and user names can be used to perform further attacks on the MSP’s customers, or the MSP IT environment itself. Since such an attack can be carried out from ANY single node belonging to ANY customer of the MSP, and the consequences may affect the entire MSP customer base, this threat should be highly considered and mitigated.
Similarly to compromised security appliances, exploiting MSP applications has consequences in terms of security:
- Leaking information about the MSPs customers, with impact on their security can cost the MSP legal liabilities, loss of reputation and loss of business revenue; In addition to that, the legal regulations demanding protection of customer information also apply. Since billing information may also be exposed, this risk falls under the incidence of PCI DSS / Sarbanes–Oxley too.
- For customers, compromised security has all the consequences already discussed at point 1, which all sum up to loss of revenue.
- For MSPs, compromised security can also lead to downtime, decreased quality of service and overall business revenue loss.
3. On-premise IT management applications
Since any business with more than 20 computers needs to automate IT management in order to reduce costs and ensure uptime, on-premise IT management applications are one of the first solutions deployed by network administrators. Lately, in order to deliver flexibility and ease of access, most of these solutions use web-based administration consoles and enable IT administrators to access important dashboards or incident details, even outside normal operational time and off the premises. The web-based consoles deliver role-based access, similarly to security appliances, and can also be vulnerable to XSS and Blind XSS attacks which exploit the login form, get the payload stored in the logs, and eventually execute the payload in an administrative context when the console is loaded by an authorized user.
Compromised IT management applications can feed the hackers critical information about the network and its assets, as well as the users being part of the IT department, who generally have elevated privileges throughout the entire IT network. With such information available, the grounds for further attacks are set. Similarly to vulnerable security appliances, Blind XSS attacks on IT management applications allow execution of code in the intranet, usually with high privileges.
An example of XSS vulnerabilities found in IT management applications; security expert Adam Baldwin presented Blind XSS and a live demonstration of exploiting a vulnerable and rather popular IT management solution at DEF CON 2012.
4. Other targets
Having discussed the MSP solutions in this context, we should also mention cloud-based, Software as a Service (SaaS) solutions which became increasingly popular recently and are still on a consistent growing trend. Cloud-based solutions are offered in many forms and cover a large array of needs, for consumers and businesses, and by extension are similar to the MSP solutions in nature and technology. Thus they share the same possibility of exposing XSS and Blind XSS vulnerabilities, with similar consequences but usually provide a higher level of security and the likelihood is somewhat smaller than in the case of MSP solutions.
Content Management Systems (CMS), are quite popular as well, with larger businesses having many employees who need to share resources, content and workflows in a consolidated manner. Irrespective of their types, most of such solutions provide client access to server data, as well as central web interfaces for management, and consequently may expose XSS and Blind XSS vulnerabilities similarly to the MSP solutions: payload may get injected in the client-side application (which does not necessary need to be web-based), stored on the server and eventually executed in a different context, when the central management web interface is used. Compromised content management systems can provide direct access to critical content used by the company, as well as information on user accounts, user roles and user communications.
There are commonly used applications developed by well-known, popular vendors, which have been vulnerable to XSS and Blind XSS attacks. The vendors usually make considerable efforts to find and address such issues, however there is a time gap between when these vulnerabilities are found, made public, and fixed. In order to ensure protection against these types of vulnerabilities, under such circumstances, it is recommended to use scanners able to detect web vulnerabilities and perform penetration testing on all your applications that are using web technology.
|Target||Exploit area||Trigger area||Top level consequences|
|Security appliances||Login forms||Central management console – logs, reports||Data theft;
Premises for further attacks; Downtime;
Lack of compliance / Fines;
Allows resources to be used by the hacker to attack third-parties.
|MSP solutions||Client-side applications storing data server-side||MSP console – logs, reports, alert details||Premises for further, better targeted attacks;
Loss of reputation.
|On premises IT management solutions||Login forms||Central management console – logs, reports||Premises for further, better targeted attacks;
Allows resources to be by the hackers to attack third-parties.
|Cloud-based, software as a service||Login forms, client side applications communicating with the cloud||Central management consoles in the cloud – logs, reports||Data theft,
Premises for further, better targeted attacks;
May impact business flow.
|Content management systems (CMS)||Client-side applications storing content, login forms||Central management consoles – logs, activity reports, etc.||Data theft;
May impact business flow.