Cross Site Scripting seems to be the phrase of the past few days, with high profile sites being featured on the technology news sites. ZDNet reported how Facebook just fixed four XSS security flaws affecting its developers' page, the iPhone login page, the new user registration page and a Facebook applications page. All of these were reflected XSS vulnerabilities rather than stored XSS. This means that the injected script is never saved on the vulnerable site: it travels in the request and is echoed straight back in the response, so the victim has to be tricked into sending that request, typically by following a crafted link or by visiting a malicious website that redirects to the vulnerable site. American Express was also found guilty of hosting code vulnerable to Cross Site Scripting. El Reg is running an article on this vulnerability and on the bank's response, or lack thereof. Russ McRee posted details on his blog after a futile attempt to reach AmEx's security team. The flaw was fixed within minutes after The Register picked up the story.
So what is the reason that such vulnerabilities materialize and do not get fixed? Two months ago I too reported an XSS vulnerability to a bank's security team. The case was very similar to the security hole in American Express' website. The vulnerable script was a search script that echoed the search string back to the user. After being told that they knew about the vulnerability, I asked "why not fix it?". The reason? The Cross Site Scripting vulnerability does not affect the sensitive website (the ebanking site), which is on a different server.
In the network security world this would have been a good answer, especially when the servers are segregated. When it comes to web application security, however, the situation is different: the boundary that matters is drawn by the browser, not by the network. If the secure ebanking site shares its cookie with the other websites on the same domain (e.g. secure.bank.com and www.bank.com both receive a cookie scoped to bank.com), then the risk is immediately understood: script injected into one site can read the session cookie of the other, so Cross Site Scripting on one site affects the other site. Even when that is not the case, Cross Site Scripting can cause trouble. Attackers have previously exploited XSS to launch very convincing phishing attacks on an Italian bank, where the fake login form is served under the bank's own host name, or to increase their Google ranking. Besides that, reputation is easily hurt if (like AmEx) your organization is trying to project the image that it takes security seriously!