Friday, April 17, 2009

We Used to Laugh at XSS

I remember at Defcon 10 in 2002, when members of GOBBLES took to the stage for their much anticipated talk about the state of the security industry. The talk turned out to be a largely incoherent, but entertaining rant and I still remember the Unix Terrorist (aka Stephen Watt) poking fun at the many cross-site scripting (XSS) holes that people had begun to publish advisories for. At the time, he was right. XSS wasn't a high risk vulnerability. It wasn't being leveraged by attackers for anything meaningful and could be easily thwarted by simply avoiding the use of JavaScript. Well...things have changed. Today, Watt faces some serious charges due to his alleged involvement in the TJX breach and XSS vulnerabilities have emerged as a legitimate threat.

What changed?

Last weekend, a web-based Twitter worm (aka the Mikeyy/StalkDaily worm) hit the media. It was the work of Michael Mooney, a 17-year-old, self-described 'bored developer', who was brazen enough to brag about the attacks after the fact. He may be regretting the publicity at this point, now that his systems have been publicly hacked and he's no doubt heard about how Samy Kamkar was rewarded for his efforts after a similar attack on MySpace with a felony conviction. However, thus far it seems to have landed him a job as opposed to jail time.

What has happened to turn XSS from amusing interweb trickery into a valuable attack vector? In short, the web has changed, but unfortunately security is lagging behind. In general, I see the following four factors that deserve credit:

1.) Prevention [should be] the best Medicine - We've known about the dangers of XSS for at least a decade now, and yet it remains the most prevalent web application vulnerability out there. Efforts to educate developers have produced limited results, not in my opinion because developers don't care, but because the population of web developers is growing at a tremendous pace, thanks to point 'n click development environments. We've empowered millions with the tools to develop web applications, but we've also made it far too easy to produce an insecure application.

2.) The Ubiquity of JavaScript - We used to tell users to avoid XSS by avoiding JavaScript. That was a reasonable statement in 2001, but good luck surfing the web today without a JavaScript-enabled browser. You'd be better off using a text-based browser such as lynx. With the advent of AJAX-enabled sites and the demand for increasingly interactive, user-friendly web content, you'd be hard pressed to find a JavaScript-free site that is actually used by anyone.

3.) The Power of Social Networking - Web-based worms such as the Twitter worm have one inherent limitation - they live within the ecosystem where they were created. While this would be significant for a seldom-used web application, with social networking sites measuring active users in the hundreds of millions this is hardly a limitation at all.

4.) Sky's the limit - While we tend to think of XSS as a way to steal session credentials, such attacks are limited only by the creativity of the researchers/attackers that pursue them. Anton Rager developed XSS-Proxy as a means to remotely control XSS attacks. Billy Hoffman turned a browser into a vulnerability scanner via XSS. Jeremiah Grossman demonstrated gaining insight into someone's browser history, and at Black Hat DC this year I talked about how XSS can be used to conduct client-side SQL injection. The list goes on and on...

The Twitter and MySpace worms were largely benign. When traditional worms began spreading, they were largely benign as well, a proof of concept to prove that something could be done. Once that hurdle had been overcome, criminals moved in to profit and I don't expect the outcome to be any different this time around either.

We've set the bar far too low for attackers. Well known vulnerabilities such as XSS remain far too prevalent, despite having been around for years. It's encouraging to see Microsoft stepping into the fray by adding XSS prevention to Internet Explorer 8 and I hope that other browser vendors will do the same. While the root cause lies with web app developers, it is clear that focusing on developers alone will not fix the problem. The interconnected nature of the web requires that all players pitch in to reduce risk to end users.

- michael

1 comment:

Anonymous said...

You forgot that Steven was indicted for his role in TJX.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119042