XSS & HTML Injection are Frighteningly Trivial to Find at Harvard.edu
Sep 21
This recent article mentions that XSS and HTML injection are quickly eclipsing the traditional stack smashing and SQL injection attacks in popularity. But why? I posit that the reason is simple: XSS and HTML injection vulnerabilities are frighteningly trivial to find. I will demonstrate the relative ease of finding injection points in this article. In fact, I wrote a script that sniffs out hundreds of such vulnerabilities rapidly and automatically.

Both XSS and HTML injection vulnerabilities stem from the same class of flaw in web application software: a programmer forgets to escape or sanitize user-supplied data before echoing it back into a page. The result is that a malicious user can inject arbitrary markup into that page. Injected script (XSS) lets hackers lift user information; injected markup (HTML injection) lets black hat SEOs plant links and JavaScript redirects that monetize vulnerable, high-ranking authority sites.

The stark difference between this type of injection and others is that it has very obvious signatures that can be located with a Google Dork. My favorite is a form, more specifically a search form: a search page almost always echoes the query back into its results page, so whether it escapes that echo can be tested with a single request. I found 100 .edu sites that were vulnerable to XSS attacks in less than 5 minutes. I won't list them, but I promise you, they're out there. Look here if you need a hint.

But here's my favorite one: Harvard. Yes, arguably the world's finest university is vulnerable, and my trivial script found it by iterating over all domains under the .edu TLD. Here it is:

That's a sweet PR9 domain for the black hatters out there. I know less about the hacking implications, but I suspect there may be something there as well.

Ha.ckers.org is a great place to look for information regarding XSS vectors. Here is a link to his XSS cheat sheet.

Note: Many other schools were far, far worse, I might add.
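The flaw and the search-form signature described above, as an added example that is not the post's scanner nor the HTMLParser library it mentions: a minimal Python audit that (1) finds GET search forms in a page, which is the "obvious signature", (2) builds a URL-encoded probe request, and (3) classifies whether the echoed probe survived as markup. The render_search_* functions, the SAMPLE_PAGE and the search.example.invalid host are constructed stand-ins for a real search page; the marker tag zzqprobe7 is an arbitrary choice.

```python
# Added example (not the post's scanner). Models both halves of the audit the
# post describes: spot the signature (a GET search form), then probe the echo
# and classify the response. Every page below is constructed for the demo and
# the render_* functions stand in for a real search page (hypothetical host).
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus

# A marker that will not occur on a real page. It carries a quote and a '>' so
# it also breaks out of a quoted attribute, plus a bogus tag whose survival we check.
PROBE = '"><zzqprobe7>'


def render_search_vulnerable(query: str) -> str:
    """The flaw: the query is echoed into text and attribute context unescaped."""
    return (f"<html><body><h1>Results for: {query}</h1>"
            f'<input type="text" name="q" value="{query}"></body></html>')


def render_search_fixed(query: str) -> str:
    """The fix: escape for HTML, including quotes, since it lands in an attribute."""
    safe = html.escape(query, quote=True)
    return (f"<html><body><h1>Results for: {safe}</h1>"
            f'<input type="text" name="q" value="{safe}"></body></html>')


class SearchFormFinder(HTMLParser):
    """Collect every <form> with its method and its text/search input names."""

    def __init__(self) -> None:
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() in ("text", "search") and a.get("name"):
                self._current["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def search_form_targets(page: str):
    """Return (action, parameter) pairs worth probing: GET forms with a text input.
    POST forms are skipped: a reflected payload there cannot be delivered by link."""
    finder = SearchFormFinder()
    finder.feed(page)
    return [(f["action"], name) for f in finder.forms
            if f["method"] == "get" for name in f["inputs"]]


def build_probe_url(action_url: str, param: str, probe: str = PROBE) -> str:
    """URL-encode the probe so the server, not the client, decodes the markup."""
    return f"{action_url}?{param}={quote_plus(probe)}"


def classify(response_body: str, probe: str = PROBE) -> str:
    """Classify how a page echoed the probe.

    'injectable'    - the bogus tag came back as a tag, so markup survives
    'escaped'       - the marker came back, but its '<' and '>' were encoded
    'not-reflected' - the input is not echoed at all (nothing to inject into)
    """
    tag_name = probe[probe.rfind("<") + 1:].rstrip(">")
    if f"<{tag_name}>" in response_body:
        return "injectable"
    if tag_name in response_body:
        return "escaped"
    return "not-reflected"


# Constructed page: one search form (GET) and one login form (POST).
SAMPLE_PAGE = """<html><body>
<form action="/search" method="get"><input type="text" name="q"><input type="submit"></form>
<form action="/login" method="post"><input type="text" name="user">
<input type="password" name="pw"></form>
</body></html>"""


def audit_demo():
    """Run both halves against the constructed data and return the verdicts."""
    targets = search_form_targets(SAMPLE_PAGE)
    url = build_probe_url("http://search.example.invalid" + targets[0][0], targets[0][1])
    return {
        "targets": targets,
        "probe_url": url,
        "vulnerable": classify(render_search_vulnerable(PROBE)),
        "fixed": classify(render_search_fixed(PROBE)),
        "static": classify("<html><body>No search here</body></html>"),
    }


if __name__ == "__main__":
    for key, value in audit_demo().items():
        print(f"{key}: {value}")
```

The "escaped" verdict only says the angle brackets were entity-encoded in the one context probed; a value echoed into a JavaScript block or an unquoted attribute needs a context-specific probe, and a scanner that sends nothing but a literal script tag is easy to blind with a keyword blocklist, which is why the probe uses a nonsense tag name rather than anything a filter would recognize.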
Granted, I had the convenience of being able to walk the entire .edu space with a script that probes for such vulnerabilities. And I won't release it to the general public; I don't want script kiddies hacking sites with it. My interests are purely academic. But I do believe we have a problem looming in the background.

You can also access the same script interactively here: Try out chandra.harvard.edu

Code for HTML Auditing

```php
<?
// +----------------------------------------------------------------+
// | HTMLParser                                                     |
// | Simple HTML Parsing Library                                    |
// | Based on Jose Solorzano's Library; his notice is below.        |
// +----------------------------------------------------------------+
// | Portions Copyright (c) 2004-2005 Jaimie Sirovich               |
// +----------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or  |
...
```
"3 Wise Comments Banged Out Somewhere On The Internet ..."
Jaimie, as a colleague who manages several .edu domains, would I be able to access your results for our domains specifically to correct any vulnerabilities that may exist? Thanks in advance.

ha.ckers.org web application security lab - Archive » EDUs Vulnerable to XSS
[...] Jaimie Sirovich is at it again with his scanner. This time he aimed it at some .edu domains. The risks aren't that high compared to the reward for the SEO community. For search engine optimization it's really helpful to have .EDU domains. In this case, using cross site scripting is particularly useful for hijacking page rank via HTML injection. [...]