This recent article mentions that XSS and HTML injection are quickly eclipsing the traditional stack smashing and SQL tainting attacks in popularity.  But why?  I posit that the reason is simple — XSS & HTML injection vulnerabilities are frighteningly trivial to find.  I will demonstrate the relative ease of finding injection points in this article.  I wrote a script that sniffs out hundreds of such vulnerabilities rapidly and automatically, in fact.

Both XSS & HTML injection vulnerabilities are the result of similar flaws in web application software.  Typically, a programmer forgets to properly escape or sanitize user-defined data before it is presented in a web page.  The result is that a malicious user can cleverly inject arbitrary data into the page.  Hackers can carefully craft and insert scripts that lift user information, and black hat SEOs can carefully craft and insert links and JavaScript redirects that monetize vulnerable high-ranking authority sites.
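To make the "forgot to escape" flaw concrete, here is an added example (my own illustration, not code from the original post or from any of the sites it mentions) of a search-results page rendered two ways: once with the search term concatenated straight into the HTML, and once with each user-controlled value escaped for the context it lands in. The sample query, the `render_results_*` function names and the `reflects_unescaped` regression check are all constructed for this illustration; the only real APIs used are Python's `html.escape` and `urllib.parse.quote`.

```python
import html
from typing import List
from urllib.parse import quote

# Constructed sample input: a search term that carries markup, the kind of
# value a search form reflects back into its results page.
SAMPLE_QUERY = "<a href='http://example.invalid/'><h1>Go elsewhere</h1></a>"


def render_results_unsafe(query: str, hits: List[str]) -> str:
    """Vulnerable version: the query is dropped into the HTML as-is.

    Whatever markup the visitor typed becomes part of the page, which is
    exactly the HTML injection / XSS condition described in the post."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return (
        "<html><body>"
        f"<h2>Results for: {query}</h2>"
        f"<ul>{items}</ul>"
        "</body></html>"
    )


def render_results_safe(query: str, hits: List[str]) -> str:
    """Hardened version: every user-controlled value is escaped for the
    context it is inserted into.

    - HTML text and double-quoted attribute values: html.escape(quote=True)
      turns < > & " ' into entities, so the value can no longer close a tag
      or break out of the attribute.
    - A URL query parameter inside an href: urllib.parse.quote with safe=""
      percent-encodes everything that is not unreserved, so the term cannot
      smuggle extra parameters or markup into the link.
    Stored hits are escaped too, since indexed content may contain markup."""
    q_text = html.escape(query, quote=True)
    q_url = quote(query, safe="")
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return (
        "<html><body>"
        f"<h2>Results for: {q_text}</h2>"
        f'<input type="text" name="search" value="{q_text}">'
        f'<a href="/search?search={q_url}&amp;page=2">Next page</a>'
        f"<ul>{items}</ul>"
        "</body></html>"
    )


def reflects_unescaped(rendered: str, probe: str) -> bool:
    """Regression check for your own application's output: does a marker
    tag from the input survive verbatim in the rendered page?  Run this
    against pages you are responsible for, with a harmless probe string."""
    return probe in rendered


if __name__ == "__main__":
    hits = ["First matching document", "Second matching document"]
    print("unsafe reflects <h1>:", reflects_unescaped(render_results_unsafe(SAMPLE_QUERY, hits), "<h1>"))
    print("safe   reflects <h1>:", reflects_unescaped(render_results_safe(SAMPLE_QUERY, hits), "<h1>"))
```

The point of the two renderers side by side is that the fix is not a blacklist of "bad" characters but escaping chosen per output context; the same search term needs HTML entities in the heading and the input value, and percent-encoding in the link.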

The stark difference between this type of injection and others is that there are certain very obvious signatures one can use to locate the vulnerabilities using a Google Dork.  My favorite one is that of a form — more specifically a search form.  I found 100 .edu sites that were vulnerable to XSS attacks in less than 5 minutes.  I won't list them, but I promise you, they're out there.  Look here if you need a hint.

But here's my favorite one — Harvard.  Yes, arguably the world's finest university is vulnerable.  And my trivial script found it by iterating over all .edu TLD domains.  Here it is:

http://chandra.harvard.edu/cgi-bin/AT-Chandrasearch.cgi?search=%3Ca+href%3D%27http%3A%2F%2Fwww.princeton.edu%2F%27%3E%3Cblink%3E%3Ch1%3EGo+to+Princeton+Instead%21%3C%2Fh1%3E%3C%2Fblink%3E%3C%2Fa%3E&sp=sp 

That's a sweet PR9 domain for the black hatters out there.  I know less about the hacking implications, but I suspect there may be something there as well.  Ha.ckers.org is a great place to look for information regarding XSS vectors.  Here is a link to his XSS cheat sheet.

Note: Many other schools were far, far worse, I might add.

Granted, I had the convenience of being able to walk the entire .edu space with a script that probes for such vulnerabilities.  And I won't release it to the general public — I don't want script kiddies hacking sites with the script.  My interests are purely academic.

But I do believe we have a problem looming in the background.

You can also access the same script interactively here:
http://www.seoegghead.com/tools/scan-for-html-injection.php

Try out chandra.harvard.edu :)
