- Sep. 21st, 2006
This recent article mentions that XSS and HTML injection are quickly eclipsing the traditional stack smashing and SQL tainting attacks in popularity. But why? I posit that the reason is simple — XSS & HTML injection vulnerabilities are frighteningly trivial to find. I will demonstrate the relative ease of finding injection points in this article. In fact, I wrote a script that rapidly and automatically sniffs out hundreds of such vulnerabilities.
The stark difference between this type of injection and others is that there are certain very obvious signatures one can use to locate the vulnerabilities using a Google Dork. My favorite one is that of a form — more specifically a search form. I found 100 .edu sites that were vulnerable to XSS attacks in less than 5 minutes. I won't list them, but I promise you, they're out there. Look here if you need a hint.
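The reason a search form is such a reliable signature is that a results page almost always echoes the search term back to the user, and the vulnerability is simply that the echo happens without HTML encoding. The following is an added example, not code from the original post or from any of the sites it mentions: a minimal results renderer written both the broken way and the encoded way, plus the kind of regression check a site owner can put in their own test suite to catch the broken form. All function names and the sample query string are constructed for this illustration.

```python
import html
from urllib.parse import parse_qs


def extract_query(query_string: str) -> str:
    """Pull the 'q' parameter out of a URL query string (empty if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_results_unsafe(term: str) -> str:
    """The classic mistake: the search term is interpolated into the HTML
    as-is, so any markup the user typed becomes live markup in the page."""
    return f"<h2>Results for: {term}</h2>\n<p>No results found.</p>"


def render_results_safe(term: str) -> str:
    """Same page, with the term HTML-encoded at the point of output.
    '<', '>', '&', '"' and "'" become entities and display as literal text."""
    return (
        f"<h2>Results for: {html.escape(term, quote=True)}</h2>\n"
        "<p>No results found.</p>"
    )


def echoes_live_markup(render, term: str) -> bool:
    """Regression check for a results template: True if a term containing
    '<' reaches the output with its characters intact, i.e. the template is
    reflecting user-supplied markup rather than encoding it."""
    return "<" in term and term in render(term)


# Constructed sample request: a search for the literal text <b>bold</b>,
# as the browser would URL-encode it in the query string.
SAMPLE_QUERY_STRING = "q=%3Cb%3Ebold%3C%2Fb%3E"

if __name__ == "__main__":
    term = extract_query(SAMPLE_QUERY_STRING)
    print("unsafe:", render_results_unsafe(term))
    print("safe:  ", render_results_safe(term))
    print("unsafe echoes markup:", echoes_live_markup(render_results_unsafe, term))
    print("safe echoes markup:  ", echoes_live_markup(render_results_safe, term))
```

The harmless `<b>` tag is enough for the check: if benign markup survives the round trip unencoded, so will anything else, so the test needs nothing more hostile than that. Encoding belongs at the point where the value is written into HTML, not where it is read, because the same term may also be logged or passed to a search backend where HTML entities would be wrong.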
But here's my favorite one — Harvard. Yes, arguably the world's finest university is vulnerable. And my trivial script found it by iterating over all .edu TLD domains. Here it is:
That's a sweet PR9 domain for the black hatters out there. I know less about the hacking implications, but I suspect there may be something there as well. Ha.ckers.org is a great place to look for information regarding XSS vectors. Here is a link to his XSS cheat sheet.
Note: Many other schools were far, far worse, I might add.
Granted, I had the convenience of being able to walk the entire .edu space with a script that probes for such vulnerabilities. And I won't release it to the general public — I don't want script kiddies hacking sites with the script. My interests are purely academic.
But I do believe we have a problem looming in the background.
You can also access the same script interactively here:
Try out chandra.harvard.edu