Ridding the Web of the XSS Scourge
Oct 19, 2009 6:00 AM PT
Cross-site scripting (XSS)/SQL injection attacks have been blamed for numerous data breaches, perhaps most notably the nightmare of the Heartland Payment Systems data breach. This type of attack has been around for at least a decade.
However, the growing popularity of Web 2.0 applications and the tendency for programmers to continue with old, insecure code writing techniques make XSS one of the most deadly methods for hackers.
Cross-site scripting (XSS)/SQL injection attacks are all about tricking ordinary people into visiting a compromised site, where malicious code runs on their computers. The possibilities for hackers are endless.
Solutions for blocking XSS/SQL injection attacks exist. However, the software industry seems sluggish in adopting more secure code-writing practices.
"This wouldn't be such an issue if software developers did a better job of securing their code. About 66 percent of all Web sites are infected with XSS code. There is no real industry push to solve this problem," Michael Sutton, vice president of security research at Web security firm Zscaler, told TechNewsWorld.
How It Works
Cross-site scripting/SQL injection attacks are one of the easiest methods for hackers to use -- in fact, it's almost stupidly simple, according to Manoj Apte, vice president at Zscaler. It requires very little expertise, and it's easy to find vulnerable Web sites. Because it is so easy, he said, XSS is creating a whole new generation of script kiddies.
"A hacker inputs a malicious script into a Web site. Then innocent visitors to that Web site click on that script to start the exploit," Mandeep Khera, chief marketing officer for Web security firm Cenzic, told TechNewsWorld.
Of course, the malicious code is embedded in legitimate links or graphics on the Web site. The site's operator is not aware the site is compromised.
"Cross-site scripting is the No. 1 threat on the Internet. As many as 80 to 90 percent of all Web sites have the infection," said Khera.
The aim of XSS malicious code is not much different than any other software exploit. Hackers want your information. It's another means to ID theft.
"Attackers are mostly trying to steal peoples' cookie sessions for access to legitimate Web sites," Sutton said. "Today's XSS vulnerabilities enable the next generation of Web-based worms."
Once hackers have a real cookie session, they have that user's ID. These cookie sessions can provide access to commercial Web sites, bank accounts, social networking accounts, and more.
Browser add-ons such as NoScript offer end users an elementary but effective method for limiting exposure to XSS attacks. The problem, however, is that many users cannot be bothered to use it.
This is detrimental to user experience, so people don't want to use it, he noted.
See No Evil
The XSS problem is growing out of control mostly because software vendors and security experts do not talk to each other, according to Danny Allan, director of security research for IBM Rational.
His company investigates software vulnerabilities. Over the last two and a half years, more than half of all vulnerabilities involved Web-based malicious code, he said.
"Our hosting operations revealed as many as 200 million XSS infections in the first half of this year," said Allan.
Lack of training is a major reason for the rapid growth of XSS infections, noted Khera.
"Programmers are not trained for secure coding. Many of them are not aware of the issue," he said.
Why do bad guys rob banks? Simple: That's where the money is. That same reasoning explains why hackers flock to XSS attack methods.
Even wanna-be hackers can easily find Web sites that detail over 100 ways to create XSS exploits, according to Allan. As a result, the XSS problem will get a lot worse before it starts to get better, he concluded.
"We're dealing with two different problems. One is XSS attacks against servers. The other is XSS attacks against end users," Allan explained.
To fix what is broken, software developers have to focus on security from the ground up. However, that applies to new projects, which take time; programmers also need to go back and plug existing security holes.
"This is such a prevalent problem that programmers have to go back to fix all their old code," said Khera.
Fixing old code is easier said than done. Cenzic researchers often find hundreds of vulnerabilities when they test Web sites.
"Programmers can't fix them all. So they must start to prioritize, starting with making XSS vulnerabilities a priority. It is really a race against time. It's not a matter of if but when. End users will get attacked. It is really very bleak," warned Khera.
Some New Thinking
Despite Khera's stark views, Allan sees some glimmer of hope that attitudes within the software industry are starting to change.
A cultural change in code writers' mindsets is slowly taking place. Some programmers are beginning to realize that they have to change the old ways of building software, he said.
"Some organizations are now saying let's stop being reactive. There is a new awareness for proactiveness. The old paradigm is changing," Allan said. "Still, it takes time for people to change the way they build software. We need more of an engineering approach in building software."
Web security firms have the tools to find XSS exploits; it's just that they often cannot remove them.
Some Web browsers and plug-ins provide help in letting end users know of potential cross-site scripting threats. That's one big improvement in Microsoft's Internet Explorer 8 and the NoScript add-on available in the open source Web browser Firefox, according to Sutton.
The key to solving the XSS vulnerability issues rests with IT staff at enterprises, said Sutton. All that most companies do for security is provide workers with desktop antivirus programs and URL filtering via the corporate network.
"Neither one protects from XSS vulnerabilities. It comes down to security people at companies being proactive. They need to inspect the content," Sutton said.
The Web 2.0 world in which we live is only going to exacerbate the issue of XSS, according to Tyler.
"If we take a look at the last month of Facebook bugs, over 9,700 Facebook applications were found to be vulnerable. This is because Facebook has created an API that allows third parties to offer applications on the site. These applications are what makes Facebook so popular, and they are what makes the end user so vulnerable," said Tyler.
Tyler is not sure whether the software industry will ever solve the XSS issue. Ideas are floating around to alleviate the problem, but none of them are perfect, he concluded.
"And until that perfect solution exists, we're stuck with a user base that would rather accept the risk -- that is, until they find their credit card has been used halfway around the world, and they can't understand how it happened to them," said Tyler.
Some Hope Exists
Several countermeasures exist to deal with cross-site scripting attacks, according to Symantec's Zulfikar Ramzan, technical director for Symantec Security Technology and Response. For instance, Web sites can apply input validation to ensure that the query string (the part of the URL that follows the path of the file being accessed) contains only legitimate data, as opposed to code.
"There are also tools that look for common mistakes made by Web designers, which can sometimes cause sites to be vulnerable to cross-site scripting attacks," Ramzan told TechNewsWorld.
Despite these solutions, the reality is that these attacks continue to occur -- sometimes on the Web sites of very highly regarded financial institutions. In fact, the attackers themselves have automated tools to find vulnerable sites, he added.
The proper way to defend against this attack is to sanitize user input before it ends up back on an end user's browser. Simply encoding the potentially dangerous scripting tags so that they do not get executed as code on the browser goes a long way, according to Rob Cheyne, CEO of Safelight Security Advisors.
"When I teach application security classes to developers, I always poll the audience to find out their level of understanding of a particular attack. From what I have seen, many developers have heard of the common attacks such as SQL injection and cross-site scripting, but most have not actually seen the attacks fully exploited," Cheyne told TechNewsWorld.
Therein lies the problem. Until people see the repercussions, they are not as inclined to go back into their code and clean up the issues. This leads to the state that we are in today, he said.
Since people fail to take the issue seriously, even at some of the large financial services firms, his researchers occasionally see applications that are riddled with cross-site scripting errors -- and these are the folks who are on the bleeding edge of security, said Cheyne.