Full Disclosure mailing list archives
British Sky Broadcasting Corporation - Web App vulnerabilities (XSS)
From: "Nicholas Lemonias." <lem.nikolas () googlemail com>
Date: Tue, 25 Feb 2014 17:46:40 +0000
Advanced Information Security Corporation

Published Report: 25/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / DOM-based cross-site scripting attack.
Author: Nicholas Lemonias. (Information Security Expert)

Affected Domain
================
Domain: www.Sky.com <http://www.sky.com/>

Vendor Overview
=========================
British Sky Broadcasting Group plc. (commonly known as BSkyB; trading as Sky) is a satellite broadcasting, broadband and telephone services company headquartered in London, with operations in the United Kingdom (UK) and Ireland. Formed in 1990 by the equal merger of Sky Television and British Satellite Broadcasting, BSkyB is the largest pay-TV broadcaster in the UK and Ireland with over 10 million subscribers. BSkyB is listed on the London Stock Exchange and is a constituent of the FTSE 100 Index. It had a market capitalization of approximately £14.32 billion (US$23 billion) as of 30 September 2013 on the London Stock Exchange. 21st Century Fox owns a 39.14 per cent controlling stake in the company.

Description of the security realization
==============================
Visitors and users of BSkyB are directly impacted. This problem results in the reproduction and execution of third-party heterogeneous code which defies user-level trust, thus affecting user and product confidentiality, integrity and availability of information (CIA), as per best security practice and standards in accordance with ISO 27001 and BS 7799.

Proof-Of-Concept 1
==================
URL: http://www.sky.com/ireland/error/invalidbasket/index.html?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b

Responsible Disclosure Timeline
==========================
[+] 31st of January, 2013 - Contacted Vendor concerning the security realisation.
[+] 3rd of February, 2013 - Contacted Vendor a second time. Vendor has not replied.
[+] 10th of February, 2013 - Contacted Vendor a 3rd time. (No Feedback.)
[+] 25th of February, 2013 - Public Disclosure.

Remediation / Consultation
=========================
The recommendation made to The British Sky Broadcasting Corporation is therefore to consider encrypting the view state of the application, and furthermore to implement stronger Cross-Site Scripting protection. XSS filtering is apparently not properly applied, and meta-character filtering allows data input over the HTTP protocol to inject third-party untrusted code in JavaScript, ActiveX and Visual Basic Script.

Please note that malicious users could take advantage of such instances, as we have seen in malware and virus propagation cases, with impact on systems of political importance, citing the examples of Stuxnet and Duqu.

My consultation to British Sky Broadcasting is therefore to deploy an immediate Security Risk assessment and thus to enumerate and revisit upper-level security policies in accordance with ISO 27001 and ISO 27002. Please also review your ISMS and implement adequate security metrics. Please also further check the SDLC of the vulnerable application and subsidiary pages.

Cross-Site Scripting attacks are present when a website allows the injection of malicious data from a malicious user. The injected data is often delivered in the form of a hyperlink. The affected hyperlink is often disseminated through email, social networking websites, forums or other online sources.

A malicious adversary could take advantage of this vulnerability for the mass exploitation of unsuspecting users through malware and virus propagation. The malicious user can use defects in the encoding methods so that the malicious payload goes undetected.

Appendices
============================
A. Consider the filtering of meta characters.
B. Use server-side encoding of < and > to &lt; and &gt; in application output.
C. An XSS attack could embrace mass user and product attacks, phishing and theft of confidential information such as credit cards, passwords, and stored accounts. Furthermore, the use and exploitation of XSS bugs have been present in malware and worms such as Stuxnet and Duqu.
D. Filter < and > and use appropriate encoding, where ( and ) are also filtered and encoded to &#40; and &#41;. Example: # and & should be converted to &#35; (#) and &amp; (&).

References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011.
OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/ff649310.aspx.
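The proof of concept above passes a javascript: URL through the rp redirect parameter, and the appendices recommend filtering and encoding the meta characters < > ( ) # and &. The following is an added example, not code from the advisory or from Sky, showing how a page script can validate such a parameter on the client side (allowing only same-origin relative paths, so any scheme-bearing value including javascript: is rejected) and how the numeric-entity encoding of Appendix D can be applied to anything reflected into the page. The origin value, the function names and the sample query string are assumptions chosen for illustration; the query string is constructed from the proof-of-concept URL.

```javascript
// Added example (not the advisory's or the vendor's code). Assumption: a page
// reads the "rp" query parameter and navigates to it; the defence is to accept
// only a relative path on the site's own origin and to encode reflected text.

// Site origin used to resolve relative paths (assumed value for the example).
const SITE_ORIGIN = 'https://www.sky.com';

// Return true only for a plain relative path on SITE_ORIGIN.
// Absolute URLs, "javascript:" and other schemes, and protocol-relative
// "//host" values all fail this check.
function isSafeRedirect(rp, origin = SITE_ORIGIN) {
  if (typeof rp !== 'string' || rp.length === 0) return false;
  // Must be a path: rejects "javascript:...", "https://...", "//host", "/\host".
  if (!rp.startsWith('/') || rp.startsWith('//') || rp.startsWith('/\\')) return false;
  let parsed;
  try {
    parsed = new URL(rp, origin); // WHATWG parsing strips tabs/newlines, so
  } catch (e) {                   // "/\t/host" also resolves to a foreign origin
    return false;
  }
  // Final authority is the parsed result, not the raw string.
  return parsed.origin === origin &&
    (parsed.protocol === 'https:' || parsed.protocol === 'http:');
}

// Resolve the redirect target from a query string; fall back to "/" when
// the parameter is missing or unsafe instead of navigating to it.
function resolveRedirect(search, origin = SITE_ORIGIN) {
  const rp = new URLSearchParams(search).get('rp');
  return isSafeRedirect(rp, origin) ? rp : '/';
}

// Encode the meta characters named in Appendix D (and quotes) as numeric
// HTML entities so reflected text cannot break out of its context.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'()#\/]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Constructed sample input, taken from the proof-of-concept query string.
const POC_QUERY = '?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b';

// Usage: resolveRedirect(POC_QUERY) returns "/" because the decoded value
// "javascript:prompt(907029);" is not a same-origin path.
console.log('redirect target:', resolveRedirect(POC_QUERY));
console.log('encoded:', encodeForHtml('<a href="/x">(1)</a>'));
```

The check deliberately validates the parsed URL rather than only the raw string: a blocklist on the word "javascript" is exactly the kind of filter the advisory says can be defeated through encoding defects, whereas an allowlist of same-origin paths does not depend on recognising every hostile scheme.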
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/