[ISN] Top Security Sites Easy Prey To Script Attacks - Update

From: InfoSec News (isnat_private)
Date: Thu Jan 31 2002 - 02:23:48 PST


    By Brian McWilliams, Newsbytes
    30 Jan 2002, 7:29 PM CST

    Web sites operated by several leading Internet security organizations
    are vulnerable to an old but serious security flaw known as the
    cross-site scripting (CSS) attack.

    A cursory survey today revealed that the corporate home pages of
    security software vendors including Network Associates, Kaspersky Lab,
    Trend Micro, SonicWall, and Command Software, were all susceptible to
    CSS attacks.

    Nearly two years ago, the Computer Emergency Response Team (CERT)
    warned Web developers to prevent their sites from being abused through
    CSS attacks. According to CERT, the presence of CSS vulnerabilities
    can be exploited by malicious third parties to perform an array of
    attacks on site users, including theft of passwords, credit card
    numbers, browser cookies, and other private data.

    Also vulnerable to CSS attacks is the Web home of Internet Security
    Systems (ISS). Eeye Digital Security and SecurityFocus.com recently
    repaired a CSS flaw at their Web sites. The CSS bugs at all three
    sites were identified Tuesday in a posting by a participant nicknamed
    "Phinegeek" on Vuln-Dev, a security mailing list operated by

    The failure of many major Web sites to fix their CSS vulnerabilities
    prompted the Computer Emergency Response Team last week to warn
    Internet users that self-defense may be their only protection against
    privacy- and security-stealing CSS attacks.

    Besides high-profile security sites, instances of CSS vulnerabilities
    have recently been reported at top e-commerce and portal sites,
    including AOL, Citibank, Microsoft, Yahoo, EBay, MSN, Excite, and

    In his search for security sites with CSS holes, Phinegeek also found
    that the Web site operated by the U.S. Social Security Administration
    is vulnerable to CSS exploits.

    CSS attacks are commonly launched by tricking users into clicking on a
    specially crafted link in an e-mail message or on a third-party site.
    The Web page that appears in the victim's browser may appear to be
    coming from the trusted site, but code injected into the page by the
    attacker could perform malicious acts.

    Security experts classify CSS vulnerabilities as "user input
    validation" flaws and advise sites to properly filter commands issued
    by visitors so that intruders are unable to cause the site to send a
    page containing the attacker's malicious code to a victim's browser.

    Sites vulnerable to CSS attacks can be easily identified by submitting
    a short string of code containing JavaScript commands to the site's
    search engine.

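The filtering the experts recommend, and the "submit a probe and see if it comes back" test, shown as an added example that is not code from the article or from any site it names: a toy search-results page that echoes the query raw beside one that HTML-encodes it, with the check written from the site owner's side. The page layout, PROBE and the function names are constructed.

```python
"""Reflected cross-site scripting ("CSS" in the article) in a search page.

Added example, not from the article or any site it names. The page layout,
the probe query and all function names are constructed for illustration.
"""
from html import escape

# Constructed probe: a query carrying a quote and a script tag, the kind of
# "short string of code containing JavaScript" the article says exposes the flaw.
PROBE = 'Trend "Micro" <script>alert(1)</script>'


def render_results_vulnerable(query: str) -> str:
    """Echo the visitor's query into the page unchanged: the flaw."""
    return (
        "<html><body>"
        f'<form action="/search"><input name="q" value="{query}"></form>'
        f"<h2>Results for: {query}</h2>"
        "</body></html>"
    )


def encode_for_html(value: str) -> str:
    """Turn & < > " ' into entities so the value is text, never markup.

    quote=True matters: the query also lands inside value="...", and a raw
    quote there would end the attribute even with < and > encoded.
    """
    return escape(value, quote=True)


def render_results_safe(query: str) -> str:
    """Same page, with the query encoded at every point it is inserted."""
    q = encode_for_html(query)
    return (
        "<html><body>"
        f'<form action="/search"><input name="q" value="{q}"></form>'
        f"<h2>Results for: {q}</h2>"
        "</body></html>"
    )


def reflects_unencoded(page: str, probe: str) -> bool:
    """The article's test, run by the site owner against its own output:
    True if the probe came back verbatim, i.e. as live markup."""
    return probe in page
```

Render PROBE through both functions and pass each page to reflects_unencoded: the raw echo returns True, the encoded page returns False, and in the encoded page the script tag and the quotes survive only as entities.
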
    ScreamingCSS, a free scanner that spiders the pages of a site
    searching for CSS vulnerabilities, was released earlier this month by
    David De Vitry, a security consultant who has crusaded to get big
    sites to repair their CSS holes.

    Recently Citibank closed a CSS vulnerability identified by De Vitry at
    the bank's C2IT.com Internet payment site that enabled attackers to
    grab users' credit card and bank account information.

    Since sites appear oblivious to the CSS threats against their users,
    Microsoft should re-design its Internet Explorer Web browser to
    prevent JavaScript code from accessing browser cookie files, according
    to Richard M. Smith, an independent security and privacy expert.
    "The simple change would prevent hackers from doing account hijacks,
    one of the main dangers of cross-site scripting," wrote Smith in a
    list of security recommendations to Microsoft Chairman Bill Gates
    earlier this month.

    Phinegeek's posting to Vuln-Dev is at
    CERT's 2000 advisory on CSS attacks is at
    De Vitry's Web site is at http://www.devitry.com/holes.html
    Smith's letter to Gates is at