Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI DIY - Cross-Site Scripting

May 11th, 2007 by chitchcock Posted in Approved Scanning Vendor, PCI DIY, PCI DSS

xss.jpgYou’re vulnerable.

Really? Don’t hold back or anything. How can you be so sure?

Because your ASV said so, and if your ASV says so, there’s a 99.999% chance that they’re right. Pretty-much everyone is vulnerable to XSS in one way or another.

Well how do they even test for it?

If they’re a “network” security ASV, then they’re probably just doing a generic “pop-up” test and simply looking at the resulting HTML page for their input to be spit back without being escaped. Not very elegant, but it works. If they’re an “application” security ASV, then their testing is likely a bit more complicated.

Then why can’t I get it to work with my browser? I don’t see a pop-up.

First of all, an attacker isn’t going to make anything pop-up on your screen. A test like that is only used as a proof-of-concept by your ASV. Second, not all browsers are vulnerable. The point of fixing XSS is to protect the end-user. Relying on the end-user to use a non-vulnerable browser is essentially making it incumbent upon them to provide for their own security. While that’s all well-and-good, it’s a bit idealistic. Web-browsers are embedded in all sorts of applications; you can’t just assume that everyone is using the latest version of IE or Firefox.

OK, but XSS isn’t really that important. So a hacker can steal cookies…big deal.

Not so grasshopper. Payloads delivered by XSS are becoming increasingly more malicious: Keylogging…worms…remote control…etc. There are plenty of tools available to demonstrate this.

Got it. So assuming that I wanted to fix it, can my ASV help out a little and tell me how?

Yes and no. They can’t tell you the exact details on how to fix it, because they probably don’t have intimate knowledge of your web-application. As you’re well aware, web-applications can be particularly complex; the XSS vulnerability can be within the web-server, the application server, cgi scripts, the database, etc… All your ASV knows is that they send a particular request to your application and get a response indicating that you’re vulnerable.

So where else can I go to get information on how to fix it?

OWASP is a good place to start; you can also read the upcoming and guru-authored XSS book; or you can even ask a real person. It really just boils down to input validation. Every point within your application that accepts user input — either directly or indirectly — should have mechanisms that filter all input except for that which your application requires. But don’t worry…implementing XSS filters isn’t nearly as difficult as determining where the filters should be implemented. :)

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

  1. One Response to “PCI DIY - Cross-Site Scripting”

  2. By DAG on May 12, 2007

    XSS has an interesting history. It was not just another instance of a known class of vulnerability. It was an entire new class by itself.

    When it was first discovered and published, the world seemed to ignore it for almost two years! Most of the early XSS vulnerabilities were found in things like web server 404 pages. Not applications. There were maybe one or two exceptions to this and they got very little play.

    Then there was a rash of public XSS outings. All custom web applications. Some government, some banking. Things like transfering money between two bank accounts. It’s one thing to get hit by a DoS or a virus. Quite another when your major business application gets hosed.

    In one case that I was involved in investigating, a major online application for registering sensitive information had been in development for over a year. A security problem was found and fix. We were a second set of eyes and found an XSS problem. This happened after the rash of public outings. The developer, a large software integration company, was clueless. Less than two days after we found the problem they “fixed” it. Their fix was in the web page javascript itself and took only a few minutes to bypass. A proper fix took quite a while longer. They were offline for a several months.

    It was clear that we could have done quite a lot. Not only their application but their support systems as well. Information theft, malware injection, session hijacking. One need only look at the long list of serious browser and office bugs in the last few years to connect the dots.

    The customer, wisely, saw the potential for harm and spent their efforts fixing the problem rather than trying to demonstrate each nasty case.

Sorry, comments for this entry are closed at this time.