January 30, 2002

By Brian McWilliams, Newsbytes


Web sites operated by several leading Internet security organizations are vulnerable to a well-known but serious class of security flaw, cross-site scripting (abbreviated CSS at the time of this article, and XSS today to avoid confusion with Cascading Style Sheets).

A cursory survey today revealed that the corporate home pages of security software vendors including Network Associates, Kaspersky Lab, Trend Micro, SonicWall, and Command Software were all susceptible to CSS attacks.

Nearly two years ago, the Computer Emergency Response Team (CERT) warned Web developers to prevent their sites from being abused through CSS attacks. According to CERT, the presence of CSS vulnerabilities can be exploited by malicious third parties to perform an array of attacks on site users, including theft of passwords, credit card numbers, browser cookies, and other private data.

Also vulnerable to CSS attacks is the Web home of Internet Security Systems (ISS). Eeye Digital Security and SecurityFocus.com recently repaired a CSS flaw at their Web sites. The CSS bugs at all three sites were identified Tuesday in a posting by a participant nicknamed "Phinegeek" on Vuln-Dev, a security mailing list operated by SecurityFocus.

The failure of many major Web sites to fix their CSS vulnerabilities prompted the Computer Emergency Response Team last week to warn Internet users that self-defense may be their only protection against CSS attacks that steal private data and hijack accounts.

Besides high-profile security sites, instances of CSS vulnerabilities have recently been reported at top e-commerce and portal sites, including AOL, Citibank, Microsoft, Yahoo, EBay, MSN, Excite, and Lycos.

In his search for security sites with CSS holes, Phinegeek also found that the Web site operated by the U.S. Social Security Administration is vulnerable to CSS exploits.

CSS attacks are commonly launched by tricking users into clicking on a specially crafted link in an e-mail message or on a third-party site. The attacker's script travels in the link's query string and is echoed back by the target site's own page.

The Web page that loads in the victim's browser really is served by the trusted site, so the browser treats it with that site's privileges, but the code injected into it by the attacker runs with those same privileges and can perform malicious acts, such as reading the site's cookies.

Security experts classify CSS vulnerabilities as "user input validation" flaws and advise sites to validate visitor-supplied input and, more importantly, to HTML-encode it before echoing it into a page, so that intruders are unable to cause the site to send a page containing the attacker's malicious code to a victim's browser. Merely stripping the string "<script>" from input is not enough, since script can also be injected through event-handler attributes, "javascript:" URLs, and broken-out tags.

Sites vulnerable to CSS attacks can be easily identified by submitting a short string of code containing JavaScript commands to the site's search engine and checking whether the results page echoes the string back unencoded.
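The reflected-input pattern described in the three preceding paragraphs (the crafted link, the page that echoes the query, the encoding fix, and the "short string of JavaScript" check) can be shown in a few lines of JavaScript. This is an added example, not code from the article or from any of the sites it names; the site address, the "q" parameter name, the page layout and the probe string are assumptions made for illustration.

```javascript
// Added example (not from the article). A minimal "search results" page
// that reflects the query: first the vulnerable pattern the article
// describes, then the same page with output encoding. The site name,
// parameter name "q" and probe string are assumptions for illustration.

// Encode the five characters that can break out of an HTML text node or
// a double-quoted attribute. Encoding on output is the fix; trying to
// strip "<script>" from input is not, because event handlers,
// javascript: URLs and broken-out tags also carry script.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the query is concatenated straight into the markup,
// once in a text node and once inside a quoted attribute.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1>` +
         `<form><input name="q" value="${query}"></form></body></html>`;
}

// Hardened version: every point where the query is reflected is encoded.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<html><body><h1>Results for ${q}</h1>` +
         `<form><input name="q" value="${q}"></form></body></html>`;
}

// The crafted link an attacker would put in an e-mail or on a third-party
// site: the payload rides in the query string and is reflected by the
// trusted site's own page, so it runs with that site's privileges.
function craftLink(siteBase, payload) {
  return `${siteBase}/search?q=${encodeURIComponent(payload)}`;
}

// The "short string of code" test from the article. The leading '">'
// closes the attribute the vulnerable page puts the query into, so the
// probe fires from either reflection point if it comes back unencoded.
const PROBE = '"><script>alert(document.cookie)</script>';

// True when the page echoes the probe verbatim, i.e. unencoded.
function reflectsUnencoded(pageHtml, probe = PROBE) {
  return pageHtml.includes(probe);
}

// Stand-alone demonstration against the two page versions.
const link = craftLink("http://vendor.example", PROBE);
console.log("crafted link:", link);
console.log("vulnerable page reflects probe:",
            reflectsUnencoded(renderSearchVulnerable(PROBE)));
console.log("hardened page reflects probe:",
            reflectsUnencoded(renderSearchSafe(PROBE)));
```

The check is deliberately a plain substring match: a scanner such as the one described later in the article only needs to know whether its marker came back intact, not whether a browser would execute it, because any unencoded reflection is a reflection the attacker can shape into working script.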

ScreamingCSS, a free scanner that spiders the pages of a site searching for CSS vulnerabilities, was released earlier this month by David De Vitry, a security consultant who has crusaded to get big sites to repair their CSS holes.

Recently Citibank closed a CSS vulnerability identified by De Vitry at the bank's C2IT.com Internet payment site that enabled attackers to grab users' credit card and bank account information.

Since sites appear oblivious to the CSS threats against their users, Microsoft should re-design its Internet Explorer Web browser to prevent JavaScript code from accessing browser cookie files, according to Richard M. Smith, an independent security and privacy expert. (Microsoft later shipped a partial form of this as the "HttpOnly" cookie attribute, which hides a flagged cookie from script but leaves the underlying injection in place.)

"The simple change would prevent hackers from doing account hijacks, one of the main dangers of cross-site scripting," wrote Smith in a list of security recommendations to Microsoft Chairman Bill Gates earlier this month.

Phinegeek's posting to Vuln-Dev is at http://www.securityfocus.com/archive/82/252894

CERT's 2000 advisory on CSS attacks is at http://www.cert.org/advisories/CA-2000-02.html

De Vitry's Web site is at http://www.devitry.com/holes.html

Smith's letter to Gates is at http://www.computerbytesman.com/security/bill1.htm
