“SQL and XSS vulnerabilities will be the fastest growing threat of 2012,” Outpost24 predicted to Infosecurity, “a trend continuing from the raft of data breaches seen in 2011. This is down to the relative ease with which hackers can scan for such flaws in the coding of websites and exploit them. SQL and XSS attacks are simple and devastatingly effective.”
The prediction is well-founded. In just this last week, a small sub-set of discovered XSS flaws includes 10 top US universities (by Zer0Lulz and TeamHav0k, with proof of concept posted in Pastebin), in Skype (by independent security researcher Ucha Gobejishvili), in NASA, Sega, Verizon, Cisco, and Discovery sites (by TeamHav0k), in ESET (by security researcher Fabián Cuchietti), in LiveJournal (posted here), in Harvard (Fabián Cuchietti) and Yale (Matias Vicente), and in Bill Gates’ official website (Fabián Cuchietti).
Today we have news reported in Softpedia of a further 25 flaws in UK online retail shops, where “the worrying thing is that all of the sites bear Verisign Trusted, Internet Shopping is Safe, Internet Delivery is Safe, Verified by Visa, and MasterCard SecureCode logos.” ASDA Direct is a 26th store – but at least “it doesn’t display any logos that guarantee shopper safety.”
Freedom, who found the flaws, told Softpedia, “It is just another example of how they are leading the users into a false sense of security.” He adds that it’s the same piece of flawed code re-used by the different sites, even though it is, well, “pants.”
“Cross-site scripting security vulnerabilities,” says John Stock, senior security consultant at Outpost24, “are like an open door to attackers, as they are able to easily inject script and access control of the site in question. For retailers, this is especially risky given the personal and financial customer data that could be compromised. It’s essential that retailers take the protection of their web-applications seriously, as these vulnerabilities are easily identifiable by hackers, and the result can be extremely damaging.”
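To make the “open door” concrete: the reflected-XSS pattern behind the retail-site findings is a page that echoes a user-supplied value (a search term, say) straight into its HTML, so a crafted value becomes script that runs in other shoppers’ browsers. The snippet below is an added example, not code from the article, Outpost24 or any of the named sites; the function names, the search-page markup and the sample query are constructed. It shows the vulnerable rendering beside the fix (encoding the value for the HTML-text context it lands in) and a small check a reviewer can run over rendered output.

```javascript
// Added example (not from the article): a search page that reflects the
// user's query, first unencoded (vulnerable) and then HTML-encoded (fixed).

// Encode the five characters that can change meaning inside HTML text or a
// quoted attribute. Output encoding for the right context is the core fix.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted input concatenated directly into markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Fixed: the same page, with the query encoded before insertion.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Reviewer check: does the untrusted value appear in the output unchanged
// while containing a tag opener? If so, the page is reflecting it live.
function reflectsLiveMarkup(html, untrusted) {
  return html.includes(untrusted) && /<\s*\/?\s*[a-z]/i.test(untrusted);
}

// Constructed sample: the classic harmless proof-of-concept query.
const SAMPLE_QUERY = '<script>alert(1)</script>';

// Stand-alone demonstration.
function demo() {
  const vulnerable = renderSearchVulnerable(SAMPLE_QUERY);
  const safe = renderSearchSafe(SAMPLE_QUERY);
  return {
    vulnerableReflects: reflectsLiveMarkup(vulnerable, SAMPLE_QUERY), // true
    safeReflects: reflectsLiveMarkup(safe, SAMPLE_QUERY),             // false
    safeHtml: safe,
  };
}

console.log(demo());
```

The same pattern applies to every place the flawed, re-used code writes a request value into a page: the fix is not to filter “bad” input but to encode every untrusted value for the exact context (HTML text, attribute, URL, or JavaScript) in which it is emitted.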
RandomStorm was today acknowledged by eBay for finding and reporting another XSS vulnerability. During his bug-testing on the site, Avram Marius Gabriel found “scripting issues that could have allowed an XSS attack, redirect, HTML injection or Local File Inclusion.”