Pentagon site still at risk

The hacker, whose handle is NeOh, has posted a proof of concept attack on his blog, demonstrating input validation errors relating to URL parameter handling in the ‘tour images’ section of the Pentagon site.

While the Pentagon website itself seems to be used mainly for publicity purposes and does not appear to host any sensitive data, if not patched, it could enable attackers to launch a non-persistent cross-site scripting (XSS) attack.

Daniel Kennedy, a partner with security services provider the Praetorian Security Group, said in his blog that the session ID appears to be a JSESSIONID Java tracking cookie, which means that Javascript could be used to write a URL to redirect the user to a third party site that looks like the Pentagon’s.

Another possible means of attack could come from an iFrame inclusion vulnerability. Kennedy explained how this would work: “An iFrame is an element in an HTML page that is loaded and refreshed as a separate page, but loads under the original page. In this example, an attacker can load content from outside the Pentagon website, but serve it to the user as part of the Pentagon website (malicious software and so forth) in a provided URL.”

Kennedy added that, although the security vulnerabilities were not overly serious, the Pentagon had a “reputation interest in appearing to be highly competent in security their infrastructure” and should, therefore, fix them.

The Pentagon website is run by the Office of the Assistant Secretary of Defence for Public Affairs, which has been warned about the existence of the XSS vulnerability by at least two other researchers over the last few months.

NeOh, meanwhile, has in the past identified SQL injections at two MTV websites, one in India and the other in the Philippines, and XSS vulnerabilities on TinaTurnerlive.com and Logitech.com.

What’s hot on Infosecurity Magazine?