Friday, December 22, 2006

Why don't people take XSS seriously?

Recently RSnake wrote an article on the seriousness of XSS, because a lot of people are asking him what the worst thing is that XSS can do. He goes on about how it can be used to mount sophisticated cross-domain attacks, but he doesn't touch much on the underlying problem: why are people asking this question at all?

In my experience people don't see XSS as a problem. That is because the people who should care about it are system administrators and/or programmers. They're the same people who think Linux is safe because each user can only fuck up his own files. And this is the fundamental problem! Sure, a user can only fuck up his own files, but those are the only files that matter to the user. The user couldn't care less if the system's emacs binary becomes crippled, because everything in the system is easy to replace, but the user's files are not.

It's the same with XSS versus SQL injection. SQL injection is seen as a serious problem since you can attack the system. But you don't need to attack the system; attacking the client is enough. Let's say I want to hack a bank because I'm short of money. Of course, if I could do SQL injection (let's say this bank uses a MySQL database ;) ) I could change some of the amounts and end up with a lot more money.

However, I don't really need 5 million euros and I'll settle for a few thousand. If I can just hack one account and make one user do a deposit to my account, wouldn't that be enough? Similarly, if I'm a student and I want to change my grades, I only need to hack the teacher's account. And these are typically the kind of attacks most easily done by XSS. You only need to find one XSS hole somewhere on the site and then social engineer someone into clicking a link (which doesn't even have to point to the site itself, but can be a redirect), or, if you're lucky, you can even use persistent XSS and wait for the victim to come to you. And almost all sites I know of are full of XSS, while fewer and fewer have SQL injection leaks.

So what can you do with XSS? Anything the person you are hacking can do.
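The persistent-XSS case described above, as an added example that is not part of the original post: a comment widget that echoes a stored user value into HTML, shown both without and with output encoding, plus the session cookie flags that keep a stolen script from reading the session ID. The function names and the sample comment are assumptions constructed for this illustration.

```javascript
// Added example, not code from the original post. All names are illustrative.

// Map each HTML metacharacter to its entity so user text renders as text,
// never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the stored comment is concatenated straight into markup, so a
// comment containing a <script> tag runs in every visitor's browser with
// that visitor's privileges on the site (the "anything the victim can do").
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: every untrusted value is encoded for the HTML text context it
// lands in. The tag is still visible on the page, but only as literal text.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Second layer: a session cookie marked HttpOnly is not exposed through
// document.cookie even if some injection slips past the encoding, and
// Secure keeps it off plaintext connections. (Value is a placeholder.)
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly`;
}

// Crude check: does the rendered fragment still contain a live script tag?
// (A real test would load the fragment in a DOM parser or a browser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a "comment" that is really a script payload.
const constructedComment = '<script>alert(1)</script>';

console.log(renderCommentUnsafe('guest', constructedComment)); // live tag
console.log(renderCommentSafe('guest', constructedComment));   // inert text
console.log(sessionCookieHeader('CONSTRUCTED-SESSION-ID'));
```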


ntp said...

It's not a problem! Just turn Javascript off in your browser! DUH!!!

In reality, people think that XSS can only be used to falsify the URL field of the browser and that it's easy to spot such activity. Most think it's restricted to email or links you have to click on in a forum. Most people think they can identify "incorrect URLs" to avoid XSS (I'm not sure how they get this idea).

If you tell them it can steal cookies, they don't understand that either. They think stealing cookies means that somebody is taking a peek at what is in their shopping cart. They think cookies are pieces of code that track your location and what you buy. Nobody knows that cookies contain things like session IDs, and those are encrypted anyway, right?

People still think that anti-virus scanners will protect them from any/all malware. People still think that if they upgrade to the latest version of Internet Explorer, Firefox, or Safari that they are now safe from all past security vulnerabilities. Every time they upgrade, that means that all of the zero-day vulnerabilities are now gone until mean hackers find new zero-day exploits, which takes at least a month or two.

Website owners don't care because they don't see the attacks. I guess this stuff just isn't on the radar yet. Until Sergey's GMail account, Wells Fargo account, and the Google HR database gets hacked in the same afternoon by some 12 year old Romanian kid and published on Slashdot - nobody is going to notice or do anything about it.

Mark IJbema said...

Thanks for your comment. Especially the point about cookies is really one of those things I overlooked since I have been in web development for so long now...