[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

arian.evans arian.evans at anachronic.com
Sat Jun 24 13:13:54 EDT 2006

> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
> Sent: Friday, June 23, 2006 12:54 PM
> To: Web Security

> While Phishing is one possible angle to XSS, new avenues of attack  
> are emerging that are increasingly similar to the general  
> capabilities of today's malware. Threats far more dangerous than we  
> originally anticipated when we began researching XSS years ago. For  
> instance when you visit a website (even a trusted website) the page  
> port scans your network and reconfigures your DSL/Router from the  
> inside. This will be the subject matter of my talk this year at BH  
> "Hacking Intranet Websites from the Outside".

While mostly ignored (as non-viable I think), this attack vector
is real and legit. The "Session Riding" whitepaper mentioned this.
Our little security group first published commercial product vulns
for this around 2002 or 2003. I demonstrated how to do this against
Nokia's "security platform" at BH Amsterdam 05 (the current platform
has implemented output encoding to defeat the "auto-admin" attack
demonstrated but not published). The *exact* same week, a similar
type of attack was discovered in the wild in use against Ebay, used
to artificially make/increment bids.

Most home DSL/cable/Router-thingies that I've looked at have changed
from GETs to POSTs, but some POSTable forms still parse GET anyway
(maintaining trivially high attack surface).

This year we released a homegrown WAF at BH Amsterdam to transparently
block these types of attacks, and were *really* excited about it.
It was poorly received and I think poorly understood, as I mentioned
before, due to presentation deficiencies.

There are some easy ways to fix this stuff, but folks aren't taking
it seriously. Look at Cisco, they have XSS in products today that
they've been notified about for roughly a year, and in code that
is four or five years old, and they don't fix it.

I think the key here is presentations like yours, to raise awareness.

The reality is, you can embed ActiveX controls and *everyone* in
userland will click okay, install the control if your form says
the control is needed, and now you have complete control of
the user's PC, hard drive, etc.

I am seriously a fan of keeping folks off of my PC, but hey,
consumers are voting with their dollars, and COTS vendors
small and large simply *do not care*. Probably due to lack of
perception of there being a real threat.

The low quality of XSS tests in the automation tools sold on
the market today isn't helping either, to be quite frank. I
think some of the vendors know this, but their features are
driven by clients, who do not know this.

The Cisco vulns that Jake Reynolds at FishNet published this
week were interesting, and I used Call Manager as one of my
unnamed sample applications for benchmarking tools for Hacking
Exposed Web Applications v2, because not one automated testing
tool could find the glaring XSS/CSRF issues present in the
CCM product web interfaces.

Before testing the tools, I suspected Cisco of a complete lack
of due diligence. Afterwards, I realized they could have run
a scanner and found nothing, and walked away comfortable, false
sense of security in hand.
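The "POSTable form that still parses GET anyway" point above is the part a developer can fix directly. The following is an added example, not code from the original post or from any router vendor: a hypothetical admin "set password" endpoint written two ways, the weak version that merges query-string and body parameters, and a hardened version that accepts POST only, ignores the query string, pins the request origin to the admin UI, and requires a session-bound CSRF token. The session id, admin origin and signing key are constructed values.

```python
"""Hypothetical router admin endpoint: the 'parses GET anyway' form beside
a hardened one. Added example; not from the original post or any product."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed values: a per-process key for deriving CSRF tokens and the
# origin the router's own admin UI is served from.
TOKEN_KEY = secrets.token_bytes(32)
ADMIN_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    method: str
    url: str                       # path plus query string, e.g. "/admin?..."
    headers: dict = field(default_factory=dict)
    body: str = ""                 # form-encoded body for POST
    session_id: str = ""           # taken from the admin session cookie


def csrf_token(session_id: str) -> str:
    """Bind a token to the admin session so a third-party page cannot know it."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _first(params: dict, key: str) -> str:
    return params.get(key, [""])[0]


def weak_set_password(req: Request) -> tuple:
    """Weak handler: merges query-string and body parameters, so a GET
    issued while the admin session cookie is present is honoured like a POST."""
    params = parse_qs(urlsplit(req.url).query)
    params.update(parse_qs(req.body))
    new_pw = _first(params, "admin_pw")
    if not new_pw:
        return (400, "missing admin_pw")
    return (200, "password changed")


def hardened_set_password(req: Request) -> tuple:
    """Hardened handler: POST only, body parameters only, origin pinned to
    the admin UI, and a session-bound CSRF token compared in constant time."""
    if req.method != "POST":
        return (405, "state change requires POST")
    # Origin (or Referer as a fallback) must be exactly the router's own UI;
    # compare scheme and host rather than a string prefix.
    o = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{o.scheme}://{o.netloc}" != ADMIN_ORIGIN:
        return (403, "cross-origin request refused")
    params = parse_qs(req.body)    # query string deliberately ignored
    token = _first(params, "csrf")
    if not hmac.compare_digest(token, csrf_token(req.session_id)):
        return (403, "bad or missing CSRF token")
    new_pw = _first(params, "admin_pw")
    if not new_pw:
        return (400, "missing admin_pw")
    return (200, "password changed")


def demo() -> dict:
    """Run the same requests through both handlers and collect status codes."""
    sid = "session-constructed-1"
    # Parameters in the query string, as a form that 'parses GET anyway' accepts.
    via_get = Request("GET", "/admin?admin_pw=x", session_id=sid)
    # A well-formed POST from the admin UI carrying the session-bound token.
    via_post = Request("POST", "/admin",
                       headers={"Origin": ADMIN_ORIGIN},
                       body=f"admin_pw=x&csrf={csrf_token(sid)}",
                       session_id=sid)
    # A POST arriving from some other origin without the token.
    foreign_post = Request("POST", "/admin",
                           headers={"Origin": "http://example.invalid"},
                           body="admin_pw=x", session_id=sid)
    return {
        "weak_get": weak_set_password(via_get)[0],
        "hardened_get": hardened_set_password(via_get)[0],
        "hardened_post": hardened_set_password(via_post)[0],
        "hardened_foreign": hardened_set_password(foreign_post)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The origin check alone is not sufficient (older clients omit both headers), which is why the token check is kept as the primary control; the method restriction matters because a plain `<img>` or link can only produce a GET.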

