Thought leadership. threat analysis, news and alerts.
Cross-Site Scripting: Still One of the Biggest Cyber Threats
Cross-site scripting, also known as XSS, is one of the most dangerous software errors that threatens websites and applications, even the likes of Gmail.
Security researcher Michał Bentkowski of Securitum recently discovered a cross-site scripting vulnerability in Gmail’s AMP4Email, also known as “dynamic email”. Launched in July 2019, Gmail’s dynamic email allows users to take action directly from within the message itself, such as RSVP to an event, filling out a questionnaire or browsinga catalog.
Allowing dynamic content in Gmail, Google knows it opens itself to security vulnerabilities such as cross-site scripting – a security vulnerability that allows malicious actors to add malicious code into trusted websites or applications. While Google takes a number of precautionary measures against cross-site scripting, Bentkowski discovered that Gmail’s dynamic email didn’t block the specific code HTML id attribute, thereby opening the email service vulnerable to cross-site scripting.
Bentkowski said he reported the cross-site scripting vulnerability to Google on August 15, 2019. According to Bentkowski, Google replied that “the bug is awesome, thanks for reporting”. Bentkowski added that on October 12, 2019, he received a confirmation from Google that the bug was fixed.
What Is Cross-Site Scripting?
Cross-site scripting vulnerability is so widespread that it’s ranked second in the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors. According to CWE, which is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), ranking for the top most dangerous software errors is based on the data from Common Vulnerabilities and Exposures (CVE) data and data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
The NVD data, in particular, covered the period from the years 2017 and 2018, which consisted of nearly 25,000 CVEs. Based on the NVD count, out of the 25,000 CVEs for the years covered, 3,430 CVEs were cross-site scripting vulnerabilities.
Cross-site scripting is a security vulnerability found in web pages or applications that accept user input. This includes login page, check-out page and, in the case of the Gmail case, Gmail’s AMP4Email or dynamic email.
While users typically place legitimate inputs such as usernames and passwords in login pages, credit card details in check-out pages or RSVP to an event in the case of Gmail’s dynamic email, these fields that accept user input could be exploited by malicious actors, giving them opportunity to insert malicious code into an otherwise trusted website or application.
In the case of Gmail’s dynamic email, there’s no report that malicious actors were able to exploit the said cross-site scripting vulnerability.
Security engineers at Microsoft were the first ones to coin the term cross-site scripting back in December 1999. In December 2009, in commemorating the 10th year anniversary of coining the word, security engineers at Microsoft, in the blog post “Happy 10th birthday Cross-Site Scripting!”, wrote, “Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!”
As shown in the latest ranking in the most dangerous software errors, cross-site scripting appears to be far from dead. Microsoft itself recently patch a cross-site scripting vulnerability on its Microsoft Outlook for Android software. The company said that the cross-site scripting vulnerability allows an attacker to “run scripts in the security context of the current user”.
Cross-site scripting has recently been put back into the headlines by Magecart – the umbrella term given to cybercriminal groups that steal credit card details from unsecured payment forms on websites. Magecart has been linked to the data breach at British Airways and the recent data breach at Macy’s.
Researchers at RiskIQ reported that Magecart breached British Airways baggage claim information page by just inserting 22 lines of code, enabling the attackers to grab personal and financial details entered by customers and sent the data stolen to the server controlled by the attackers. A security researcher, meanwhile, who wishes to remain anonymous, told BleepingComputer that the recent data breach at Macy's website was caused by the alteration of https://www[dot]macys[dot]com/js/min/common/util/ClientSideErrorLog[dot]js script, enabling the attackers to grab data entered by customers in the company’s website, in particular, checkout page and wallet page.
Preventive and Mitigating Measures Against Cross-Site Scripting
Attempts in the past have been made to stop cross-site scripting. One such attempt was XSS Auditor, a feature added to Google Chrome v4 in 2010.
XSS Auditor aims to detect XSS vulnerabilities while the browser is processing the code of websites. It uses a blocklist to identify suspicious code. In July of this year, Google security engineer Thomas Sepez announced the retirement of XSS Auditor.
Google senior security engineer Eduardo Vela Nava first proposed the retirement of XSS Auditor in October 2018. “We haven't found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped,” Nava said. “In the past 3 months, we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.”
As shown in the above examples, cross-site scripting vulnerability is a menace to websites and applications.
This holiday season – the time of the year when online shopping and other transactions are at its peak, it’s important to sanitize your organization’s website and applications to protect it from cross-site scripting.
When you need to protect your website and web applications against XSS and other common attacks, our team of experts is a phone call away and ready to protect your web applications in just minutes.
Under denial of service attack with ransom demands? Don’t pay! We will stop the DDoS attacks in a few minutes, for good.
Call today (888) 900-3749 or connect with us online.
Steve E. Driz, I.S.P., ITCP