Why Your Organization May Be More Vulnerable Than You Think To Cross-Site Scripting Attacks
Cross-site scripting (XSS) is one of the greatest security threats organizations face. Malicious code is injected into otherwise trusted websites using HTML, JavaScript, VBScript, ActiveX or Flash, allowing attackers to hijack accounts, steal user data, change user settings, access cookies and serve false advertising.
CyberInt’s Research: What We Uncovered
CyberInt’s offensive team recently identified a reflected cross-site scripting vulnerability within VirusTotal’s intelligence search component. VirusTotal lets organizations run a variety of search queries; however, if a query contains a mismatched value, an error message is displayed. For example, when we tried to launch a search for “type: Test”, the application said there is no such search query and returned the error shown below.
Our team found that the VirusTotal application does not perform input validation on the search query parameter, so the parameter could carry malicious code that triggers a successful reflected XSS attack. This could happen, for example, by injecting the <hr> HTML tag as the search query parameter.
Using a WAF or other security protections, VirusTotal blocked some XSS payloads that perform malicious actions by disallowing the following characters:
- Parentheses
- URI schemes – http://, ftp://, Gopher:// and more
- Spaces
- Additional JavaScript event arguments
We were able to get around that by developing a unique payload without the disallowed characters. To evade the use of spaces, for example, we figured out that using the ‘/’ character converted to a space on the server side, allowing the beginning of our payload to start with ‘<script/src=’. Next, we evaded the URI restriction by figuring out that “//” characters converted to ‘http://’ or ‘https://’ on the server side, creating the payload: ‘//path_to_external_js_file’. By connecting all the dots, we were able to generate this successful payload.
How Can I Keep My Company’s Information Safe?
It’s crucial for all organizations to understand the risks and threats associated with XSS. Security researchers have identified this vulnerability even in some of the world’s most popular and highly secure websites, including Google, Amazon, Facebook and PayPal. Free prevention tools don’t go far enough.
Our advice for preventing XSS attacks includes:
- Validate all user-controlled data, on both the server side and the client side
- Define the set of characters that can be accepted (often U+0020 to U+007E, though most special characters can be removed and control characters are almost never needed)
- Define a minimum and maximum length for the data (e.g. {1,25})
- Use a whitelist approach to define the values the application should accept.
- Validating rich user content – It is very difficult to validate rich content submitted by a user. Consider more formal approaches such as AntiSamy.
- Never Insert Untrusted Data except in Allowed Locations
- HTML Escape before Inserting Untrusted Data into HTML Element Content
- Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
- JavaScript Escape before Inserting Untrusted Data into JavaScript Data Values
- HTML escape JSON values in an HTML context and read the data with JSON.parse
- CSS Escape and Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
- URL Escape before Inserting Untrusted Data into HTML URL Parameter Values
- Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way
- Use the HttpOnly cookie flag
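The following is an added example, not code from CyberInt or VirusTotal, showing how a search-error page of the kind described above can reflect the user's query safely. It applies the prevention list: an allowlist validator (printable ASCII U+0020 to U+007E, length {1,25}) and a separate encoder for each output context (HTML element content, HTML attribute, JavaScript data value, URL parameter). For contrast it also includes `blocklistAllows`, a hypothetical filter modelled on the character blocklist the post describes, to show that such a filter both lets the post's `<script/src=//path_to_external_js_file>` payload through and rejects the legitimate query “type: Test”. The function and variable names are this example's own.

```javascript
// Added example (not CyberInt's or VirusTotal's code): allowlist validation
// plus context-aware output encoding for a reflected search-query error page.

// Allowlist: printable ASCII U+0020..U+007E, between 1 and 25 characters.
// Because this restricts input to ASCII, the encoders below never see
// surrogate pairs or other non-BMP characters.
const QUERY_ALLOWLIST = /^[\x20-\x7E]{1,25}$/;

function isValidQuery(q) {
  return typeof q === "string" && QUERY_ALLOWLIST.test(q);
}

// Encoder for HTML element content: the six characters that matter in a text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encoder for HTML attribute values: encode everything except alphanumerics as
// &#xHH; so the value cannot break out of the attribute whatever the quoting style.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Encoder for a JavaScript string literal: \uXXXX for every non-alphanumeric
// character, so </script> or a closing quote cannot be smuggled in.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Encoder for a URL query parameter value.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Hypothetical blocklist modelled on the post's description: parentheses,
// URI schemes, whitespace and event-handler attributes. Shown only to
// demonstrate why a blocklist is not a substitute for validation and encoding.
function blocklistAllows(q) {
  const blocked = [/[()]/, /\b(?:https?|ftp|gopher):\/\//i, /\s/, /\bon\w+\s*=/i];
  return !blocked.some((re) => re.test(q));
}

// Build the "unknown query" error page, reflecting the query in four contexts.
// Returns { html, rejected } so callers (and tests) can inspect the result.
function renderSearchError(q) {
  if (!isValidQuery(q)) {
    return { html: "<p>Invalid search query.</p>", rejected: true };
  }
  const html =
    `<p>Unknown search query: ${escapeHtml(q)}</p>` +
    `<a href="/search?q=${escapeUrlParam(q)}" data-query="${escapeHtmlAttr(q)}">Retry</a>` +
    `<script>var lastQuery = "${escapeJsString(q)}";</script>`;
  return { html, rejected: false };
}

// Stand-alone demonstration with constructed inputs.
console.log(renderSearchError("type: Test").html);
console.log(renderSearchError("<hr>").html);
console.log("blocklist passes payload:", blocklistAllows("<script/src=//path_to_external_js_file>"));
```

The point of the contrast is that the allowlist accepts “type: Test” and rejects the 40-character payload outright, while the encoders make any accepted value inert in every context it is written into; the blocklist does the opposite, rejecting the legitimate query because of its space and passing the payload because `/` and `//` are not on its list.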