
Group Tags More 'Hacker Safe' Sites

Hacker group adds some big names to list of XSS-vulnerable Websites, but ScanAlert insists the sites are safe

Nov 13, 2006 | 07:45 AM

By Kelly Jackson Higgins
DarkReading

Add Ace Hardware, American Red Cross, GNC, HP, Johnson & Johnson, Nike, Northrop Grumman, Petco, Ritz Camera, the Red Cross, Sony, Sports Authority, World Bank, Yahoo, and Yankee Candle to the list of Hacker Safe-labeled Websites identified by sla.ckers.org as containing cross-site scripting vulnerabilities (XSS). (See 'Hacker Safe': Safe for Hackers.)

In the past few days, the hacker group has posted these and several additional Hacker Safe sites as containing XSS bugs, and says there will be plenty more. But ScanAlert, which provides the security scanning services for these sites and provides the Hacker Safe seal, says users won't become victims of XSS attacks if they go directly to those sites.

ScanAlert maintains that XSS isn't a server-side problem, but more a client-side one. (See Hackers Reveal Vulnerable Websites and Two Vendors Deny XSS Flaws.)

"Cross-site scripting is a problem in the Web browser and the site, but all code is executed on the client side," says Joseph Pierini, director of enterprise services for ScanAlert. "It requires some social engineering...to entice users to follow a link or click on a link sent via an email."

The debate over where the XSS problem truly lies may be more an issue of semantics. ScanAlert says none of the sites sla.ckers identified as XSS-susceptible has been compromised. And sla.ckers, meanwhile, says that although an XSS attack requires client-side action, it's still a server-side problem, too.

"A lot of people believe XSS is a server output issue. If the server validated what it echoed back to the client, XSS would not be an issue," says sla.ckers.org member kyran. "While the code is executed client-side, the issue would not exist if it wasn't for server-side problems."

Jeremiah Grossman, CTO for White Hat Security, agrees. "Cross-site scripting is a vulnerability in the Web application software on the server," he says. "The target is the client (user), using the flaw as a conduit of the attack," and not all XSS attacks require a user to click on a link, he says.

ScanAlert's Pierini, meanwhile, also notes that not all of the Hacker Safe sites posted on sla.ckers truly have XSS vulnerabilities, although he couldn't say which ones do not.

ScanAlert had found XSS problems with some of the sites noted by sla.ckers, Pierini says, and then alerted its clients. The company notifies its clients via email of vulnerabilities it finds in its daily scans, and encourages them to log in and review the bugs. "We will persist [alerting them about] that vulnerability until it's been taken care of" by them.

Trouble is, XSS is not a priority for all companies, he says, and the fixes may not come any time soon for some organizations. "You can take a horse to water, but you can't make them drink."

And sites flagged as XSS-vulnerable don't lose their Hacker Safe seal, he says. "The Hacker Safe seal is certification on the server-side infrastructure," Pierini says. "There are no vulnerabilities if you place an order on that site, and no vulnerabilities where someone has access to data on that server. You can't access data on that server with XSS."

Web application developers can take some preventative measures to protect their sites from XSS. They can keep the site safer by not trusting user input, filtering for untrusted characters, and using other types of input validation, notes Pierini.
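An added example (not code from the article, ScanAlert, or sla.ckers) of the server-side echo kyran describes, shown unencoded beside the fixed form, with a scanner-style check of the sort a daily scan would run. It uses HTML output encoding on the server rather than the character filtering Pierini mentions; the URL, parameter name and page template are hypothetical.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical search page: the q parameter is echoed twice, once in a text
# node and once inside a quoted attribute value.
TEMPLATE = '<h1>Results for: {q}</h1><input name="q" value="{q}">'


def query_from_url(url: str) -> str:
    """Pull the q parameter out of the request URL, as a server handler would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """The 'before': raw client input spliced straight into the server's HTML."""
    return TEMPLATE.format(q=query_from_url(url))


def render_hardened(url: str) -> str:
    """The fix lives on the server: encode for the HTML context before echoing.
    quote=True also covers the attribute-value slot in TEMPLATE."""
    return TEMPLATE.format(q=html.escape(query_from_url(url), quote=True))


# Constructed markers so the check can find its own probe in the response.
LEFT, RIGHT = "zq7k", "k7qz"
METACHARS = '<>"\''  # characters that end a text node or a quoted attribute


def unencoded_reflections(render, url_base: str) -> set:
    """Scanner-style check: probe each metacharacter between two markers and
    report which ones the server echoes back raw. An empty set means every
    reflection was encoded; a non-empty set means reflected XSS is possible."""
    raw = set()
    for ch in METACHARS:
        probe = LEFT + ch + RIGHT
        page = render(url_base + "?q=" + quote(probe, safe=""))
        if probe in page:  # survived the round trip without encoding
            raw.add(ch)
    return raw


if __name__ == "__main__":
    base = "https://shop.example.test/search"
    print("vulnerable echoes raw:", sorted(unencoded_reflections(render_vulnerable, base)))
    print("hardened echoes raw:  ", sorted(unencoded_reflections(render_hardened, base)))
```

The check reports per character, so a server that encodes `<` but forgets quotes still shows up, which is the partial-filtering case that keeps a site on the XSS list.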

One thing ScanAlert and sla.ckers do agree on is XSS's pervasiveness. About 90 percent of ScanAlert's customers initially come with XSS vulnerabilities before the company begins providing its scanning services, Pierini says. "It's extremely prevalent throughout the industry."

Says kyran: "Many sites are vulnerable to XSS, and since all Websites change, eventually another XSS hole will probably open up on sites previously thought [of as] safe."

And interestingly, ScanAlert's Pierini says he regularly refers to the sla.ckers.org and ha.ckers.org sites. "I've been using slackers and RSnake's Websites for the last year or so to elevate the severity of cross-site scripting with our customer base."

—Kelly Jackson Higgins, Senior Editor, Dark Reading
