Don't Discount XSS Vulnerabilities

XSS flaws are more serious than you'd think.

Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.

According to the release notes issued by the WordPress team, the update fixed a number of critical vulnerabilities, including a handful of serious XSS vulnerabilities. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug found by Sucuri researchers that could be used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen. He offered further details about that flaw on the Full Disclosure mailing list last week.

With 86% of WordPress sites still running vulnerable versions, this particular XSS allows attackers to post comments containing malicious JavaScript onto WordPress sites that don't authenticate users before they make comments, says Pynnonen, a researcher with the firm Klikki Oy. The malicious code then executes when the comment is viewed in a blog, a page, or the administrative dashboard. Pynnonen developed a proof of concept that showed how this could be leveraged to devastating effect.

"Our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plug-in editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).

"These operations happen in the background without the user seeing anything out of ordinary."
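To make the fix for this class of bug concrete, here is an added JavaScript example; it is not code from WordPress or from Pynnonen's advisory. It contrasts a comment renderer that interpolates untrusted fields straight into markup with one that encodes each field for the context it lands in (HTML text, attribute, URL). The comment object, its field names, and the script-tag body are constructed for illustration.

```javascript
// Added example (not WordPress code): rendering an untrusted comment into HTML.
// renderCommentUnsafe shows the defect class the article describes; renderComment
// shows the fix: context-aware output encoding before the text reaches the page.

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) author URLs are kept; any other scheme is dropped entirely.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '';
  } catch (e) {
    return '';
  }
}

// Vulnerable: attacker-controlled fields go straight into the markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><a href="${comment.url}">${comment.author}</a>: ${comment.body}</div>`;
}

// Hardened: every untrusted field is encoded for the context it lands in.
function renderComment(comment) {
  const href = safeUrl(comment.url);
  const author = escapeHtml(comment.author);
  const body = escapeHtml(comment.body);
  const name = href
    ? `<a href="${escapeHtml(href)}" rel="nofollow">${author}</a>`
    : author;
  return `<div class="comment">${name}: ${body}</div>`;
}

// Quick check used in tests: does rendered output still contain a live script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: an unauthenticated comment carrying a script tag, the kind
// the article says would run when an administrator views the dashboard.
const constructedComment = {
  author: 'visitor',
  url: 'javascript:void(0)',
  body: 'nice post <script>/* attacker script placeholder */</script>',
};

console.log(renderCommentUnsafe(constructedComment)); // script tag survives
console.log(renderComment(constructedComment));       // script tag is inert text
```

The unsafe renderer emits both the `javascript:` link and the script tag verbatim; the hardened one drops the unsafe scheme and turns the tag into inert text. Encoding at output time, per context, is the fix; filtering the input on the way in is not a substitute, because the same stored comment may later be rendered in several contexts.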

While XSS vulnerabilities and exploits have continued to flourish, many security teams have deprioritized these flaws over the last several years in favor of addressing what seem to be higher-severity SQL injection vulnerabilities. Experts say organizations should be wary of that tactic.

"SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities," Ilia Kolochenko, CEO of the consultancy High-Tech Bridge, says in a blog post. "At the same time almost nobody cares about 'medium-risk' XSS vulnerabilities leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk."

A report his firm released last week shows that the architecture of more than 70% of web applications allows well-crafted XSS exploits to perform an automated, layered attack that could ultimately give the attacker root. Meanwhile, 95% of today's XSS vulnerabilities can be used to perform drive-by-download attacks that exploit even the most security-conscious users visiting seemingly harmless URLs.

According to Johannes Ullrich, director of the SANS Internet Storm Center (ISC), XSS vulnerabilities, as common as they are, are "often underestimated." XSS does not appear to let attackers tap directly into databases the way SQL injection does, nor to allow code execution on the server, he wrote recently in a SANS ISC blog post. But in truth it gives attackers the power to modify the HTML on a site, which can lead step by step to full compromise.

"With that, the attacker can easily modify form tags," he wrote, "or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening."
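Output encoding is the actual fix, but the response headers around a page decide how much an injected script that does slip through can do. The following is an added example, not from the SANS ISC post or from this article: it parses a Content-Security-Policy header and Set-Cookie values and reports settings that leave an injected inline script free to run or to read session cookies. The two header sets are constructed samples, the cookie name is made up, and the nonce value is a placeholder.

```javascript
// Added example (not from the article or the SANS ISC post): report response-header
// settings that leave an injected inline script free to run or to read session cookies.
// Output encoding prevents the injection; these headers only limit its blast radius.

// Parse a Content-Security-Policy value into { directiveName: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Per the CSP spec, script-src falls back to default-src when it is absent.
function effectiveScriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Returns a list of findings (empty when nothing weak was found). `headers` is a
// plain object keyed by lower-case header name; set-cookie may be a string or array.
function assessHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('no Content-Security-Policy: an injected inline script runs unrestricted');
  } else {
    const sources = effectiveScriptSources(parseCsp(csp));
    if (!sources) {
      findings.push('CSP has neither script-src nor default-src: scripts are unrestricted');
    } else {
      // Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
      // so it only counts as a weakness when no nonce/hash is listed.
      const hasNonceOrHash = sources.some(
        (s) => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s));
      if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
        findings.push("script-src allows 'unsafe-inline': an injected inline script runs");
      }
      if (sources.includes('*')) {
        findings.push('script-src allows scripts from any host');
      }
    }
  }
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const cookie of cookies) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    if (!attrs.map((a) => a.toLowerCase()).includes('httponly')) {
      findings.push(`cookie ${name} lacks HttpOnly: readable by an injected script`);
    }
  }
  return findings;
}

// Constructed samples: a permissive configuration beside a tightened one.
const weakHeaders = {
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
  'set-cookie': ['session=abc123; Path=/'],
};
const hardenedHeaders = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'",
  'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly'],
};

console.log(assessHeaders(weakHeaders));     // two findings
console.log(assessHeaders(hardenedHeaders)); // []
```

In a real deployment the nonce must be a fresh random value per response, echoed into every legitimate script tag. Note what these headers do not change: script that does run inside the page's origin is, as Ullrich's quote says, not limited by the same-origin policy, so a CSRF token it can read from the DOM offers no protection against it. The headers shrink the blast radius; only correct output encoding removes the injection.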

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Ninja
11/26/2014 | 7:38:35 PM
Re: SQL injection is far from rare

Since 2003, SQL Injections have remained in the top 10 list of CVE vulnerabilities.

SQL Injection was #1 in the OWASP 2013 TOP 10.

I bet it will still be #1 when OWASP releases the 2014 Top 10.

The reason is that the impact of this vulnerability is so huge. An entire database that contains sensitive information can be compromised. In many cases this can be leveraged to conduct further attacks on the host such as privilege escalation and/or remote code execution when certain conditions are met.

User Rank: Apprentice
11/26/2014 | 10:46:25 AM
SQL injection is far from rare
"SQL injection vulnerabilities are becoming more and more rare"

Really? Ever heard of Drupal? It was in the news lately. Perhaps Ilia Kolochenko lacks the tools to identify these sorts of attacks and has a false sense of security. 
Marilyn Cohodas
User Rank: Strategist
11/26/2014 | 9:08:00 AM
Re: Sucuri
Thanks @riramar, I'll correct that in the blog.
User Rank: Apprentice
11/26/2014 | 9:01:14 AM
It's Sucuri not Securi.