Don't Discount XSS Vulnerabilities

XSS flaws are more serious than you'd think.

Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.

According to the release notes issued by the WordPress team, the 4.0.1 update fixed a number of critical vulnerabilities, including a handful of serious XSS flaws. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug, found by Sucuri researchers, that could be used to create new administrator accounts, insert SEO spam into blog posts, and perform actions within the site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen, who offered further details about the flaw on the Full Disclosure mailing list last week.

With 86% of WordPress sites still running vulnerable versions, this particular XSS lets attackers post comments containing malicious JavaScript onto WordPress sites that don't authenticate users before they comment, says Pynnonen, a researcher with the firm Klikki Oy. The malicious code then executes when the comment is viewed in a blog, a page, or the administrative dashboard. Pynnonen developed a proof of concept showing how this could be leveraged to devastating effect:

"Our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plug-in editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator)," Pynnonen wrote.

"These operations happen in the background without the user seeing anything out of the ordinary."

While XSS vulnerabilities and exploits have continued to flourish, many security teams have deprioritized these flaws over the last several years in favor of addressing what seem to be higher-severity SQL injection vulnerabilities. Experts say organizations should be wary of that approach.

"SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities," Ilia Kolochenko, CEO of the consultancy High-Tech Bridge, says in a blog post. "At the same time almost nobody cares about 'medium-risk' XSS vulnerabilities leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk."

A report his firm released last week shows that the architecture of more than 70% of web applications allows well-crafted XSS exploits to perform an automated, layered attack that could ultimately give the attacker root. Meanwhile, 95% of today's XSS vulnerabilities can be used to perform drive-by-download attacks that exploit even the most security-conscious users visiting seemingly harmless URLs.

According to Johannes Ullrich, director of the SANS Internet Storm Center (ISC), as common as XSS vulnerabilities are, they're "often underestimated." XSS doesn't appear to let attackers tap directly into databases the way SQL injection does, nor does it allow code execution on the server, he wrote recently in a SANS ISC blog post. But it does give attackers the power to modify the HTML of a site, which can ultimately lead to full compromise.

"With that, the attacker can easily modify form tags," he wrote, "or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening."

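Ullrich's point is that any markup a visitor can store unfiltered becomes executable code for whoever views it next, including the administrator moderating comments. The sanitizer below is an added example in Python, not code from the article and not WordPress's own comment filtering (which is done by its KSES functions); it assumes a hypothetical allowlist policy and shows the defender's side: comment markup is reduced to a few harmless tags, script blocks, event-handler attributes and javascript: links are dropped, and all text is entity-encoded.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: anything not listed is dropped (script, on* handlers, javascript: URLs).
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set(), "code": set()}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" keeps relative URLs

def safe_href(value):
    # Whitespace is stripped first because browsers ignore it inside a URL scheme.
    try:
        return urlsplit("".join(value.split())).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED[tag] and v is not None and (n != "href" or safe_href(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:  # close unbalanced children before the tag itself
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always entity-encoded

def sanitize_comment(text):
    """Return comment markup restricted to the allowlist; everything else becomes text."""
    s = CommentSanitizer()
    s.feed(text)
    s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.stack))  # close dangling tags
    return "".join(s.out)
```

Run on a constructed comment mixing bold text, a script block, a javascript: link with an onclick handler, a legitimate link and an unclosed tag, only the bold text, the bare anchors, the https link and the closed tag survive.
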
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Ninja
11/26/2014 | 7:38:35 PM
Re: SQL injection is far from rare

Since 2003, SQL Injections have remained in the top 10 list of CVE vulnerabilities.

SQL Injection was #1 in the OWASP 2013 TOP 10.

I bet it will still be #1 when OWASP releases the 2014 Top 10.

The reason is that the impact of this vulnerability is so huge. An entire database that contains sensitive information can be compromised. In many cases this can be leveraged to conduct further attacks on the host, such as privilege escalation and/or remote code execution when certain conditions are met.

User Rank: Apprentice
11/26/2014 | 10:46:25 AM
SQL injection is far from rare
"SQL injection vulnerabilities are becoming more and more rare"

Really? Ever heard of Drupal? It was in the news lately. Perhaps Ilia Kolochenko lacks the tools to identify these sorts of attacks and has a false sense of security. 
Marilyn Cohodas
User Rank: Strategist
11/26/2014 | 9:08:00 AM
Re: Sucuri
Thanks @riramar, I'll correct that in the blog.
User Rank: Apprentice
11/26/2014 | 9:01:14 AM
It's Sucuri not Securi.