

11/24/2014 01:30 PM

Don't Discount XSS Vulnerabilities

XSS flaws are more serious than you'd think.

Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.

According to the release notes issued by the WordPress team, the 4.0.1 release fixed a number of critical vulnerabilities, including a handful of serious XSS vulnerabilities. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug, found by Sucuri researchers, that could be used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen. He offered further details about that flaw on the Full Disclosure mailing list last week.

With 86% of WordPress sites still running vulnerable versions, this particular XSS allows attackers to post comments containing malicious JavaScript onto WordPress sites that accept comments from unauthenticated users, says Pynnonen, a researcher with the firm Klikki Oy. The malicious code then executes when the comment is viewed in a blog post, a page, or the administrative dashboard. Pynnonen developed a proof of concept that showed how this could be leveraged to devastating effect.

Our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plug-in editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).

These operations happen in the background without the user seeing anything out of the ordinary.
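The root cause behind a stored XSS like the one described above is that comment text submitted by an unauthenticated visitor reaches an administrator's browser as live markup. The usual mitigation is allow-list sanitization on output: keep a handful of harmless tags, strip every other tag and every attribute you did not explicitly permit, and refuse non-http(s) link targets. The following is an added illustration in Python (not WordPress code and not Pynnonen's proof of concept); the tag and attribute allow-list is a constructed example, not a recommendation of any specific policy.

```python
"""Allow-list comment sanitizer (constructed example, not WordPress's kses)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a comment may keep, and the only attributes each may carry (constructed).
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
           "code": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}   # only absolute http(s) links survive


class CommentSanitizer(HTMLParser):
    """Re-emit untrusted HTML keeping only allow-listed tags and attributes.

    Unknown tags (script, img, iframe, ...) are dropped but their inner text
    is kept; unknown attributes (onerror, onclick, ...) and javascript:/data:
    URLs are removed; all text is HTML-escaped so it can never become markup.
    """
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []            # allow-listed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                 # drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue           # e.g. onclick=... silently removed
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue           # javascript:, data:, relative URLs refused
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:      # close inner tags first so output nests
            while self.stack:
                inner = self.stack.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))   # text stays text

    def result(self):
        self.close()
        self.out.extend(f"</{t}>" for t in reversed(self.stack))
        return "".join(self.out)


def sanitize_comment(raw):
    """Return a safe HTML rendering of an untrusted comment body."""
    parser = CommentSanitizer()
    parser.feed(raw)
    return parser.result()
```

The same sanitizer must run on every rendering path, including the admin dashboard's comment moderation views, because that is where the payload in the case above was triggered.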

While XSS vulnerabilities and exploits have continued to flourish, many security teams have deprioritized these flaws over the last several years in favor of addressing what seem to be higher-severity SQL injection vulnerabilities. Experts say organizations should be wary of that tactic.

"SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities," Ilia Kolochenko, CEO of the consultancy High-Tech Bridge, says in a blog post. "At the same time almost nobody cares about 'medium-risk' XSS vulnerabilities leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk."

A report his firm released last week shows that the architecture of more than 70% of web applications allows a well-crafted XSS exploit to perform an automated, layered attack that could ultimately give the attacker root. Meanwhile, 95% of today's XSS vulnerabilities can be used to perform drive-by-download attacks that exploit even the most security-conscious users visiting seemingly harmless URLs.

According to Johannes Ullrich, director of the SANS Internet Storm Center (ISC), as common as XSS vulnerabilities are, they're "often underestimated." XSS doesn't appear to let attackers tap directly into databases the way SQL injection does, nor to execute code on the server, he wrote recently in a SANS ISC blog post. But in fact it gives attackers the power to modify a site's HTML, which can ultimately lead to full compromise.

"With that, the attacker can easily modify form tags," he wrote, "or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
theb0x, User Rank: Ninja
11/26/2014 | 7:38:35 PM
Re: SQL injection is far from rare
Agreed.

Since 2003, SQL Injections have remained in the top 10 list of CVE vulnerabilities.

SQL Injection was #1 in the OWASP 2013 TOP 10.

I bet it will still be #1 when OWASP releases the 2014 Top 10.

The reason is that the impact of this vulnerability is so huge. An entire database that contains sensitive information can be compromised. In many cases this can be leveraged to conduct further attacks on the host, such as privilege escalation and/or remote code execution when certain conditions are met.

 
M1ch43L
100%
0%
M1ch43L,
User Rank: Apprentice
11/26/2014 | 10:46:25 AM
SQL injection is far from rare
"SQL injection vulnerabilities are becoming more and more rare"

Really? Ever heard of Drupal? It was in the news lately. Perhaps Ilia Kolochenko lacks the tools to identify these sorts of attacks and has a false sense of security.

Marilyn Cohodas, User Rank: Strategist
11/26/2014 | 9:08:00 AM
Re: Sucuri
Thanks @riramar, I'll correct that in the blog.

riramar, User Rank: Apprentice
11/26/2014 | 9:01:14 AM
Sucuri
It's Sucuri not Securi.