Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/20/2013
03:34 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Healthcare.gov Security Hiccups

Take two aspirin and call me in the morning

Senior penetration testers used to say that if you wanted to practice on a live Internet website and not get into any trouble, then pick a porn site. Even if you were caught by the site owners, they'd never prosecute and, if they did, the court of public opinion would be on your side.

Today it looks like there's a new candidate for honing your hacking skills: the website of President Obama's flagship Affordable Care Act.

Healthcare.gov has been subject to a barrage of attacks, both online and in the media, ever since appeared online. This week, the site has a portion of the media hot under the collar due to a few client-side flaws and an expectation that recorded attack attempts should have been scrubbed from some prefill search results.

For the public reading these stories, many are bound to think that someone's limb had been torn away by a pack of rapid wolves, and surgeons were desperately trying to sew the victim back together. In reality, it's more like dealing with a hangover from the night before, where the cure is a good old aspirin.

Essentially, two vulnerabilities are being talked about this week. The most visible is merely a reflection of how people have been trying to hack the website, and how the contextual prefill of the search box lists the most common attack strings folks have been throwing at it. It's amusing, really.

The site developers appear to have done a good job sanitizing the input (i.e., replacing potentially malicious characters with their safe HTML counterparts), but they could have probably saved themselves the present grief had they simply dropped certain strings from making it to the prefill candidate list. They appear to have applied some prefill filtering in the past to prevent common swear words from appearing, and have now (since this media frenzy started) added many of the strings more commonly associated with SQL injection since the issue was pointed out. For example, the following no longer appear if you type a semi-colon:

The second vulnerability has to do with the way the client-side script components of the website handle HTML characters as they're typed into the search box (and, no doubt, other areas of the site if you were to go hunting for them). In essence, the client-side scripts get a little confused. While potentially annoying for people having a poke at the website in their bug-hunting quest, it's nothing to be concerned about by those actually intent on using the site for what it's supposed to do.

I've heard a few people point out that the combination of these two bugs could potentiallybe exploited in a cross-site scripting attack, but you have better odds of being hit by a meteorite.

For all of the faults in the site that have been pointed out in the past month, this latest batch only merits a one-shoulder shrug.

-- Gunter Ollmann, CTO IOActive Inc.

 

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jeff Stebelton
50%
50%
Jeff Stebelton,
User Rank: Strategist
11/21/2013 | 6:38:26 PM
re: Healthcare.gov Security Hiccups
Trusted Sec stated in their report that they found several critical issues with the Web site that they could not release under responsible disclosure principles. This was noted in the report they submitted to the House of Representatives Science, Space and Technology Committee hearing.

The other three researchers concurred, rather emphatically, if you watched the hearing. Perhaps it would be prudent to wait until the site is fixed and the researchers can release the information on the other issues they found before dismissing their findings. Given the number of other technical shortcomings the site has had, the fact that it was put into production in spite of warnings as far back as last March that it wouldn't be ready, the revelation that it was never properly tested and the statement that there are over 500 million lines of code involved, I don't think it would be a surprise if it was found as insecure or more so than most other federal government web sites.
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...