

Cross site scripting, or CSS hack poses threat to popular Web services

posted on August 30, 2001
by hitbsecnews

Cross site scripting, or CSS, a relatively new method of attack, has proven itself to be a formidable opponent in the battle to secure the Web. The attack involves a method whereby an unauthorized script is passed to a Web server for execution -- even if the server is secured against running such scripts.

Simply by visiting a Web site or by reading an HTML-formatted e-mail, users can potentially become the unwitting victims of malicious hackers. Leading providers of Internet services such as Microsoft Corp. have long advised customers to "avoid promiscuous Web browsing." However, some of the most mainstream sites, including Microsoft's own Hotmail service, were at risk from a vulnerability discovered by experts at WhiteHat Security...

New hack poses threat to popular Web services

David Worthington, BetaNews, special to eWEEK

Although Hotmail was affected, the attack is not vendor-specific. The full scope of the findings also includes all HTML-aware Web applications.

Upon discovering the exploit, a handful of leading companies were immediately notified, were provided with technical details and have subsequently addressed the concerns initially raised by WhiteHat's Jeremiah Grossman. Popular online services such as auctions, message boards, HTML chats and guestbooks are among those at risk.

Recently, a Japanese auction site called Price Loto experienced a similar attack, resulting in considerable damages and a substantial interruption in its services.

By simply placing an HTML "Link" tag in an e-mail or Web application, JavaScript can be executed on behalf of the hosting domain, providing the same trust relationship set aside for legitimate code. According to WhiteHat, the Link tag masquerades an off-site script as a style sheet. This particular attack represents a new form of CSS attack never before publicly disclosed.

With a few short lines of HTML, security is bypassed, allowing the script to execute or modify files, propagate e-mail viruses, or even steal a cookie -- a file that stores sensitive information -- from Web sites. JavaScript includes a number of robust functions and is often filtered out for security purposes.
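The point above from the defender's side, as an added example that is not part of the original article or of WhiteHat's disclosure: a filter that strips only script blocks leaves a Link tag in place, while an allowlist sanitizer drops it. The tag allowlist, the accepted URL schemes and the sample markup (including the `offsite.example` host) are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for user-supplied HTML (mail bodies, guestbook posts).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Constructed sample: ordinary markup plus a Link tag and a script block.
SAMPLE = ('<p>Hello <b>world</b></p>'
          '<link rel="stylesheet" href="http://offsite.example/theme.css">'
          '<script>/* placeholder */</script>'
          '<a href="https://example.com/">site</a>')

def script_only_filter(markup):
    """Denylist approach: removes <script> blocks and nothing else."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", markup)

class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and records every tag it drops."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # suppress the element's text content as well
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # <link> ends up here
            return
        href = (dict(attrs).get("href") or "").strip()
        if tag == "a" and href.lower().startswith(SAFE_SCHEMES):
            self.out.append(f'<a href="{escape(href)}">')
        else:
            self.out.append(f"<{tag}>")  # all other attributes are discarded

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped
```

`script_only_filter(SAMPLE)` still contains the Link tag, while `sanitize(SAMPLE)` returns the cleaned markup together with the list of dropped tags, which can be logged for review.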

Given these conditions, it is also possible to flood a particular site address, such as the White House or even Microsoft's own home page, with overwhelming traffic, effectively launching a denial-of-service attack.

The Code Red worm followed a similar concept and sought to bring down whitehouse.gov, disrupting Internet traffic and enjoying major press coverage in the process.

WhiteHat's Tim Orden issued the following statement to BetaNews: "WhiteHat Security is dedicated to assisting in the effort, to secure the Internet as a reliable, safe way to exchange ideas, disseminate information and propagate commerce. We release information on Web application security in order to tighten up what continues to be a relatively lax concern for the public's right to a secure Internet.

"It is our hope that by publicly releasing information describing Web application vulnerabilities, we can remind these public utilities to focus on responsible, secure services for the masses.

Click here to continue reading this article at ZDNet.com
