Nowadays, it is becoming more and more difficult to click on some links published by a friend or even by a well-known site. More and more, great sites are showing flaws in their pages, some with fast corrective action, like the example of XSS recently found ( http://www.xssed.com/news/95/Google_SSL_page_vulnerable_to_XSS/ )while others ignore warning e-mails received from people who found such flaws.

Just to point out some names highlighted on the internet in these last weeks regarding security flaws:

- Mcaffee

Displayed with an aggressive title: “Mcaffe enabling malware distribution and fraud”

Link: http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php

- Google

XSS on Google’s https page, what we may consider a terrible opening for session stealing (here our compliments to Google’s team for their quickness in their corrective actions).

Link: http://www.xssed.com/news/95/Google_SSL_page_vulnerable_to_XSS/

- Foundstone Support

It is vulnerable to Cross-Site Framing.

Link: http://skeptikal.org/screenshots/pci-asv_vulns/support.foundstone.com_XSF.png

If you use twitter and love seeing flaws on the web, just take a look at http://twitter.com/XSSExploits and you will see security flaws being commented on, in sites like:

- CNN

Link: http://edition.cnn.com/

- ESPN (still vulnerable, until the day this article was written).

Link:
http://search.espn.go.com/results?searchString=chat&ref=http://sports.espn.go.com/chat/chatESPN?event_id=13330%22%3E%3Cscript%3Ealert(%27XSS%27);%3C/script%3E&404=true

- CBS (still vulnerable, until the day this article was written).

Link:
http://www.cbs.com/primetime/the_unit/video/video.php?cid=446409735&pid=Vs6yBRgqMDQz0mt1iVgHowjlGhrM1xwp%22%3E%3Cscript%3Ealert(%27tst%27);%3C/script%3E&category=editorial&play=true%3Cscript%3Ealert(%27tst%27);%3C/script%3E

- NYT

Title says all: “NYTimescom, danger for your browser”.

Link: http://stratusec.com/blog/2009/05/nytimescom-danger-for-your-browser/

- Vimeo (still vulnerable, until the day this article was written).

Link: http://vimeo.com/tag:xss%27;alert(%27xss%27);v=%27

If you wish to see more big portals just take a look at the already mentioned XSSExploits (it posts something new on a daily basis). By the way, we are also present at http://www.twitter.com/nstalker .

Be careful when clicking on something as today it is becoming too difficult to boldly trust any given dominium. Unfortunately, programers are careless in what refers to validation of their programs and thus XSS are becoming a plague. People say XSS is a flaw, others say no - some weeks ago in OWASP Brazil a discussion took place as to whether XSS is a plague or vector (in case you might be interested, our CTO participated in the thread (pt_BR) at https://lists.owasp.org/pipermail/owasp-brazilian/2009-May/000589.html .

Independently of what you think about XSS (Cross Site Scripting), i.e., whether it is a vector or flaw, we would really be pleased to invite you to test N-Stalker to find out if your compamy’s site or application is vulnerable, since, be it bector or vulnerability, your company’s reputation is at stake.

You may as well request na evaluation of our scanning tool through our website at: http://nstalker.com/products/enterprise/request-evaluation .

In case of doubts, please get in touch with our Support Department.

N-Stalker Research Team

Upon reading this week’s feeds, we have been faced with two cases in which a simple XSS may become an immeasurable loss for the companies involved.

In the first case, the site belonging to a company which offered a model SaaS software (Software as a Service) had its service/software disfigured through a XSS, i.e., every customer who accessed the interface at that moment saw (instead of beautifully made graphics), a message requesting the correction of  flaw, on behalf of system’s users.

Here it becomes difficult to measure value of XSS, as the values of the services rendered by service-now.com are unknown to us, as well as the quantity of users who probably saw the modified screen,–however, to have their dominium and site published on a professional site of renown as well as having their future customers see the disfigured site, for sure, do represent a great loss.

After seeing the post below would you make available to the mentioned company your data and requirements?  Do you question the security of the online services they use?

The post about security flaw of  service-now.com can be read on:  http://holisticinfosec.blogspot.com/2009/05/eweek-hypes-secure-saas-without.html

Another interesting case involving a XSS flaw noticed in this week was the Strong Webmail’s contest ( http://www.strongwebmail.com ). The contest challenged hackers to find out flaws in their webmail system, paying 10 thousand dollars to winners (http://www.strongwebmail.com/secure/email/contests/hack).

The system added a new security engine where, in order have his/her authentication, the user would receive digits to complete authentication via mobile phone. However, taking advantage of a XSS flaw, the challengers sent an e-mail message to company’s CEO and sequestered his account, thus gaining access to it and logically without using PIN.

Here follows some posts with comments on this subject  “When a XSS is worth 10 thousand dollars”: http://www.cgisecurity.com/2009/06/when-xss-can-cost-you-10000.html .  Also what has been mentioned on zdnet: http://blogs.zdnet.com/BTL/?p=19318

How much did such flaw (or XSS in question) cost? Nominally ten thousand dollars but what about company’s image? The costs of a negative repercussion in the media may result insurmountable.

The appearance of  XSS on the site is something one cannot tolerate nowadays (XSS is one of the flaws we often find when performing scanning routines using the  N-Stalker Web Application Security).

It is worth reminding all developers or security professionals that the OWASP TOP10 ( http://www.owasp.org/index.php/Brazilian#Tradu.C3.A7.C3.A3o_OWASP_TOP10 ) classifies the XSS as TOP 1 . Although it is a flaw considered as client side, since it requires, in most cases, a vector or third party for attack, as it can be easily exploited. There is an excellent thread in pt_BR, in OWASP-BR ( https://lists.owasp.org/pipermail/owasp-brazilian/2009-May/000589.html ) about “Is XSS  really a vulnerability?” .

Therefore, beware against attacks exploiting Cross-Site Scripting (XSS) vulnerabilities, as you system may have other hidden flaws. This may bring traumatic consequences to your company’s image and data security.

N-Stalker Research Team