A security researcher disclosed Monday that “at least 99.88%” of all topic links and all domains related to About.com are vulnerable to open XSS (Cross Site Scripting) and Iframe Injection (Cross Frame Scripting, XFS) attacks.
According to the researcher’s findings and proof-of-concept results, all subdomains of About.com are affected.
Wang Jing, of the Division of Mathematical Sciences (MAS) in the School of Physical and Mathematical Sciences (SPMS) at Nanyang Technological University (NTU) in Singapore, reported the vulnerabilities, essentially attack vectors that About.com is serving to its unwitting visitors, to About.com on Sunday, Oct. 19, 2014, but received no response.
“Until now,” he said at the time of his public disclosures Monday, February 2 — over three months later — “they are still unpatched.”
Jing added, “Simultaneously, the About.com main page’s search field is vulnerable to XSS attacks too. This means all domains related to About.com are vulnerable to XSS attacks.”
XSS: Intriguingly versatile — and really bad
XSS holds the third slot (A3) in OWASP’s 2013 top 10 of evil, or rather, the 2013 Top Ten Application Security Risks.
Because XSS executes in the victim’s browser rather than on the server, the flaws on About.com’s subdomains put every visitor at risk of attacks that can steal data such as cookies and saved logins (a route to identity theft); hijack a session the user has open in another tab; run malicious code in the browser that can reach devices on the local network, including a home router; read clipboard contents; access free or paid content under the user’s identity; or serve as the landing page of a phishing scam.
- See also: Veracode’s XSS Cheat Sheet
Security researchers reading this will want to know that the About.com flaws can be exploited by anyone: no account or login on the site is required.
XSS attacks are a staple of both research and crime; they have been around since the web was young, and penetration testers use them routinely when helping websites and organizations beef up their security.
But they are a cancer for the ordinary user’s security.
Jing said, “For the Iframe Injection vulnerabilities, [they] can be used to do DOS (Denial-of-Service Attack) to other websites, too.”
Due to the critical and large-scale nature of the issue, Jing wrote a detailed report with proof-of-concept documentation (including a video) and disclosed the problem on his blog, on Security Pitch, and on his Twitter feed.
According to Jing, the vulnerabilities can be exploited without the victim being logged in and work across all the popular browsers.
For Jing’s XFS and open redirect attacks, “Tests were performed on Microsoft IE (10.0.9200.16750), Windows 8, Mozilla Firefox (34.0), Google Chromium 39.0.2171.65-0, Ubuntu (14.04), and Apple Safari (6.1.6 of Mac OS X Lion 10.7).”
For Jing’s About.com XSS attacks, “Tests were performed on Mozilla Firefox (26.0) in Ubuntu (14.04), and Microsoft IE (9.0.15) in Windows 7.”
On the Full Disclosure list he noted, “The vulnerability occurs at About.com ‘offsite.htm’ page with ‘zu’ parameter,” and included several vulnerable URLs and PoC URLs in his disclosure posts.
All links under About.com’s topics can be used for this attack. Append “/lr/” to any About.com subdomain, then append either arbitrary text followed by a script payload, or the script code directly.
The structure is (…)
OWASP defines the attacks as:
In the first of ComputerWeekly’s excellent series on application-layer attacks, Michael Cobb writes, “XSS attacks work even if the site is viewed over an SSL connection, because the script is run in the context of the “secured” site, and browsers cannot distinguish between legitimate and malicious content served up by a Web application.”
Users have few defenses against XSS and XFS beyond avoiding the vulnerable sites and practicing good hygiene: not letting the browser ‘remember’ logins and passwords, blocking as many tracking cookies as possible, keeping sensitive data in encrypted storage, and changing passwords regularly (especially for critical accounts such as banking and medical sites). The real fix sits with the site operator: the reflected value has to be encoded for the HTML context it lands in, and framing restrictions (the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive) address the iframe side.