|A Second-order of XSS : 2008 : Frequency-X Blog : Blog : Home|
A Second-order of XSS
Several people have approached me for more information about the spate of search engine iFrame injection attacks that have been occurring for the last few weeks. Dancho Danchev’s blog entry provides a good primer of the threat observed thus far, and lists some of the popular news sites that have been hit with the attack thus far. The USA Today story seems to be getting quite a few hits as well, and contains some further insight from X-Force on the topic.
While there has been a lot of attention upon the fact that the Google search engine is acting as the conduit for the attack, let’s be clear, the vulnerability itself doesn’t lie within Google (or any of the major search engines). At its heart, this is the widespread exploitation of simple cross-site scripting vulnerabilities situated within the Web sites application parsing of "searched-for" content.
Effectively, a number of sites (the most notable being USAToday.com and ABCNews.com – with more listed on Dancho’s Web site) incorrectly parse content retrieved from Web browsers as users visit their Web site, and that their Web application dynamically incorporates that data (in this case a malicious iFrame) in to the page content and URL’s. The attack vector is sometimes termed second-order cross-site scripting and you can read a paper I wrote back in 2004 on this and related vectors at Technicalinfo.net as to why it works.
In this current attack the initiation vector appears to be picked up from the REFERER field of the Web browser as the vulnerable Web site parses that REFERER information for the search words and renders them in to URL format (this is part of the vulnerable Web applications “Search Engine Optimization” phase).
This type of vulnerability should normally be picked up by most Web application vulnerability scanners, and will almost certainly be identified during any consulting-based penetration test – so I’m a little surprised that many of the sites identified thus far are actually vulnerable to this attack because I’d have expected them to have invested in a regular pentesting regimen. Luckily, this particular mass-attack vector is pretty easy to correct and I see that several of the (previously) vulnerable sites have now been fixed.
An interesting aspect of this particular mass-attack threat is its organization.
The attackers have obviously been searching out and testing these vulnerable Web sites for quite some time.
Mind you, identifying
sites that are
vulnerable to this
particular attack (i.e.
the vector being used at
the moment –
The actual malicious content within the iFrames linked exploit scripts is pretty standard stuff – related in a sense to the IIS/ASP/SQL mass-defacement iFrame injections we’ve been seeing over the last few months.
Search Engine Focus
Of critical importance in this attack is the role of the search engine. Attackers have already used off and on as a vector for Pharming attacks for the last three to four years, and it is increasingly becoming more popular as a vehicle for driving “victims” to sites the attackers control. In this current attack, the cross-site scripting vulnerable Web sites themselves caused the problem as they appear to have sought to “optimize” their page ranking on the search engines.
Leveraging domain hijacking and botnet’s, the attackers have become very proficient in controlling page-ranking of their malicious Web content. I don’t expect this to diminish in the near future.
As I stated at the start of this blog, several people had approached me information about not only the threat, but also about protection (and remediation). Here is what I’d recommend...
Owners of the vulnerable sites:
Home and Corporate users: