
Security

Journal SkiifGeek's Journal: The Ongoing Risk of XSS

A number of hacker-friendly mailing lists and sites have recently been publishing details of sites that are vulnerable to Cross Site Scripting (XSS) attacks, including many large sites that should really know better (among them many Information Security vendors and large banks). It is now fairly well accepted that an XSS vulnerability within a site can be used to present fake site content (relevant for media and Information Security sites), to steal a user's session or authentication details (relevant for financial sites, and any site that maintains user accounts), or even to hide the true source of malicious material (relevant for any site).

Many users now know that it is important to manually type in the address of their bank, online stock broker and other critical sites, or to reach them via a known good link (such as one saved in their Bookmarks). The problem now is that many sites overload the end of their legitimate intra-site URLs with content that makes little sense to anyone trying to validate the address as accurate. This plays directly into the hands of an attacker attempting to exploit an XSS vulnerability: they hide their malicious data inside one of these odd-looking bits of text appended to a site address. The now-malicious URL is sent to victims through a number of methods, in an effort to get the victim to follow the link and activate the payload.

Even various anti-phishing filters fail to pick up on these XSS attacks, as many only consider the component of the site address prior to the appended text - treating the malicious link as a legitimate address.

The best advice, as it always has been, is to be cautious about following links that have been presented to the user unsolicited, and to always enter the address manually, or use a trusted link, in order to access the sites whose data the user cares about.
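To make the two points above concrete, here is an added example (not code from the journal's author) contrasting the host-only check that the anti-phishing filters perform with a check that actually inspects the text appended to the address, and showing why the reflected value must be HTML-escaped on the server side. The host name and URLs are constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed: a hypothetical trusted host standing in for a bank's site.
TRUSTED_HOSTS = {"www.examplebank.test"}

def host_only_check(url: str) -> bool:
    """The naive filter: approve any URL whose host part is trusted,
    ignoring everything appended after it."""
    return urlsplit(url).hostname in TRUSTED_HOSTS

def query_markup_check(url: str) -> list[str]:
    """Inspect the appended part of the URL and return the names of
    query parameters whose (percent-decoded) value carries HTML markup
    or a script URL, i.e. the place an XSS payload would be hidden."""
    suspicious = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        lowered = value.lower()
        if "<" in value or "javascript:" in lowered:
            suspicious.append(name)
    return suspicious

def reflect_unsafe(value: str) -> str:
    """A reflected parameter written into the page verbatim: this is
    the server-side defect that turns the appended text into XSS."""
    return f"<p>Results for {value}</p>"

def reflect_safe(value: str) -> str:
    """The fix: HTML-escape the value before it reaches the page body."""
    return f"<p>Results for {escape(value)}</p>"

# Constructed URLs: a legitimate one and one with markup in the query string.
LEGIT = "https://www.examplebank.test/search?q=mortgage+rates&ref=home"
MARKED = "https://www.examplebank.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    for url in (LEGIT, MARKED):
        print(url)
        print("  host-only check passes:", host_only_check(url))
        print("  parameters carrying markup:", query_markup_check(url))
    q = dict(parse_qsl(urlsplit(MARKED).query))["q"]
    print(reflect_unsafe(q))  # markup reaches the page intact
    print(reflect_safe(q))    # markup rendered inert
```

Both URLs pass the host-only check, which is exactly the gap the filters described above leave open; only the parameter inspection flags the second one, and only the escaped reflection keeps the page from executing it.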
