House of Hackers

I have been spending much of my time recently running security tests on web applications, many of which are bespoke websites developed in-house by large corporate companies. I am astonished by the number of cross-site vulnerabilities built into these sites by development teams that have little experience of writing secure applications.

A recent study (http://www.thejournal.com/articles/22603) ranks XSS second among the most common vulnerabilities, only just pipped at the post by SQL injection. Of the web application vulnerabilities it covers, 82 percent stemmed from the application itself, leaving a measly 18 percent down to browser clients or servers.

It surprises me that development teams are still coding without security in mind. Most of the time these vulnerabilities can be avoided by simple input validation; they have been around for some time now, they are easy to test for and easy to rectify. One would have thought that after the launch of XSS Shell some months back, development teams would have woken up to the realization that XSS is a serious threat that needs to be addressed.
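To make the "input validation" point concrete, here is an added example (not code from the original post) showing the two controls a defender applies to a user-supplied field: an allowlist check on input and HTML encoding on output. The field name, the allowlist pattern and the sample value are constructed for the illustration.

```python
import html
import re

# Constructed sample input: a "display name" field the user controls and that
# the page later echoes back into HTML. The value is a canonical XSS probe.
SAMPLE_NAME = '<script>alert(1)</script>'

# Hypothetical allowlist policy for a display name: letters, digits, spaces,
# a few punctuation marks, bounded length. Anything else is rejected outright.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 .'\-]{1,40}$")


def validate_name(name):
    """Input validation: accept only what the allowlist permits."""
    return bool(NAME_PATTERN.fullmatch(name))


def render_vulnerable(name):
    """The common mistake: untrusted input concatenated straight into HTML."""
    return "<p>Welcome, " + name + "!</p>"


def render_hardened(name):
    """Output encoding: HTML-escape the value at the point it enters the page.

    Encoding is applied even when validation passed, because the two controls
    guard against different failures (a validator can be loosened or bypassed;
    the encoder still neutralises markup characters).
    """
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


def handle_request(name):
    """Combined handling: validate first, then encode on output."""
    if not validate_name(name):
        # Reject rather than "clean" the input; silent stripping invites bypasses.
        return "<p>Invalid name.</p>"
    return render_hardened(name)


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_NAME))   # markup survives intact
    print(render_hardened(SAMPLE_NAME))     # markup rendered as text
    print(handle_request(SAMPLE_NAME))      # rejected by validation
    print(handle_request("O'Brien"))        # accepted, apostrophe encoded
```

Validation and encoding are deliberately separate functions: validation belongs where data enters, encoding belongs where data leaves, and the same value may need a different encoder (attribute, JavaScript, URL) depending on where it is emitted.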

For those that are unaware of XSS Shell - it's one of the most interesting projects I have come across in a long time; more information can be found at http://ferruh.mavituna.com - I am keen to see how this research evolves, as it is starting to show the true power of exploiting relatively simple vulnerabilities.

Cross-site request forgery is also a lot of fun; the OWASP CSRF tool provides a simple means to create your own tests, and they are very effective. For those that are new to the term, CSRF essentially enables a malicious user to execute a business process by piggybacking on the authenticated session of a legitimate user. Much of the time the victim is unaware that the transaction has taken place. It's smart, simple and dangerous.
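The "piggybacking on the authenticated session" description above is exactly what a handler that trusts the session cookie alone allows. The following is an added example (not from the post or the OWASP tool) contrasting such a handler with one that applies the synchronizer-token pattern, a standard CSRF mitigation. The session store, the transfer handler and the request dictionaries are all constructed for the illustration.

```python
import hmac
import secrets

# Constructed session store: session id -> CSRF token bound to that session.
# In a real application this lives server-side next to the session state.
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = csrf_token
    return session_id, csrf_token


def transfer_unprotected(session_id, form):
    """Vulnerable pattern: the request is accepted on the session cookie alone.

    A cross-site form post carries the victim's cookie automatically, so this
    handler cannot distinguish a forged request from a genuine one.
    """
    if session_id not in SESSIONS:
        return "401 not logged in"
    return "200 transferred %s to %s" % (form["amount"], form["to"])


def transfer_protected(session_id, form):
    """Synchronizer-token check: the form must echo the token bound to the session.

    The token is delivered in the page body, not as a cookie, so a third-party
    page cannot read it and the browser does not attach it automatically.
    """
    if session_id not in SESSIONS:
        return "401 not logged in"
    expected = SESSIONS[session_id]
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(expected, submitted):
        return "403 missing or invalid CSRF token"
    return "200 transferred %s to %s" % (form["amount"], form["to"])


def demo():
    """Run a constructed forged request and a legitimate one through both handlers."""
    session_id, token = start_session()
    # Forged request: carries the session (the cookie) but cannot know the token.
    forged = {"amount": "1000", "to": "forged-payee"}
    # Legitimate request: the site's own form, which embeds the session's token.
    legit = {"amount": "25", "to": "utility-bill", "csrf_token": token}
    return (
        transfer_unprotected(session_id, forged),
        transfer_protected(session_id, forged),
        transfer_protected(session_id, legit),
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token must be per session (or per form), generated from a cryptographic source, and compared in constant time; a static or predictable token gives no protection, and a token placed in a cookie defeats the purpose because the browser would send it along with the forged request.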

I believe it's time development teams looked at their own processes and began to think about how they develop their web applications. Writing sloppy code in the hope that it will be caught by quality assurance teams is unacceptable and bad practice. Implementing security earlier in the SDLC is one way to minimize a company's exposure to threats, perhaps in addition to revising coding standards and re-educating or retraining development teams.

The internet is still in its infancy; it has yet to become the beast we are all responsible for. Given that the internet has no owner, we all need to be responsible for our own contributions, and being responsible includes providing secure, robust and reliable applications and services.


Comment by marchiner on May 14, 2008 at 2:45pm
RedTeam...
I agree totally with you... it's just a question of time! The problem is that many companies that develop software don't care about these security issues... if it works... and someone pays for that... it's OK! Until... something goes wrong... or not :D

Comment by RedTeam on May 14, 2008 at 8:56am
Is your presentation something that the HoH members would find useful? I agree, CSRF is a very clever yet very simple exploit and you'd be surprised how many companies have no idea that their web applications are vulnerable. I have also come across many developers who have no idea what CSRF or XSS is.

Comment by dookie on May 14, 2008 at 1:15am
I just did a presentation today on CSRF. I find it fascinating and I'm just waiting for it to explode.
