
Simon Willison’s Weblog

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install malware on the victim’s PC. Where it gets interesting is that the attack wasn’t against The Register themselves; it came through their third party ad serving company, Falk AG.

This is a classic example of a cross site scripting attack, in which malicious client-side code (usually JavaScript) is unwittingly served up by an otherwise innocent site. Usually, cross site scripting is caused by a badly written server-side application failing to properly escape data sent in a query string before displaying it on a page. This allows attackers to create links which, when followed, steal cookies or cause other nasty effects for the user following the link. Attacks on third parties whose scripts are served up on a target website’s pages (ad serving companies are a classic example) are less common but much more damaging, as the malicious code involved will be distributed to everyone who visits that site, whether they click on a hostile link or not.
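The first kind of cross site scripting described above, the unescaped query-string parameter, is easy to see in a few lines. The following is an added example (not code from the original post): a page fragment built from a `q` parameter, once by plain concatenation and once with the value HTML-escaped first. The `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsScriptTag` names and the sample query string are all constructed for this illustration; it runs under Node.js, where `URLSearchParams` is a global.

```javascript
// Added example (not from the original post): reflected XSS via an unescaped
// query-string parameter, shown beside the escaped version. Runs under Node.js.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. '&' goes first so later entities are not
// double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the "q" parameter is concatenated straight into the
// page, so a link carrying markup in "q" makes the site serve that markup
// to whoever follows the link.
function renderUnsafe(queryString) {
  const q = new URLSearchParams(queryString).get('q') || '';
  return `<p>Results for: ${q}</p>`;
}

// Hardened rendering: the same value, escaped before it reaches the page.
// The browser now displays the markup as text instead of executing it.
function renderSafe(queryString) {
  const q = new URLSearchParams(queryString).get('q') || '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Crude detection check used only for illustration: does the output contain
// a raw <script> start tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a search term that carries a script element,
// URL-encoded the way it would appear in a hostile link.
const SAMPLE_QUERY = 'q=' + encodeURIComponent('<script>evil()</script>');

console.log('unsafe:', renderUnsafe(SAMPLE_QUERY));
console.log('safe:  ', renderSafe(SAMPLE_QUERY));
```

The escaping function covers text nodes and quoted attribute values only; a value placed inside a `<script>` block, a URL or a CSS context needs the encoding appropriate to that context, which is why templating systems that escape by default are the practical fix rather than hand-written calls.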

This problem isn’t restricted to ad servers; any service where web pages point to a JavaScript file hosted on an external site is potentially at risk should the external site be compromised by crackers or abused by its legitimate owner.

An aside: users of alternative browsers (Get Firefox!), as well as those who had upgraded to Windows XP Service Pack 2, were unaffected.

This is The Register hit by XSS by Simon Willison, posted on 22nd November 2004.


2 comments

  1. People tend to forget that malware et al don't necessarily depend on the browser you're using - the site plays an immense role. But I wonder how this got through at such a large IT site.

    Rob Mientjes - 22nd November 2004 15:48 - #

  2. Does anyone have any idea if there is a site intended to host common web-code libraries?

    Obviously, there's some reluctance to include a script hosted on another domain, but it seems to me a hardened source site would be useful.

    I'm thinking along the lines of MyOwnCSS, but for scripting.

    Has it ever been attempted?

    Jeremy Dunck - 22nd November 2004 18:45 - #


Previously hosted at http://simon.incutio.com/archive/2004/11/22/xss
