XSS web attacks could live forever, researcher warns
- 05 October, 2011 01:55
Websites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage and an increasing tendency for heavy users of Web apps never to close their browser.
If browsers don't provide a mechanism for websites to securely recover from certain cross-site scripting attacks, the attacks could become invincible and the site at the origin of the attack remain compromised indefinitely, warned vulnerability researcher and Google security engineer Michal Zalewski in a blog posting on Saturday.
A normal response to XSS attacks is to patch the vulnerability, invalidate session cookies so that everyone is forced to re-authenticate, and optionally force a password change. But this is not enough, because, according to Zalewski, once compromised a Web origin can stay tainted indefinitely.
"At the very minimum, the attacker is in full control for as long as the user keeps the once-affected website open in any browser window; with the advent of portable computers, it is not uncommon for users to keep a single commonly used website open for weeks," he said. "During that period, there is nothing the legitimate owner of the site can do -- and in fact, there is no robust way to gauge if the infection is still going on."
In essence, there is no way for websites to ensure that their users are no longer affected by an XSS attack. Still, one would be inclined to think that such an attack would stop at some point without the website's intervention, such as when closing the tab or the browser, but as it turns out, that's not necessarily the case.
There are several methods that attackers can use to extend their hold on a compromised origin pretty much indefinitely, according to Zalewski.
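One defensive building block a site can deploy after an incident, added here as an illustration and not taken from the article or from Zalewski's post, is a client-side "storage epoch" check: the server publishes an incident counter (assumed here to arrive as the `serverEpoch` argument, e.g. from a meta tag or response header) and bumps it after an XSS cleanup; on every page load the site's own bootstrap code wipes any persisted client state stamped with an older epoch, and additionally audits stored values for script-like content. The key name `__origin_epoch`, the `MemoryStorage` stand-in for `window.localStorage`, and the sample data are all constructed for this example.

```javascript
// Added example (not from the article or from Zalewski's post): a "storage
// epoch" recovery routine. Assumes the server publishes an incident epoch that
// it increments after cleaning up an XSS; client state persisted before that
// epoch is discarded so a payload parked in localStorage cannot be re-executed
// by the site's own code on the next load.

const EPOCH_KEY = '__origin_epoch'; // hypothetical key name, constructed here

// Minimal in-memory stand-in for window.localStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Heuristic audit: flag stored values that look like markup or executable code.
// This is a secondary check; the epoch comparison below is the real guarantee.
function looksLikeInjectedCode(value) {
  return /<\s*script|javascript:|on\w+\s*=|\beval\s*\(|\bFunction\s*\(/i.test(value);
}

// Return the keys (other than the epoch marker) whose values trip the heuristic.
function auditStorage(storage) {
  const suspicious = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k === EPOCH_KEY) continue;
    const v = storage.getItem(k);
    if (typeof v === 'string' && looksLikeInjectedCode(v)) suspicious.push(k);
  }
  return suspicious;
}

// Reconcile the epoch stored on the client with the one the server currently
// publishes. Wipes everything if the stored epoch is stale (or missing, or
// corrupted) or if the audit found script-like values, then records the new
// epoch. Returns a summary the caller can log for detection purposes.
function recoverOrigin(storage, serverEpoch) {
  const raw = Number.parseInt(storage.getItem(EPOCH_KEY) ?? '0', 10);
  const stored = Number.isNaN(raw) ? 0 : raw;
  const suspicious = auditStorage(storage);
  let wiped = false;
  if (stored < serverEpoch || suspicious.length > 0) {
    storage.clear();
    storage.setItem(EPOCH_KEY, String(serverEpoch));
    wiped = true;
  }
  return { storedEpoch: stored, serverEpoch, suspicious, wiped };
}

// Demo with constructed data: one legitimate preference and one value that
// stands in for a payload parked in storage before the vulnerability was fixed.
const demo = new MemoryStorage();
demo.setItem('prefs', '{"theme":"dark"}');
demo.setItem('cachedWidget', '<script>/* constructed stand-in for a parked payload */</script>');
console.log(recoverOrigin(demo, 1));
```

The routine only helps against the re-execution path the article describes, where the site's own scripts read attacker-controlled data back out of client-side storage; it does nothing against a rogue script that is already running in a tab the user never closed, which can simply ignore or re-plant the data. That is exactly the gap Zalewski points to, and why the epoch bump should be paired with the usual session invalidation rather than replace it.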
If Facebook were targeted by such an exploit, then given the way users constantly open new pages from the site, or external websites carrying Facebook Like buttons, the compromise could go on for as long as one of those pages remains open.
The problem with prolonged origin compromises is that they can bypass other security precautions as well. For example, if someone connects to an unsafe wireless access point, their browser can be tricked into thinking it has visited, say, Facebook.com through a combination of DNS poisoning and invisible frames containing rogue code, all without the user being aware. Later, that rogue code can hijack a real Facebook session when the user is logged in from a safe environment.
Such attacks can also lead to multiple account compromises if the affected computers are used by different individuals. They are not yet common because there are other, simpler techniques that hackers use, including exploiting remote code execution vulnerabilities. However, as exploit mitigation technologies advance, that could change.
"Today, it's so easy to phish users or exploit real RCE [remote code execution] bugs that backdooring Web origins is not worth the effort. But in a not-too-distant future, that balance may shift," warned Zalewski, who wants browser vendors to act now to make sure that point is never reached.