Should we care about XSS vulnerabilities on eBay?
The ability of attackers to exploit XSS flaws is more an economic issue than a technical one says Ilia Kolochenko who calls for prompt professional action when vulnerabilities are identified.
Should we care about XSS vulnerabilities on eBay?
New Cross-Site Scripting (XSS) flaws on eBay.com have made headlines recently. Some security experts criticised eBay's reaction, while others essentially supported it.
To draw any conclusions or make any judgments about these contradictory responses, we need to consider several important technical details and facts.
First, XSS flaws are very common web application vulnerabilities and almost any large website has several XSS flaws on it. It's extremely difficult to totally eliminate these vulnerabilities, as web developers are working under permanent pressure from their management which wants the latest functionality immediately, forgetting about the need for security.
Obviously controlling such development processes is extremely difficult, yet I remain convinced that vulnerable web applications are fundamentally not a technical problem, but rather an economical one. Stop cutting infosecurity budgets, insert security testing as an essential part of your SDLC (software development life cycle), implement regular external security auditing by independent security companies – and the overall number of vulnerabilities and cyber-attacks will fall significantly. Web applications cannot be secure if we start our IT security budget negotiations with comments such as “how can we cut it down?” or when the main criteria for choosing an external information security auditor is the lowest price.
But, let's come back to [currently] unavoidable XSS vulnerabilities in web applications – some large companies give up and do nothing to improve the situation, while others take all possible measures and actions to, at the very least, prevent malicious XSS exploitation. A properly installed and configured Web Application Firewall (WAF) is probably one of the most efficient and simple measures to prevent exploitation of the vast majority of XSS vulnerabilities.
Some people seem to think that WAFs cost millions, but just using mod_security (which is free) and a single competent security expert (that you may already have on your team) could easily solve the problem. Obviously, simple prevention of XSS exploitation is not an ideal solution as competent attackers can bypass almost any WAF, but it's still better than doing nothing. I reported several XSS flaws to eBay this year and I would say that the quality of its WAF (or a similar mechanism that prevents most known XSS exploitation techniques) could be substantially improved.
XSS is a medium-risk vulnerability and, despite this being a web application vulnerability, it always requires interaction with a victim and actually targets a website visitors/administrator, not the web application directly. XSS cannot be compared with SQL injections, for example, whcih enable an attacker to take control of the vulnerable application without any interaction with victims. Therefore, theoretically we can see XSS as not presenting any risk if attackers have no way to interact with [any] users of the web application. Nevertheless, it's almost always possible to find a way to make users click a malicious link. Moreover, advanced exploitation of XSS in combination with social engineering and drive-by attacks can easily allow remote attackers to compromise vulnerable websites.
It's very easy today to find out who are the web administrators or privileged users of any large website - numerous social networks contain all the information required. Then, we just need to get them to open any web page [controllable by the attackers] that they would trust enough to click, to gather all the information about their OS, browser and location. As soon as the attackers have these details, they can send a second link to the victim containing a personalised exploit and malware which would enable the attackers to control the victim's device as soon as the victim follows that link. This means privileged access to any web applications where the victim has access.
Advanced Persistent Threats (APTs), which have become a very popular term in the media recently, quite often involve advanced exploitation of XSS vulnerabilities: if you have a well-known or reputable website, an XSS vulnerability on it can be exploited to infect third-party users with malware by getting them to open a specially crafted XSS link on your website.
In the unregulated world of cyber warfare, the key to defence is how rapidly and professionally an organisation handles notifications about security vulnerabilities, including XSS. In my professional experience, reporting on all kinds of web vulnerabilities to a wide range of companies, I have seen very prompt and professional responses, as well as those whose reactions were characterised by negligence and incompetence.
Personally, I would say eBay is probably somewhere in the middle: it does have a dedicated centre for security researchers and replies to emails quite quickly, but its vulnerability patching cycle may take a while (my XSS flaws remained exploitable for weeks). The recent issue of actively exploited XSS on eBay's website confirms this.
We all have the option of making ourselves better, so eBay should use this opportunity to transform its approach to web security management and turn itself into an example worth following. Otherwise customers and partners may start looking for more reliable places to shop.