Wednesday, August 29, 2007

XSS vulnerabilities, do they even care?

Is your site at risk? If you knew it was, would you do anything about it? I would hope so, but you'd be surprised. I've found many "very large" companies online with exploitable vulnerabilities in their main websites that could potentially be very embarrassing and costly.

This article is the first of several in which I will test the philosophy of "responsible disclosure" by contacting 5 companies and notifying them of security holes that I have found in their sites - even offering assistance and resolutions - to see how long it takes them to fix the holes, if they fix them at all. I'll keep the names of the companies to myself and just describe them as "industry/estimated # of employees". Just a little white hat test that should get interesting.

By now, most companies and organizations have a little more than a static HTML brochure online. Most sites are actually full-blown online applications, either purchased "off the shelf", developed in house, or custom developed by some third party. Dynamic sites, although a necessity, can open doors when improper techniques are used during development. Once your web application is online, ill-intentioned site patrons have all the time in the world to pick apart your site for potential vulnerabilities. I speak from experience, as web applications that I have created have been the target of attacks in the past - and I'd be ignorant to think they wouldn't be targeted again in the future.

Some background on the method of the day, XSS.

For this test I'm going to focus on one facet of web application security, XSS (or, more confusingly, CSS in some cases - not Cascading Style Sheets). XSS stands for cross site scripting and is generally a method employed by hackers to inject their own code into your site, so that it runs in the browsers of your visitors as if it came from you. I have identified a diverse range of flawed websites below to see what, if anything, their reaction is to someone telling them they have a problem. Here are the companies and their descriptions:

1. Retail/95,000 Employees - notified webmasters 8/30/2007
2. Government/1,000 Employees - notified webmasters 8/29/2007
3. Manufacturing/23,000 Employees - notified webmasters 8/30/2007
4. Transportation/19,000 Employees - notified webmasters 8/30/2007
5. Pharmaceutical/2,000 Employees - notified webmasters 8/30/2007
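To make the XSS background above concrete, here is an added example (not code from the original post or from any of the sites it describes): a hypothetical search page that reflects the user's query into HTML unencoded, the same page with output encoding, and a small check that tells the two apart. The page, its `q` parameter and all inputs are constructed for this illustration.

```javascript
// Added example, not from the original post: how a reflected XSS bug
// arises and how output encoding closes it. The search page and its
// "q" parameter are hypothetical; all inputs below are constructed.

// Encode a string for use as HTML text or inside a quoted attribute.
// Every character that can end a text node or an attribute is replaced.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the user-supplied query is concatenated straight into the
// HTML, so any markup in it becomes part of the page (reflected XSS).
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input name="q" value="${query}">`;
}

// Hardened: the same page, with the query encoded in both contexts
// (text node and quoted attribute) before it touches the markup.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>` +
         `<input name="q" value="${q}">`;
}

// Defender's check: did the query add raw '<' or '"' characters beyond
// those in the template itself? Compares against the empty-query render.
function injectedMarkup(renderer, query) {
  const count = (s, ch) => s.split(ch).length - 1;
  const baseline = renderer("");
  const page = renderer(query);
  return count(page, "<") > count(baseline, "<") ||
         count(page, '"') > count(baseline, '"');
}

// Constructed sample inputs: a harmless query and one carrying markup
// that closes the attribute and opens a script tag.
const SAMPLE_QUERY = "laptop bags";
const SAMPLE_PAYLOAD = '"><script>alert(1)</script>';
```

The check is a coarse smoke test for a code review, not a substitute for encoding every reflected value in the context where it lands.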

If you'd like me to take a quick run through your site, drop me an email with the URL and I'll be glad to send you what, if anything, I find (time permitting :)

So, there you have it. I'll post updates as responses come in. Let the whirlwind begin.
