Wednesday, August 29, 2007

XSS vulnerabilities, do they even care?

Is your site at risk? If you knew it was, would you do anything about it? I would hope so, but you'd be surprised. I've found many "very large" companies online with exploitable vulnerabilities in their main websites that could potentially be very embarrassing and costly.

This article is the start of several in which I will test the philosophy of "responsible disclosure" by contacting 5 companies and notifying them of security holes that I have found in their sites - even offering assistance and resolutions - to see how long it takes for them to fix them, if at all. I'll keep the names of the companies to myself and just describe them as "industry/estimated # of employees". Just a little white hat test that should get interesting.

By now, most companies and organizations have a little more than a static HTML brochure online. Most sites are actually full blown online applications, either purchased "off the shelf", developed in house, or custom developed by some third party. Dynamic sites, although a necessity, can open doors when they are developed with improper techniques. Once your web application is online, ill-intentioned site patrons have all the time in the world to pick apart your site for potential vulnerabilities. I speak from experience: web applications that I have created have been the target of attacks in the past, and I'd be ignorant to think they won't be targeted again in the future.

Some background on the method of the day, XSS.

For this test I'm going to focus on one facet of web application security, XSS (or, more confusingly, CSS in some older writing - not Cascading Style Sheets). XSS stands for cross site scripting and is generally a method employed by hackers to inject their own script into pages your site serves, so that it runs in other visitors' browsers with your site's privileges. I have identified a diverse range of flawed websites below to see what, if anything, their reaction is to someone telling them they have a problem. Here are the companies and descriptions:
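To make the injection concrete, here is an added example (it is not code from the original post or from any of the sites tested): a search page that reflects the user's query back into the HTML, first with the unescaped concatenation that makes it vulnerable, then with output escaping applied. The function names, the crude `containsScriptTag` regression check, and the sample query are all assumptions constructed for illustration.

```javascript
// Added example (not from the original post): reflected XSS, before and after.
// A search page echoes the user's query into the response. The helper names
// and the sample query below are constructed for this illustration.

// Minimal HTML escaping for text placed inside element content or a quoted
// attribute value. These five characters are the ones that let untrusted
// input break out of a text node and start its own markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter is concatenated straight into the page,
// so any markup it carries becomes part of the document.
function renderVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Hardened: the same page, with the untrusted value escaped on output.
// The browser now displays the markup as text instead of executing it.
function renderSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Crude regression check: does the rendered page contain a script element?
// The template itself never emits one, so any hit means user input got through.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a "search term" that carries markup instead of text.
const SAMPLE_QUERY = 'shoes<script>document.title="injected"</script>';

console.log('vulnerable:', renderVulnerable(SAMPLE_QUERY));
console.log('hardened:  ', renderSafe(SAMPLE_QUERY));
```

Escaping on output is the general fix for this class of reflected XSS: it does not matter what the input was, because the rendering step never lets it become markup. Escaping must match the context (element text, attribute, URL, inline script each need different rules); the helper above covers only the first two.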

1. Retail/95,000 Employees - notified webmasters 8/30/2007
2. Government/1,000 Employees - notified webmasters 8/29/2007
3. Manufacturing/23,000 Employees - notified webmasters 8/30/2007
4. Transportation/19,000 Employees - notified webmasters 8/30/2007
5. Pharmaceutical/2,000 Employees - notified webmasters 8/30/2007

If you'd like for me to take a quick run through your site, drop me an email with the URL and I'll be glad to send you what, if anything, I find (time permitting:)

So, there you have it. I'll post updates as responses come in. Let the whirlwind begin.



Ryan Butcher said...

And we have a winner... Our "Government" (smallest scale site at less than 1k employees) site gratefully replied within 24 hours with a fix already in place on their production site. I consider this a great response time. We'll see if any of the big boys reply...

Ryan Butcher said...

OK, time for an update. All but two of our companies have responded thus far. Interestingly, every response contained a derivative of "we already knew about it, and our IT department is currently looking into it". Doesn't make sense to me either.

Our smallest organization, "Government/1000 employees", still gets the gold star because they not only responded first but have already mitigated the vulnerability. The other respondents, albeit very grateful for the information, have not fixed the holes!

As for our non-respondents... The two biggest organizations contacted have yet to respond or fix the vulnerabilities. These two companies also have by far the most to lose because these issues could be exploited to take over user sessions and launch phishing attacks - not to mention a crashing stock price if discovered.

1. Retail/95,000 Employees
Notified webmasters: 8/30/2007
Response: No Response
Hole fixed: NO

2. Government/1,000 Employees
Notified webmasters: 8/29/2007
Response: Within 24 hours
Response too long, synopsis: thanks for the info - we took the time to fix it..
Hole fixed: YES

3. Manufacturing/23,000 Employees
Notified webmasters: 8/30/2007
Response: Within 48 hours
"Thanks for the email regarding the cross-site scripting on We are currently aware of a few issues and are taking them into account with a redesign which is currently in process."
Hole fixed: NO

4. Transportation/19,000 Employees
Notified webmasters: 8/30/2007
Response: None
Hole fixed: NO

5. Pharmaceutical/2,000 Employees
Notified webmasters: 8/30/2007
Response: Within 72 hours.
"Thanks for this information. We were aware of a problem with the %%%%%%%%% and our IT team is currently working on it. Once again, many thanks."
Hole fixed: NO
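The session-takeover risk mentioned in the update above comes from injected script reading the session cookie. One defensive check a site owner can run while the XSS itself is still being fixed is whether the session cookie is even exposed to script. The following is an added example, not code from the original post or from any of the sites tested: a small Set-Cookie parser, an audit that reports missing protections, and a hardened header builder. The cookie name `SESSIONID`, the sample headers and the function names are constructed for illustration.

```javascript
// Added example (not from the original post): auditing a session cookie's
// protection flags. Cookie name, sample headers and helper names are
// constructed for this illustration.

// Parse one Set-Cookie header value into its name, boolean flags and
// valued attributes (attribute names are case-insensitive per RFC 6265).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split('=')[0].trim();
  const flags = new Set();
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1) {
      flags.add(attr.toLowerCase());                       // e.g. HttpOnly, Secure
    } else {
      attributes[attr.slice(0, eq).trim().toLowerCase()] = attr.slice(eq + 1).trim();
    }
  }
  return { name, flags, attributes };
}

// Report which protections a session cookie is missing.
//   HttpOnly - without it, injected script can read document.cookie
//   Secure   - without it, the cookie is also sent over plain HTTP
//   SameSite - without it, the cookie rides along on cross-site requests
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.flags.has('httponly')) missing.push('HttpOnly');
  if (!c.flags.has('secure')) missing.push('Secure');
  if (!('samesite' in c.attributes)) missing.push('SameSite');
  return { name: c.name, missing };
}

// Build a Set-Cookie header value with all three protections applied.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed samples: a header as a typical 2007-era application emitted it,
// and the hardened form of the same cookie.
const WEAK_HEADER = 'SESSIONID=abc123; Path=/';
const STRONG_HEADER = hardenedSessionCookie('SESSIONID', 'abc123');

console.log('weak:  ', auditSessionCookie(WEAK_HEADER));
console.log('strong:', auditSessionCookie(STRONG_HEADER));
```

HttpOnly does not remove the XSS, and script can still act as the user while the page is open, but it closes the simplest path from a script injection to a stolen session. The audit function is the kind of thing to drop into a response-header test so that the flag cannot silently disappear in a later redesign.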
