Think like a hacker

Ian de Villiers explores some scenarios where remote attackers can potentially exploit vulnerable applications.

By Ian de Villiers, associate security analyst, Sensepost.
Johannesburg, 20 Apr 2010

Let's assume a Web application similar to Twitter is vulnerable to an attack such as cross-site scripting (XSS), where special HTML meta-characters are not encoded. This means that if I post a message with the text <b>Hello</b>, the Hello displays in bold in the Web application.

If I can get such content displayed in areas of the Web application that other users see, I can insert JavaScript there, and it will execute within the context of those users' sessions. In the simplest case this lets me obtain their credentials, but it can give rise to any number of other attacks.

Although the attack does not sound particularly "hardcore" (i.e., there are no crackers decompiling executable code or wine-swilling coders writing worms using three-dimensional tools, or anything else you see in the movies), XSS has become a particularly effective tool in compromising Web applications.

What is even more interesting is that it is an attack that targets the end-users of the vulnerable Web application rather than the Web application itself. The MySpace worm, which was written by Samy Kamkar in 2007, exploited XSS and CSRF vulnerabilities and infected over a million MySpace users within a 20-hour period. This makes it one of the fastest-spreading viruses of all time.

ITWeb's 5th annual Security Summit

More information about ITWeb's Security Summit, which takes place on 11-13 May 2010 at the Sandton Convention Centre, is available online.

On another note, cross-site request forgery (CSRF) has been termed "the sleeping giant of Web application vulnerabilities" by Jeremiah Grossman, a keynote speaker at the 2010 ITWeb Security Summit, and can also be devastatingly effective at compromising Web applications.

The impact of this vulnerability is frequently increased by the fact that Web application frameworks often allow GET and POST parameters to be used interchangeably. Like XSS, it is an attack directed at the user of the Web application, not at the Web application itself.

When a Web application is vulnerable to CSRF, it may be possible to trigger virtually any function the application provides from a third-party page that contains an image whose “href” attribute has been set to a specific URL. This only works, however, when the user has already logged in to the Web application and then browses the third-party site.

Naturally, exploiting CSRF vulnerabilities requires that the attacker has considerable knowledge of the application being targeted, but in today's inter-connected Web 2.0 world, it is probably something he would be able to figure out easily in any case.