Thursday, August 17, 2006

Who is interested in XSS?

In the last 12 months, the good guys and bad guys alike have learning about the risks posed by XSS at a furious pace. From the SEO's (search engine optimizers) to casual researchers to phishers to security vendors to infosec professionals, everyone is trying to get a handle on what the most recent research means to them. The key JavaScript Malware issues we've seen are worms, defacements, phishing scams, port scanners, intranet hacking, web server fingerprinting, and history stealing. This is likely just the beginning as the exploits become more refined and of course malicious.

Taking a look a the mainstream press, Brian Krebs from the WashingtonPost blogged "Cross-Site Scripting Flaws Abound". Among other things Brian talk XSS disclosures in the websites of Verisign, eEye Digital Security, Cisco Systems, F-Secure,, the National Security Agency, eBay, and Amazon. There is a running thread on SecurityLab about additional vulnerabilities in IBM, MSN, CyberTrust, etc. If there was ever any question, XSS vulnerabilities are epidemic. Just about every website has A LEAST one. No one is safe, not even security vendors.

Also, I member of some public and private bulletin boards that helps me stay up to date on whos doing what and for what reasons. For instance SEO's are utiziling XSS to boost website ranking by making it appear that popular websites are linking to their websites. Simple XSS-Defacement exploit, where the defacement is a a href link injection. And I can tell you right now, the websites they are targeting a big.

RSnake clued me into this, check it out from Google Trends searching for XSS and Cross Site Scripting:

The U.S. didn't even make the Top 10 in "XSS" and only 6th in "Cross Site Scripting". Those who do top the list tell a compelling story about who is THE MOST interested. JavaScript Malware is the new shell code, time to get prepared.

No comments: