Update 01.21.2008: Jericho from Attrition takes issue as well and says many of the same things.
This weekend someone directed me to another negative ScanAlert article, beyond Geeks.com, about their dubious “Hacker Safe” website badge. According to the story, Kevin Fernandez and Dimitris Pagkalos of XSSed.com provided InformationWeek with a list of 62 popular brand websites vulnerable to XSS that proudly display the logo. Russ McRee, another security researcher, also notified Toastmasters.org about the same problem: an XSS vulnerability on a site certified as Hacker Safe. The story forgot to mention all the websites listed on sla.ckers.org too, but you get the idea.
On any other day this would have been old news (we know their reputation), but company representatives from ScanAlert (acquired by McAfee) and Symantec made some rather peculiar statements.
“Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.”
Mr. Pierini misses the point entirely, which I thought was to prevent user data from falling into the hacker’s hands. It makes no difference if the hacker can’t penetrate the server (database) directly - they can still use XSS to compromise users while they shop on the “Hacker Safe” website.
"XSS vulnerabilities do present a serious risk. However, to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response, in an e-mail.
What the!?! “Real world use has been limited”? In comparison to what!? Wait, don’t tell me. Malware right!? I guess the millions of exploited users between MySpace, Google’s Orkut, PayPal, Italian Banks and many others out there don’t count. Neither does being the most reported issue according to Mitre, #1 on the OWASP Top Ten, #1 on WASC Statistics, and listed on the SANS 20.
"XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners."
This makes no sense. On one hand Mr. Friedrichs seems to be saying that everything the hacker needs to own a user's account is compromised. On the other hand, that’s supposedly OK because each XSS issue is unique and fixed immediately once the website owner knows about it. Does that happen before or after the website is scanned by ScanAlert, or after they get notified by XSSed.com? Sheesh.
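To make the point concrete for readers who have not seen it before, here is an added example (mine, not code from the post, from ScanAlert or from any of the sites mentioned) of the kind of bug these badges miss and what fixing it actually looks like. It shows a search page that reflects the query straight into HTML, the same page with output encoding, the check a scanner would run to tell the two apart, and a session cookie set with HttpOnly so that script running in the page cannot read it. The function names, the page template and the sample query are all constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a search term as it might arrive in a query string.
# The embedded tag is a harmless marker used only to show whether the page
# hands it back to the browser as markup or as text.
SAMPLE_QUERY = "shoes <b>sale</b>"

# Hypothetical page template; a real site would have far more around the term.
PAGE_TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def render_search_vulnerable(query: str) -> str:
    """The 'before' pattern: the query is reflected into the HTML unchanged.

    Anything a user (or a link they were tricked into clicking) puts into the
    query becomes part of the page, including script.
    """
    return PAGE_TEMPLATE.format(term=query)


def render_search_hardened(query: str) -> str:
    """The fix: HTML-escape the query so the browser treats it as text."""
    return PAGE_TEMPLATE.format(term=html.escape(query, quote=True))


def reflects_markup(page: str, query: str) -> bool:
    """Check a scanner should perform: did input containing '<' come back intact?

    True means the page reflected the marker as markup (vulnerable);
    False means it was neutralized before reaching the browser.
    """
    return "<" in query and query in page


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the session with HttpOnly and Secure set.

    HttpOnly keeps document.cookie from exposing the session id to injected
    script; Secure keeps it off plaintext HTTP. This limits cookie theft but
    does not stop injected script from acting inside the user's session, which
    is why output encoding above is the real fix and this is defense in depth.
    """
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    before = render_search_vulnerable(SAMPLE_QUERY)
    after = render_search_hardened(SAMPLE_QUERY)
    print("vulnerable page reflects markup:", reflects_markup(before, SAMPLE_QUERY))
    print("hardened page reflects markup:  ", reflects_markup(after, SAMPLE_QUERY))
    print(session_cookie_header("constructed-session-id"))
```

The check in `reflects_markup` is deliberately the plain-vanilla kind: a marker with a `<` in it goes in, and you look for it coming back unescaped. That is all it takes to find the issues on the list, and it is also the minimum a "Hacker Safe" scan would need to flag them.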
“Pierini maintains that XSS vulnerabilities aren't material to a site's certification.”
I guess so, it is your certification after all, but for PCI-DSS it matters. And it's not like your website claims to identify XSS? Oh wait!? It does! Perhaps the website list was generated from crazy complicated RSnake cheat sheet XSS issues, uhhh maybe not, they seem to be the plain vanilla and easy-to-find-in-a-few-minutes variety.
"Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client.”
You mean like hack the user and compromise their data when they click a link?
“But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."
Yep, safe and sound in the database, and safe in the hacker’s DB too!
“Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers.”
Nah, it’s not confusing to users who don’t know any better, just to the security experts.
“He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.”
If you say so.
“Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over."
It’s funny because most security experts, industry bodies, and respected website owners believe XSS is a serious problem *FOR THE WEBSITE AS WELL AS THE USER*: OWASP, WASC, Mitre, SANS, Google, Yahoo, Microsoft, and on and on. All except ScanAlert apparently; maybe they know something we don’t.
Ahhh, it's Monday. Sounds like the beginning of an interesting week.