Sunday, January 20, 2008

ScanAlert - XSS is not our problem

Update 01.21.2008: Jericho from Attrition takes issue as well and says many of the same things.

This weekend someone directed me to yet another negative ScanAlert article about their dubious “Hacker Safe” website badge. According to the story, Kevin Fernandez and Dimitris Pagkalos provided InformationWeek with a list of 62 popular brand websites that proudly display the logo yet are vulnerable to XSS. Russ McRee, another security researcher, reported the same problem: an XSS vulnerability under the auspices of being Hacker Safe. The story forgot to mention all the other websites too, but you get the idea.

On any other day this would have been old news (we know their reputation), but company representatives from ScanAlert (acquired by McAfee) and Symantec made some rather peculiar statements.

“Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.”

Mr. Pierini misses the point entirely, which I thought was to prevent user data from falling into the hacker’s hands. It makes no difference if the hacker can’t penetrate the server (database) directly - they can still use XSS to compromise users while they shop on the “Hacker Safe” website.

"XSS vulnerabilities do present a serious risk. However, to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response, in an e-mail.

What the!?! “Real world use has been limited”? In comparison to what!? Wait, don’t tell me. Malware, right!? I guess the millions of exploited users between MySpace, Google’s Orkut, PayPal, Italian banks and many others out there don’t count. Neither does being the most reported issue according to Mitre, #1 on the OWASP Top Ten, #1 on the WASC Statistics, and listed on the SANS Top 20.

"XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners."

This makes no sense. On one hand Mr. Friedrichs seems to be saying that everything the hacker needs to own a user’s account is compromised. On the other, that’s OK because each XSS issue is unique and fixed immediately once the website owner knows about it. Does that happen before or after the website is scanned by ScanAlert, or after they get notified by someone else? Sheesh.

“Pierini maintains that XSS vulnerabilities aren't material to a site's certification.”

I guess so, it is your certification after all, but for PCI-DSS it matters. And it's not like your website claims to identify XSS? Oh wait!? It does! Perhaps the website list was generated from crazy, complicated RSnake-cheat-sheet XSS issues... uhhh, maybe not; they seem to be the plain-vanilla, easy-to-find-in-a-few-minutes variety.
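To make the argument above concrete, here is an added example of my own, not code from the post or from any of the companies it quotes. It shows the reflected-XSS pattern these scanners flag (a request parameter echoed straight into the page), the hardened version of the same handler, the session-cookie flags that limit what injected script can reach, and the kind of reflection check a scanner runs. It uses only the Python standard library; the handler names, the session value and the probe string are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed probe: a marker containing HTML metacharacters. A scanner only
# needs to see whether these come back unencoded; no working payload required.
PROBE = '"><probe>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the user's query straight into the markup.

    This is the plain-vanilla reflected XSS the post is about: whatever the
    shopper (or a link they were sent) puts in the query lands in the page as
    HTML, so a script in it runs in the shopper's browser on the site's origin.
    The database is never touched, yet the user is compromised.
    """
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_search_hardened(query: str) -> str:
    """Same page, but the untrusted value is HTML-escaped before it is
    placed in the markup, so it can only ever be rendered as text."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"


def session_cookie_header(session_id: str) -> str:
    """Builds the Set-Cookie value for the shopper's session with the flags
    that blunt cookie theft by injected script: HttpOnly keeps the value out
    of document.cookie, Secure keeps it off plaintext HTTP, and
    SameSite=Strict stops other sites from riding the session.
    (HttpOnly is a mitigation, not a fix: script on the page can still act
    as the user; the real fix is output encoding as above.)"""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"  # requires Python 3.8+
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def reflects_unencoded(render, probe: str = PROBE) -> bool:
    """The check a black-box scanner makes for reflected XSS: send a marker
    with HTML metacharacters and report whether it comes back byte-for-byte.
    True means the handler is reflecting input unencoded."""
    return probe in render(probe)


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)):
        verdict = "REFLECTS UNENCODED" if reflects_unencoded(handler) else "encoded"
        print(f"{name:10s}: {verdict}")
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Run it and the vulnerable handler is flagged while the hardened one is not; that is the whole difference between a site that is "Hacker Safe" for its users and one that merely has an intact database.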

"Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client."

You mean like hack the user and compromise their data when they click a link?

“But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."

Yep, safe and sound in the database, and safe in the hacker’s DB too!

“Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers.”

Nah, it’s not confusing to users who don’t know any better, just to the security experts.

“He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.”

If you say so.

“Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over.”

It’s funny because most security experts, industry bodies, and respected website owners believe XSS is a serious problem *FOR THE WEBSITE AS WELL AS THE USER*: OWASP, WASC, Mitre, SANS, Google, Yahoo, Microsoft, and on and on. All except ScanAlert, apparently; maybe they know something we don’t.

Ahhh, it's Monday; sounds like the beginning of an interesting week.


Anonymous said...

HackerSafe; well, as long as it's not XSS/SQL injection or anything else our scanner can't pick up....

Pierini, you need to seriously learn about this industry, the threats involved and also when to speak your mind without doing the necessary research!

Anonymous said...

Jericho from attrition had a lot of the same stuff to say:

Jeremiah Grossman said...

Brilliant, thanks for the heads up, cji. I updated the post with the link.

Anonymous said...

I know that nowadays XSS is really popular and such, but what about other known attacks like SQL injection? Are there any results or data about SQL injection against Hacksafe websites?

It might make the number of websites hacked much more than 60...

Francois L

Jeremiah Grossman said...

Francois, good question, and I don't think there is. Whereas with XSS people feel fairly confident they can test and disclose issues legally, SQL injection, on the other hand, not so much. Lotta damage could be caused there.

Anonymous said...

I could say the same thing about WhiteHatSec's Sentinel. Black-box, zero-knowledge assessments do not find all the XSS in any given application.

The difference is that ScanAlert runs Nessus version 2 (open-source), so we know where the limitations are. With SaaS models such as Sentinel, we all have no idea -- and with no industry benchmarks or comparisons, it's like starting from scratch at the RFP.

Pot :: Kettle

Jeremiah Grossman said...

That's a fair argument, but the same could be said for any approach to vulnerability identification. Anyone want to go on record guaranteeing 100% of the vulnerabilities will be found? Of course not, but that's not the point being made.

Which is...ScanAlert is saying badge displaying websites are "Hacker Safe" and speaking out of both sides of their mouth. They say they identify XSS, listed next to SQL Injection, while at the same time discounting its importance. Does this sound right to you?

And in our defense, we're trying everything we can to get a fair comparison made to other solutions by any third party. But there were only two reviews performed last year, Jordan's and Larry's. We got dropped from Jordan's at the last minute because he ran out of time, and we didn't know anything about Larry's when he did the work.

The challenge reviewers are having is that matching SaaS with product is like comparing apples and oranges.... We'll do the best we can to get included in 2008.

Anonymous said...

I will go with Jeremiah on this. Scanalert states a different message with their badge in comparison with the other web scanners in the market. Any company can say they have the best scanner on the market. It's marketing. It's pride in your product.

But there is a huge difference when a company sells a product with a badge "Hacksafe" on it.

Besides if there are indeed security problems on the website and they use that logo to make me, the customer, feel safe about it then the company lies to me.

Here lies the difference.

P.S. Jeremiah, that's funny you put that picture, because each time I go to work I see it... I thought the same for Hacksafe... What are they trying to do? Make the same mistake as Oracle with their "unbreakable" statement? :)


Jeremiah Grossman said...

@Francois, yah... posting the picture was just too priceless to pass up. I saw some other ones in the airport recently. Sheesh, I could never be a marketer.

Anonymous said...

"XSS can't be used to hack a server." eh? lol.

maybe they need to take a closer look at my freshly minted universal XSS worm that tries to spawn PHP shells on a server:

How's that for hacking webservers.

It's about time they WAKE up.

Shoaib Yousuf said...

I don't think Scansafe knows the meaning of hacking...

Whether the user session is compromised or the user credentials, it is still part of hacking....

XSS is ScanAlert's problem. But if they don't care about this issue then we really can't do much.



Anonymous said...

I think the main issue here is the devaluing of the certification.

If ScanAlert have genuinely been notifying their clients of the existence of the XSS issues (which subsequently haven't been fixed promptly), but they have kept the site’s status as certified, then as a consumer, the certification means very little.

HackerSafe simply means “subscribes to ScanAlert”; nothing more.

Anonymous said...

Web site security badges are a double-edged sword. They send a message and hang a "kick me" sign on your assets. (Never a better example than Larry hanging a "kick me" sign on the whole company.)

XSS has been routinely ignored. It took almost 18 months from it being discovered before most people woke up and realized that it wasn't just web server 404 pages. It took a good round of outing.

OWASP and PCI are right to focus on these problems.

Anonymous said...

DD at Beast or Buddha told me he copped some abuse from the regional ScanAlert distributor in AP after he sent a newsletter out to clients pointing people to his post, in which I think he also referenced you. He said he would not censor a response, but nothing has been posted! That's a surprise!

Anonymous said...

I am not buying anything online that is "Hacker Safe."

It is a shame that those organizations using Hacker Safe may not even know if they have been hacked anyway. Good luck.

Anonymous said...

It's obvious these douchebags are doing nothing to benefit the security of the sites they scan. They're just in it to make a buck.

Anonymous said...

ScanAlert is only one of many that have serious problems with XSS / SQL injection in their PCI scan. The thing is that a PCI scan should NOT detect webapp vulnerabilities (despite the fact that this is where all the easily exploited vulns are), except for XSS and SQL injection.

ScanAlert's technology (together with Qualys and a lot of others) only detects known XSS / SQL injection vulns. So it's done by looking for known software like guestbooks and such, where vulns are reported.
These tools will not detect vulnerabilities in custom-made programs, and they will not crawl the site to discover all the pages in the website.

But they are still certified as a PCI scan vendor, with the ability to detect XSS and SQL injection. Why?
- Because the PCI Council's certification of the ASV vendors only contains 2 web vulnerabilities, which are both reported vulnerabilities in known programs.

That's perfect for ScanAlert, but it's a joke for all the others.
And will the PCI Council change their certification??
No, "global adoption of the program is more important than everything else". Putting a large discount ASV out of business would delay the adoption of the standard.

Anonymous said...

As far as PCI DSS is concerned, ASVs are for requirement 11.2, related to vulnerability scanning. ASVs are required to perform non-authenticated and non-disruptive scans on the production environment, and hence they tend to be lighter on web app vulns.
Requirement 6.6 and the new clarification on it deal with running web app scanning tools on a pre-production environment. So both of these requirements must be dealt with to be really secure, in addition to all the other requirements in the DSS.