Social and business networking sites are the ideal vector for such attacks, because they have millions of people composing Web-based content that millions of other people read. The attack vector works this way: an attacker finds a flaw in a filter on a target website that allows him or her to enter content that contains a malicious browser script. We'll get to the functionality of that script a bit later. The attacker posts the script as part of his or her account profile or other content on the site. When a victim user reads the Web page that includes the attacker's script, their browser fetches the script from the site and runs it. Running inside the victim's browser, the script can do anything on the vulnerable site that the victim can do: delete the victim's data stored on the website; add friends to the victim's account; send messages to the victim's acquaintances; buy really cheesy t-shirts from the site's store; or even update the victim's profile. Then, whenever other users read that victim's pages, they too become infected, spreading the malicious script in a self-replicating fashion.
The vulnerability here is that the target site doesn't properly filter user input to remove scripts. Because of all of the different encoding schemes available for Web content, comprehensive anti-XSS filters can be difficult to maintain.
Such attacks are an issue for the enterprise if employees store information on these types of sites. For example, if several employees of a given company have records on a social networking site that mention their company name, an attacker could construct an XSS worm that hunts for their particular accounts and leaves an embarrassing message associated with the company.
But the consequences could be far worse than simple embarrassment. Some elaborate scripting techniques could force a victim's browser to attack other sites, including intranet websites, when viewing content that includes the malicious script on a social networking site. Think about that -- a user views a friend's MySpace profile, and then his or her browser starts to scan and even exploit an internal ERP server.
To help mitigate these kinds of attacks, users may want to consider using the open-source NoScript plug-in for Firefox. This tool provides users with fine-grained control over when their browsers will run a script from a website, in effect policing scripts and related technologies to minimize the chance that an attacker can make a user's browser do evil. Visit NoScript's website to get more information and download it for free.
- Learn about software development best practices that can prevent cross-site scripting.
- Read about the difference between XSS and cross-site request forgery attacks.
This was first published in April 2008