A few days ago a friend of mine sent me a URL to an online store with a product he found interesting. When I went to the site, aside from the aforementioned product I saw a nice "Hacker Safe" logo, with the date (current date) which was supposed to assure me as a consumer that this site is "safe". Clicking on this logo took me to a page of a security company specializing in "helping sites protect you (the customer) from identity theft and credit card fraud", sounds good, I feel much safer already.
Curious about the truth of the site's hacker-safe claims, I decided to do a very basic test for Cross Site Scripting (XSS) by adding a small HTML string in the place of one of the parameter values in the GET query. Imagine my surprise when, rather than rejecting the clearly bogus value (a number was expected, but a non-numeric string was supplied), my input and the HTML tags found within were displayed verbatim. This little oversight would allow anyone to inject arbitrary content to be displayed as part of the store’s front end and, if it contained HTML/JavaScript, have it be parsed and executed. For example, it would be trivial for someone to inject some JavaScript capable of stealing the current user's session and use it for their own gain. Identity theft here we come…
Once the initial novelty of finding a trivially exploitable XSS bug in a fairly large online retailer wore off, I decided to send them an e-mail detailing the problem and its possible consequences in the hope they would fix it. Two days later, which goes to show just how much they care about security, I received a response, which goes like this:
Thanks for your e-mail.
Although what you've sent us is certainly interesting, it would definitely not qualify as a hacker attack.
Apparently in today's security world session theft via XSS only classifies as interesting; I suppose only a full-blown trojan or a virus would constitute a hacker attack. Deciding that perhaps the brush-off was just that and the problem was fixed, I went to the site and entered the same XSS string as before. Lo and behold, the bug is still there; even a day later, 4 business days since the initial report, the XSS is as exploitable as ever. It would seem that adding a simple input validation check is beyond the capability of the store's web development department, nor are "trivial" things like XSS detected by a supposedly reputable "anti-hacker" firm.
Which leads me to the question: do people really care about security, or are they simply interested in a token logo, which is somehow supposed to make their customers safe and give them somebody to blame when things go wrong? With this attitude in place, is it at all surprising that every week there is yet another report about a large compromise in one company or another…
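To make the bug and the "simple input validation check" concrete, here is an added example (my own illustration, not the store's code) modelling a product page that reflects a numeric GET parameter: the vulnerable rendering beside a hardened one that rejects non-numeric ids and HTML-escapes on output. The URL, parameter name and function names are assumptions; the probe value is a constructed, harmless `<b>` tag.

```python
# Added example, not code from the original post. Models the reflection flaw
# described above and the two defensive fixes: reject a non-numeric product id,
# and HTML-escape anything that is reflected into the page.
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# What a product id may look like (assumed): a short run of digits.
PRODUCT_ID_RE = re.compile(r"[0-9]{1,10}")


def product_id_from_url(url: str) -> str:
    """Pull the raw 'id' query parameter out of a GET URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("id", [""])[0]


def render_vulnerable(url: str) -> str:
    # The flaw: the parameter is echoed verbatim, so any markup in it is
    # parsed by the visitor's browser as part of the store's page.
    return f"<p>Product {product_id_from_url(url)} not found</p>"


def render_hardened(url: str) -> str:
    raw = product_id_from_url(url)
    # Fix 1, input validation: a product id must match the expected shape;
    # anything else is rejected before it reaches the template.
    if not PRODUCT_ID_RE.fullmatch(raw):
        return "<p>Invalid product id</p>"
    # Fix 2, output encoding: escape even validated data, so a later relaxation
    # of the allowed pattern cannot silently reopen the reflection.
    return f"<p>Product {escape(raw, quote=True)} not found</p>"


def is_reflected_unescaped(page: str, marker: str) -> bool:
    """Regression check: does the raw marker tag appear verbatim in the output?"""
    return marker in page


# Constructed sample input: a harmless bold tag in place of the numeric id.
MARKER = "<b>probe</b>"
SAMPLE_URL = "https://store.example/product?id=" + MARKER
```

The `is_reflected_unescaped` check is the kind of test the store could have kept in its build to catch the regression the author re-tested for by hand.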