Friday, March 6, 2009

FOWA Dublin Notes: Web application security horror stories - by Simon Willison


Simon started his both entertaining and informative presentation by talking about the probably most commonly known Web Security threat: Cross Site Scripting (XSS).

An XSS attack is possible when others can inject JavaScript into your page (e.g. via forms or URLs). The attacker is then able to perform virtually any action on the attacked site, just as if they were you.

Myspace Worm

The MySpace Worm was a result of an error in the sanitization of user-provided HTML. The injected code caused the visitor to add a friend request to the attacker and put the attacker's code on the victim's page as well. That way, the attacker had more than a million friend requests after 20 hours, finally bringing MySpace down.

Google UTF-7 hole

A missing character encoding header in Google's redirect pages allowed the users to inject a string into the page which caused Internet Explorer to interpret it as UTF-7 content and execute included JavaScript.

Don't trust CSS

CSS is not executable, is it? Well, you can include active components into CSS by using HTC in Internet Explorer or XBL in Mozilla. Also a position: absolute hack allowed an attacker to steal 30,000 MySpace accounts.

SQL injection

You never ever glue user-provided strings together with your SQL queries. Instead, use parameterized queries or an ORM. This is much safer and also easier to maintain.

A nice variation is to use SQL injection to create a mass XSS: You can insert JavaScript into a database which will then be potentially displayed on every page of the attacked website.


Cross Site Research Forgery is probably one of the most wide-spread vulnerabilities as a lot of developers are not aware of it or don't care about it. If you haven't taken any action to prevent CSRF your site is most likely vulnerable to it. Popular examples are the Digg-exploit (a self-digging page) and the Gmail filter hack.

Just using POST requests for your forms doesn't help. Instead, you have to use hard to guess transaction tokens which the server checks for every action. This, of course, can be useless if your site has an XSS vulnerability as the attacker can then steal your token.


Clickjacking is tricking the user into clicking on a certain link or button. This can be done for example by showing a button which to user wants to click on (e.g. in a game) with an Iframe that has the CSS opacity: 0.0. That way, the Iframe will actually receive the click although it's not visible to the user. The Twitter Don't Click This hack was an example for a Clickjacking attack.

You can prevent this attack by using JavaScript to check whether your page runs in an Iframe. Unfortunately there is no standard way to prevent this when the user has JavaScript turned off, what makes this attack quite dangerous.

Insecure admin accounts hack

The recent Twitter hack was actually caused by a dictionary attack on a popular user's password. The password was "happiness", the user was a Twitter employee with admin access. So you should make sure that admin accounts get an extra protection like limiting the access to users on your local network only.

No comments:

Post a Comment