In association with heise online

Cross Site Scripting

Some other banks have avoided these problems by not using frames at all, but that alone does not guarantee security, because there are other tricks an attacker can play. For example, the well known UBS bank, the third largest in the world, does not use frames, but it is vulnerable to another well and long known security problem called cross site scripting (XSS). At the time of our testing, the bank's developers did not filter critical characters out of user input, so an attacker could craft special URLs that inject HTML or even script code into the page displayed on the user's machine. Cross site scripting also allows for advanced spoofing and the theft of sensitive user information such as cookies containing session IDs.

If you click on the following link, it opens a UBS search page and executes the embedded JavaScript code, which displays an alert box with a short note and the contents of your UBS cookie. It could just as well have sent that information on to another web server; here we merely display it. Demo. The result of this demonstration at the time of our testing is shown below:

[bild3]

Note that this takes place within the sensitive, encrypted area of the UBS site. The next demo illustrates spoofing: our message is incorporated into the login page displayed on the user's machine. Spoofing Demo

[bild4]

[Update 26.9.06] The UBS bank has reacted to the tests conducted by heise Security and changed their web site so that these demos no longer work. [/Update]

Filtering HTML-significant characters (such as <, >, " and ') out of user input, or encoding them before they are written back into a page, is one of the most basic security rules every web developer should obey. The total lack of it exposed by this demonstration shows that the developers of this page either did not care about security or did not know better. One might well wonder which is worse.

Cross site scripting works, for example, by sending the server an unusual value in an input field such as the one for a user name, a password or a search term: a specially crafted string such as ><script>alert .... If the server processes this string without filtering or encoding the critical characters and answers with something like "><script>alert ... not found", the browser renders that answer as HTML and executes the embedded script. Although our demo sends very unusual input to the server, which of course should detect it immediately, nothing out of the ordinary is accessed on the bank's server, just as in the frame spoofing example: the manipulation takes place in the browser on the user's local machine, not on the server. Again, once the manipulation has succeeded, an attacker could gather data from the user and grab it without the bank's server being involved any further.

Another example of a site that is similarly vulnerable to cross site scripting is the Bank of England. Press the button to see the demo:

[Update 27.9.06] The Bank of England has changed their application to filter user input, so this demo no longer works. [/Update]

At the time of testing, this resulted in the following:

[bild5]

It takes two to be secure

It is important to note that not all banks suffer from such vulnerabilities. For example, of those we have tested, Barclays bank is free from the vulnerabilities we have demonstrated here: it uses no frames and, at least to some extent, validates input data, which helps to block XSS attacks. Similarly, the Halifax also appears to be reasonably well protected, with no frames and at least invulnerable to the level of XSS attack that we have tested.

However, it is worth bearing in mind that each of these demonstrations took on average 10 to 15 minutes to prepare and test. It is easy to imagine the considerably greater effort that a determined and skilled attacker might apply. Just because some of the banks pass our tests does not mean that there are no other, more subtle flaws in their code waiting to be discovered and used. It is clear that some have done the necessary work and have taken steps to protect their customers, but even they need to remain vigilant against more subtle attacks. Some, however, do not even seem to be aware of quite basic security lessons, which have, after all, been publicly known since the era of Windows 3.1!

Of course, users should also play their part, and it cannot be stated often enough that one should take great care with emails that purport to come from a vendor, bank or other organisation. If you did not request the email and are not expecting it, it should probably be ignored. Never click on a link in such an email that claims to take you to a bank or similar organisation. Only visit the sites of such organisations by entering the URL by hand or by choosing it from a list of favourites or bookmarks. Also, make sure that you compare the settings of your browser with those suggested in our Browsercheck. For example, check this link to configure Internet Explorer so that it prevents frame spoofing. (ehe)

Print Version | Permalink: http://h-online.com/-747183