In association with heise online

08 April 2010, 15:04

Cross-site scripting using meta information

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Zoom If a web service fails to correctly filter a record, the browser may execute JavaScript
According to security expert Tyler Reguly of nCircle, data fields for storing meta-information offer plenty of latitude for future cross-site scripting (XSS) attacks. JavaScript embedded in Whois and DNS records and in SSL certificates, for instance, can, under certain circumstances, be executed in a browser. There are, for example, web services which carry out online checks on SSL certificates from other servers. As well as cryptographically relevant information, such services also display data on a certificate's owner and who it was issued by.

If a service fails to filter the query data correctly, the user's browser may execute JavaScript contained in the query. Attackers could exploit this to carry out various activities, such as copying login cookies or changing a user's profile settings (for their account for the web service). SSL Shopper is one service provider which was affected by this issue – and has now resolved the problem. According to Reguly, the whois service provided by was also affected by a 'meta information cross-site scripting' (MIXSS) vulnerability. It has also since corrected the problem.

Zoom JavaScript can also be embedded in home-made SSL certificates
In a blog entry, Reguly points out that this type of XSS attack is not novel and, for whois services, has already been described on security forums. He nonetheless considers it important that this information is disseminated and that developers and administrators in particular are aware of the issue. Consequently he has put together a presentation (direct download) containing specific examples.

Many other services could be vulnerable to this type of attack in principle. The problem also occurs with many other pieces of meta information which an attacker is able to define and which are queried by a service. This includes HTTP server headers and SMTP server banners.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit