Cross-site scripting (XSS) vulnerabilities are nasty problems that allow attackers to inject client side script into Web pages.
According to the Open Web Application Security Project (OWASP), because a browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
That is why news that two leading software providers, SAP and Salesforce, have discovered and fixed XSS problems is both alarming, because the flaws existed at all, and reassuring.
–Researchers at Elastica Cloud Threat Labs found a vulnerability in a subdomain of Salesforce used for blogging purposes. “This vulnerability in ‘admin.salesforce.com’ could have been exploited by attackers to hijack Salesforce accounts or to distribute malicious code to the users,” the vendor reported.
“This subdomain was vulnerable to a reflected Cross-site Scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request. As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users. Furthermore, all Salesforce accounts for different applications (including cloud) were at risk because Salesforce uses Single Sign On (SSO) for managing multiple accounts.”
(Researchers were able to create this look-alike salesforce login page and inject it into a vulnerable app)
While Salesforce was told more than a month ago about the vulnerability, it took some prodding before the company acted. Apparently it didn’t think the problem was severe because it wasn’t in the main “salesforce.com” website. After Elastica sent a reminder, Salesforce patched the hole.
–SAP issued fixes for 22 vulnerabilities, the biggest number — eight — dealing with cross-site scripting issues. (The next biggest category was information disclosure bugs.) The August patch day page has few details about the fixes, but according to ERPscan, which sells security solutions for SAP and Oracle systems, the patches fix an XSS vulnerability in SAP Afaria 7.
Other major vulnerabilities patched include a Remote Command Execution vulnerability in SAP ST-P, a Reflected File Download vulnerability in NetWeaver AFP Servlet, and a Running Process Remote Termination vulnerability and an incorrect system configuration vulnerability in SAP HANA.
(This SAP graphic breaks down patch categories issued this week)
XSS flaws can be difficult to identify and remove from a web application, notes OWASP. It says the best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. “Note that a variety of different HTML tags can be used to transmit a malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.”
Infosec pros and developers who want more detail can consult the OWASP cross-site scripting prevention cheat sheet, which lays out eight rules to follow.