The large number of vulnerabilities gives an attacker numerous opportunities

Mar 6, 2012 06:44 GMT

In the past several weeks, hackers and security researchers worldwide have demonstrated that even some of the larger companies experience difficulties when it comes to protecting their public websites. One of these firms is Shell, the world-renowned oil and gas supplier, as demonstrated by independent security researcher Shadab Siddiqui.

Royal Dutch Shell is the second-largest energy company in the world, with total revenue of $368 billion (276 billion EUR) in 2010, but apparently little of this sum was invested in the company’s public website, which turns out to be full of security holes.

While the internal path leakage issue that exists on the site cannot be exploited directly by an attacker, it can be of great aid during the exploitation of other vulnerabilities, such as the numerous cross-site scripting (XSS) and iFrame injection flaws.

“XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application,” the researcher explained.

“This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials.

“This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.”

According to Siddiqui, the XSS vulnerabilities are present not only on the webpage for which he provided the screenshot, but also on at least 10 others.

The hijacking of user sessions, phishing attacks, and man-in-the-middle attacks are just a few of the malicious operations that can be performed by a cybercriminal who manages to successfully exploit these XSS flaws.

“XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application,” the expert concludes.

Shell was notified of the issues 5 days prior to the disclosure of the vulnerabilities, but so far the company has not responded in any way. The article will be updated when more information becomes available.
