XSS payload jumps across pages via ad code

Mar 3, 2016 09:26 GMT  ·  By

Many of today's advertising networks are sharing the same security issue and allowing an attacker to launch cross-site scripting (XSS) attacks through their ad codes on legitimate sites.

Ads got a bad reputation in the past year, especially after being abused for malvertising attacks. Now, the situation seems to have taken a turn for the worse, as independent security researcher Randy Westergren has discovered.

XSS payload hides in previous pages, transmitted via ad code to others

The issue stems from the fact that advertisers like to collect everything about their users, including the URL of the page the user is currently on. That URL is recorded and passed along through the ad code served on later pages as a way of keeping track of the user's previous browsing history.

What Mr. Westergren discovered was that many advertising networks recorded complete URLs, including hashes. While XSS payloads were removed from URLs, they were not escaped and neutralized if they were placed after a hash (#), like this:

http://website.com/some/random/url#1'-alert(1)-'"-alert(1)-"

In theory, everything after the hash is irrelevant to the server: the fragment is used by the browser for in-page navigation, and its meaning is specific to each site.

The problem was that ad networks were recording this information, but they were not applying the same input sanitization procedures to data after a hash, as they did for the normal URLs.

A new attack vector

This gives birth to a new attack scenario. A malicious party could spread links that point to legitimate, authentic pages, but that have a malicious XSS payload attached at the end. When the user clicks the link and reaches the site, nothing happens. If the user navigates away to any other page, the XSS payload executes.
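The recording step described above, as an added illustration that is not code from any ad network or from Mr. Westergren's research: a tracking-snippet builder with the flaw the article describes (path and query are cleaned, the fragment is re-attached verbatim into an inline script), a hardened version that discards the fragment and emits a properly quoted literal, and a small check a defender can run over rendered snippets. The sample URL is constructed from the article's payload shape.

```javascript
// Constructed sample: a legitimate page URL carrying a script-breaking fragment.
const SAMPLE_URL = "http://website.com/some/random/url#1'-alert(1)-'\"-alert(1)-\"";

// Model of the bug (hypothetical, not any real network's code): quotes are
// stripped from the path and query, but the fragment is never touched and is
// concatenated straight into a script context on the next page.
function recordPrevPageVulnerable(rawUrl) {
  const hashAt = rawUrl.indexOf("#");
  const base = hashAt === -1 ? rawUrl : rawUrl.slice(0, hashAt);
  const fragment = hashAt === -1 ? "" : rawUrl.slice(hashAt);
  const cleanedBase = base.replace(/['"<>]/g, ""); // fragment skips this step
  return `<script>var prevPage = '${cleanedBase + fragment}';</script>`;
}

// Hardened version: parse with the URL API, drop the fragment entirely (it is
// client-side only and not needed for tracking), and emit the value as a JSON
// string literal with the characters that could close the <script> block escaped.
function recordPrevPageHardened(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return "<script>var prevPage = null;</script>"; // reject unparsable input
  }
  parsed.hash = ""; // discard everything after '#'
  const literal = JSON.stringify(parsed.href)
    .replace(/</g, "\\u003c") // no "</script>" break-out
    .replace(/\u2028|\u2029/g, (c) => "\\u" + c.charCodeAt(0).toString(16));
  return `<script>var prevPage = ${literal};</script>`;
}

// Detection heuristic for rendered snippets: does the embedded value contain an
// unescaped quote that would terminate the JavaScript string literal?
function snippetBreaksOut(snippet) {
  const m = snippet.match(/var prevPage = (.*);<\/script>/);
  if (!m) return false;
  const inner = m[1].slice(1, -1); // strip the delimiting quotes
  return /(^|[^\\])["']/.test(inner);
}
```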

While XSS payloads are useless on news sites and blogs, they can help attackers gain a lot of sensitive information if executed on banking portals or e-commerce sites.

Mr. Westergren says he wasn't able to notify all ad networks of their problem since the advertising market is quite fragmented, and he wasn't able to test all services.

He did notice that many top-tier services seemed to be vulnerable, and he even created a Chrome extension to automate testing for this issue, should other researchers or the ad networks want to conduct more in-depth research on the matter.

Photo gallery (2 images): "Ad code exposes sites to basic XSS attack"; "XSS payload executed on a page via ad code".