The security expert dedicates his findings to TriCk of TeaMp0isoN

May 18, 2012 19:01 GMT

A security researcher called ProtocoL has found that sites such as those of Cartoon Network (cartoonnetwork.com), Disney (disney.go.com) and Master Chef Australia (masterchef.com.au) contain cross-site scripting (XSS) vulnerabilities.

None of them is persistent, but that doesn’t make them much less dangerous. Because the sites are popular, cybercriminals could easily leverage the flaws to lure users into their malicious operations. But why not let the hacker himself explain the risks posed by XSS issues?

“XSS may help to compromise users by the execution of client sided arbitrary code. Under certain conditions, XSS can also be used to produce redirects,” he said.

“This could direct targets to specially crafted pages which are designed to steal user names or passwords or in severe circumstances, lead to browser exploit packs which leverage overflow vulnerabilities in the browser. The possibilities with client sided injections are severe, it shouldn't be taken lightly.”

Although XSS flaws are highly common, many website owners and administrators still fail to see the dangers they pose, especially for their customers.

“I find it quite disappointing to find easily fixable vulnerabilities such as XSS in large companies. Do they not pay their companies enough to escape input and output? Don't they realize that XSS is essentially the execution of arbitrary client sided code, in fact it can lead to session hijacking. Embarrassing, wouldn't you think,” ProtocoL told us.

So, we’ve asked the hacker to tell us how he believes these vulnerabilities should be handled. It’s a question we’ve been asking quite often lately, but since this is becoming a growing concern, any piece of advice could prove to be useful for webmasters.

“I hate it when minute web application vulnerabilities affect users. Companies should focus towards protecting their customers because they are who really matter, the ability to trust and the integrity of web applications plays a vital role in 2012,” he added.

“They should employ administrators who actually bother spending time fuzzing the web application, then escaping input and output via PHP validation functions which are already built in, it is all down to data validation.”
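As an added illustration of the "escaping input and output" advice quoted above (not code from ProtocoL or from any of the sites named), the following PHP example validates a reflected query parameter and escapes it for each output context using built-in functions. The helper names, the `/search` route and the sample request are assumptions, and the type hints require PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the names are assumptions made for this example.

/** Escape untrusted text for HTML element content and quoted attribute values. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode untrusted data as a JavaScript literal that is safe inside an inline <script>. */
function esc_js(mixed $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR);
}

/** Input validation: accept only an integer from 1 to 1000, otherwise fall back to 1. */
function page_number(mixed $raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $page === false ? 1 : $page;
}

/** Render a search page that reflects the query back in four different contexts. */
function render_search(array $query): string
{
    $term = is_string($query['q'] ?? null) ? $query['q'] : '';
    $page = page_number($query['page'] ?? 1);

    // Vulnerable form, for contrast: echo '<p>Results for ' . $_GET['q'] . '</p>';
    return '<p>Results for <b>' . esc_html($term) . '</b>, page ' . $page . "</p>\n"
         . '<input name="q" value="' . esc_html($term) . "\">\n"
         . '<a href="/search?q=' . rawurlencode($term) . '&amp;page=' . ($page + 1) . "\">Next</a>\n"
         . '<script>var searchTerm = ' . esc_js($term) . ";</script>\n";
}

// Constructed sample request standing in for $_GET on a non-persistent (reflected) hit.
$constructed = ['q' => '"><script>alert(1)</script>', 'page' => 'abc'];
echo render_search($constructed);
```

With the constructed request, the markup characters in `q` come back as entities, percent-encoding or `\u` escapes depending on the context, and the non-numeric `page` value is replaced by 1.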

ProtocoL has stated that the passion he puts into security research was influenced by TriCk, the leader of the TeaMp0isoN crew, who was recently arrested.
