Talking with my good friend Chris Mueller this afternoon, we stumbled across an article about a cross-site scripting sort of vulnerability that’s pretty widespread on the internet.
The general background is that many, many dynamic websites, including probably this one, use forms or variables in the URL of the page to communicate information from one page to the next. This includes things like login information, page choice, and virtually any link that changes over time. (Mousing over the “Most Recent Entries” links at the right gives ….?entry=entry839402874 and such.)
This is hackable because, though my password might be unhackable, once I’m logged in to the admin or user-privileged portion of a site, a hacker can send me to a site that essentially gets me to do their work for them. They do this by adding a tag to a page. Because the user is already logged in on their site, when this page opens the link within the tags, it allows things to go through, changing database entries, deleting pages, or even adding users with administrative privileges.
If only the vulnerability stopped there….
Unfortunately, it’s also possible to create a form with default values that automatically submits itself to your password-protected page when the hosting page loads. And, just as the URL-based hack works, this tricks the site into thinking it’s the authenticated user making the changes and gives a hacker essentially free rein if they know what they’re doing.
Now, this isn’t something that will just randomly happen to anyone – it relies on the hacker deliberately planting these or tags on a page and getting a logged-in user to visit the page. Nevertheless, it’s striking how many seemingly secure sites are open to this type of attack.
What can you do? SESSION variables cannot be spoofed in the same way as these POST and GET variables can, so using them protects you against this kind of issue. Additionally, there are a variety of frameworks such as xaraya and other tools that generate authentication codes to verify that submitted forms did indeed come from a safe location.
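Here is what one of those "authentication codes" looks like in practice, as an added example (not code from the original post or from any framework it names): the site hands each logged-in session an unguessable token, embeds it in its own forms, and refuses any state-changing POST that does not carry it back. The session store and the dict-shaped requests are constructed stand-ins.

```python
"""Added example: a minimal synchronizer-token check against forged requests.
Assumed/constructed: an in-memory session store and dict-shaped form posts."""
import hmac
import secrets

# Constructed stand-in for server-side session storage, keyed by session id.
SESSIONS: dict[str, dict] = {}


def new_session(user: str) -> str:
    """Create a logged-in session and give it a fresh, unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """The site's own page embeds the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="post" action="/admin/adduser">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="username"><input type="submit"></form>'
    )


def handle_post(cookie_sid: str, form: dict) -> tuple[int, str]:
    """Server-side handler: the session cookie alone no longer proves intent.

    A page on another origin can make the browser send the cookie, but it
    cannot read the token out of our page, so a request without the right
    token is rejected before any database change happens.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "csrf token missing or invalid"
    return 200, f"user {form.get('username')} added by {session['user']}"
```

The token only helps if it is regenerated per session and never placed in a URL that other sites could learn; it is a complement to, not a replacement for, the session check itself.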
It’s a crazy crazy world out there…