Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Script Injection Makes Phishing Harder to Catch



 By: Matthew Broersma
2004-07-19
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Cross-site scripting can work when user input is utilized to create a dynamic Web page, and researchers say preventing such attacks is the responsibility of Web site programmers, who must validate any user input and weed out dangerous scripting and HTML.

Cross-site scripting (XSS) attacks have become one of the better-known Web security vulnerabilities over the past four years, but they are still easy to carry out on large sites handling sensitive information, such as major banks, as a U.K. researcher recently demonstrated.

They make phishing attacks—which attempt to swipe user login information—harder to spot, even for the most alert users. And while they are simple for site designers to prevent, the errors seem to keep slipping through, security experts say.

XSS, also called script injection, can happen when user input is utilized to create a dynamic Web page—a sites search page, for example. Sites commonly allow such user input to be embedded directly in a URL.

The attack requires that a user click on a URL containing JavaScript or HTML that is disguised as user input. If the site doesnt double-check the user input, then once the dynamic page has rendered, the HTML or script is executed, allowing the attacker to carry out an exploit on the site.

Read more here about the new phishing technique.

In the case of script-injection attacks designed for phishing, the script causes the host site to display a malicious page of the attackers choice, rather than that of the real site. This could be a fake login page collecting passwords, for example.

Resource Library:
Phishing has become a major issue because of the increasing volume and sophistication of attacks carried out via junk e-mail messages, often posing very convincingly as a message from a bank. Such attacks so far have relied on spoofing techniques, where a malicious URL is made to appear identical to a trusted URL, through a variety of techniques.

These exploits have a number of limitations, all related to the fact that the site the user is looking at is not really a trusted site, security experts say. For example, they dont open a secure SSL (Secure Sockets Layer) session, easily identifiable by a browser icon.

The main advantage of script-injection phishing attacks is that they are carried out on the trusted site itself. "If the user is vigilant and verifies the identity of the site by examining the SSL certificate, the attacker is still able to steal information," said Thomas Kristensen, chief technology officer at Denmark-based security firm Secunia. Such attacks work just as well on SSL sessions.

Like other kinds of phishing, XSS attacks require sophisticated social engineering—a user must be persuaded to visit an untrusted site or HTML e-mail and then to visit a trusted site via a link from the untrusted source.

All a user has to do to avoid the attack is to type in the trusted URL by hand or to find it via a trusted site such as a search engine. But scammers have shown that fake bank e-mails, for example, can be made very persuasive, experts say.

Script injection hasnt been used in any phishing exploits so far, researchers say. This is likely to be at least partly because XSS has two limitations that spoofing attacks dont. It takes some time and skill to hunt down vulnerabilities within trusted sites, although security researcher Sam Greenhalgh recently proved that this is far from impossible.

eWEEK.com successfully tested his script-injection demonstration on sites such as MasterCard, NatWest, Reuters and Barclaycard, using Internet Explorer on Windows XP with Release Candidate 2 of Service Pack 2, the Mozilla Firefox 0.9.1 browser and Apples Safari.

Click here to read about the final preview of the Firefox browser before its full release.

Secondly, once a scam comes to light, it would take about 10 minutes for an affected site to fix the problem. "The time to exploit it would be very limited, because it is a server-side bug," Kristensen said. "A vulnerability on the client side takes much longer to get users protected."

Besides phishing, researchers consider the most important kind of potential XSS attack to be browser-session hijacking. In this exploit, the malicious script is used to steal the temporary cookies that secure sites use to validate a user during his or her session. These usually have a short shelf life, but until they expire, a stolen cookie could allow an attacker to access a users bank account or carry out "one-click" purchases on an e-commerce site, for example.

Unlike some attacks, script injection isnt a software problem, experts say. "Browsers could have functionality to prevent it, but that is really the wrong place to be fixing the problem. It could be required functionality on certain Web sites," Kristensen said.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Preventing script-injection attacks is the responsibility of Web site programmers, who must validate any user input and weed out dangerous scripting and HTML, researchers say.

"Web programmers can prevent most cross-site scripting attacks by validating form input and ensuring that all user data is correctly encoded before it is displayed or stored," Mike Prettejohn, president of Web analysis firm Netcraft Ltd., of Bath, England, said in an analysis of the issue. "Never trust user input is a basic security tenet designed to reduce the risk posed by Web forms."

Despite this rule, researchers say vulnerabilities continue to exist and arent difficult to find. One reason is that theyre created by Web developers, who might not be as security-conscious as IT staff, particularly if they are in-house developers, Secunias Kristensen said.

"You might have system administrators out there patching IIS [Internet Information Services], configuring firewall rules and doing everything by the book, but the problem is the developers," he said. "They make the site with functionality as the primary goal, and security is secondary. They might not consider something like script injection. You see that very commonly, unfortunately."

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  



  Reader Comments: Script Injection Makes Phishing Harder to Catch
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Matthew Broersma
 


x}ks8q8c=mG-9֎my-%L*EB%)ۚ'ΗSOx-N&{N-`n4w~ IM˙Kל۔\sPç}$5]2i*_ d&@ jہ)}mk4 uB;{#|6S%߽w *s=NN5KԚLÆ|g&$ƾl dkdp,FcwO d|@'AjZ$6m(GJ{<KE!H׶cշ8>vP ߩUaÙO,}!*{>"e%k4݋ʏIGO(ɀYWFz.Qu^V∌l׸ڮUX'[vR䅰Q(0F.Č/u#wJ;qy'Mr'fx\Ñc7PpmׇVKTq3c}fݷt#Է@:S1)æI#!꿩 ¥0 ?GpA'ס"gml_k| tns<"s~3 CoZeNDj% ?q7`JaCJ&5\_-׉"Sˑ,ft0eʆ}wʡVWR\=Tʇ╇C`[©;htnTUMSU@Blݹڎ6жF^׵vCq={grعx';AW@o&1`ZLTQRxf Rc@G',BݓK>o VqW-ÒhZIAvina[E4f™EUCdndЖ_-AA9C,[3KA4 ̠+`Wk1e`=k߾\svڽ>9ݐvcGV}Bg#j`BcYueUZrn`KvO|g6~b M u ôW+ZvtC!u{J ,ߖNe=h./!_w nr@ i/]"nG,Y`MIhL2Tc]NjGoNX ZRĿ"G/O;3jZYc;Ni$|NI}ѦM>dMfB7g ƩeLI|B3} H8Mlz:{mQH08us3t7Nm~|YFhIO3_hy9g~>厬m[_4@>V*|z[.z:ԍ$r%5kb$T`CL ::O]%{`۩:_0TN(e!\o JkX"L M=t%<42.|O\V,'0 gе3ҝbea?묮 {UK\HZq>n: V!2ED+ه0`-EDM{R^ 0i\W+JIU/Ҥ`k@Lf2,rǮmAu،; <}Zj\Z<>7Q>5 < ıςL׃RUaT8j]7<5Xe;;pMbA >AS-cfBL;$!O_'%Ex!5ᚉ 1'$o':!#XE~H> \RZr>j +"X[8:T:4f6W߁:,Cd>5>OM{c>4YU fyP2~2j&8x_ℯ/883hÿ>)CzKp`>sW.}O>xN¢ -{h'(0ZN O+J?#2ByQYhw\rR2 S#<~~Ɋ0 ClW͵]@S+!LuO##cYd:@ݐ늦 uzwVE@ t@z#x؃N HMҚnwHyZ\9rZkBZ'@ ucqmy@(pᘙ@FCS؇`m/R;Tڞw ^,_]hD1(dyDF4D/qbk lR{}p@b#RiCݜ5o"uy@VIJYhQ{+X6MOOWи6s}&no^F{y"S۝Er dZKp|]av^JreH˷bgfitLeb`l "Z`|i/Y`&c1 s* }l3pڳ `Ϙɧb_?ؠcփ0 I'}wsOnyUcG6~ zi1b`{7=;#[(4ϷQ5rRl2y6PC*lγ>AqHlBO//'Wa9L96=RJ 2=cte>ugc5NZ:<*C)/TʜYe/(QUmq'F.҂^ߍK]bRvYLvLʪH'٭TS82V6ZZaoaqVZF HU EM#/ PNFC~g$2@|)AU$UHU*J5}Urk4rO,ش,>6W"h -z; ezzX-,sK"hJgԋ_q[rn)ty4ņ5ѣ(4CFup0 O+os{KIl/kK{@utS6dUuZ]J_D'sL؞EA('d:)dnQ==׍![^H &|ݙCadJH5 ]Uj{_ 1K4G\0BR1|B$r UN7._VZvq *s>PV9Oɷwnj‰,SXx|{ [PHXXD>ġifR{e">QT㘘ٿ~[( L $q)YUihja{i12A$KzWuٽtg|L8@wut{WGAwqa^ҸGZ`>*uڝ1U/ozR&FøDo9)P K cE1>bt߫]=/co[vtaF.:g(V@iDWNzARlݼ^/~.z7(1^utx޵x\Oc;R%9!hUHӋN&:a3hmǛ&%ckC2 xmdL6 Z(XťwpfiZ ^/k=W17U8ވFhv[G_aݪ,d20!&*tṽ}E9ǀzB:/Z#Y%LB[( `M/Щ caLFrEl&zZG>egiřπ/QENQ):VrvPEr}#= ](3vcvd\:Gw*b9,_}hrrӅ[ `С{$smCgLرDݘ~zNhso. cgm:{@FP$"BQD=%,`ԧ*h 5nWKotA?#Wi] :7uipjt`~%X@2oBOH4b5~ÿ|뢧  r{k_=#g䢅q+~P{20tKtؗe{qOKn<]1hn鈧4lLgI")Vz5w7`\8%/+wr62Ӣ @7YM (f~Z;pOʠ%cc}d}ݸw[f1viÉfP%( Q>]awP{_zÞ6YiEu/K\ -"PnZY|Hז%0)7ZI޲mrq&߸3 klL!|@$j(%;]ޚ`BOh&H QQXs,s|ҶZzum"Jv:GT<&K`K4I*Jrt#[5u;x$Ղ/a-HN&.MZHr4_ bGU*n˱WXHTS{2޺~@sMM7.l[a4f'5p[>:$I>8ǹP_""+h׀,q$jdl`#4Ln"WDSRϘhmٵ슉x,$rӚ҉>` ܕt֐t[!d@h"@K.I 0_N^LK!OKVݖAkgPt_ {_MemtSs5`-U/Wu所OKEP$ELus+sr1ljtU%U,kgYY,΂D_o\T×}cN|vng`PtBC]>K/a^E7ad^k[T*kK +o@37F-[<tf1^L׀%'j͉&,Gԇt=X-s:5\k "`A8j#wBK-9B.YpHs:1%HG<y^ I+'UQ 0=ķJ3lYF͗ؒ_ۉm;ݑ"5}}:T 'Sqfz>u&,2_`|% JHܩjuы~r&7 BIX"Bq ChlSxr 0DтDp[䵩9_a^*)Hίl78ŝ+P<gKJxmc I i$ӆFy[a ;0V@aJŐZܐd; "_z\ hݎt*c.; DL"_JxMb-)Чrܕߥ<+wXP~m܍-U\ wJY@%dv榘s :Qcp!mqmn[K;b#׋B?7IRS:Ŕ: i8G:Ż$7<_:_ک)cL)햯iuN Ȩ;/S4-C*>taQI”Y,woɱ/b~y<'\^ OT^[¬2oUjmg$S R57oa ͽȪhF̊>t%ۼR͊rWjp,sFۺt !(d ƗY'6sZIHgcS8WhƊ8cYX[S@wF@R wK$=D\/c>ܻF&?_ K{~i[ O`ھ%) d^1ϴT ' LatX.!ZpP]}zUccgtO51ݠ[^2-~7]݃~OeьS9x`G;qxh`T⯠œ6bVPh |  ЌBMwĭn Z^0э~T 3,K?c"&)K=Mѽ.a m0By7꤯ 7vG.FڻEL]KQXcJ:*f5\?ԝST#䉯=MH&o-DcঐQ~x U M:@9eׅ|'aU1sʉmOG[xMMWqb6RX FWx$=cqCvHrzذ]z~rm⋂>v%8E_)=6i[;L4>(C^P"^e’˅M}1Iq9rMJl @ע~MZ# O]c)i5+CۏAE!Lj>#A%ee3-t{(`2ΙTh,ZNtUTĥc.ŝZM9TK.KRG*+*ߕlW1 {BZ+jTes[ɧj*) iT-A8[h1=Hsr_3#lzYC 'J/k&m'a^vD7ge|W@O[fkhP♛U|֝uNؓRc:-:fp찌_?1;7%Ad Odׇn& ~iXm>H':t}jh ܇TbҴJ yvzVcTj~Ew(/9 .oĕպԴzYܧF(+*P6:gw|&|h&|z`GBK.kXl7 W*ZTf0辽 -Gp}X2; kF%.a\lGN$ av1 soa>8(->Øzp׳ƩljWkĢS4H v>x.5!o[I{m>Jz6;i(Ҧ33vb"톮kmnAf|3B{w^1~&jsas)bLce~P:K0̊ۊRo5Jۥ]aYJ"%N09ݱX z==a߷~m>9`V=L0lY&˸zJ <0]Lʎֿ|ֲ͈s%.R%,=M_cBy U1E%[)rUewޠ~z*ޟOJe~fnZ]{F'ȚZGt(J wKmm9tB'`DWZ8E :ћrP3HgO.4}A6ڄyiǥ4Y^ gMr//6\ixc#Vk3du sF@YfOGP56D:ivn;_Z rչ_tM=< wB&8 x`3]ܒ h >z(4xhgo3Y9$.+J1 Swa3v'ŸHVZC8ްnbķ |$rkIC9 3_nʡR0F$u*#:́ Z0h|iED#RhbGFcOs? MϤu:pxXҚ0!,YC) \ߢ0F$%xL1f a9=g3bwDxl/u z9 {k&(?,q֏D {GLƙ;fSZ,s ϾփPyTH"1XJ勁.JgUEt0 7 cn Q&@Ԕu7SI8׽0a s`EPf00a|L?gqxO^F 3+\f)u n9 :j@ g>򽉑0u9,2usx\fH֎>$Ѕ:x,@#!9ωKOc 76úޛZF `p3W VjMDO"ӡRs]j%ur\]ÀƠYU^&*_]Ӕ^*BI] / (HZ W}OCHIP`;w$h]__|"g"g78t9\noW;utڻtֽ\tLG?g&SRo4U9š6u&\ «1.y.r9,tG_04u8ug׋gQ~\e2>2@\9_^%e^?攟CyNߠo9P~S{3W ?W9sw3~=/=?/9q _s?}?P>G(W}#cn66oۜons/=IR<9k]T$RhK "S^9,r%{'sg+i^WKͮ0TntKL썆cn-:AbCa c|u$X2M&#(R^>Ȧc˼=>w懴Ix]"&J2˯-cENz%.~QFxdR$dZ+mFDgeAD1KAA0_w9ݧ,O ;H_ẽxĿ/NÙݞރ}nC7fn@x` ~iMogn[Fpyk;O΋kwյ ~3b 5y?'OtVf 4;) [ԙqe ޢDFEk@Ǥ zY8#las;Ğ~UbxzaQbl}6Tq< 5RYu8% HMԳpNQ?Ѱs73Pz:}K=s~o®|а- i7IղVJZ8~O+A"ð)&0#&_4vXV5rF(2B4|O۴W]7tS+rc<{+4pY-}"z5~B@N,W1"/cA6of)3^46T<gM~ o'2Pd Sebb{ˈLbT|Jx /q 9fX.>&]\ʠaCao/Yb+F;cp\;=m2 gbWIX`&rV21o@wXh =xQJ} O?gb+3b\^:&23M{6u\x| "e*1Ãf Qk`VϹeq-c6O-5U,%w|\tI_-˃a-C7]`b̜#/QxQp&tkW4|p;f9X<ap[b2 BLw u x&9{[qM HPf]32ˋ&g" ɷИYNCŊvsFd}#aq1<̡Pl@PJ]Xv&C. s@e8>cc>m=]wvl#knܙ% .H_;os_`&{ÄEZg%^#%&a"c'x M?Xw`W#׽~rh`=G(gQO%v TF\gȌQ)x>[ n='ID/n˦uM$f@gYl)VxRDڮ9=vRRļKl#mc|@ăx!$KVT^p|"$ϷϒΌLU"zδv{Di+Nޒ{־8 ;C>Bub<#U:.~m\*KxrHIhC>~EE~&OG ϿayH(t&Iw`S)1| j7;1Te]ZQYɶy SO~l϶(#o݊O66x}҂ ]@1Su .Ы v>cx Lw]-1ue|nHJU֧f2{O:з57b8[| ނ4ܨNaeVb05yMvSƸE_2"L-Ԧ?3w(\*],5Ał<qvvt2Q*Ү]^ x[9O`^ۺkAѾYmw0o>`5/Wvį-'yvJ~St 7tlm @JԽ >D73B*{ X^c 0У,:05 8u vKѺ N7"`aA0n,$9&@ Rr=c:p3z26 vQm`#N 40(|Nuu |Ua=vsaSΜ67 *χŀ{ʾ16^f+9uul g)C2^#s!?!LnH2m^^kte(n aaXJ`g~NTvQKeVnwާ+e={`os g>r7*Ѡ,jU z' 4mEgl3W'J^R۽wz"f/ROa6%s|N1Kik^ϦO*L㇅ wm&l2)v}mb-c6C-{1)