Thursday, August 27, 2009

Sears Victim of XSS Attack

URLs using Search-Spider-friendly real words pose a security risk for a Cross-Site Scripting or XSS attack, if your Website also uses cached pages (for speed) and no database confirmation of the URL wording when posting the pages online.

Think those three conditions wouldn't co-exist in the real world, at least not on a high profile site? Think again! Storefront Backtalk reports on the spoofing of the Sears eCommerce site, where hackers turned a page for a gas grill into a "human cooking" device!

Using URLs that mimmicked the "breadcrumbs" on site search, the cached pages were accessible to spoofers who figured out how to grab them and change their URLs. This then changed the wording of the items shown on the page.

“Someone visiting our site defaced a couple of product pages on last Thursday,” Sears spokesman Tom Aiello said on Monday, Aug. 24. “At no time was any of our data [on the back end] compromised. We’ve already taken steps to prevent this from happening again. We sincerely apologize to any customers who may have seen this on our site.”

Reported Strorefront Backtalk: "The person who claimed credit called himself gfixler and said that he noticed that the text displayed on Sears’ site was taken from the URL and that made it pretty simple to change category names by altering the URL and hitting 'send.' The site responded with a page that displayed the altered labels.

"The mistake Sears made," said another hacker, was that instead of having look “at a local database to determine the category and subcategory of an item, they put the category string and subcategory string into the URL” and assumed or trusted the strings would not be tampered with by users before the URL is loaded. “A more severe form of ‘trusting data from the user’ makes Cross-site scripting or XSS attacks possible. In an XSS attack, not only is data from the user trusted enough to display, it isn’t sanitized before it’s used, allowing someone to execute arbitrary code or arbitrary database modifications simply by sending data the programmer didn’t anticipate.”

No comments:

Web Analytics