
Once upon a time, the Web was filled with static pages of text, hyperlinks, and the occasional image. Security problems existed even back then, but the pages themselves were generally innocuous. As the years went by, however, the Web became a platform for all sorts of communications and services. In time, the mild-mannered web page became a delivery mechanism for large-scale, dynamic applications. Even mobile browsers now include engines for loading powerful object-oriented programs. As the capabilities of websites expanded, the problem of HTML injection, or cross-site scripting (XSS), became a significant threat. Check any recent research on web-based threats, and you’ll find that this type of vulnerability is widespread online. And if the past few weeks are any indication, we can expect more trouble in the future.

HTML injection itself is hardly a recent issue, but current trends make it more common and more dangerous. In particular, the rise of user-generated content and “mashups” has led to far more data being shared across security contexts in real time. One example made headlines last week after a few Twitter users discovered they could manipulate the site’s system for parsing links within a post to add custom HTML. Several tweets crafted to exploit this issue spread virally, as an action as simple as moving your mouse over the tweet could trigger code that would post the same tweet under the victim’s account. Twitter’s entire product relies on user-generated content, but a simple filtering problem led to the rapid spread of XSS worms. Fortunately, none of these cases appeared to be that malicious.

In the realm of mashups, many sites are adding code to integrate with Facebook, providing users a single sign-on experience. A few websites have access to “instant personalization,” a feature that lets the sites identify Facebook users when they first visit rather than after clicking a login button. Soon after Facebook announced this program, a security researcher discovered that one of the partners, restaurant review hub Yelp, had an HTML injection vulnerability. With the addition of Facebook’s code, Yelp’s hole could be exploited to let an attacker automatically identify Facebook users as well. More recently, two new partners were added to the program: Rotten Tomatoes and Scribd. Soon after the announcements, similar problems were found in each of these sites. Ironically, Rotten Tomatoes’ pages were generally secure against HTML injection, but a third-party widget loaded by the site introduced a vulnerability.

HTML injection on one site threatens information and actions available to users of that site. But with so many websites sharing data between users and other companies now, one vulnerability may allow access to multiple services. And the problems don’t stop with the browser – injected code can try exploiting other issues that lead to compromising a user’s operating system. Meanwhile, the spread of mashups shows no signs of slowing. In fact, this past week Facebook’s COO Sheryl Sandberg predicted that within a few years, nearly all websites will automatically adapt to a visitor’s interests. Yet that sort of functionality requires identifying a visitor’s interests somehow, and Facebook’s instant personalization is one example of how that’s possible.

Securing a Web with so much data getting passed around is not an easy task. Douglas Crockford, a leader in the JavaScript community, has recently advocated that browser makers stop work on HTML5 and instead focus on building a more secure framework for handling scripts. Yet it’s more likely we’ll see a universally personalized Web before we see such functionality become mainstream, meaning web developers need to keep paying close attention to possible HTML injection issues. Preventing such vulnerabilities in an application would require more than a simple blog post, but fortunately many resources exist online, and the team at Gemini is ready to help you secure your code. In the meantime, I hope that the buzz about Twitter’s worms and the problems with instantly personalized sites helps draw more attention to HTML injection as the Web continues to expand. Hopefully future developers will learn from these stories and reduce their frequency in the future.
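The link-parsing flaw described above comes down to an autolinker that drops a user-supplied URL into an href attribute by string concatenation. The following is an added example, not code from the original post or from Twitter, that contrasts that pattern with a hardened autolinker which HTML-encodes untrusted values for the attribute context and only links http(s) URLs; all function names and the sample tweet text are hypothetical.

```javascript
// Added example (not from the original post). Names are hypothetical.

// Encode a value for an HTML attribute or text context: the five characters
// that can change the structure of the surrounding markup.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Allow only http and https links, parsed with the URL API rather than
// pattern-matched, so other schemes are rejected outright.
function isSafeHttpUrl(candidate) {
  try {
    const u = new URL(candidate);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false; // unparseable input is not a link
  }
}

// Anything that looks like scheme://something up to the next whitespace.
const URL_PATTERN = /[a-z][a-z0-9+.\-]*:\/\/\S+/gi;

// Vulnerable autolinker: raw concatenation. A quote inside the URL closes
// the href attribute early, so the rest of the "URL" becomes markup.
function linkifyVulnerable(text) {
  return text.replace(URL_PATTERN, (url) => '<a href="' + url + '">' + url + "</a>");
}

// Hardened autolinker: validate the scheme, then encode the URL in both the
// attribute and the text context. Rejected URLs are rendered as plain text.
function linkifySafe(text) {
  return text.replace(URL_PATTERN, (url) => {
    if (!isSafeHttpUrl(url)) return encodeHtml(url);
    const enc = encodeHtml(url);
    return '<a href="' + enc + '">' + enc + "</a>";
  });
}

// Constructed sample post containing a quote character inside the URL.
const SAMPLE_POST = 'look: https://example.com/page?q="x"';
```

Running `linkifyVulnerable(SAMPLE_POST)` shows the href attribute closing after `q=`, while `linkifySafe(SAMPLE_POST)` keeps the quotes as `&quot;` inside the attribute.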

3 thoughts on “Stopping HTML Injection is Hard; Let’s Go Shopping!”

  1. Alpaca says:

    how did you prevent code injection

  2. Alpaca says:

    document.write("This is my first JavaScript!");

  3. Alpaca says:

    document.write("This is my first JavaScript!");
    ddfd
