Google Indexes XSS on FBI.gov
Today another thread started on sla.ckers.org discussing how Google has continued to index working XSS exploits. This might not sound like news because I’ve discussed it before. This time it’s different. eyeced pointed out that this time Google has indexed not just any XSS but XSS in FBI’s website.
Last time Cory from Google said, flippantly, “Is XSS not part of ‘all the world’s information?’ ;)” and to that I responded, “if that were the case, then you’d bring back all the currently disabled Google dorks, no?” (He did not respond - big surprise.)
I would expect this to vanish quickly, but the point is the same. If someone can search for an XSS exploit so easily, or be inadvertently taken to a valid-looking URL that actually performs an XSS attack, that makes Google’s search results far more dangerous to consumers. They cannot trust that the page they are visiting will be benign, even if it is on a trustworthy domain (like FBI.gov). If the exploit had been loaded with a keyword that someone not looking for an attack vector might have searched for, it could easily be used to phish, steal credentials or worse, in a very believable way. Ouch.
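As an added example (not from this post or from sla.ckers.org), here is a small detection script a site operator could run over their own access logs to answer the question the post raises from the defender’s side: has a search-engine crawler already fetched, and therefore possibly indexed, a URL on my domain that carries an XSS payload? The log lines, hosts and payloads below are constructed, and the crawler user-agent list and payload-marker patterns are assumptions; it handles the percent-encoded case as well as the bare `javascript:` form quoted in the comments.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines for this example; the IPs,
# paths and payloads are invented and do not come from the post.
SAMPLE_LOG = """\
66.249.66.1 - - [12/Jan/2007:21:08:00 -0600] "GET /search.cgi?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.5 - - [12/Jan/2007:21:09:00 -0600] "GET /search.cgi?q=budget+report HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
66.249.66.1 - - [12/Jan/2007:21:10:00 -0600] "GET /cgi-bin/outside.cgi?javascript:alert('XSS') HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.9 - - [12/Jan/2007:21:11:00 -0600] "GET /news.cgi?id=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

# Apache "combined" format: ip ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed marker patterns for script injection in a request URL; matched
# against the percent-decoded URL so encoded and literal forms are both caught.
XSS_MARKERS = re.compile(
    r'<\s*script|javascript\s*:|on(?:error|load|mouseover)\s*=|<\s*(?:img|iframe|svg)\b',
    re.IGNORECASE,
)

# Assumed list of search-engine crawler user-agent tokens.
CRAWLER_UA = re.compile(r'googlebot|bingbot|slurp|msnbot', re.IGNORECASE)


def find_crawled_xss_urls(log_text):
    """Return (crawler_name, decoded_url) for every crawler request whose
    decoded URL carries a script-injection marker. Each hit is a URL that a
    search engine has fetched and may now surface in its results."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m['url'])
        if not XSS_MARKERS.search(decoded):
            continue  # ordinary request, nothing payload-like in the URL
        crawler = CRAWLER_UA.search(m['ua'])
        if crawler:  # only crawler fetches can end up in a search index
            hits.append((crawler.group(0), decoded))
    return hits


if __name__ == "__main__":
    for name, url in find_crawled_xss_urls(SAMPLE_LOG):
        print(f"{name} fetched payload-bearing URL: {url}")
```

The fourth sample line shows why the crawler check matters: the same payload from an ordinary browser is an attack attempt to investigate separately, but it is not something a search engine will hand to other users.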
January 12th, 2007 at 9:08 pm
Another XSS bug in the Department of Justice:
http://justice.gov/cgi-bin/outside.cgi?javascript:alert(’XSS)
January 14th, 2007 at 3:30 pm
Quoting RSnake: “They cannot trust that the page they are visiting will be benign, even if it is on a trustworthy domain (like FBI.gov).”
This is exactly what the problem is about! There’s a saying, “On the Internet, Nobody Knows You’re a Dog,” which means that you can never be absolutely sure that someone is who he says he is; therefore there are major trust issues. Do you trust your company? Do you trust your bank? Do you trust your government?
Much has been done and much is still being done to ensure fool-proof identification and authentication methods. PKI is a great thing in that direction.
The thing is that the home page of government.domain.gov may indeed be trustworthy but what about the pages in the back or dynamic ones?
For example, I use the NoScript Firefox extension to block most JavaScript as a precaution. A year or so ago I used to allow the entire domain of a site I knew and trusted. Later I realized that if there was an attack from that domain, it wouldn’t be because they were evil or because they deliberately let it go by (maybe they did). Security flaws that don’t affect performance exist until someone exploits them; therefore you can never be sure. Deciding to blindly trust a site is a hard thing to do.
What I’m saying is that we should really re-evaluate our relationships of trust. Maybe RSnake focused on the fact that XSS attacks for major sites can be found on Google, but I am more concerned that they exist in the first place!
January 14th, 2007 at 3:32 pm
Damn damn damn! Forgot to close (or mistyped the closing tag) and my entire post is one big URL
Please fix it. My intent was to add a link to “On the Internet, Nobody Knows You’re a Dog.”.
Thanks
P.S.: RSnake, maybe it’s time for a WYSIWYG
January 14th, 2007 at 4:33 pm
Hahah… fixed it for you. WYSIWYGs are for newbs.
No stress, we all mistype HTML at times.
But yes, I’d rather there be no XSS to begin with, and I’d really love it if search engines didn’t point me at potentially malicious web pages.