web application security lab

XSS Irony

My good (and hilarious, I might add) friend Arian Evans from Whitehat Security sent this link out to a few people. Arian has a flair for comedy; you’d just have to spend some time with him to really understand what I mean. The link made me laugh, and so I am now sharing it with you. The link is to a page on IBM’s website describing the XSS filter protection in QuickPlace. The irony here is that the very page describing the virtues of XSS filtering is itself vulnerable to XSS. Oh, what sweet irony.

Of course, it’s not really a huge deal, so much as it’s embarrassing, and it is exactly the reason you should have someone who knows what they are doing looking at your security. In this case the XSS was injected into the xml:lang=… parameter. That’s a first! It’s an easy one to fix, and I’m sure it will be gone soon enough, but the irony made me laugh so hard that I almost spit water out of my nose when I saw it. The moral of the story? Make sure to check your own site for the vulnerability you claim your products can prevent.

14 Responses to “XSS Irony”

  1. phaithful Says:

    “the irony made me laugh so hard that I almost spit water out of my nose when I saw it.”

    That’s awesome… :)

  2. dre Says:

    I made a similar mistake recently, which was caught here:
    http://michaeldaw.org/papers/hotlink_persistent_csrf/

    While updating some rough thoughts on the OWASP page, I made the mistake of dropping some URLs into the wiki editor. One happened to be an image. I thought nothing of it, and mostly forgot about even creating that page. Then I saw that blog post (Google Alerts told me about it), so I quickly added some pre tags to prevent the hotlink.

    Scary thing is that it probably still exists through the wiki diff and history entries. Check it out for yourself here:
    http://owasp.org/index.php/Phoenix/ToolsProfile
    You’ll also want to check out my tools page, which isn’t really a WIP - it’s a great list of Web Application assessment tools and software.
    http://owasp.org/index.php/Phoenix/Tools

    It makes me wonder more about how difficult it is to secure and ensure privacy using even today’s cutting-edge software. The michaeldaw website recently spun off some research in blog security (the Blog Security Blog)… and we all know how classically secure many forums software packages are…

    But we can certainly add wikis to that list, with a special note to all of the concepts mentioned in my comment here… editing/diffs/history can all be very dangerous when you consider hotlinking, which makes Wikipedia and similar very scary indeed.

    Also - the XSS w0rm video on milw0rm.com (all properly named and hosted) demonstrates some Web2.0wned concepts against meebo which opened my mind to some very interesting ideas. When Web 2.0 and fat apps meet together, all sorts of interesting things can happen. Maybe you’ll hear more about this once I put some research into it. Meebo is one of the only Web 2.0 apps that interacts with a popular set of fat apps, so I’ll have to find at least one more example.

    Imagine owning meebo’s DOM and not only collecting buddy lists (as the author describes) but also pushing exploit payloads to fat apps (e.g. the recent Yahoo messenger bug). Web 2.0 just enabled another new vector for attack!

  3. Daniel Says:

    Arian is the funniest man in security, point!!

    Having spent loads of time with him, hell, it’s hard enough not to end up crying at some point in the evening.

    Next time you see him, ask him about the hotel lobby in Washington, with a certain man and his leg :0)

    That incident will go down in appsec history!!!

    Daniel

  4. Giorgio Maone Says:

    You didn’t notice the screenshot at http://noscript.net/features#xss since March the 20th, did you? :)

  5. hackathology Says:

    hahahah

  6. RSnake Says:

    Giorgio - that’s awesome, I had missed that, hahah… I saved it.

    Daniel - I’m not sure I heard that one - is that the one about the guy urinating on another guy? If that’s the one, yes, I nearly died laughing.

  7. Torstein Says:

    Hah! You’ve got the digg.com frontpage.

    Congrats :)

  8. Giorgio Maone Says:

    …and it’s the weirdest digg.com frontpage I’ve ever seen: looks like IBM is using a botnet to bury every single comment, instead of fixing the bug :D

  9. seosnafu Says:

    http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=

    :p

  10. RSnake Says:

    Wow… cool! I had no idea we were even dugg. For some reason noscript decided to block digg’s scripts. I must have inadvertently blocked it at some point. I’m on a business trip that will last a month, so I didn’t notice any increase in traffic.

  11. cenourinha Says:

    Great!

    558 diggs and counting…

  12. Arian Says:

    Oh, wow! I didn’t know that was on no-script. Brilliant.

    And yes: the hotel lobby incident in DC is in fact the same affair that features the one-and-only *Urinator* in action. It was quite a stream of entertainment that night.

    I feel like I have little to contribute these days though. Comedy Central has been hijacked by Cenzic’s blogs and our Double-Trap XSS friend.

    I hear Cenzic has a new Whitepaper coming out called “Where the Hidden Form-Fields Live”. Really looking forward to that! Great Stuff Guys!

    Hope to see everyone soon somewhere–preferably featuring adult beverages and brainless hot chicks, but then again, I guess the latter is pretty much what I do every night, so some change might be good…

  13. B-Con Says:

    It’s the 18th (three days into this) and the exploit still goes unpatched. :-P

  14. kFuQ Says:

    June 22 — xss page is gone, but sploit is still there