OWASP and reflected XSS
Did you know that both bees and ants evolved from wasps or wasp-like ancestors? That most wasp species are solitary, and don't form hives? That the earliest fossil wasps found lived in the Jurassic period? That some of them prey on Tarantula spiders? That the smallest known insect (smaller than some amoeba) is a wasp, yet the biggest wasps can have wingspans of over 11 cm? Well, now you know.
As interesting as wasps are, not everyone likes them. However, everyone working with computer security should appreciate the resources the Open Web Application Security Project (OWASP) provides. It is an unbiased source of information, advocates open standards, and provides many tools for testing and education. One resource it is known for is the OWASP Top Ten list of web application security risks - very relevant in our line of work.
Cross-Site Scripting (XSS) is currently number seven on the Top Ten list. It is a very common attack that usually targets the web browser, and can allow session stealing and account takeovers, or even worse. Reflected XSS is a form of XSS where the attack payload is typically stored within a web link, e.g. in a spam email or a web comment, and the victim is tricked into clicking the link. The link can point to a non-malicious site, like your own, but when clicked by the victim the payload code will run in the victim's browser, using the victim's session and access credentials on your site, while sending information back to the attacker.
Responsible disclosure is the best practice to avoid dangerous information falling into the wrong hands at the wrong time. (Sidebar: Security at eZ Systems is divided into product security, which I work on, and corporate security. Sometimes they overlap, when we use our own products in corporate services. Though if you report an issue to us, you don't have to worry about this distinction. We'll take care of it.)
Karlsson had discovered that one of our services was vulnerable to reflected XSS, and it was serious. User input to an HTTP GET parameter was not filtered as it should have been, any content was accepted. We all know this should not happen, but sometimes a bug slips through the cracks, despite thorough reviewing and testing.
The vulnerable service was running on eZ Platform, but the actual vulnerability was in an internal bundle we have not released publicly. Within an hour of the notification, corporate security had localized the problem, the fix was completed and deployed later the same day. Karlsson kindly confirmed that this was so on his end as well, and we could all breathe easier.
Closing the hole
Avoiding XSS issues boils down to perhaps the most central tenet in computer security lore: Do not trust user input. This is much like how you might think twice about eating something if you didn't know what it contained or who had made it. You can prevent XSS by filtering input and escaping output. Frameworks can help with this, as some of them do it for you. Symfony Twig is one example.
Automatic code scanners exist that can catch some of these vulnerabilities by analysing your source code. There are also penetration testing tools that can run automated attacks against your running service. The OWASP Zed Attack Proxy (ZAP) is one such. Security companies like Omegapoint provide services such as auditing, consulting, training and testing, to help you avoid getting stung.
You may also get such a message from a security company one day. Be very grateful when this happens, because they have done you a great service. It's hard to believe, but some people and companies react with anger, suspicion and even lawsuits. Don't be that person. Responsible security experts make the web safer for everyone.
Omegapoint's Vision is to secure the development of our clients.
It delivers custom-tailored solutions and consultant services for clients that value security, quality and risk control.
Its business area Security delivers fully secure IT solutions, security testing and expert consulting services within the areas: Risk & Security Management, Secure Architecture & Applications and Secure Infrastructure.