Well, thanks to the keen eyes of fellow higher ed tweeter @gilzow for spotting the article, plenty of these guys could tell you just how frustrating XSS attacks can be. There’s simply no avoiding the fact that the more dynamic and complex our higher ed sites get, the more prone we are to these exploits. Be it clever linking, actual injections, or brute force attacks on the systems that run things (admittedly not XSS in that case), this problem is compounded by the fact that we rarely have large offices staffed with the best of the best in application security testing before pushing out products for users. In many cases, these systems aren’t even complete, but rather “just work.” And even worse, as we outsource for systems like CMSs, some find themselves not only stuck with a system that they didn’t write, but budget cuts may be forcing them to limit the amount of support that they get.
The above article is talking about the use of XSS attacks to inject links into pages on trusted web sites. They were looking at sites in the UK using a pretty basic Google search. But fear not, we can apply this exact same technique to .edu domains in the US.
Scary, huh? What, you didn’t think we were immune, did you? Luckily, it appeared that most of the sites that show up early in the Google search have already fixed the injections. But the injections were there long enough to get picked up by crawlers, which in and of itself is enough to do a little damage. Just to give you a short list of some of the sites I saw affected (note that I tried to make sure to not include sites where these links were clearly coming from spam of a user forum):
- Brigham Young
- Lancaster Theological Seminary
- Arizona State University
- University of North Carolina at Charlotte
- Arkansas Baptist (right on the home page)
- Mount Olive College
- Grace Bible College (user is actually hijacked and forwarded to a 3rd party site)
- Ross University
- Sierra Nevada College
And then I got tired of following links. Some of these have been fixed, some have not. Actually, the further into Google you go, the worse it gets in terms of pages that just flat out redirect you, no questions asked, to an online pharmacy site. Odds are, there are some porn links out there doing the same. I would also mention that more than once I saw links involved that were coming out of a Moodle install. Another thing to note that I didn’t really pull into the list above were schools with things like forum and wiki spam that showed up in the search results. That’s not XSS, that’s just automated spam posting into an open system for the most part, but annoying no less.
The lesson? Be vigilant. Odds are, if you think your site and pages are secure, they aren’t. So have someone else try things out. Make friends with people on Twitter who will donate five minutes to try and do creepy things to pages. XSS is not something you just have to put up with; it can be prevented! Make Google your friend too, and try some of the common searches mentioned above on your site. I was happy to find no such content anywhere on our site. If you need some resources to help yourself out, take a look at:
- XSS Cheat Sheet
- Understanding XSS to prevent it
- Cross-Site Scripting explanation at Wikipedia
- WhiteHat Website Security Statistics Report (PDF)
- Testing for XSS
- Preventing XSS with code review
- Video demonstrations of XSS
- XSS Explained
Photo Credit: CC BY-ND 2.0 w0arz