XSS Vulnerabilities Can Be Used to Hack Servers
Recently there has been some controversy surrounding ScanAlert's HackerSafe program with respect to its position on sites with XSS (cross-site scripting). This Information Week article gives the background. Essentially, ScanAlert believes that XSS vulnerabilities are only a threat to clients and/or their web browser.
In the article, the following statement is made:
Pierini maintains that XSS vulnerabilities aren't material to a site's certification. "Cross-site scripting can't be used to hack a server," he said. "You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."
Claiming that XSS can't be used to hack a server is just a semantic distinction. Of course, ScanAlert has to take that position, otherwise they would appear to be selling snake-oil site protection. I'm not passing any judgement on ScanAlert's mindset, but I would like to point out that XSS can be used to hack servers.
Any web-browser based attack that could be launched by an attacker could be re-packaged as an XSS payload. Here are a few possible examples of using XSS to attack a server:
- Brute-force login credentials
- Server port-scanning
- Data retrieval through SQL injection (SQLI)
When a user visits the site, the XSS payload would be launched and run in the context of the original site. Obviously, the same-origin policy allows the user's browser to connect back to the site, communicate with it via XMLHttpRequest, and potentially establish Java network sockets using LiveConnect. Clearly, these are all attacks against the server.
An attacker could remain extremely stealthy while conducting reconnaissance or attacking the server. By using many individual client web browsers as attack agents, the attacker never needs to connect to the site directly. With the addition of a third-party command and control site to coordinate across many clients, each user's web browser could be used to scan a single port on the server, attempt to log in with a few usernames or passwords, or retrieve a single row from the database using SQLI.
The reconnaissance or attack may go completely unnoticed, because by distributing the activity across a wide number of clients, it has been spread out in both time and space. It would appear as a bunch of little, organic attacks, not as a big, coordinated one. Heuristic-based IDS, IPS or DLP protections may never fire if the attack is subtle enough.
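The detection gap described above is a question of what the alerting logic aggregates on. A rule that counts failed logins per source IP never sees the distributed campaign, because each hijacked browser contributes only one or two attempts; the same events aggregated per target account, with the number of distinct sources as a second signal, stand out immediately. The following is an added example, not code from the original post, that runs both views over a constructed log (the `timestamp ip user result` format and the threshold values are assumptions made for the illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the original post): a low-and-slow,
# distributed guessing campaign against one account, where each client IP makes
# at most two attempts, plus one legitimate successful login for contrast.
SAMPLE_LOG = """\
2008-01-14T10:00:01 203.0.113.5 alice FAIL
2008-01-14T10:04:17 203.0.113.9 alice FAIL
2008-01-14T10:09:42 198.51.100.23 alice FAIL
2008-01-14T10:15:03 198.51.100.77 alice FAIL
2008-01-14T10:21:55 192.0.2.12 alice FAIL
2008-01-14T10:28:10 192.0.2.44 alice FAIL
2008-01-14T10:33:27 203.0.113.5 alice FAIL
2008-01-14T10:40:09 198.51.100.8 bob OK
2008-01-14T10:45:31 192.0.2.90 alice FAIL
2008-01-14T10:52:00 203.0.113.61 alice FAIL
"""


def parse_log(text):
    """Parse 'timestamp ip user result' lines into (datetime, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _exceeds(timestamps, window, threshold):
    """True if any sliding window of length `window` holds at least `threshold` events."""
    timestamps = sorted(timestamps)
    start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def noisy_sources(events, window=timedelta(minutes=10), threshold=5):
    """Classic per-source rule: IPs with >= threshold failures inside any window.

    Returns the sorted list of offending IPs. Against a distributed campaign
    this list stays empty, since no single client exceeds the threshold.
    """
    per_ip = defaultdict(list)
    for ts, ip, _user, result in events:
        if result == "FAIL":
            per_ip[ip].append(ts)
    return sorted(ip for ip, stamps in per_ip.items()
                  if _exceeds(stamps, window, threshold))


def targeted_accounts(events, window=timedelta(hours=1), threshold=5):
    """Per-target rule: accounts with >= threshold failures inside any window.

    Returns {account: number of distinct source IPs}. A high failure count
    spread over many sources is the signature of the distributed, browser-
    relayed guessing the post describes, and it fires where the per-IP rule
    does not.
    """
    per_user = defaultdict(list)
    sources = defaultdict(set)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_user[user].append(ts)
            sources[user].add(ip)
    return {user: len(sources[user]) for user, stamps in per_user.items()
            if _exceeds(stamps, window, threshold)}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source rule fires on:", noisy_sources(evts))
    print("per-account rule fires on:", targeted_accounts(evts))
```

On the sample log the per-source rule reports nothing, while the per-account rule reports `alice` with nine failures from eight distinct sources in under an hour. The same change of aggregation key applies to the other cases in the post: count connection attempts per destination port across all clients rather than per client, and count database errors per query pattern rather than per session.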
These aren't any new ideas (see "10 Quick Facts..." in this paper). Really these are the same old XSS attacks against LAN clients, but targeting the originating server instead. Just something to keep in mind when someone claims XSS can't be used to hack a server.
And for more excellent commentary see Jeremiah Grossman's comments as well as Jericho's (from attrition.org).