Introducing Meta-Information XSS
A few months back I was playing around with DNS text records and started thinking about what I could include in them. Given that so much of my time is spent on web application security, my first attempt was a simple XSS. Then I just needed a web page to display the information, so I started looking at websites that perform DNS resolution and websites that verify SPF records. None of these websites filtered the data. This led me to start looking at other types of meta-information (or metadata) that we access, manipulate and view on a daily basis but never really consider as potentially harmful. Other places that came up included whois data, SSL certificate information, and server banners (SMTP/HTTP). I'm sure there are others, but these are the ones I looked at.
As I was looking into contacting the various websites, I started thinking about how to classify this type of XSS. While data has to be provided in some of the requests, you aren't providing the attack, so it's not really reflected. At the same time, nothing is stored on the server to be displayed to future users (at least nothing malicious), so it's not really persistent. It's also definitely not DOM-based. That led to the conclusion that this needed a new classification, and I decided to go with Meta-Information Cross Site Scripting, or miXSS (pronounced my-XSS).
When you think about meta-information, you're talking about data that describes data. If you consider a domain name to be a piece of data, then the whois information (owner, contact, etc.) describes that piece of data. The same is true of SSL certificates, banners, and DNS TXT entries. So combining it with XSS seems the most logical choice when naming this attack type.
When I contacted the affected sites that I'd come across, I wasn't really sure what to expect as a response. I had about a 50% response rate and was really happy with the replies. Most of them were surprised that something so obvious was missed and wasn't discussed anywhere.
I'm not saying that this type of attack is new and unique; in fact, when I discussed this with RSnake he pointed me to a post on http://sla.ckers.org/forum/ that referred to XSS via whois.
A number of readers are likely to look at this and say, "Nothing new here, what's the point?" I'd be willing to bet those people work in security and had a "that's obvious" moment when they saw this, but when you think about it, security mailing lists and conferences are often full of those moments.
I don't think this information is necessarily important for security professionals; I see it as being more important for developers and sysadmins. We always say "sanitize user input", but in this case the user input is clean, so we need to sanitize all information coming in, whatever its source. This is touched on by OWASP, but when I read the documentation I get the feeling that many people will still read it as "sanitize user input".
I discussed this with colleagues here at nCircle; they had never seen it before and were intrigued by it. I also presented it at TASK (a local security user group) and the feedback was great; a lot of people mentioned they found it interesting.
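As an added illustration of the "sanitize all information coming in" point (example code written for this edit, not from the original post or its white paper): a Python sketch of the page a DNS/whois lookup site might build, first interpolating the looked-up values straight into the markup, then HTML-escaping each value for the context it lands in, with a check that flags any markup-bearing value that reached the output verbatim. The TXT records, registrant string and server banner below are constructed sample data; no real domain, site or resolver is involved.

```python
import html

# Constructed sample data standing in for what a lookup site receives from
# the resolver, the whois server and an HTTP banner. The values carrying a
# <script> tag mimic the hostile metadata described in the post; none of
# these strings come from the original post.
SAMPLE_METADATA = {
    "DNS TXT": [
        "v=spf1 include:_spf.example.com -all",
        "<script>alert('miXSS')</script>",
    ],
    "Whois registrant": ['Example Corp "Hosting" <script>alert(1)</script>'],
    "Server banner": ["Apache/2.4 (Unix) <script>alert(1)</script>"],
}


def render_unsafe(metadata):
    """Vulnerable pattern: values are dropped into the markup untouched
    because they came from DNS, whois or a banner rather than a form field.
    The same value lands in a text node and in a quoted attribute."""
    out = []
    for source, values in metadata.items():
        out.append(f"<h2>{source}</h2><ul>")
        for v in values:
            out.append(f'<li>{v} <input value="{v}"></li>')
        out.append("</ul>")
    return "".join(out)


def render_safe(metadata):
    """Hardened pattern: every externally sourced string is escaped before
    it becomes part of the page. quote=True also escapes " and ', which is
    what makes the value safe inside the quoted attribute as well."""
    out = []
    for source, values in metadata.items():
        out.append(f"<h2>{html.escape(source)}</h2><ul>")
        for v in values:
            esc = html.escape(v, quote=True)
            out.append(f'<li>{esc} <input value="{esc}"></li>')
        out.append("</ul>")
    return "".join(out)


def unescaped_values(rendered, metadata):
    """Review check for a lookup page: which incoming values that contain
    markup-significant characters reached the rendered output verbatim?
    An empty list means every risky value was altered (escaped) on the way."""
    risky = [
        v
        for values in metadata.values()
        for v in values
        if any(c in v for c in "<>\"'&")
    ]
    return [v for v in risky if v in rendered]


if __name__ == "__main__":
    leaked = unescaped_values(render_unsafe(SAMPLE_METADATA), SAMPLE_METADATA)
    print(f"unsafe renderer leaked {len(leaked)} raw value(s)")
    leaked = unescaped_values(render_safe(SAMPLE_METADATA), SAMPLE_METADATA)
    print(f"safe renderer leaked {len(leaked)} raw value(s)")
```

The check deliberately looks at the data source list rather than at the rendered HTML alone: the question a reviewer of such a site needs answered is not "does the output contain tags" (the template always does) but "did any value we did not author arrive in the output unchanged".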
A number of the sites that I've contacted have been patched, and three of them allowed me to cite them. Kudos to WhatsMyIP.org, Ring of Saturn Internetworking, and SSL Shopper for quickly fixing the issue. Attached to this post, you'll find the presentation materials I used at TASK, along with a small white paper on the subject which includes examples.
In the end, I think by naming this, we're giving it a means for more people to become aware of it, and ultimately awareness leads to security.
