Cross-site scripting (XSS) is a frequent topic on security forums because
it is a common web application flaw that can lead to variety of unpleasant
surprises. One of the more frequently seen abuses of an XSS flaw is in the
aid of a phishing attack. With the advent of Extended Validation (EV)
certificates coupled with the accompanying browser UI changes, some XSS attacks will
become much more powerful.
By now, most users are familiar with SSL certificates, which are used to
authenticate one or both sides of an HTTPS connection to the other. EV
certificates are a step up from a
more pedestrian SSL certificate as the recipient must undergo more scrutiny from the
certificate authority (CA) before being granted one. We covered EV certificates in more
detail in November 2006, but they are just now starting to be installed
the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of
the 4,000 or so sites with an EV certificate, but it also has an XSS
problem. So anyone using the site for XSS purposes now gets the benefit of
the higher trust that is supposed to be embodied in an EV certificate.
Browser vendors are being encouraged to highlight the EV certificates in
their UI so as to give users more confidence in those sites. The most
recent Firefox 3 betas as well as IE7 are highlighting the site name in
green in the address bar to denote this higher trust. Unfortunately, the
extra validation does not extend to testing the site for XSS flaws, which could
leave users easily fooled.
A phishing attack could use an XSS flaw in a search box or error message, for
example, to add content to the appearance of a site. That content is really coming
from the XSS attack but it would appear under the "green means go" address
bar for the EV certificate-protected site. That content could include a
login screen that sent the credentials elsewhere or a cookie stealing
attack for session hijacking. For any site with sensitive information, XSS
attacks are already a problem, EV certificates just add another mechanism
for exploiting the user's trust.
Much like the padlock icon that appeared many years
ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is
somewhat difficult to explain. Based on the vetting process for EV
certificates, there should be a real entity behind an EV
certificate—or at least there was one at the time of
issuance—but it is by no means an endorsement of the security of everything on a web
page that has one. It is, like the original padlock, more nuanced than that.
Unfortunately, users are not good at security nuances. They want yes or no
answers to "Is this site safe?"; that answer is nearly always "maybe" or
perhaps "probably". At one time, the padlock icon was seen as a "yes" answer;
now the green address bar may take its place. Somehow users need to be
taught to look beyond simple answers and websites need to clean up their
act so that their users are not scammed.
The number of sites with XSS
problems is staggering (a look at xssed.com
is instructive) and new ones crop up all the time.
In many ways, XSS is an attack against users rather than directly against a
site. This may make it less of a priority to fix than a direct attack,
like a SQL injection, might be. That is very unfortunate for their users, especially if
they have a shiny new EV certificate.
to post comments)