Thursday, December 18, 2008

Web Attacks: AMEX, Facebook XSS, Clickjacking

Cross-site scripting (XSS) is nothing new and affects many web sites, but American Express and Facebook were reported hit this week in separate incidents.

The Register reported the American Express issue and detailed a lot of bureaucratic foot-dragging that prevented it from getting fixed right away. The Holistic Security blog had some more details, but neither posting explained exactly what happened other than to say the exploit could have lead to the theft of login credentials by cookie hijacking.

The XSS vulnerability on Facebook was posted on xssed, a blog dedicated to uncovering XSS exploits. Details are in The Register and SC Magazine.

In another, all-too-common web exploit, called clickjacking, links to malicious code are embedded in Flash on banner ads. This article by John Strand on SearchSecurity does a nice job of explaining clickjacking, how it differs from XSS and a related exploit, cross-site request forgery (XSRF) and how it can be prevented by appropriate web usage policies rather than implementing a technical control.

The idea is that if an employee is visiting a non-work related web site, they could be penalized for wasting time web surfing, an activity prohibited by the company's security policy.


Blogger Rafal Los said...

@"IT Security Guy"...

- ClickJacking is hardly "all too common" in fact - it's an attack no one that I know of in our community has seen being exploited in the wild? If you have some actual data please do share it with the community

- Can you explain how "appropriate web usage policies" can prevent ClickJacking? I've spent the last few months writing and telling people there is one "prevention" - FireFox w/NoScript

- The last paragraphs worries me because it's demonstrating your mis-understanding of the most recent security exploits. If the "mass SQLi on corporate websites", recent IE exploit, or some of the other public exploits of the past few months have taught us anything it's that it's not just "fringe" sites that are being targeted by hackers. To the absolute contrary - hackers are now exploiting sites like (I'd love to see someone tell me a legitimate reason for blocking this site from a corporate location) to deliver their exploits and malware.


11:48 PM  

Post a Comment

<< Home