Technical Perspective
Attacks Target Web Server Logic and Prey on XCS Weaknesses
By Helen Wang
A system is secure only if the entire system is secure. While this may sound obvious, achieving total security throughout a system is rarely trivial when you consider that many real-world systems are constantly evolving. In the following paper, “The Emergence of Cross Channel Scripting” (XCS), Hristo Bojinov, Elie Bursztein, and Dan Boneh highlight this problem.
The systems examined in the paper are embedded Web servers, which have become prevalent for the system management and configuration of consumer electronic devices like digital photo frames, wireless routers, and network-attached storage (NAS) appliances.
Web applications have long suffered from cross site scripting (XSS) vulnerabilities. An XSS vulnerability in a Web application allows an attacker to inject attack scripts into the Web application; those scripts then execute in users’ browsers with the privilege of the Web site. A particularly damaging type of XSS is persistent XSS, in which the injected script persists beyond a browsing session and across different browsing users. For example, the infamous Samy worm exploited an XSS vulnerability in MySpace.com: the attacker (Samy, in this case) injected a script as part of Samy’s (persistent) user profile. People who viewed Samy’s profile found their own profiles infected, as did the viewers of their profiles, and so on.
The XSS problem is amplified in the embedded Web server setting, where Web servers co-locate with other services, sharing the underlying device resources, like the file system. For example, several NAS appliances both expose a Web interface for system management and allow file uploading through FTP, SMB, or a P2P service. Because the file system is shared between the Web server and these other file uploading services, an attacker can upload a file with a specially crafted file name that contains a malicious JavaScript. Later, when an administrator of the device configures the device through the Web interface, the malicious file is loaded in the address bar and the malicious JavaScript executes.
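The file-name channel described above comes down to one rendering decision: whether the Web interface treats names read from the shared file system as trusted markup or as untrusted data. The following is an added illustration, not code from the paper or from any of the devices it examines. It assumes a hypothetical management page that lists the contents of a share; the file names are constructed samples, and the second one stands in for the kind of crafted name the text describes. The vulnerable renderer embeds names verbatim, the hardened one HTML-escapes them, and a small defender-side check flags names that carry markup metacharacters so an appliance's upload services could log or reject them.

```python
import html
import re

# Constructed sample listing of a NAS share. The second entry is the kind of
# crafted file name the text describes: script markup where a plain name is
# expected. (Constructed data, not taken from any real device.)
SAMPLE_FILE_NAMES = [
    "holiday-2009.jpg",
    "<script>alert('xcs')</script>.jpg",
    "report & notes.txt",
]


def render_listing_vulnerable(names):
    """XCS-prone pattern: file names are dropped into the HTML unchanged.

    Whatever another channel (FTP, SMB, P2P) wrote into the file system is
    therefore emitted as markup in the administrator's browser.
    """
    rows = "".join(f"<li>{name}</li>" for name in names)
    return f"<ul>{rows}</ul>"


def render_listing_safe(names):
    """Hardened pattern: every name is untrusted data and is HTML-escaped.

    quote=True also escapes quotes, which matters if a name ever ends up
    inside an attribute value rather than element text.
    """
    rows = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f"<ul>{rows}</ul>"


# Characters and fragments that have no business in a file name shown on a
# management page. A coarse detection heuristic, not a parser; escaping on
# output remains the actual fix.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def flag_suspicious_names(names):
    """Return the subset of names that look like markup rather than data."""
    return [n for n in names if SUSPICIOUS.search(n)]


def contains_script_tag(rendered_html):
    """Check used below to show the difference between the two renderers."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_listing_vulnerable(SAMPLE_FILE_NAMES))
    print("hardened:  ", render_listing_safe(SAMPLE_FILE_NAMES))
    print("flagged:   ", flag_suspicious_names(SAMPLE_FILE_NAMES))
```

The escaping function is the load-bearing part: it makes the page correct regardless of which channel wrote the name, which is exactly the property an embedded server needs when it cannot control its co-located services. The heuristic check is a secondary signal for monitoring or for the upload services themselves.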
sumption that the global state (such as the file system) is shared with others. To make things worse, if any of the services has a security hole, all services can be affected. Here, the authors talk about reverse XCS vulnerabilities, where a Web server’s XSS vulnerability can cause private data from other services to be leaked.
Based on these keen observations, the authors uncovered real-world XCS vulnerabilities in a slew of embedded systems, including several NAS appliances, lights-out management (LOM) systems, and photo frames. The authors also explore cellphone-based XCS, where the Palm Pre is vulnerable to an XCS attack that injects its payload through a calendar title or content.
The authors note some initial directions for defending against XCS, mostly along the lines of preventing information leakage by restricting the destinations of the outgoing network messages. This is indeed an interesting direction. The heart of the problem here is to construct such a policy. To me, a more fundamental solution would be to address the root cause of the problem and eliminate any state sharing of independently designed services. If cross-service sharing is needed, the service designer must enable such sharing explicitly.
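The alternative proposed in the paragraph above, no implicit shared state between independently designed services and sharing only by explicit enablement, can be made concrete with a small mediator. The code below is an added sketch written for this perspective, not from the paper or from Microsoft Research; the service names, the `StateBroker` API and the single uploaded file name are all constructed for the illustration. Each service owns a private namespace, a read by another service fails unless the owner has issued a grant, and data received through a grant is still handled as untrusted input by the consumer.

```python
import html
from dataclasses import dataclass, field


@dataclass
class ServiceState:
    """Private namespace of one service plus the read grants its owner issued."""
    owner: str
    data: dict = field(default_factory=dict)
    # grantee name -> set of keys that grantee may read
    read_grants: dict = field(default_factory=dict)


class StateBroker:
    """Mediates every cross-service access to device state.

    There is no global file system or other ambient shared state here: a
    service can only read another service's data after that service has
    explicitly granted the specific key. This is the design stance of the
    text, expressed as a hypothetical in-memory broker.
    """

    def __init__(self):
        self._services = {}

    def register(self, name):
        self._services[name] = ServiceState(owner=name)

    def write(self, service, key, value):
        # A service writes only into its own namespace.
        self._services[service].data[key] = value

    def grant_read(self, owner, grantee, key):
        # Sharing is an explicit act by the owning service's designer.
        self._services[owner].read_grants.setdefault(grantee, set()).add(key)

    def read(self, requester, owner, key):
        state = self._services[owner]
        if requester != owner and key not in state.read_grants.get(requester, set()):
            raise PermissionError(f"{requester} has no grant for {owner}:{key}")
        return state.data[key]


def render_for_admin(names):
    """The Web service escapes shared data on output even when a grant exists."""
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


def demo():
    """Walk through upload, blocked implicit read, explicit grant, safe render."""
    broker = StateBroker()
    broker.register("ftp")
    broker.register("web")

    # Constructed upload through the FTP channel with a crafted name.
    broker.write("ftp", "uploads", ["<script>alert('xcs')</script>.jpg"])

    # Without a grant the Web service cannot see FTP's state at all.
    try:
        broker.read("web", "ftp", "uploads")
        implicit_read_blocked = False
    except PermissionError:
        implicit_read_blocked = True

    # The FTP service's designer explicitly enables read access to one key.
    broker.grant_read("ftp", "web", "uploads")
    names = broker.read("web", "ftp", "uploads")
    page = render_for_admin(names)
    return implicit_read_blocked, names, page


if __name__ == "__main__":
    blocked, names, page = demo()
    print("implicit read blocked:", blocked)
    print("granted names:", names)
    print("rendered page:", page)
```

Two properties are worth checking when applying this idea to a real appliance: a service must not be able to reach another service's state through any path the broker does not mediate (a shared directory, a common database, a world-readable socket), and a grant should be as narrow as the sharing use case allows rather than a blanket read of everything the owner holds.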
By highlighting the vulnerabilities that still exist, this paper offers a valuable lesson in—and interesting read about—system security.
Helen Wang (helenw@microsoft.com) is a senior researcher leading the Security and Privacy Research group at Microsoft Research, Redmond, WA.