Cross-site scripting enabled on 1000 major sites – including financial sites
Tue 23 Feb 2016
A CloudFlare engineer has discovered that 1000 of the top one million websites, including bitcoin holding sites and trading sites, are running a default setting that enables the biggest security menace on the internet – cross-site scripting.
Now CloudFlare engineer and former LastPass employee Evan Johnson has made a post detailing his examination of the top 1 million Alexa sites for evidence of compromised settings – and has found that about 1000 of the sites in the list are capable of being compromised because of running a header called Access-Allow-Origin.
‘I scanned the alexa top 1million for this misconfiguration and well over 1000 sites have misconfigured this header to be equivalent to a wildcard. These sites include bitcoin holding sites, stock trading sites, and…just everything…’
Johnson found the vulnerability whilst working on a legitimate use of domain-communication called Cross Origin Resource Sharing for the Stripe API. He includes an example (see image right) of how a CURL-enabled script could exploit the setting on a compromised server, though he does not mention whether ABC news (the subject of the script) are used as a mere hypothetical example.
The Access-Control-Allow-Origin header which Johnson claims the vulnerable websites are outputting is concluded with a wild-card asterisk, meaning that the sites in question are giving full permission for cross-domain communication via venerable protocols such as SOAP/AJAX XML exchanges.
As Johnson points out, there are valid uses for enabling cross-domain scripting, and a legitimate service exchange, for instance for Twitter or other syndication methods, seems likely to be the reason the sites in question are allowing other domains to access data. Though the author does not discuss it further, it’s possible that the more sensitive sites he claims are subject to the vulnerability have enabled the header in order to exchange data with entities such as apps.
The wild-card in the ACAO header is the kind of thing developers are supposed to remove after general functionality is established. In practice so many procedures get broken when attempting to define permissible domains that unanticipated delays in this regard can combine with looming deadlines to leave devs relying on ‘security through obscurity’.
Johnson notes that not all of the 1000+ sites he found running ‘Access Control Allow Origin: *’ are practically exploitable, but that many were. He does not mention if the financial sites he found running the header are among them. He also emphasises the enormous security risks that are enabled by a potential exploit of the header – particularly if a victim is already logged-in to a sensitive service.