Cross-Site Scripting Strikes Again
Posted by hyperguard on April 8, 2010
A new type of cross-site scripting (XSS) attack that exploits commonly used network administration tools could be putting users’ data at risk. Recent research by nCircle, provider of vulnerability management and compliance auditing solutions, outlines a new category of attack called “meta-information XSS” (miXSS), which could be difficult to detect. Tyler Reguly, lead security research engineer, states in his whitepaper that the attacks are taking the meta-information provided by various services and displaying it within the rendered Website.
Currently, there are three types of XSS attacks: reflected, persistent, and DOM-based. According to the whitepaper, reflected XSS refers to an attack that occurs when user input is reflected back at the user. Persistent XSS attacks store user input, letting it affect a broader scope of visitors. DOM-based XSS is an attack that modifies the Document Object Model directly without requiring data in the HTTP response.
Reguly says the XSS vulnerability could become a growing threat in the future since these Web-based tools are often used to quickly resolve network administration issues. New types of XSS attacks being found stresses the importance of shielding applications with a distributed web application firewall (dWAF) to protect against them.