Cross-site Scripting Attacks

A number of our sites have come under cross-site scripting attacks in the last few days. From reading other blogs this seems to be a pretty widespread wave of automated attacks, not specifically targeted at any of our sites.

Cross-site scripting is a technique used to either compromise the databases that lie behind many modern websites or trick the website into displaying some malicious code.

These attacks are pretty easy to carry out, as they only require changing some parts of the URL that visitors use to access your site. The URL is often used to pass parameters which carry information between parts of the site. For example, in a Content Management System the URL might carry a parameter like 'articleid' to indicate the page to be displayed, e.g. www.mycms.com/showpage.cfm?articleid=12367. Because the URL can be so easily changed, web developers need to validate all the data that comes from the URL to make sure it is what they expect before they start using it.

In this case, that means confirming that 'articleid' is a number. Unfortunately, this can sometimes be overlooked in the heat of development. An attacker could alter this URL parameter to include an additional database command or a link to a potentially dodgy site, e.g.:

www.mycms.com/showpage.cfm?articleid=12367';DELETE FROM articles;

If the articleid parameter is not just a number, we can assume that someone is fiddling with the URL and take appropriate action. Fortunately we develop our sites using industry-standard security techniques, so none of our websites seems to have been penetrated. If you have a site developed elsewhere, though, it may be worth checking with your developers that they are aware of the issue and have taken appropriate steps.
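The check described above, as an added example that is not part of the original post and is not our production code. It is written in Python with an in-memory SQLite table; the `articles` schema, the function names and the upper bound on the id are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_ARTICLE_ID = 2**31 - 1  # assumed upper bound for the id column


class BadRequest(ValueError):
    """A URL parameter was not what the page expects."""


def parse_article_id(url):
    """Return articleid as an int, or raise BadRequest if it is not a plain number."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("articleid", [])
    if len(values) != 1:
        raise BadRequest("articleid must appear exactly once")
    raw = values[0]
    # Allow-list of ASCII digits only; isdigit() alone also accepts other Unicode digits.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        raise BadRequest("articleid is not a number")
    article_id = int(raw)
    if not 1 <= article_id <= MAX_ARTICLE_ID:
        raise BadRequest("articleid out of range")
    return article_id


def show_page(db, url):
    """Look up the article title; the id is validated, then passed as a bound parameter."""
    article_id = parse_article_id(url)
    row = db.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None


def make_demo_db():
    """Constructed sample data: one article in an in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (12367, 'Welcome')")
    return db


if __name__ == "__main__":
    db = make_demo_db()
    for url in ("www.mycms.com/showpage.cfm?articleid=12367",
                "www.mycms.com/showpage.cfm?articleid=12367';DELETE FROM articles;"):
        try:
            print(url, "->", show_page(db, url))
        except BadRequest as err:
            print(url, "-> rejected:", err)
```

Validation and the bound parameter are two separate layers: the first rejects the tampered URL outright, and the second means that even a value that slipped past validation would be treated as data rather than as part of the query.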

This series of attacks was a good reminder to us though to go back and re-confirm that our code wasn't vulnerable - and also confirmed to us that the time spent securing sites is never time wasted.