What kind of havoc can a simple XSS (Cross-Site Scripting) flaw cause?
Reading this week's feeds, we came across two cases in which a simple XSS turned into an immeasurable loss for the companies involved.
In the first case, the site of a company offering software in the SaaS (Software as a Service) model had its service defaced through an XSS: every customer who accessed the interface at that moment saw, instead of beautifully made graphics, a message requesting that the flaw be corrected, posted on behalf of the system's users.
Here it becomes difficult to put a value on the XSS, since we do not know the value of the services rendered by service-now.com, nor how many users probably saw the modified screen. Even so, having their domain and site exposed on a renowned professional site, and having prospective customers see the defaced site, certainly represents a great loss.
After seeing the post below, would you hand your data and requirements over to the company mentioned? Do you question the security of the online services they use?
The post about the security flaw in service-now.com can be read at: http://holisticinfosec.blogspot.com/2009/05/eweek-hypes-secure-saas-without.html
Another interesting case involving an XSS flaw this week was the Strong Webmail contest ( http://www.strongwebmail.com ). The contest challenged hackers to find flaws in the webmail system, paying ten thousand dollars to the winners (http://www.strongwebmail.com/secure/email/contests/hack).
The system had added a new security layer: to complete authentication, the user received a PIN on his or her mobile phone. However, exploiting an XSS flaw, the challengers sent an e-mail message to the company's CEO and hijacked his account, gaining access to it without ever using the PIN.
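The Strong Webmail case turns on one mechanism: the victim's own browser, already authenticated (PIN included), runs whatever script the message body smuggles into the page, so the second factor never comes into play. The Python snippet below is an added example, not code from the original post, from Strong Webmail or from N-Stalker. It models a webmail view that must display a message body written by an arbitrary sender, and shows two safe ways to render it: escaping everything, and an allow-list sanitizer for mail that legitimately carries simple formatting. The sample messages, the allow-list and all function names are assumptions for illustration.

```python
"""
Rendering untrusted e-mail content in a webmail view without introducing XSS.

Added example: not code from the original post or from any product it mentions.
Sample messages, tag allow-list and function names are assumptions.
"""
from html import escape
from html.parser import HTMLParser

# Constructed sample messages, not real mail. The second one carries the kind
# of active content a sender could place in a body; the view must neutralise it.
SAMPLE_MESSAGES = [
    {"from": "colleague@example.com", "subject": "Q2 numbers",
     "body": "Totals attached. 5 < 6 so we're fine & on budget."},
    {"from": "someone@example.net", "subject": "Hi",
     "body": "<b>Hello</b> <script>alert('xss')</script><img src=x onerror=alert(1)>"},
]

# Tags the view is willing to reproduce. Everything else is dropped, and no
# attribute is ever copied through (attributes are where event handlers live).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags, with all attributes
    removed and all text re-escaped. Unknown tags vanish but their text is kept;
    the *content* of script/style elements is discarded entirely."""

    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs deliberately ignored

    def handle_startendtag(self, tag, attrs):
        if self._skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so escape it again here.
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=True))

    def result(self) -> str:
        return "".join(self.out)


def render_plaintext(body: str) -> str:
    """Safest option: treat the body as text. Escaping <, >, &, quotes makes the
    browser display the characters instead of interpreting them as markup."""
    return "<pre>" + escape(body, quote=True) + "</pre>"


def render_limited_html(body: str) -> str:
    """For senders who need bold/italic/paragraphs: allow-list, never deny-list."""
    sanitizer = AllowListSanitizer()
    sanitizer.feed(body)
    sanitizer.close()
    return sanitizer.result()


def render_message(msg: dict, allow_html: bool = False) -> str:
    """Assemble the view. Header fields are attacker-controlled as well, so they
    get the same escaping as the body."""
    body = render_limited_html(msg["body"]) if allow_html else render_plaintext(msg["body"])
    return (
        f'<div class="mail"><div class="from">{escape(msg["from"], quote=True)}</div>'
        f'<div class="subject">{escape(msg["subject"], quote=True)}</div>{body}</div>'
    )


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(render_message(m))
        print(render_message(m, allow_html=True))
```

Escaping is context-specific: the functions above produce HTML element content, and a value placed inside a JavaScript string, a URL or a CSS rule needs the encoding of that context. Sanitising once on the way in (when the mail is received) is not enough either, because the same text may later be rendered in several contexts; encode at the point of output, and keep a Content Security Policy as the second line of defence for the case where encoding is missed.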
Here are some posts commenting on the subject, "When an XSS is worth 10 thousand dollars": http://www.cgisecurity.com/2009/06/when-xss-can-cost-you-10000.html . See also what was published on ZDNet: http://blogs.zdnet.com/BTL/?p=19318
How much did this flaw (or the XSS in question) cost? Nominally ten thousand dollars, but what about the company's image? The cost of negative repercussion in the media may prove insurmountable.
The presence of XSS on a site is something that cannot be tolerated nowadays (XSS is one of the flaws we most often find when performing scans with N-Stalker Web Application Security).
It is worth reminding all developers and security professionals that the OWASP TOP10 ( http://www.owasp.org/index.php/Brazilian#Tradu.C3.A7.C3.A3o_OWASP_TOP10 ) ranks XSS as TOP 1. Although it is usually regarded as a client-side flaw, since in most cases the attack needs a delivery vector or a third party, it can be exploited easily. There is an excellent thread in pt_BR, on OWASP-BR ( https://lists.owasp.org/pipermail/owasp-brazilian/2009-May/000589.html ), on the question "Is XSS really a vulnerability?".
Therefore, beware of attacks that exploit Cross-Site Scripting (XSS) vulnerabilities, as your system may have other hidden flaws. They may bring traumatic consequences for your company's image and data security.
N-Stalker Research Team