[This was originally published on attrition.org. This is a rebuttal piece to eBay’s Sub-Domains Vulnerable to XSS …again (2010-08-27) by @wh1t3rabbit (Rafal Los).]
Sometimes, old attack vectors re-appear in places we wouldn’t expect as security professionals. The re-emergence of XSS (Cross-Site Scripting) on eBay’s domains isn’t something you’d expect to see from a company that works so hard to rid their site(s) of one of the most common web-borne vulnerabilities. So why does it happen?
Yes, why does it happen? Searching xssed.com for “hp.com” shows 15 results for hp.com and subdomains. Three of those are in the main http://www.hp.com site, reported on 12/02/2012, 23/07/2009, and 03/04/2008. If only HP had access to a web app scanner and some source code auditing software! Remember, glass houses, throwing stones, and white rabbits.
The attacks are even of the super-basic <script>alert('XSS')</script> variety which every web application security scanner on the planet should find by now.
You mean like the 23/07/2009 defacement of www.hp.com or the 03/04/2008 defacement of www.hp.com that each used the super-basic variety, which every security scanner on the planet should find by now?
So what’s the problem? Clearly you won’t find many people who will say that eBay doesn’t take their security seriously. My educated guess, based on what other companies I’ve worked with have experienced, is that the main domain gets all the attention and everything else is just secondary.
That would certainly explain why the h30429.www3, h41174.www4, h30406.www3, www12.itrc, h41111.www4, www11.itrc, h30267.www3, invent9k.external, and h30046.www3 sub-domains of HP were ignored. But why were docs, search, and licensing vulnerable? You would think those are fairly significant domains in the world of HP.
Of course, this is all speculative but I suspect there is a good bit of truth here. You know what I’m talking about because as you read this you’re probably facing the same problem.
Perhaps, but YOU and HP are facing the same problem.
The true solution comes from understanding how information security best practice (the kind that will actually help reduce risks) can be woven into the fabric of the business model and existing SDLs. The solution involves education, process development, organizational change, risk management, and yes – it involves tools and automation. It’s about ALM. If you’re not working with all those components – good luck.
Can we then infer that HP is not working with all of those components?