Wednesday, 13 May 2009

XSS for Fun (and profit?)

I recently read an article in 2600 magazine about how to make quick money by exploiting XSS vulnerabilities in a retail website. In short, XSS vulnerabilities can enable an attacker to alter the price of an item displayed on a reputable website. At first glance this appears harmless, since the attacker can't actually purchase the item at the modified price. However, by printing out the page showing the modified price and requesting a price match at a competing store, the attacker can leverage this technique to acquire goods at radically discounted prices.

Beyond the fact that retailers are losing money because their competitors have lousy websites, this technique is interesting because it leads to fraud that is incredibly hard to detect. First of all, the printout contains a seemingly legitimate URL from a competitor's website. Second, even if the employee who grants the price match is suspicious, the attacker can trick him into confirming the fraudulent price by asking him to visit the specially crafted URL that replicates the cross-site scripting attack. The really nasty thing about this is that the software vulnerability (XSS) is costing another company, a competitor in fact, money, so there's very little motivation for the vulnerable website to fix this particular problem.
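To make the mechanism concrete, here is an added example (not from the article or the magazine piece) of the kind of reflected-parameter bug that lets a crafted URL rewrite what a product page shows, beside the encoded version that renders the same input as harmless text, plus a coarse check a defender can run over access logs. The shop.example host, the catalogue and the URLs are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed catalogue for the example; a real shop would read this from a database.
PRODUCTS = {"laptop-123": ("Laptop Model 123", "$999.00")}


def _search_term(url: str) -> str:
    """Extract the 'q' query parameter; parse_qs already percent-decodes it."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the search term into the HTML verbatim (the XSS bug)."""
    name, price = PRODUCTS["laptop-123"]
    return (f"<h1>Results for: {_search_term(url)}</h1>\n"
            f'<div class="product">{name} <span class="price">{price}</span></div>')


def render_hardened(url: str) -> str:
    """Same page, but the search term is HTML-entity encoded before output."""
    name, price = PRODUCTS["laptop-123"]
    return (f"<h1>Results for: {html.escape(_search_term(url))}</h1>\n"
            f'<div class="product">{name} <span class="price">{price}</span></div>')


def suspicious_query(url: str) -> bool:
    """Coarse log-review check: raw or percent-encoded markup in the query string."""
    qs = urlparse(url).query.lower()
    return any(tok in qs for tok in ("<", "%3c", ">", "%3e", "javascript:"))


# Constructed URLs; shop.example is a placeholder host.
BENIGN_URL = "https://shop.example/search?q=laptop"
CRAFTED_URL = ("https://shop.example/search?"
               "q=%3Cscript%3E%2F*rewrite+.price*%2F%3C%2Fscript%3E")

if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_URL))   # script element survives into the page
    print(render_hardened(CRAFTED_URL))     # same input shown as literal text
    print(suspicious_query(CRAFTED_URL), suspicious_query(BENIGN_URL))
```

The hardened output still shows the shopper exactly what they typed, so the fix costs nothing in functionality; the log check is deliberately noisy and is meant as a triage filter, not a blocking rule.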


Posted by mmadou at 12:00 PM in Fortify


Comment: Jim Manico at Sun, 12 Jul 11:43 PM

I'm a bit confused by this post. It's trivial for an attacker to screenshot the application, and modify the price in Photoshop, then print. Exploiting this application via XSS is the hard way.

However, reflective XSS that modifies the price and is posted around the net - well, that would be more compelling if current browser trends like IE8 didn't stop reflective XSS so well.
