Wednesday, August 23, 2006

Web security is completely broken

This was my first thought when a friend of mine, Dennis Groves, asked my opinion on the current state of web application security. In light of the recent research by myself and several other experts, JavaScript Malware breaks all the security models to the point where it's very, VERY difficult to protect yourself or your websites, even if you're one of the people in "the know", leaving 90% of people out there without adequate security. This is why it's vital that developers and information security professionals learn about these new attacks and understand how they impact them.

Don't believe for a moment that SSL, firewalls, patching, anti-virus, anti-spam, anti-phishing solutions, two-factor auth, or anything else like that helps. Click on the wrong link or visit a website at the wrong time (especially a popular website) and you could be infected. The fact that 9 out of 10 websites have a cross-site scripting (XSS) vulnerability makes the situation just that much worse!

As much as I am a vendor who assists organizations in securing their websites, I'm also a user. I buy, bank, post, comment, read, and perform other online activities just like everyone else. What worries me is that once JavaScript Malware owns my browser, and I have no idea when that happens, it literally has more control over my browser than I do. I am powerless should the JavaScript Malware instruct my browser to:
  • Hack someone else's website
  • Port scan and hack intranet websites
  • Access illegal content on the Web
  • Transfer money out of my bank account
  • Display a fake login page to steal my passwords
  • Steal my keystrokes
... there is no end to the evil...

Fortunately the black hat community has not begun wide-scale exploitation, YET. But they are researching, communicating, experimenting and fine-tuning their own code. Don't believe me? Just have a look at who's most interested in XSS. New malicious attacks will happen; it's just a matter of time and a question of how bad.

So now what?

For website owners, the bottom line is you're going to have to find and fix your XSS vulnerabilities before the bad guys exploit them. And they are looking, that I know for sure. For users, turning off JavaScript is an option, even though it's not a great one. Doing this will break many websites we all visit and become annoying, but hey, it might be worth the trade-off given the lack of better options.
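To make the "find and fix" advice concrete, here is an added example (not code from the original post) of the most common XSS fix a site owner makes: a page template that reflects untrusted input straight into HTML, beside a hardened version that escapes it for the HTML context it lands in. The function names and the sample search term are constructed for illustration.

```javascript
// Added example, not from the original post. Shows the reflected-XSS
// defect a site owner has to find, and the output-encoding fix for it.
// All names and the sample input below are constructed for illustration.

// The five characters that can break out of an HTML text node or a
// double-quoted attribute value, and their entity replacements.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape untrusted text for an HTML text node or quoted attribute value.
// Not sufficient for unquoted attributes, URLs or inline script contexts.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the search term is reflected into the page verbatim, so a
// term containing markup is parsed by the browser as markup (reflected XSS).
function renderSearchVulnerable(term) {
  return `<input name="q" value="${term}"><p>Results for: ${term}</p>`;
}

// Hardened: the same template, but every untrusted value is escaped, so
// the browser only ever sees it as text, in the attribute and in the body.
function renderSearchHardened(term) {
  const safe = escapeHtml(term);
  return `<input name="q" value="${safe}"><p>Results for: ${safe}</p>`;
}

// A check a site owner can run in a test suite: does the untrusted input,
// when it contains a tag, survive unchanged in the rendered output?
function reflectsRawMarkup(rendered, untrusted) {
  return /<[a-z]/i.test(untrusted) && rendered.includes(untrusted);
}

// Constructed sample input: a search term that carries markup.
const SAMPLE_TERM = '"><script>x()</script>';
```

Running `reflectsRawMarkup` over both renderings of `SAMPLE_TERM` flags the vulnerable template and passes the hardened one.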

As for myself, I periodically switch between researching new attack and defense techniques. Attack research has surged forward and we have a good idea of where the edge is. I'll be going back to researching defense strategies and seeing what new effective approaches will mitigate today's risk.


Anonymous said...

Is it possible to write a browser plugin that scans JS for malware (ignoring obfuscation for now) and blocks it?

Jeremiah Grossman said...

I think it's possible and a good implementation to begin with. To my knowledge no one has done it, at least nothing that addresses today's JavaScript Malware research.