Many websites have a WYSIWYG editor.
You may not even realise that you are using one, but – if you think about it – chances are that many of the sites that you visit allow you make forum posts, publish blog entries, post private messages, update wiki entries, submit support tickets, create signatures or leave comments.
All of these are very likely to incorporate some rich content elements.
Sure, it’s very nice to be able to embed images, or format your text with italics and hyperlinks, but is this flexibility unwittingly leaving a door open for attackers?
Security researcher Ashar Javed raised the issue in a talk entitled “Revisiting XSS Sanitization” at Blackhat Europe last week.
Javed, who has previously been awarded bug bounties after finding vulnerabilities on popular websites, used a simple methodology to test the web-based WYSIWYG editors used on many sites.
His plan? To see if he could trick a WYSIWYG editor into popping up a message-box containing the number “1” rather than sanitized content.
Some of the websites Javed examined relied upon third-party editor libraries and could potentially be being used on millions of other websites. All it would take was for one such editor library to have a vulnerability and attackers could have a field day.
It is some concern, therefore, to learn that Javed discovered that many WYSIWYG online editors proved to be vulnerable to cross-site scripting (XSS) attacks.
Commonly, web-based WYSIWYG editors were vulnerable to mischievous injections when it came to inserting and editing images, embedding URLS, uploading files and videos.
One of the problems that Javed identified was that the developers of WYSIWYG editors think it is the responsibility of those developing the website or back-end server-side systems to perform the sanitization. Meanwhile, time-strapped website developers who pull a WYSIWG editor off the shelf and plug it into their site are imagining that all the hard work has been done for them.
Javed’s solution is to develop a so-called “Unbreakable sanitizer/filter” that does the tricky job of making sure content entered into WYSIWYG editors is safe – and cannot be used to exploit an XSS vulnerability.
Javed ran an open challenge for two weeks, inviting anyone to attempt to bypass his filter with an XSS attack. During that time there were over 78,000 attempts recorded from 1035 unique IP addresses but nobody has managed it so far.
More details of Javed’s research can be found in this white paper [PDF] and in the slides he presented at Blackhat Europe.
If your company has a website, or relies upon a web application, that you think might be at risk be sure to take a long hard look at it and ensure that you are properly sanitizing its input and output to prevent a malicious attacker from exploiting any weaknesses.
- Why Cross-Site Scripting Always Matters
- Friends Don’t Let Friends Mix XSS and CSRF
- Analysis For phpMyAdmin-XSS-CVE-2014-1879
- All in One SEO Pack WordPress Plugin Vulnerabilities
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed and Shellshock vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].