` _____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation (c) 2014
Published Report: 25/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: Critical
Type: Web Application / Reflected Cross-site scripting attack.
CVSS: 7.0 , (OWASP TOP 10)
Author: Nicholas Lemonias.
Background
==========================================================================
British Sky Broadcasting Group plc. (commonly known as BSkyB; trading as
Sky) is a satellite broadcasting, broadband and telephone services company
headquartered in London, with operations in the United Kingdom (UK) and
Ireland.
Formed in 1990 by the equal merger of Sky Television and British
Satellite Broadcasting, BSkyB is the largest pay-tv broadcaster
in the UK and Ireland with over 10 million subscribers.
BSkyB is listed on the London Stock Exchange and is a constituent of the
FTSE 100 Index. It had a market capitalization of approximately £14.32
billion (US$23 billion) as of 30 September 2013 on the London Stock
Exchange. 21st Century Fox owns a 39.14 per cent controlling stake in the
company.
Affected Domain: www.Sky.com <http://www.sky.com/> / British Sky Broadcasting Group
plc.
Description
==========================================================================
The problem persisted in a shopping basket application.
Reproduction of the issue, concluded to the execution of third-party,
heterogeneous code, defying user->vendor levels of trust, with direct impact
to product confidentiality, integrity and availability of information;
as per best security practice (ISO 27001) and (BS7799).
Proof-Of-Concept 1
==========================================================================
http://www.Sky.com/ireland/error/invalidbasket/index.html?
invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b<http://www.sky.com/ireland/error/invalidbasket/index.html?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b>
Timeline
==========================================================================
[+] 31 of January, 2013 - First contact.
[+] 3rd of February, 2013 - Second report.
[+] 10th of February, 2013 - Third report. (No answer to our requests for comment).
[+] 25th of February, 2013 - Disclosure.
Remediation / Consultation
==========================================================================
The recommendations made to The British Sky Broadcasting Corporation is
to consider encrypting the view state of the application.
Furthermore to implement a stronger Cross-Site Scripting protection.
XSS filtering was not properly applied, and meta character filtering
permitted untrusted third-party code, to be executed.
Furthermore, a malicious users could take advantage of such instances, as noted
in malware and virus propagation cases, and thus with great impact to systems
of strategic and political importance.
My consultation to the British Sky Broadcasting Corporation was therefore, to deploy an
immediate security risk assessment and to revisit
upper-level security policies; in accord to best security practice,
(ISO 27001) and (ISO 27002), and the implementation of an effective ISMS with adequate security metrics.
Cross Site Scripting attacks are present when a website allows the
injection of malicious data from a malicious user. The information is often
gathered in the form of a hyperlink. The affected hyperlink is
often disseminated either through email, social networking websites, forums
or other online sources. A malicious adversary could take advantage of this
vulnerability, for the mass exploitation of unsuspecting users, through
malware and virus propagation. A malicious user can use defects in the
encoding methods, so that the payload is further obfuscated.
Appendices
============================
A. Suggested the filtering of meta characters.
B. Suggested the use of appropriate server encoding of application output.
C. It is noted that an XSS attack could embrace mass user attacks.
Phishing and theft of confidential information such as credit cards, passwords,
and stored accounts.
D. AIS Corp. consulted for a full risk assessment and revisitation of security metrics during the
embryonic stages of the SDLC.
References
============================
[1] OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
[2] OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
[3] Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practice.
[Copyright Advanced Information Security Corp ©, 2014]`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation