Lucene search
K

British Sky Broadcasting Group Cross Site Scripting

🗓️ 26 Feb 2014 00:00:00Reported by Nicholas LemoniasType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 39 Views

British Sky Broadcasting Group plc. faced a critical Reflected Cross-site scripting attack in the shopping basket application, impacting user confidentiality, integrity, and availability of information. Incidents were disclosed and recommendations for encryption of the application's view state and stronger Cross-Site Scripting protection were made

Code
` _____ .___ _________  
/ _ \ | |/ _____/  
/ /_\ \| |\_____ \  
/ | \ |/ \  
\____|__ /___/_______ /  
\/ \/ Corporation (c) 2014  
  
Published Report: 25/02/2014  
  
  
Credits: Advanced Information Security Corporation, USA  
  
Severity: Critical   
  
Type: Web Application / Reflected Cross-site scripting attack.  
  
  
  
CVSS: 7.0 , (OWASP TOP 10)  
  
  
Author: Nicholas Lemonias.  
  
  
Background  
==========================================================================  
British Sky Broadcasting Group plc. (commonly known as BSkyB; trading as  
Sky) is a satellite broadcasting, broadband and telephone services company  
headquartered in London, with operations in the United Kingdom (UK) and  
Ireland.  
Formed in 1990 by the equal merger of Sky Television and British  
Satellite Broadcasting, BSkyB is the largest pay-tv broadcaster  
in the UK and Ireland with over 10 million subscribers.  
BSkyB is listed on the London Stock Exchange and is a constituent of the  
FTSE 100 Index. It had a market capitalization of approximately £14.32  
billion (US$23 billion) as of 30 September 2013 on the London Stock  
Exchange. 21st Century Fox owns a 39.14 per cent controlling stake in the  
company.  
  
Affected Domain: www.Sky.com <http://www.sky.com/> / British Sky Broadcasting Group  
plc.  
  
  
  
Description   
==========================================================================  
The problem persisted in a shopping basket application.  
  
Reproduction of the issue, concluded to the execution of third-party,  
heterogeneous code, defying user->vendor levels of trust, with direct impact  
to product confidentiality, integrity and availability of information;  
as per best security practice (ISO 27001) and (BS7799).  
  
  
Proof-Of-Concept 1  
==========================================================================  
http://www.Sky.com/ireland/error/invalidbasket/index.html?  
invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b<http://www.sky.com/ireland/error/invalidbasket/index.html?invalidBasket=true&rp=javascript%3aprompt%28907029%29%3b>  
  
  
Timeline  
==========================================================================  
[+] 31 of January, 2013 - First contact.  
  
[+] 3rd of February, 2013 - Second report.  
  
[+] 10th of February, 2013 - Third report. (No answer to our requests for comment).  
  
[+] 25th of February, 2013 - Disclosure.  
  
  
  
Remediation / Consultation  
==========================================================================  
The recommendations made to The British Sky Broadcasting Corporation is  
to consider encrypting the view state of the application.  
  
Furthermore to implement a stronger Cross-Site Scripting protection.  
XSS filtering was not properly applied, and meta character filtering   
permitted untrusted third-party code, to be executed.   
  
Furthermore, a malicious users could take advantage of such instances, as noted  
in malware and virus propagation cases, and thus with great impact to systems  
of strategic and political importance.  
  
My consultation to the British Sky Broadcasting Corporation was therefore, to deploy an  
immediate security risk assessment and to revisit  
upper-level security policies; in accord to best security practice,  
(ISO 27001) and (ISO 27002), and the implementation of an effective ISMS with adequate security metrics.  
  
  
Cross Site Scripting attacks are present when a website allows the  
injection of malicious data from a malicious user. The information is often  
gathered in the form of a hyperlink. The affected hyperlink is  
often disseminated either through email, social networking websites, forums  
or other online sources. A malicious adversary could take advantage of this  
vulnerability, for the mass exploitation of unsuspecting users, through  
malware and virus propagation. A malicious user can use defects in the  
encoding methods, so that the payload is further obfuscated.   
  
  
Appendices  
============================  
A. Suggested the filtering of meta characters.  
B. Suggested the use of appropriate server encoding of application output.  
C. It is noted that an XSS attack could embrace mass user attacks.   
Phishing and theft of confidential information such as credit cards, passwords,  
and stored accounts.  
  
D. AIS Corp. consulted for a full risk assessment and revisitation of security metrics during the  
embryonic stages of the SDLC.  
  
  
References  
============================  
[1] OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011  
  
[2] OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]  
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.  
  
[3] Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:  
http://msdn.microsoft.com/en-us/library/ff649310.aspx.  
  
** This vulnerability report is posted for the wider benefit of the  
security community, as is and without any warranties, including the  
warranty of merchantability and capability fit for a particular purpose.  
The information is posted under the FOI as per best security practice.  
  
  
[Copyright Advanced Information Security Corp ©, 2014]`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation