AT&T Cross Site Scripting

Type packetstorm
Reporter Nicholas Lemonias
Modified 2014-02-27T00:00:00


Advanced Information Security Corporation 2014 (c)
Published Report: 27/02/2014  
Credits: Advanced Information Security Corporation, USA  
Severity: High/Critical (OWASP TOP 10)  
Type: Web Application / Cross-Site Scripting
CVSS: 7.0  
Author: Nicholas Lemonias. (Information Security Expert)  
Affected Domain
Domain: <> <> (AT&T Corporation), formerly American Telecommunication & Telegraph
AT&T Corp., originally the American Telephone and Telegraph Company, is the subsidiary of AT&T that provides voice, video, data, and Internet telecommunications and professional services to businesses, consumers, and government agencies. During its long history, AT&T was at times the world's largest telephone company, the world's largest cable television operator, and a regulated monopoly. At its peak in the 1950s and 1960s, it employed one million people, and its revenue was roughly $300 billion annually in 2006.

In 2005, AT&T was purchased by Baby Bell SBC Communications for more than $16 billion ($19.1 billion in present-day terms). SBC then rebranded itself as AT&T Inc. Today, AT&T Corporation continues to exist as the long distance subsidiary of AT&T Inc., and its name occasionally shows up in AT&T press releases.

In 1880 the management of American Bell had created what would become AT&T Long Lines. The project was the first of its kind to create a nationwide long-distance network with a commercially viable cost-structure. The project was formally incorporated in New York State as a separate company named American Telephone and Telegraph Company on March 3, 1885. Starting from New York, its long-distance telephone network reached Chicago, Illinois, in 1892.
The problem amounted to the reflection of third-party (attacker-supplied) code into the application's output.
Proof-of-Concept 1
The variable 'tagtype' is vulnerable to reflected cross-site scripting.
Injection Fragment:
Proof-of-Concept 2
Description: A confirmation window would prompt the user for a password. Defacement of the website could also occur through an image onload event, e.g. IMG onload="JavaScriptCode".
Responsible Disclosure Timeline  
[+] 8th of August 2013 - Vendor communication.  
[+] 8th of August 2013 - Vendor acknowledgement of the problem.  
[+] 11th of August 2013 - Feedback request on remediation procedures.  
[+] 9th of December 2013 - Problem Mitigation.  
[+] 27th of February 2014 - Public Notification.
Recommendations for QoS and Security Compliance
The recommendations made to AT&T Corp were therefore: to consider encrypting the view state of the application, and furthermore to implement stronger cross-site scripting protection.
XSS filtering is evidently not properly applied: insufficient meta-character filtering allowed data input over the HTTP protocol to inject third-party untrusted code in JavaScript, ActiveX and Visual Basic Script. Please note that malicious users could take advantage of such instances, as we have seen in malware and virus propagation instances, with severe consequences for systems of strategic and political importance.
Our consultation to AT&T Corp has therefore been for a full and urgent security risk assessment, as outlined in ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005, and for the effective enumeration and revisiting of upper-level security policies.
Threats of this kind are often disseminated in the form of a hyperlink, whether through an e-mail message, social networking websites, forums or other online sources. A malicious adversary could take advantage of this vulnerability for:
a. the mass exploitation of unsuspecting users, through malware and virus propagation. A malicious user could take advantage of defects in the encoding methods, so that the propagation is further obfuscated.
A. We consulted AT&T Corp to consider the filtering of meta-characters.
B. We consulted AT&T for a comprehensive review of server-level encoding of application output.
** This vulnerability report is posted for the wider benefit of the security community, as is and without any warranties, including the warranty of merchantability and fitness for a particular purpose. The information is posted under the FOI as per best security practice.
[Copyright Advanced Information Security Corp (c), 2014]