By: ThreatLabz

Vulnerable By Design...no, Really

Advertising

Part of my responsibilities at Zscaler is to look through our log files in order to spot strange and unusual requests (new malware, botnets, etc.), questionable surfing trends, and other sorts of data-mining security goodness. And unfortunately, I routinely come across requests such as these:
Guilty.party.unnamed.com/static/sc_trans2_blue_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close();
Guilty.party.unnamed.com/global/video/JSinclude_flash.asp?ct=&src=%3Cscript%20src%3D%27http%3A//ad.doubleclick.net/adj/xxxxxxxx/wnvideo%3Bpos%3Dpre%3Bsz%3D2x2%3Bxx%3Dxxx%3Brn%3D39%3Btile%3D15%3Bord%3D0123456789%3F%27%3E%3C/script%3E
Guilty.party.unnamed.com/topshowstory_topad.php?script=<script%20language='javascript'%20src='/js/bannerscriptmp3internal2.js'></script>
Guilty.party.unnamed.com/video/<script%20type="text/javascript"%20src="http://some.other.party.com/adsc/d495261/7/498588/randm.js"%20/>&rndNum=99812610
Guilty.party.unnamed.com/ifr.php?x=%3Cscript+type%3D%22text%2Fjavascript%22%3E%3C%21--%0Agoogle_ad_client+%3D+%22pub-9310xxxxxxxxxxxx%22%3B%0Agoogle_ad_width+%3D+468%3B%0Agoogle_ad_height+%3D+15%3B%0Agoogle_ad_format+%3D+%22468x15_0ads_al_s%22%3B%0A%2F%2F2007-10…
Anyone familiar with web security will likely see immediately that these requests essentially carry cross-site scripting payloads. But these are not XSS attacks against a user; I've traced all of these (and many, many more), and they are, in fact, required to happen that way by a legitimate web site. That's right, folks: there are sites passing JavaScript in URL parameter fields on purpose. Most of the URLs I've discovered that have XSS by design fall into one of two types: advertising syndication, or passing HTML into a SWF. All of the above URLs exhibit one of those two types. The last listed URL probably gets the 'Hall of Shame' award, since ifr.php was designed to return arbitrary content that is meant to be used in an iframe.
But XSS is just the tip of the iceberg; check out these requests:
Guilty.party.unnamed.com/globalpages/search-results.asp?SQLStmt=SELECT+KEY%5F%2C+AD%5FNO%2C+AD%5FNAME%2C+TYPE%2C+SPECIAL1%2C+SPECIAL2%2C+SPECIAL3%2C+SMALL%5FIMAGE%2C+personalizable+FROM+graphics+WHERE+%28%28type+%3D+%27PhotoFile%27%29+AND+%28color+%3D+%27Color%27%29+AND+%28keywords+LIKE+%27%25wedding%25%27%29%29+order+by+date%5Fadded+desc&showpage=3&…
Guilty.party.unnamed.com/common/sessionshare.aspx?context=flash&debugSQL=SELECT+top+20+%2A%2C+round%283959+%2A+acos%28++++++sin%2842%2E944498%2F57%2E3%29+%2A+sin%28%28google%5FLatitude+%2B+0%2E0001%29%2F57%2E3%29+%2B+++++++cos%2842%2E944498%2F57%2E3%29+%2A+cos%28%28google%5FLatitude+%2B+0%2E0001%29%2F57%2E3%29+%2A+++++++cos%28%28google%5FLongitude+%2B+0%2E0001%29%2F57%2E3+%2D+%28%2D85%2E617924%29%2F57%2E3%29%29%2C+2%29+as+Di
Are those full and partial SQL queries/clauses in the URL parameter fields? Why, yes they are! These sites actually pass the SQL query strings in as request parameters. Now, perhaps these sites have absolutely perfect database security: the web scripts use a read-only DB account, and SQL access is restricted to a limited view of the table, meaning the web script isn't exploitable to do much beyond reading the already-public, read-only data from a single table. But my bet is that isn't the case.
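To make the difference concrete, here is an added example (my own illustration, not code from any of the sites above) that reproduces the search-results.asp?SQLStmt=... pattern against an in-memory SQLite table, next to a hardened version of the same search. Only the table and column names are taken from the decoded query in the log line; the rows, the second table, the host name and the parameter names `type`, `sort` and `keywords` are constructed for the example.

```python
"""
Added example, not from the original post: a "the SQL statement is a URL parameter"
search endpoint beside a hardened one where only values cross the trust boundary.
The graphics table mirrors the decoded SQLStmt from the log line; all data is constructed.
"""
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

HOST = "http://guilty.party.unnamed.invalid/search-results.asp?"  # constructed host

# The query the site itself intended to run, exactly as the log line carried it.
INTENDED_URL = HOST + urlencode({"SQLStmt":
    "SELECT KEY_, AD_NO, AD_NAME, TYPE FROM graphics "
    "WHERE type = 'PhotoFile' AND color = 'Color' AND keywords LIKE '%wedding%' "
    "ORDER BY date_added DESC"})
# Any other statement travels through the same parameter just as easily.
ARBITRARY_URL = HOST + urlencode({"SQLStmt": "SELECT email FROM users"})


def make_db():
    """Constructed schema: the public graphics table plus a table that must stay private."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE graphics (KEY_ INTEGER PRIMARY KEY, AD_NO TEXT, AD_NAME TEXT,
                               TYPE TEXT, color TEXT, keywords TEXT, date_added TEXT);
        CREATE TABLE users (id INTEGER, email TEXT);
        INSERT INTO graphics VALUES (1, 'A1', 'Rings', 'PhotoFile', 'Color', 'wedding rings', '2007-01-01');
        INSERT INTO graphics VALUES (2, 'A2', 'Cake',  'PhotoFile', 'Color', 'wedding cake',  '2007-02-01');
        INSERT INTO graphics VALUES (3, 'A3', 'Logo',  'ClipArt',   'Color', 'wedding',       '2007-03-01');
        INSERT INTO users VALUES (1, 'constructed@example.invalid');
    """)
    return con


def search_by_design(con, url):
    """The pattern from the log line: whatever arrives in SQLStmt is executed verbatim."""
    params = parse_qs(urlsplit(url).query)
    return con.execute(params["SQLStmt"][0]).fetchall()


# Hardened version: the statement text is fixed server-side, user input supplies values only.
ALLOWED_TYPES = {"PhotoFile", "ClipArt"}
ALLOWED_SORT = {"date_added": "date_added DESC", "name": "AD_NAME ASC"}


def search_hardened(con, url):
    """Accept keywords/type/sort as values; reject anything outside the allowlists."""
    params = parse_qs(urlsplit(url).query)
    kind = params.get("type", ["PhotoFile"])[0]
    if kind not in ALLOWED_TYPES:
        raise ValueError("unknown type")
    order_by = ALLOWED_SORT.get(params.get("sort", ["date_added"])[0])
    if order_by is None:
        raise ValueError("unknown sort")
    keyword = params.get("keywords", [""])[0]
    # Escape LIKE metacharacters so a user-supplied % or _ matches literally.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT KEY_, AD_NO, AD_NAME, TYPE FROM graphics "
           "WHERE type = ? AND color = 'Color' AND keywords LIKE ? ESCAPE '\\' "
           "ORDER BY " + order_by)
    return con.execute(sql, (kind, "%" + escaped + "%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("by design, intended :", search_by_design(db, INTENDED_URL))
    print("by design, arbitrary:", search_by_design(db, ARBITRARY_URL))
    print("hardened            :", search_hardened(db, HOST + "keywords=wedding"))
```

The hardened search returns the same two rows for the intended request, but the private table is simply unreachable from it: a `sort` or `type` value outside the allowlist raises, and `%` or `_` in the keyword matches itself rather than acting as a wildcard.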
There are lots of other pretty scary requests out there, but it's hard to tell whether they are really exploitable just by looking at the URL (and I'm not about to go and perform an unauthorized security assessment on these public web sites). Here are some of the suspicious ones, for your entertainment:
Guilty.party.unnamed.com/XXXXXXLight.asp?request=%20shopping&Engine=http%3A%2F%2Fguilty.party.unnamed.com%2F&PartnerId=138&CssStylesLocal=c%3A%5Cinetpub%5Cwwwroot%2Flight%2Fskins%2Fembed_it_1_1.css&…
Guilty.party.unnamed.com/includes/include_once.php?include_file=http://some.other.party.com/sugar/1.gif?/
Guilty.party.unnamed.com/campaigns/showban.php?CD=B&M=1&D=&cb=<?php%20print%20(rand());?>
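For anyone doing the same kind of log review, here is an added example (mine, not code from the original post or from any of the sites) of a small triage pass over request URLs. It percent-decodes the path and each query parameter and flags the classes seen on this page: script in a parameter or in the path, a statement starting with SELECT, PHP source, a URL pointing at a different host than the request, and a local filesystem path. The sample lines are the URLs quoted above; the labels, regexes and function names are my own.

```python
"""
Added example, not from the original post: decode request URLs from a log and flag
parameter values that carry script, SQL, PHP source, remote URLs or filesystem paths.
The heuristics are deliberately narrow and tuned to the patterns quoted in the post.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The request URLs exactly as quoted in the post (truncated ones left truncated).
SAMPLE_URLS = [
    "Guilty.party.unnamed.com/static/sc_trans2_blue_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close();",
    "Guilty.party.unnamed.com/global/video/JSinclude_flash.asp?ct=&src=%3Cscript%20src%3D%27http%3A//ad.doubleclick.net/adj/xxxxxxxx/wnvideo%3Bpos%3Dpre%3Bsz%3D2x2%3Bxx%3Dxxx%3Brn%3D39%3Btile%3D15%3Bord%3D0123456789%3F%27%3E%3C/script%3E",
    "Guilty.party.unnamed.com/topshowstory_topad.php?script=<script%20language='javascript'%20src='/js/bannerscriptmp3internal2.js'></script>",
    'Guilty.party.unnamed.com/video/<script%20type="text/javascript"%20src="http://some.other.party.com/adsc/d495261/7/498588/randm.js"%20/>&rndNum=99812610',
    "Guilty.party.unnamed.com/ifr.php?x=%3Cscript+type%3D%22text%2Fjavascript%22%3E%3C%21--%0Agoogle_ad_client+%3D+%22pub-9310xxxxxxxxxxxx%22%3B%0Agoogle_ad_width+%3D+468%3B%0Agoogle_ad_height+%3D+15%3B%0Agoogle_ad_format+%3D+%22468x15_0ads_al_s%22%3B%0A%2F%2F2007-10…",
    "Guilty.party.unnamed.com/globalpages/search-results.asp?SQLStmt=SELECT+KEY%5F%2C+AD%5FNO%2C+AD%5FNAME%2C+TYPE%2C+SPECIAL1%2C+SPECIAL2%2C+SPECIAL3%2C+SMALL%5FIMAGE%2C+personalizable+FROM+graphics+WHERE+%28%28type+%3D+%27PhotoFile%27%29+AND+%28color+%3D+%27Color%27%29+AND+%28keywords+LIKE+%27%25wedding%25%27%29%29+order+by+date%5Fadded+desc&showpage=3&…",
    "Guilty.party.unnamed.com/common/sessionshare.aspx?context=flash&debugSQL=SELECT+top+20+%2A%2C+round%283959+%2A+acos%28++++++sin%2842%2E944498%2F57%2E3%29+%2A+sin%28%28google%5FLatitude+%2B+0%2E0001%29%2F57%2E3%29+%2B+++++++cos%2842%2E944498%2F57%2E3%29+%2A+cos%28%28google%5FLatitude+%2B+0%2E0001%29%2F57%2E3%29+%2A+++++++cos%28%28google%5FLongitude+%2B+0%2E0001%29%2F57%2E3+%2D+%28%2D85%2E617924%29%2F57%2E3%29%29%2C+2%29+as+Di",
    "Guilty.party.unnamed.com/XXXXXXLight.asp?request=%20shopping&Engine=http%3A%2F%2Fguilty.party.unnamed.com%2F&PartnerId=138&CssStylesLocal=c%3A%5Cinetpub%5Cwwwroot%2Flight%2Fskins%2Fembed_it_1_1.css&…",
    "Guilty.party.unnamed.com/includes/include_once.php?include_file=http://some.other.party.com/sugar/1.gif?/",
    "Guilty.party.unnamed.com/campaigns/showban.php?CD=B&M=1&D=&cb=<?php%20print%20(rand());?>",
]

SCRIPT_RE = re.compile(r"<script\b|^\s*javascript:", re.I)
SQL_RE = re.compile(r"^\s*select\b|\bselect\b.+?\bfrom\b", re.I | re.S)  # narrow on purpose
PHP_RE = re.compile(r"<\?php\b", re.I)
URL_RE = re.compile(r"^https?://([^/?#]+)", re.I)
WINPATH_RE = re.compile(r"^[a-z]:\\", re.I)


def classify_value(value, request_host):
    """Labels for one decoded parameter value; a URL to the request's own host is not flagged."""
    labels = set()
    if SCRIPT_RE.search(value):
        labels.add("script-in-param")
    if SQL_RE.search(value):
        labels.add("sql-in-param")
    if PHP_RE.search(value):
        labels.add("php-in-param")
    m = URL_RE.match(value)
    if m and m.group(1).lower() != request_host:
        labels.add("remote-include")
    if WINPATH_RE.match(value):
        labels.add("filesystem-path")
    return labels


def triage(url):
    """Map parameter name (or '<path>') to the sorted labels that apply; empty dict if clean."""
    if "://" not in url:
        url = "http://" + url  # log lines omit the scheme
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else ""
    findings = {}
    # Some requests carry the tag in the path itself rather than in a parameter.
    if SCRIPT_RE.search(unquote_plus(parts.path)):
        findings["<path>"] = ["script-in-path"]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        labels = classify_value(value, host)
        if labels:
            findings[name] = sorted(labels)
    return findings


def label_counts(urls):
    """How many requests carry each label (a label counted once per request)."""
    counts = Counter()
    for u in urls:
        counts.update({lab for labels in triage(u).values() for lab in labels})
    return counts


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage(u), u[:60])
    print(label_counts(SAMPLE_URLS))
```

Every one of the ten quoted requests gets at least one label, while the Engine= parameter in the .asp request, which points back at the site's own host, is left alone. In a real pipeline the next step is the one the post describes: trace whether the flagged pattern is the site's own design or an attack against it, since the wire format looks identical.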
I'm sure I'll be posting more in the weeks to come. There doesn't appear to be a shortage of new examples...
Until next time,
- Jeff
