With the ransomware attack on the NHS dominating the news headlines this week, here’s – at last – some good news related to cyber security.
Back in February I launched a Bug Bounty competition to encourage school students to responsibly disclose any bugs, vulnerabilities or problems with the site rather than maliciously exploit them.
I’m not able to afford the hefty cash prizes offered by some tech firms when people disclose a bug, but I do always send out some freebies to reward anyone who finds and reports a problem with the site, along with a certificate, as a mark of respect which can hopefully help kickstart a future career in information security.
Today, a talented young student from Fulford School has submitted a bug report identifying a XSS vulnerability in create.withcode.uk. This responsible disclosure has led to the bug being fixed without any damage done. Thank you!
For those that are interested, I thought I’d write up what a XSS attack is; what damage they can do; how they work and how you can prevent them from causing any damage on your website.
What is XSS?
XSS stands for Cross Site Scripting.
Scripting means running code.
What are the dangers?
- Read personal information stored in site cookies (such as name, username or site preferences)
- Steal your authentication token (to allow someone else to login as you)
- Hijack your user account (e.g. to post a message as you on that site)
- To redirect you to another website (e.g. to display adverts)
- Alter the functionality of the site (e.g. to add / remove / change site features)
- Use your computer to take part in a DoS or DDoS attack (to overwhelm a web server with too much traffic that it becomes unusable)
create.withcode.uk is deliberately designed not to store any personal data or have user accounts so none of the above were a serious concern, but it’s never good to leave a vulnerability open once it’s been discovered.
How does XSS work?
Any website that allows the user to type in user data is potentially vulnerable. That means any website that has a text box for user input, or accepts any input from a file, cookie, URL parameter similar could potentially be compromised by a XSS attack.
For example, a webpage that asks someone their name then says a personalised hello could be attacked if someone enters their name as <script>alert(“do something nasty here”);</script>
How can you prevent XSS attacks?
The trick to preventing XSS is to filter out any <script> tags (or other similarly dangerous tags) by filtering any user input to blacklist anything that looks suspicious or whitelist only the type of data that you know you can trust
Blacklist: A list of data that you want to prevent
Whitelist: A list of data that you want to allow
The most common way to do this is using a RegEx (Regular Expression) on anything that you display in the browser that you don’t fully trust. A RegEx lets you search for data so that you can remove it or replace it with whatever you choose.
A good web designer shouldn’t trust any data that comes from an external source (another server / user) and so they should assume that any way of entering in data might be a possible source of malicious code to be filtered appropriately.
XSS attack vector: text, html or user input deliberately designed to execute code on a web page
Example XSS attack
The student who detected the vulnerability in create.withcode.uk realised that whilst most user input was correctly filtered, error messages were not properly filtered and so were a potential avenue for a XSS attack. He demonstrated how this could be used to:
- Change all of the toolbar images at the bottom of the site
- Embed a game into the site
- Change the text in the editor
- Redirect the user to a random python script
This vulnerability has not caused any data on the site to be compromised (create.withcode.uk doesn’t store any user details) but it has now been fixed thanks to the responsible disclosure. I’ll send out a small reward tomorrow to the student in question and hope that they continue to develop and use their skill to do the right thing both legally and morally!
We certainly need more people willing and able to find and help fix vulnerabilities in computer software.
The wrong thing to do would have been to maliciously exploit the vulnerability to cause damage. The right thing to do was to share the discovery sensibly so that it can be fixed. This is exactly what the student in question did. Well done 🙂
Report a bug
If you think you can find a bug in create.withcode.uk I’d love to hear from you.
You can report a bug here in return for a small reward, certificate and my respect & gratitude!
Reporting bugs responsibly helps keep websites secure and is a great way to gain experience in the field of information security.
In the meantime, I hope create.withcode.uk continues to be a useful – and safe – resource to anyone wanting to write, run, debug and share python code in your browser.