How Serious are XSS Threats for .edu’s?

Well, thanks to the keen eyes of fellow higher ed tweeter @gilzow for spotting the article, plenty of these guys could tell you just how frustrating XSS attacks can be.  There’s simply no avoiding the fact that the more dynamic and complex our higher ed sites get, the more prone we are to these exploits.  Be it clever linking, actual injections, or brute force attacks on the systems that run things (admitted not XSS in that case), this problem is compounded by the fact that we rarely have large offices staffed with the best of the best in application security testing before pushing out products for users.  In many cases, these systems aren’t even complete, but rather “just work.”  And even worse, as we outsource for systems like CMSs, some find themselves not only stuck with a system that they didn’t write, but budget cuts may be forcing them to limit the amount of support that they get.

The above article is talking about the usage of XSS attacks to inject links into pages on trusted web sites.  They were looking at sites in the UK using a pretty .  But fear not, we can apply these exact same technique to .

Scary, huh?  What, you didn’t think we were immune, did you?  Luckily, it appeared that most of the sites that show up early in the Google search have already fixed the injections.  But the injections were there long enough to get picked up by crawlers, which in and of itself is enough to do a little damage.  Just to give you a short list of some of the sites I saw affected (note that I tried to make sure to not include sites where these links were clearly coming from spam of a user forum):

  • Princeton
  • Cornell
  • Columbia
  • Brigham Young
  • UCLA
  • Lancaster Theological Seminary
  • Arizona State University
  • University of North Carolina at Charlotte
  • Arkansas Baptist (right on the home page)
  • Mount Olive College
  • Grace Bible College (user is actually hijacked and forwarded to a 3rd party site)
  • Ross University
  • Sierra Nevada College

And then I got tired of following links.  Some of these have been fixed, some have not.  Actually, the further into Google you go, the worse it gets in terms of pages that just flat out redirect you, no questions asked, so an online pharmacy site.  Odds are, there are some porn links out there doing the same.  I would also mention that more than once I saw links involved that were coming out of a Moodle install.  And another thing to note that I didn’t really pull into the list above were schools with things like forum and wiki spam that showed up in the search results.  That’s not XSS, that’s just annoying automated spam posting into an open system for the most part, but annoying no less.

The lesson?  Be vigilant.  Odds are, if you think your site and pages are secure, they aren’t.  So have someone else try things out.  Make friends with people on Twitter who will donate five minutes to try and do creepy things to pages.  XSS is not something you just have to put up with, it can be prevented!  Make Google your friend too, and try some of the common searches mentioned above on your site.  I was happy to find no such content anywhere on our site.  If you need some resources to help yourself out, take a look at:

  • XSS Cheat Sheet
  • Understanding XSS to prevent it
  • Cross-Site Scripting explanation at Wikipedia
  • Testing for XSS
  • Preventing XSS with code review
  • Video demonstrations of XSS
  • XSS Explained

cc How Serious are XSS Threats for .edus? photo credit: w0arz

10 Responses to “How Serious are XSS Threats for .edu’s?”

  1. Says:

    Alright, Cornell representing!

    But seriously, the phrase “just work” is near and dear to my heart. A large part of my job is figuring out how to deliver applications that are secure and don’t break for the price of a “just works” application. It is indeed a challenge :)

    • Says:

      Exactly. Making things work and doing things right are two totally different things, and doing it right takes far more time. Most of us are so pressed for time day to day though that the minute something is working, someone pushes us on into something else. Tough area to compromise. Then who’s fault is it when things break or are exploited?

      • Says:

        I see two core areas where the problem starts in an institution:

        1) “Let’s hire some students. They’re good at this technology stuff.”

        That’s interesting, because they wouldn’t hire students to do their job…

        2) The lack of collaboration/communication between divisions/departments/units/people in institutions.

        How many people who had their site hacked asked others how it should be done?

  2. Says:

    Well, whenever there is a place for spammers to put a link, then they will find a way to gain backlinks to get traffic to their own pages. I do not agree that this is the best way to get traffic, but I guess desperate times cause for desperate measures. Google is beginning a stickler on who can receive a backlink and even what backlink is counted. I would never use an edu. site though to put in a link because….well it is just plain wrong. Of course, Google will find out about this and de-value the links anyway (meaning they won’t count towards any search engines traffic). I think actually that Google is already doing this.

  3. Says:

    Charlie brings up an excellent point. Too many times, we (the global “we” as well as MU specifically) hire students to do some of “this web stuff” for us. All too often, those students are untrained/inexperienced in web security issues. They tend to install the latest “gadgets” without any thought of security. Charlie and I have worked together numerous times on sites inside the domain that are serving up online pharmacy ads. Most times, these are sites that were set up by a student using some piece of free software (wordpress, phpBB, etc), that is now abandoned and hasn’t been kept up-to-date.

    It’s not that student workers are bad, but they are transient. The only have so much vested interest in the site they are working on. And there’s nothing necessarily wrong with free software; you just need to realize that it mostly likely DOES have vulnerabilities and that you HAVE to keep it up-to-date.

    Especially in light of tight budgets, we, as web devs, are going to have be vigilant in demanding that we be given time to make sure that the things we build/use are secure. It is very tempting for upper management to see savings by nixing the security aspects of development. But how much is your institution’s online reputation worth? Do you really want to risk your school’s website ending up on the front page of digg and fark for serving up “hot teen sex xxx” and “cheap viagra”

    Higher Ed organizations are a magnet for phishers, spammers and other “bad guys” because we carry a certain level of intrinsic trust, and we have access to MOUNTAINS of valuable data. You wouldnt believe the number of schools websites that I have come across that easily dump out personal information (SSNs, birth dates, passwords, etc) with no hacking involved.

    Micheal is correct in that you do not have to put up with security vulnerabilities. If you are developer, get out there and learn how to code securely (there are TONS of free resources for you use). If you are using other people’s software, subscribe to the various vulnerability notifiers (milw0rm, bugtraq, SecurityDot, XSSed, etc) and stay on top of updates.

    For those in the midwest, HighEdWeb and the University of Missouri are hosting a regional Web Dev conference on July 28th: I’ll be presenting on XSS at 3:30 and would be happy to discuss security issues with you.

  4. Says:

    Your posts are great! Please keep

  5. Says:

    You guys are awesome :) keep up the good work.

  6. Says:

    Nice Post! very informative

  7. Says:

    There is a way to search people profile by email or username, follow my homepage

  8. Says:

    The threats of Chross-Site Scripting are often overlooked. Businesses, educational institutions and even banks alike. A collegue of mine tested danish banks and found several vulnerabilities on their sites. Somewhat scary. Perhaps you could make a living out of educating educators? :)