Research and Advances
Computing Applications Research highlights

Technical Persepctive: Attacks Target Web Server Logic and Prey on XCS Weaknesses

  1. Article
  2. Author
  3. Footnotes
Read the related Research Paper

A system is secure only if the entire system is secure.

While this may sound obvious, achieving total security throughout a system is rarely trivial when you consider many real-world systems are constantly evolving. In the following paper, "The Emergence of Cross Channel Scripting" (XCS), Hristo Bojinov, Elie Bursztein, and Dan Boneh highlight this problem.

The systems examined in the paper are embedded Web servers that have become prevalent for system management and configurations of consumer electronic devices like digital photo frames, wireless routers, and network-attached storage (NAS) appliances.

Web applications have long suffered cross site scripting (XSS) vulnerabilities. XSS vulnerabilities of a Web application allows an attacker to inject attacking scripts into the Web application and then the attacking scripts execute with the privilege of the Web site on browsers. A particularly damaging type of XSS is persistent XSS in which the injected script persists beyond a browsing session and across different browsing users. For example, the infamous Samy worm exploits an XSS vulnerability in and the attacker (Samy, in this case) injected a script as part of Samy’s (persistent) user profile. People who viewed Samy’s profile found their profiles infected as did the viewers of their profiles, and so on.

The XSS problem is amplified in the embedded Web server setting where Web servers co-locate with other services, sharing the underlying device resources, like the file system. For example, several NAS appliances both expose a Web interface for system management and allow file uploading through FTP, SMB, or a P2P service. Because the file system is shared between the Web server and these other file uploading services, an attacker can upload a file with a specially crafted file name that contains a malicious JavaScript. Later, when an administrator of the device configures the device through the Web interface, the malicious file is loaded in the address bar and the malicious JavaScript executes.

For a device with such co-location of services, even if each of the services is secure on its own, running them together creates new security holes because each service has not had the assumption that the global state (such as the file system) is shared with others. To make things worse, if any of the services has a security hole, all services can be affected. Here, the authors talk about reverse XCS vulnerabilities where a Web server’s XSS vulnerability can cause private data from other services to be leaked.

The cross site scripting (XSS) problem is amplified in the embedded Web server setting where servers co-locate with other services, sharing the underlying device resources, like the file system.

Based on these keen observations, the authors uncovered real-world XCS vulnerabilities in a slew of embedded systems, including several NAS appliances, lights-out management systems (LOM), and photo frames. The authors also explore cellphone-based XCS where the Palm Pre is vulnerable to an XCS attack that injects its payload through a calendar title or content.

The authors note some initial directions for defending against XCS, mostly along the lines of preventing information leakage by restricting the destinations of the outgoing network messages. This is indeed an interesting direction. The heart of the problem here is to construct such a policy. To me, a more fundamental solution would be to address the root cause of the problem and eliminate any state sharing of independently designed services. If cross-service sharing is needed, the service designer must enable such sharing explicitly.

By highlighting the vulnerabilities that still exist, this paper offers a valuable lesson in—and interesting read about—system security.

Back to Top

Back to Top

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More