Cross-site scripting (XSS) vulnerabilities are nasty problems that allow attackers to inject client-side script into Web pages.
According to the Open Web Application Security Project (OWASP), because a browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
That is why news that two leading software providers, SAP and Salesforce, have discovered and fixed XSS problems is both alarming — that they existed at all — and reassuring.
–Researchers at Elastica Cloud Threat Labs found a vulnerability in a subdomain of Salesforce used for blogging purposes. “This vulnerability in ‘admin.salesforce.com’ could have been exploited by attackers to hijack Salesforce accounts or to distribute malicious code to the users,” the vendor reported.
(Researchers were able to create this look-alike salesforce login page and inject it into a vulnerable app)
While Salesforce was told more than a month ago about the vulnerability, it took some prodding before the company acted. Apparently it didn’t think the problem was severe because it wasn’t in the main “salesforce.com” website. After Elastica sent a reminder, Salesforce patched the hole.
–SAP issued fixes for 22 vulnerabilities, the biggest number — eight — dealing with cross-site scripting issues. (The next biggest category was information disclosure bugs.) The August patch day page has few details about the fixes, but according to ERPscan, which sells security solutions for SAP and Oracle systems, the patches fix an XSS vulnerability in SAP Afaria 7.
Other major vulnerabilities patched include a Remote Command Execution vulnerability in SAP ST-P, a Reflected File Download vulnerability in NetWeaver AFP Servlet, and a Running Process Remote Termination vulnerability and an incorrect system configuration vulnerability in SAP HANA.
(This SAP graphic breaks down patch categories issued this week)
Infosec pros and developers who want more detail can consult the OWASP cross-site scripting prevention cheat sheet, with eight rules to follow.
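As an added illustration of the mechanism described above and of the first of those prevention rules (contextual output encoding), the following example is not from the article, Salesforce or SAP: it assumes a hypothetical page that reflects a user-supplied name back into its HTML, and shows the vulnerable rendering beside the encoded version.

```javascript
// Added example (not from the article). Demonstrates why raw concatenation of
// untrusted input into markup yields reflected XSS, and how encoding for the
// HTML context the data lands in makes the same input inert.

// Element-content context: HTML-entity encode the characters that can change
// the parse (&, <, >, quotes and slash), as the OWASP cheat sheet recommends.
function encodeForHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Attribute-value context: encode every non-alphanumeric code point as &#xHH;
// so the value can never terminate the surrounding quoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) =>
    `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Vulnerable (hypothetical) handler: the name parameter is dropped straight
// into the page, so any markup it contains is parsed as markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p><input value="${name}">`;
}

// Hardened handler: each interpolation is encoded for the context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}</p>` +
         `<input value="${encodeForHtmlAttribute(name)}">`;
}

// Constructed sample input of the kind a reflected-XSS probe would carry.
const sample = '<script>alert(1)</script>';
console.log(renderGreetingUnsafe(sample)); // the script element survives intact
console.log(renderGreetingSafe(sample));   // the browser renders it as text
```

Encoding is only the first rule: the cookies and session tokens the article mentions should also carry the HttpOnly flag so that script cannot read them even when an injection slips through.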