Cross Site Scripting (XSS) is a big concern these days. Below is an article that describes in more detail how XSS attacks work. Two ways to mitigate these is static code analysis and Web application firewalls. The first, code analysis, would be a good way for eWeek to scan and check their advertisers’ content.
A Web Developer’s Guide to Cross-Site Scripting
http://www.sans.org/reading_room/whitepapers/securecode/a_web_developers_guide_to_crosssite_scripting_988
At eWeek.com, malware was inserted into advertising on the web page. If a user clicked on the ad, it would “redirect the user to a malicious Web site through a series of IFrames. The new URL led to an adult Web site, which attempted to load a PDF that exploits a known Adobe vulnerability. The vulnerability affects versions 8.12 and earlier and has been patched” (B Prince 2009)
The company caught the problem and although indicating that it was not a problem of their own, they would take measures to see that this would not happen again. They did not state the measures that will be taken but some measures that can help prevent this are as follows.
-
Web Vulnerability Scanner which will scan for potential weaknesses on the page.
-
Encode output based on input parameters
-
Filter input parameters for special characters
-
Filter output based on input parameters for special characters
-
By filtering it allows you to remove special characters that may allow malicious scripts to run and URLEncodeing and HTMLEncodeing, you can prevent malicious script from executing
Although eWeeks webserver was not broken into I feel it should be responsible for the content it chooses to display. Therefore they should have checked the page and its advertisers content to make sure it was secure. By following some of the methods listed above would have been a proper step. CSS has been cited as one of the more prominent web attacks, so when doing business on the web the company should have been aware of this and made it a priority to scan the content for vulnerabilities. I should hope that eWeek implement some of the techniques mentioned in its process when presenting web content.
http://www.eweek.com/c/a/Security/Attackers-Infect-Ads-With-Old-Adobe-Vulnerability-Exploit/
http://www.eweek.com/c/a/Security/Attackers-Infect-Ads-With-Old-Adobe-Vulnerability-Exploit/
Posted by