Spooks website made basic blunder in XSS testing

A simple security testing error made the MI5 website vulnerable to cross-site scripting.

The recent revelation that the website of MI5 (Military Intelligence, Section 5) was open to cross-site scripting (XSS) caused some embarrassment but no damage. If the U.K.'s security agency and intelligence services can make such a basic security error on a website, however, how sure can ordinary companies be of their own sites?

The flaw in MI5's armour was spotted by Team Elite, a group of so-called "grey-hat" hackers who had already discovered similar flaws in the site run by the World Health Organisation.

Team Elite sent a proof of concept to the people at MI5, informing them that the search box on its site was vulnerable to both cross-site scripting and IFrame injection. The hackers also helpfully provided screenshots of each type of exploit to demonstrate the effect. Contrary to lurid tales in some tabloid newspapers, no damage was done and no information was stolen.

According to Matt Hampton, chief technology officer at security service provider Imerja Ltd, the flaw would not have exposed the details of people visiting the MI5 website directly. "Someone would have to go to another site hosting a malicious link saying something like 'Go to MI5 website', and click on that," he said.

Cross-site scripting attacks embed malicious code in a link that appears to point to a trustworthy source. Hampton explained that the cross-site weakness was non-persistent and could only be exploited by opening malformed URLs.

Non-persistent XSS vulnerabilities can be used to carry out phishing attacks or distribute malware. Using the MI5 flaw, an attacker can inject an IFrame into a page, which then loads malicious code from a third-party domain named in its src= attribute. The attacker then only needs to distribute a link to the vulnerable page on the legitimate domain.

According to Hampton, the failure to test for cross-site scripting was a "basic lapse in security testing." Companies with websites, he said, can download free tools from the Internet to test for XSS. "There are plenty of free XSS testing tools you can download. It can be a fairly automated process," he said. "There are companies that will do remote scanning of your website for you."
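The non-persistent search-box flaw described above, and the kind of automated check Hampton refers to, as an added example that is not code from MI5's site or from the article. The handlers, the probe marker, the domain example.invalid and the access-log lines are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse, quote

# Hypothetical search-page handlers: both take the request URL and build
# the results page from its 'q' parameter.
TEMPLATE = "<h1>Search</h1><p>Results for: {term}</p>"

def _term(url: str) -> str:
    """Extract and URL-decode the q parameter (handles %3C-style encoding)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]

def render_search_vulnerable(url: str) -> str:
    """Echoes q into the page as-is: the non-persistent XSS pattern, where
    the payload lives only in the URL and is reflected back by the site."""
    return TEMPLATE.format(term=_term(url))

def render_search_fixed(url: str) -> str:
    """Same page, but q is HTML-escaped first, so markup in the URL is
    rendered as text rather than parsed as HTML by the browser."""
    return TEMPLATE.format(term=html.escape(_term(url), quote=True))

# A harmless probe: a unique marker in angle brackets. No script or iframe
# is needed; the check only asks whether '<' and '>' survive unescaped.
PROBE = "<xsscheck-7f3a>"

def reflects_markup(render, base_url: str, probe: str = PROBE) -> bool:
    """True if the handler reflects the probe with its angle brackets intact,
    i.e. user input reaches the HTML parser unencoded."""
    return probe in render(f"{base_url}?q={quote(probe)}")

# Detection side: flag search requests whose q parameter carries HTML tags,
# which a genuine search term almost never does. Constructed log lines in
# common log format; the second carries an encoded IFrame tag.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:00:00:01 +0000] "GET /search?q=annual+report HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2000:00:00:09 +0000] "GET /search?q=%3Ciframe%20src%3D%22https%3A%2F%2Fexample.invalid%2F%22%3E HTTP/1.1" 200 5203',
]

def flag_tagged_searches(access_log_lines):
    """Return (client_ip, decoded_q) for each request whose q contains '<'."""
    hits = []
    for line in access_log_lines:
        parts = line.split()          # field 6 is the request path
        if len(parts) < 7 or "?q=" not in parts[6]:
            continue
        q = _term(parts[6])
        if "<" in q:
            hits.append((parts[0], q))
    return hits
```

The same probe technique, applied with a browser or an HTTP client against a staging copy of a site, is what the free scanners Hampton mentions automate across every input field.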

He added that development platforms such as PHP and ASP make it so easy to create and alter a website that security is often either not understood or added as an afterthought.

"With PHP and ASP, it is so easy to put up a website. People just want to get something working very quickly, and think about putting the security in afterwards," he said.

In the case of MI5, he said, "it could be that someone did an upgrade and forgot to test it."

When SearchSecurity.co.uk tried the MI5 website on Friday, every attempt to use the Search box produced a brief Error 404 (item not found) page before returning the user to the home page.
