The Unsecured State Part 1 - UK Parliament XSS Flaw (Disclosed & Fixed)
This is part 1 of a series of blog posts looking at the security of the UK Government's web infrastructure.
The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people.
That's why it's so depressing to see such a basic error as this XSS flaw in their search engine.
What Is XSS?
Briefly, some websites will display or run arbitrary code if you type that code into their search box, because the page echoes whatever you searched for straight back into the HTML. (It's a bit more complicated than that - but it'll do for an executive summary.)
By searching for the text
<em>test
We can make the rest of the page display in italics.
This is because the page sees the <em> tag and echoes it back as part of the HTML.
What else can we do?
If we want to be cheeky - we can add iframes and YouTube videos onto the page.
So, if the page will display any code we tell it, can we make it run JavaScript? Yes.
Searching for a string like
<script>alert("hello");</script>
Hey presto - in Firefox we can "decorate" this page with text, images and video, and run JavaScript on it.
Now, what's interesting is that the iframe and JavaScript attacks don't work in the Chrome web browser.
Chrome has a reasonably good anti-XSS filter which strips out most JavaScript and iframes (although it can be bypassed).
However, Chrome and Firefox both let through seemingly benign text formatting tags, as well as the more dangerous image and HTML5 video tags.
Putting It All Together
OK, so we can have a bit of mischief - but is that all that the bad guys can do? No! Even if they can't run JavaScript, they can still show pretty convincing adverts, or direct people to install malware, or a whole host of other nasty things. Because the domain is parliament.uk, it carries with it a significant level of trust.
Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound - everything they need for a scam.
Or, perhaps they are evil. They can send an email to every MP saying:
Please Reset your password - visit http://....
Before you know it, they've gathered the Minister for Administrative Affairs' private details and are plundering Sir Humphrey's vaults.
Yeah, the above doesn't look brilliantly convincing - but would you trust your MP to notice the discrepancies?
Mitigating
The simple rule is that you should never ever print out the content that the user has searched for. If you have to, make absolutely sure that you HTML-escape every character before it is echoed back into the page, and enforce strict limits on the number of characters returned.
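As an added example (not code from the original post or from the Parliament site), here is a minimal Python rendering of the defect described in the "What Is XSS?" section and of the fix described above. The vulnerable function echoes the raw search term into the HTML title and the body, which is exactly how the <em>test and <script> searches ended up as markup; the hardened function truncates the term and HTML-escapes it first, so the browser treats it as text. The sample queries, the 100-character limit and the function names are assumptions for the demonstration.

```python
import html
import urllib.parse

# Constructed sample searches standing in for what a visitor might type into
# a site search box. Only the first two markup strings appear in the post.
SAMPLE_QUERIES = [
    "budget 2014",
    "<em>test",
    '<script>alert("hello");</script>',
    '<img src=x onerror="alert(1)">',
]

# Assumed limit: the post only says "strict limits on the number of characters".
MAX_QUERY_LENGTH = 100


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw query into <title> and the body: any tag in the
    query becomes part of the page, which is the flaw the post describes."""
    return (
        "<html><head><title>Search results for: " + query + "</title></head>"
        "<body><h1>You searched for: " + query + "</h1></body></html>"
    )


def render_results_hardened(query: str) -> str:
    """Truncates, then HTML-escapes the query before echoing it.
    html.escape(quote=True) also encodes quotes, so the same value is safe
    inside an attribute; the href uses URL-encoding because that context
    has its own rules."""
    trimmed = query[:MAX_QUERY_LENGTH]
    safe_text = html.escape(trimmed, quote=True)
    safe_url = urllib.parse.quote(trimmed)
    return (
        "<html><head><title>Search results for: " + safe_text + "</title></head>"
        "<body><h1>You searched for: " + safe_text + "</h1>"
        '<a href="/search?q=' + safe_url + '">Search again</a>'
        "</body></html>"
    )


def reflects_markup(page: str, query: str) -> bool:
    """Crude check for the demonstration: the query contains a tag character
    and is reflected verbatim (unescaped) somewhere in the rendered page."""
    return any(ch in query for ch in "<>") and query in page


def audit(queries=SAMPLE_QUERIES):
    """Runs every sample query through both renderers and reports which one
    reflects markup. Returns a list of (query, vulnerable, hardened) tuples."""
    report = []
    for q in queries:
        report.append((
            q,
            reflects_markup(render_results_vulnerable(q), q),
            reflects_markup(render_results_hardened(q), q),
        ))
    return report


if __name__ == "__main__":
    for query, vulnerable, hardened in audit():
        print(f"{query!r:45} vulnerable={vulnerable} hardened={hardened}")
```

Running the block shows that every markup-bearing query is reflected by the vulnerable renderer and none by the hardened one; the plain "budget 2014" search behaves the same in both, which is the point: escaping costs nothing for legitimate input.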
Browsers should get better at detecting this. While Chrome rightly blocks the iframe and JavaScript - it thinks text, images, and videos are safe. They're not. In the above examples, the XSS code is echoed in the HTML title as well as in the URL bar. It should be fairly obvious to the browser that this is an unusual state of affairs.
Disclosure
- This XSS flaw was responsibly disclosed to the UK Parliament on Friday 7th February 2014.
- On Tuesday 11th of February they confirmed that a fix had been put in place.
- The UK Government bug bounty was paid on.... Oh... my mistake...
Dom says:
Nice job. Good job you wear a white hat. That this web 101 stuff can get a release at the highest levels scares the hell out of me. They can pay $100 for an automated service to test each page for vulnerabilities and send them a report, for God's sake. If they haven't the capability to write a secure search script - use Google's free search - they know how to code.
Maybe the zombie hordes have already infected the web monkeys 🙂