This is part 1 of a series of blog posts looking at the security of the UK Government’s web infrastructure.
The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what’s happening in the Commons and the Lords, and is run by some really clever people.
That’s why it’s so depressing to see such a basic error as this XSS flaw in their search engine.
What Is XSS?
Briefly, some websites will let you display or run arbitrary code on them if you input that code in their search box.
(It’s a bit more complicated than that – but it’ll do for an executive summary.)
By searching for the text
We can make the rest of the page display in italics.
This is because the page sees the <em> tag and echoes it back as part of the HTML.
What else can we do?
If we want to be cheeky – we can add iframes and YouTube videos onto the page.
Searching for a string like
However, Chrome and Firefox both let through seemingly benign text formatting tags, as well as the more dangerous image and HTML5 video tags.
Putting It All Together
Using XSS a spammer can place an HTML5 video selling their wares with an apparent Parliamentary endorsement. They can add links, images, sound – everything they need for a scam.
Or, perhaps they are evil. They can send an email to every MP saying:
Please Reset your password – visit http://….
Before you know it, they’ve gathered the Minister for Administrative Affairs’ private details and are plundering Sir Humphrey’s vaults.
Yeah, the above doesn’t look brilliantly convincing – but would you trust your MP to notice the discrepancies?
The simple rule is that you should never ever print out the content that the user has searched for. If you have to, make absolutely sure that you escape all the characters and enforce strict limits on the number of characters returned.
In the above examples, the XSS code is echoed in the HTML Title, as well as the URL bar. It should be fairly obvious to the browser that this is an unusual state of affairs.
- This XSS flaw was responsibly disclosed to the UK Parliament on Friday 7th February 2014.
- On Tuesday 11th of February they confirmed that a fix had been put in place.
- The UK Government bug bounty was paid on…. Oh… my mistake…