I am an SEO engineer at heart, always on the lookout for opportunities from which links and/or citations can be gleaned. Often, while looking for link placements, I find sites with security vulnerabilities. I always try to work with the affected sites to help close the attack vector, with mixed results. More often than not the sites get patched and everyone is happy. Sometimes I get ignored. Sometimes I get a generic "we will fix it" reply and the exploit is then ignored. The site in question passes the information stored on it on to several authoritative websites in the UK, some of which are the biggest news organisations we have…
XSS Is Bad
XSS in Scoot.co.uk
There are multiple vulnerabilities in the dashboard.scoot.co.uk subdomain. Scoot then passes this easily exploited information on to many other websites, some of which include the most popular UK news services. The data passes, unvalidated, through the sites to which Scoot offers an integrated business directory.
What is the problem?
The exploit is simple to plant and it persists. The attack vector is classed as "persistent XSS" or "stored XSS" and is found in many input fields of the dashboard.scoot.co.uk subdomain. The website contains many vulnerabilities, but this article focuses on the stored XSS problem. The attack flow is simple: create a free business listing, add a gallery image, insert your malicious code into the image's title, wait 2-3 minutes and it's live.
An easy way to obfuscate the payload is to put it on the second gallery image: it is hidden from the initial view, but it is still present in the page source and is executed regardless.
The main culprit is the unvalidated, unencoded title attribute of the gallery images. The input field allows arbitrary markup to be inserted and the value is written straight into the attribute. Below is a proof-of-concept payload: the leading quote closes the title attribute and the anchor tag, so everything after it is parsed as new markup:
"></a>XSS HERE<a title="
For reporting purposes I used the following payload, which fires prompt() when the broken image fails to load:
"></a><img src=x onerror=prompt(/XSSPOSED/)> <a title="
The image below shows the entry point.
Below are examples of the Scoot XSS vulnerability passing the insecure data onto....
Preventing this class of XSS is simple and can be done in one line of code: encode the value on output with htmlentities, passing ENT_QUOTES so that both double and single quotes are encoded (otherwise an attribute can still be closed early) and 'UTF-8' as the charset so that multibyte input is read correctly.
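As an added example, not Scoot's code and not part of the original write-up, here is the vulnerable pattern beside the fixed one: a user-supplied gallery title rendered into an anchor's title attribute, first concatenated raw, then encoded with htmlentities. The function names and the href are assumptions; the payloads are the two reported above.

```php
<?php
// Added example, not Scoot's code: the vulnerable pattern described above
// (a user-supplied gallery title concatenated into an <a title="..."> attribute)
// beside the one-line fix. Function names and the href are assumptions.

// The two payloads from the write-up above.
$payloads = [
    '"></a>XSS HERE<a title="',
    '"></a><img src=x onerror=prompt(/XSSPOSED/)> <a title="',
];

// Vulnerable: the attacker-controlled title goes straight into the attribute,
// so a leading " closes the attribute and everything after it is parsed as markup.
function render_gallery_link_vulnerable(string $title): string
{
    return '<a href="/gallery/1" title="' . $title . '">Image 1</a>';
}

// Fixed: encode on output, for the HTML attribute context. ENT_QUOTES encodes
// both " and ' (without it a single-quoted attribute could still be broken out
// of), ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an
// empty string, and 'UTF-8' tells the encoder how to read multibyte input.
function render_gallery_link_fixed(string $title): string
{
    $safe = htmlentities($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="/gallery/1" title="' . $safe . '">Image 1</a>';
}

// The template itself contains exactly two tags (<a ...> and </a>), so any
// further '<' in the rendered output is injected markup.
function has_injected_markup(string $html): bool
{
    return substr_count($html, '<') > 2;
}

foreach ($payloads as $p) {
    $vuln  = render_gallery_link_vulnerable($p);
    $fixed = render_gallery_link_fixed($p);
    echo "vulnerable: ", $vuln, PHP_EOL;
    echo "  injected markup? ", has_injected_markup($vuln) ? 'yes' : 'no', PHP_EOL;
    echo "fixed:      ", $fixed, PHP_EOL;
    echo "  injected markup? ", has_injected_markup($fixed) ? 'yes' : 'no', PHP_EOL, PHP_EOL;
}
```

Run it with the php command-line interpreter. Two caveats a practitioner should keep in mind: the encoding belongs at output time, in the context the value lands in, so every place the title is rendered needs it (including whatever pages the partner sites build from Scoot's data); and htmlentities is the right encoder for HTML text and quoted attributes only, so a value dropped into an unquoted attribute, a JavaScript string or a URL needs the encoder for that context instead.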
I have emailed, called, and begged Scoot to fix this issue, as I use their services. Each time I was told "we will look into it", or "it's a feature", by confused sales staff. Several attempts to contact the relevant person about this situation have gone unresolved. It appears they care more about up-sells than security.
- 14 December 2012. Initial email ignored.
- 01 June 2013. Confused but lengthy phone call. Ignored.
- 01 December 2014. Two phone calls ignored. Reply was "we will look into it"
- 17 April 2015. Final email to Scoot. Public disclosure.
- 19 April 2015. Reply from developer. Issue being worked on.
- 23 April 2015. Patch rolled out to fix all affected systems.
This vulnerability has been fixed.
The developer worked hard to implement a fix quickly and clearly cares about the service they provide. The problem with website security is getting past the sales representatives; developers tend to be helpful and expedite a resolution. I just wish there was a standardised process for such matters. My free account was also upgraded for a year as a thank you.