You may have gotten lucky this time….

As you might have picked up in the news, two 14-year-old students found an XSS vulnerability in a popular HTML comment box. Hackers Karim Rahal and Ibram Marzouk found multiple cross-site scripting vulnerabilities in the component. Rahal was able to bypass the developer's cross-site scripting filters using doubled > and < tags and closing attributes with a semicolon.

"/>.<<img src=x onerror=alert(1)//\"&gt;>&lt;&gt;

With a simple Google search, it became clear that about 2 million sites were using this component and were vulnerable. Through a bug bounty program, the developers of HCB were contacted and after a couple of hours the XSS issue was fixed.

Google showed about 2 million websites were affected.

So if you use this component, you are lucky that the issue was fixed. The comment box runs on the HCB servers, so it is not included in your source code. But what if a library or framework you use in your software has a new vulnerability? Do you know about it? Do you get informed?
Your luck could run out pretty fast!

This is why a Software Development Life Cycle (SDLC) is of great importance. It is not only a way of developing and testing your product, new features, bug fixes,... but also a way of checking and managing your security.
In a secure SDLC, the example of a vulnerable library is addressed. When a vulnerability is found and reported, a CVE entry is created. You can validate in a public database whether your framework/library version has known security issues.
This type of check should run automatically and frequently in your integration build. That way you can act more quickly on newly found vulnerabilities.
Customers often ask us to give them a good reason to do this.
Well, here are at least three good reasons:

  1. OWASP Top 10 issue A9 - Using Components with Known Vulnerabilities
  2. Your code evolves, security evolves and hackers evolve at least twice as fast... More and more issues are found; be aware of these issues so you can counter them ASAP.
  3. The GDPR regulations, coming in May 2018, enforce strict security on data and privacy. If you are hacked and can't prove you did security-by-design, the minimum fine is 20 million Euro.
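The automated check described above, as an added example rather than ZIONSECURITY's own tooling: a script that audits a build's pinned dependencies against an advisory feed and fails the integration build when a pinned version predates the fix. The advisory feed, the lock file contents, the package names and the `CVE-XXXX-...` ids are all constructed placeholders, not real CVEs.

```python
"""Dependency audit for an integration build (added example, constructed data)."""
import sys

# Constructed advisory feed in the shape a vulnerability database would export:
# package, first affected version, first fixed version, advisory id (placeholder).
ADVISORIES = [
    {"package": "commentbox-js", "introduced": "1.0.0", "fixed": "1.4.2",
     "id": "CVE-XXXX-0001 (placeholder)", "summary": "stored XSS in comment rendering"},
    {"package": "html-sanitizer", "introduced": "2.0.0", "fixed": "2.3.0",
     "id": "CVE-XXXX-0002 (placeholder)", "summary": "sanitizer filter bypass"},
]

# Constructed lock file content (package -> pinned version) as the build would read it.
LOCKFILE = {"commentbox-js": "1.3.0", "html-sanitizer": "2.3.1", "left-pad": "1.3.0"}


def parse_version(v):
    """'1.4.2' -> (1, 4, 2). Tuples compare numerically, so '1.10' > '1.9' is handled
    correctly (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed, i.e. the pin predates the fix."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(lockfile, advisories):
    """Return one finding per (package, advisory) match; empty means the build may proceed."""
    findings = []
    for pkg, version in lockfile.items():
        for adv in advisories:
            if adv["package"] == pkg and is_affected(version, adv):
                findings.append({"package": pkg, "version": version, "id": adv["id"],
                                 "upgrade_to": adv["fixed"], "summary": adv["summary"]})
    return findings


def main():
    findings = audit(LOCKFILE, ADVISORIES)
    for f in findings:
        print(f"FAIL {f['package']}=={f['version']}: {f['id']} ({f['summary']}); "
              f"upgrade to {f['upgrade_to']}")
    # A non-zero exit code fails the integration build, so the vulnerable pin cannot ship.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

In a real pipeline the advisory feed would be fetched from a vulnerability database (CVE/NVD or a package-ecosystem advisory source) on every build, and the lock file read from the repository.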

ZIONSECURITY is aware of all these issues from both a developer's and a security review/pen test perspective. For several clients we did custom SDLC implementations and reviews. We are currently working on specific review/implementation procedures and plans to tackle problems in your software development and also possible GDPR issues.
So don't count on luck, be prepared!
