Monday, 11 June 2012

Student Notifies Queensland University of Technology of XSS Flaw


Security enthusiast and grey hat hacker R. Milad Hosseni, a student at Queensland University of Technology in Brisbane, Australia, has notified the educational institution of the presence of a cross-site scripting (XSS) flaw that affects its public website.

“XSS vulnerabilities are the most common and also the most dangerous types. XSS attacks can change the structure of the site, they can be used to steal client cookies (that client could be the administrator, so not only dangerous on the client side),” Hosseni explained.

“It must be patched by administrators as 'clients' tend to trust the URL of the site that has been injected by XSS and they could easily be tricked to click on it.”

We’ve also asked him to explain how an attacker could leverage the flaw in this particular situation to cause damage. Here's what he said:

The affected URL can be manipulated and sent to the staff via email. With proper XSS malware code, cookies/session of that staff can be collected. Using a script, this info can be sent to the attacker's provided email address. The staffers then can be redirected to somewhere else on that site within seconds and not notice.

The collected info can be reused easily again by the attacker. Using this gives an attacker the ability to do what the staff could do, in our case altering students' marks, viewing students' profiles and much more. The entire university can easily be at risk.

Staffers with I.T. skills can be fooled just as easily, as the affected URL is part of the university they would trust without doubt. The rest of the injected code can be encoded so it can't be read out by just looking at it.
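The scenario Hosseni describes rests on two server-side defects: a URL parameter reflected into the page without output encoding, and a session cookie that page scripts are allowed to read. The following Python is an added illustration written for this post, not code from the article, from Hosseni or from the university's site; the handler names, the `sid` cookie name and the sample input are constructed for the example. It places the reflecting pattern beside its hardened form (context-appropriate escaping for HTML text and for a URL inside an attribute), builds the session cookie with the `HttpOnly` and `Secure` attributes that keep it out of reach of injected script, and includes a small check that reports which of those attributes a `Set-Cookie` value is missing, the kind of check a reviewer would run against the responses of a site like the one reported here.

```python
import html
from urllib.parse import quote

# Constructed sample value standing in for a real session identifier.
SESSION_ID = "sess-0123456789abcdef"

# Constructed sample input: the canonical harmless XSS probe string, used only
# to show whether the reflected parameter reaches the page as markup.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the search parameter straight into the HTML body.

    This is the pattern behind a reflected XSS flaw: whatever the URL carries
    becomes part of the page that the victim's browser renders.
    """
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Escapes the parameter for the HTML text context before reflecting it.

    html.escape turns <, >, &, " and ' into entities, so the browser shows the
    text literally instead of interpreting it as markup.
    """
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_link_hardened(query: str) -> str:
    """Reflects the parameter inside a URL in an href attribute.

    A URL context needs URL encoding (quote with no safe characters), not
    just HTML escaping; the surrounding quotes are fixed by the template.
    """
    return f'<a href="/search?q={quote(query, safe="")}">Search again</a>'


def session_cookie_header(session_id: str, hardened: bool = True) -> str:
    """Build a Set-Cookie value for the session identifier.

    HttpOnly stops document.cookie from exposing the value to injected
    script, Secure keeps it off plain HTTP, and SameSite limits cross-site
    sends. Without them a reflected XSS can lift the cookie as described.
    """
    parts = [f"sid={session_id}", "Path=/"]
    if hardened:
        parts += ["HttpOnly", "Secure", "SameSite=Lax"]
    return "; ".join(parts)


def cookie_missing_flags(set_cookie_value: str) -> list[str]:
    """Return the protective attributes absent from a Set-Cookie value.

    Attribute names are case-insensitive per RFC 6265; the first segment is
    the name=value pair and is skipped.
    """
    attrs = {seg.strip().split("=", 1)[0].lower()
             for seg in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def contains_unescaped_markup(page: str) -> bool:
    """Crude response check: does a <script tag survive into the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable :", render_search_vulnerable(SAMPLE_INPUT))
    print("hardened   :", render_search_hardened(SAMPLE_INPUT))
    print("link       :", render_link_hardened(SAMPLE_INPUT))
    for hardened in (False, True):
        hdr = session_cookie_header(SESSION_ID, hardened=hardened)
        print(hdr, "-> missing:", cookie_missing_flags(hdr) or "none")
```

Running the block prints the reflected page twice, once with the probe string intact and once with it turned into entities, then shows the cookie header with and without the protective attributes together with what the checker flags. Output encoding matched to the insertion context is the fix for the flaw itself; the cookie attributes do not remove the XSS but take away the cookie theft step that the quoted scenario depends on.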


The vulnerability has been reported to the university’s staff and will be addressed shortly.

As always, the main reason for which this article is published is to encourage security enthusiasts to practice responsible disclosure, instead of leaking data from sites and causing unnecessary damage.

Via: Student Notifies Queensland University of Technology of XSS Flaw
