Hackers Feel Fallout From XSS Postings

It was no XSS attack, but it was a close call just the same this weekend for the Website run by a group of hackers that's been posting cross-site scripting (XSS) vulnerabilities online. (See Hackers Reveal Vulnerable Websites and Cross-Site Scripting: Attackers' New Favorite Flaw.) One of the sites that sla.ckers named in their list of XSS-vulnerable sites, NukeCops, attempted to have the hackers' Website shut down.

A NukeCops site administrator contacted Sonic, ha.ckers.org's ISP, and asked the ISP to remove the "user" from its service for trying to "exploit" its server. The NukeCops admin, Evaders99, later posted a message on the sla.ckers bulletin board -- where his site's XSS vulnerability had been posted -- explaining the sla.ckers XSS vulnerability probes had appeared "harmful." NukeCops is a message board for PHP-Nuke, a Web PHP- and SQL-based, automated news and content management system.

Rsnake, the founder of the ha.ckers.org site, says his security admin has since smoothed things out with its ISP, so its site is safe for now. "What he [Evaders99] was seeing was not an attack by us, or really an attack at all, but a probe of whether the site was vulnerable to XSS," says rsnake. "NukeCops reacted badly and it nearly took us off the net -- temporarily anyway -- but I think we've settled everything at this point. It was a close one, though."

This isn't the only backlash the group has experienced since it started posting proof-of-concept code on the flaws on its message board. Security companies Acunetix and F5, which the group says also had XSS vulnerabilities, have disputed the sla.cker claims. (See Two Vendors Deny XSS Flaws.) The group responded with more XSS vulnerability posts on the vendors' sites.

NukeCops still isn't happy with sla.ckers' m.o., however. "I do understand the need to notify people about their vulnerabilities," Evaders99 wrote yesterday in his message post on the sla.ckers bulletin board. "But hitting every script on the site with such tests without any confirmation from the site owners to run the scripts is just wrong. It can be taken, in the extreme, as an immediate malicious search for vulnerabilities to exploit -- that is something we are trying to deal with, for the many script kiddies using known robot exploits. These robots are causing massive damage, thus the only response to such measures is to report them directly to the ISP."

Meanwhile, the sla.ckers group is still finding and adding XSS-vulnerable Websites to its message board.

Kevin Overcash, vice president of product management for Breach Security, says the ha.ckers.org finds are just a public glimpse at what happens all the time in underground sites. "The criminal organizations targeting identity theft are meeting weekly, auctioning off credit cards and other privacy information like passport and drivers' license numbers."

"I look at the exposure list as a huge wakeup call for the corporate world," he says. "Almost everyone is vulnerable and the bad guys know about it."

— Kelly Jackson Higgins, Senior Editor, Dark Reading