There are many reasons why Information Security hasn’t had as big an impact as it deserves. Some are external – lack of funding, lack of concern, poor management, distractions from valuable tasks, etc, etc.
But the ones we inflict on ourselves are probably the most irritating. They make me really cross.
We shoot ourselves in the foot by confusing our customers between Cross-Site Scripting, Cross-Site Request Forgery & Cross-Frame Scripting.
— Alun Jones (@ftp_alun) February 26, 2016
OK, “cross” is an English term for “angry”, or “irate”, but as with many other English words, it’s got a few other meanings as well.
It can mean to wrong someone, or go against them – “I can’t believe you crossed Fingers MacGee”.
It can mean to make the sign of a cross – “Did you just cross your fingers?”
It can mean a pair of items, intersecting one another – “I’m drinking at the sign of the Skull and Cross-bones”.
It can mean to breed two different subspecies into a third – “What do you get if you cross a mountaineer with a mosquito? Nothing, you can’t cross a scaler and a vector.”
Or it can mean to traverse something – “I don’t care what Darth Vader says, I always cross the road here”.
It’s this last sense that InfoSec people seem obsessed about, to the extent that every other attack seems to require it as its first word.
This is just a list of the attacks at OWASP that begin with the word “Cross”.
Yesterday I had a meeting to discuss how to address three bugs found in a scan, and I swear I spent more than half the meeting trying to ensure that the PM and the Developer in the room were both discussing the same bug. [And here, I paraphrase]
“How long will it take you to fix the Cross-Frame Scripting bug?”
“We just told you, it’s going to take a couple of days.”
“No, that was for the Cross-Site Scripting bug. I’m talking about the Cross-Frame Scripting issue.”
“Oh, that should only take a couple of days, because all we need to do is encode the contents of the field.”
“No, again, that’s the Cross-Site Scripting bug. We already discussed that.”
“I wish you’d make it clear what you’re talking about.”
Yeah, me too.
The whole point of the word “Cross” as used in the descriptions of these bugs is to indicate that someone is doing something they shouldn’t – and in that respect, it’s pretty much a completely irrelevant word, because we’re already discussing attack types.
In many of these cases, the words “Cross-Site” bring absolutely nothing to the discussion, and just make things confusing. Am I crossing a site from one page to another, or am I saying this attack occurs between sites? What if there’s no other site involved, is that still a cross-site scripting attack? [Yes, but that’s an irrelevant question, and by asking it, or thinking about asking/answering it, you’ve reduced your mental processing abilities to handle the actual issue.]
Check yourself when you utter “cross” as the first word in the description of an attack, and ask if you’re communicating something of use, or just “sounding like a proper InfoSec tool”. Consider whether there’s a better term to use.
Cross-Frame Scripting is really Click-Jacking (and yes, that doesn’t exclude clickjacking activities done by a keyboard or other non-mouse source).
Cross-Site Request Forgery is more of a Forced Action – an attacker can guess what URL would cause an action without further user input, and can cause a user to visit that URL in a hidden manner.
Cross-Site History Manipulation is more of a browser failure to protect SOP – I’m not an expert in that field, so I’ll leave it to them to figure out a non-confusing name.
Cross-Site Tracing is just getting silly – it’s Cross-Site Scripting (excuse me, HTML Injection) using the TRACE verb instead of the GET verb. If you allow TRACE, you’ve got bigger problems than XSS.
Cross-User Defacement crosses all the way into crosstalk, requiring as it does that two users be sharing the same TCP connection with no adequate delineation between them. This isn’t really common enough to need a name that gets capitalised. It’s HTTP Response-Splitting over a shared proxy with shitty user segregation.
I don’t remotely anticipate that I’ll change the names people give to these vulnerabilities in scanning tools or in pen-test reports.
But I do hope you’ll be able to use these to stop confusion in its tracks, as I did:
“Never mind cross-whatever, let’s talk about how long it’s going to take you to address the clickjacking issue.”
Here’s the TL;DR version of the web post:
Prevent or interrupt confusion by referring to bugs using the following non-confusing terms:
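The renamed terms above each point at a concrete, checkable property of the application, which is the practical payoff of dropping the "cross" prefix. The following is an added example, not code from the original post: a small Python audit that checks a (constructed) HTTP response for the four properties the list names. The function names (`action_is_authorised`, `framing_protection`, `trace_enabled`, `safe_header_value`, `audit_response`) and the sample headers are this example's own assumptions.

```python
import hashlib
import hmac

# --- Forced User Action (a.k.a. CSRF) -------------------------------------
# The attacker's advantage is that the action URL is guessable. Binding each
# state-changing action to a per-session secret removes that advantage.

def make_action_token(session_secret: bytes, action: str) -> str:
    """Derive an unguessable token for one session and one action (HMAC-SHA256)."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()

def action_is_authorised(session_secret: bytes, action: str, presented: str) -> bool:
    """True only if the request carries the token this session was issued.
    compare_digest keeps the comparison constant-time."""
    expected = make_action_token(session_secret, action)
    return hmac.compare_digest(expected, presented)

# --- Clickjacking (a.k.a. Cross-Frame Scripting) --------------------------

def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}

def framing_protection(headers: dict) -> str:
    """'protected' if X-Frame-Options or a CSP frame-ancestors directive
    restricts who may frame the page, otherwise 'frameable'."""
    h = _lower_headers(headers)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # an explicit list that does not include the wildcard is a restriction
            if sources and "*" not in sources:
                return "protected"
    return "frameable"

# --- TRACE is enabled (a.k.a. Cross-Site Tracing) --------------------------

def trace_enabled(headers: dict) -> bool:
    """True if the Allow header of an OPTIONS response advertises TRACE."""
    allowed = [m.strip().upper() for m in _lower_headers(headers).get("allow", "").split(",")]
    return "TRACE" in allowed

# --- Response splitting (the mechanism behind "Cross-User Defacement") -----

def safe_header_value(value: str) -> str:
    """Refuse user-controlled data containing CR or LF before it reaches a
    header; a bare CR/LF is what lets one response be split into two."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value: refusing to emit a split response")
    return value

# --- Put it together over a constructed sample response -------------------

def audit_response(headers: dict) -> list:
    """Return the plain-English finding names that apply to these headers."""
    findings = []
    if framing_protection(headers) == "frameable":
        findings.append("clickjacking: response may be framed by any origin")
    if trace_enabled(headers):
        findings.append("TRACE is enabled")
    return findings

if __name__ == "__main__":
    # constructed sample: an OPTIONS response with no framing protection and TRACE on
    sample = {"Allow": "GET, HEAD, OPTIONS, TRACE", "Content-Type": "text/html"}
    for finding in audit_response(sample):
        print(finding)
    secret = b"constructed-session-secret"
    token = make_action_token(secret, "delete-account")
    print("forced action blocked:", not action_is_authorised(secret, "delete-account", "guess"))
```

Each check maps one row of the TL;DR table to a yes/no question a developer can answer without arguing about what "cross" means: is the page frameable, is TRACE advertised, can a request be replayed without a per-session token, and can user data put a CR/LF into a header.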
| Confusing | Not Confusing Much, Probably |
|---|---|
| Cross-Site History Manipulation | [Not common enough to name] |
| Cross-Site Tracing | TRACE is enabled |
| Cross-Site Request Forgery | Forced User Action |
| Cross-Site Scripting | HTML Injection |
| Cross-User Defacement | Crappy proxy server |