XSS Goes Presidential

This weekend, presidential candidate Barack Obama’s Web site was defaced via a Cross Site Scripting (XSS) exploit, effectively redirecting visitors to Hillary Clinton’s Web site. Whether or not the script kiddie was from the Clinton camp, this should be a wake-up call for Web designers to start treating XSS vulnerabilities with more priority.

Netcraft, a firm that keeps the pulse on Web server configurations across the Web, broke the story under the headline: Hacker Redirects Barack Obama’s site to hillaryclinton.com.

Later, a fellow by the alias of “Mox” posted the details on Obama Community Blogs, explaining how he/she manipulated the Web site. Before campaign staffers remove it, here is a copy:

First, let me explain why I put hacked in quotation marks. It is because what I did was not hacking in the sense that I burrowed into some dusty server and changed the Obama site and stole all your credit card numbers. All I did was exploit some poorly written HTML code.

So, you may be wondering, I never saw this hacking! Well, apparently someone videotaped it. http://youtube.com/watch?v=NKjomr1Afq0. You may also be wondering, how did you get Hillary’s site to appear where Obama’s should be. The answer to that is, through the magical world of Cross Site Scripting. http://en.wikipedia.org/wiki/Cross-site_scripting.

You might be wondering, how did you get xss to work here? First, go to your manage blog tab. Then go to Edit Settings. You see how you can put anything you want as a blog URL? Well, it’s fixed now, but before you could put in any characters you wanted. Including >, “, and [cut off]

I think their intentions were good, but it’s never appropriate to deliberately ‘hack’ a site to get the attention of a system administrator when it will affect users. If anything, make it do a silent “document.write,” not redirect the Web browser.

Instead, why didn’t he contact an official Obama campaign staffer and have the exploit escalated? Heck, he or she might even have been contracted to ensure all user-generated content on the site is properly sanitized against XSS. Now, I don’t think that opportunity exists.

What’s XSS? XSS is a technique of feeding input to a Web application so that it is echoed back somewhere in a page, where it runs as instructions (usually JavaScript) in the end user’s browser. Commonly, this is used to redirect users to a malicious Web site, or to embed spyware/malware or even rootkits on users’ machines. To see some safe examples of XSS-compromised Web sites, check out XSSED.com.

Oh, and Hillary Clinton’s Web site is vulnerable, too.
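The root cause described above is a user-supplied setting (the blog URL) written straight into an HTML attribute, so characters like `"` and `>` close the attribute and the tag and let the rest of the input become new markup. The following is an added example, not code from the campaign site or from Mox’s post: a hypothetical, simplified profile renderer with the vulnerable version beside a hardened one. The hardened version does two things a practitioner would want to see separated: it validates that the value is actually an http(s) URL (HTML escaping alone would not stop a `javascript:` link, which needs no special characters), and it then HTML-escapes the value for the attribute context. The template, function names and test inputs are all constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Hypothetical stand-in for a profile page that echoes a user-supplied
# "blog URL" setting into an <a href>. Not the campaign site's actual code.
TEMPLATE = '<p>Blog: <a href="{url}">{url}</a></p>'
FALLBACK = "<p>Blog: (no valid URL set)</p>"


def render_blog_link_unsafe(blog_url: str) -> str:
    """Vulnerable: raw interpolation lets a quote and angle bracket in the
    setting close the href attribute and inject arbitrary markup."""
    return TEMPLATE.format(url=blog_url)


def is_safe_http_url(blog_url: str) -> bool:
    """Accept only absolute http(s) URLs with a host component.
    Output encoding does not cover href="javascript:..." because that
    payload contains no characters that escaping would touch."""
    parts = urlsplit(blog_url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_blog_link_safe(blog_url: str) -> str:
    """Hardened: validate the URL's scheme, then HTML-escape it for the
    attribute context. quote=True also escapes " and ', which is what
    keeps the value inside the attribute."""
    if not is_safe_http_url(blog_url):
        return FALLBACK
    return TEMPLATE.format(url=html.escape(blog_url, quote=True))


def contains_injected_markup(rendered: str) -> bool:
    """Crude detection used only for this demonstration: a <script> tag or
    a second <a> tag means the attribute boundary was broken."""
    lowered = rendered.lower()
    return "<script" in lowered or lowered.count("<a ") > 1


# Constructed inputs: one legitimate value and three hostile settings that
# mirror the page's description (quotes and angle brackets in the field).
LEGIT_URL = "http://example.com/blog"
BREAKOUT_PAYLOAD = '"><script>/*constructed test*/</script><a href="'
MIXED_PAYLOAD = 'http://example.com/"><script>/*constructed test*/</script>'
SCHEME_PAYLOAD = "javascript:/*constructed test*/0"


if __name__ == "__main__":
    for label, value in [("legit", LEGIT_URL), ("breakout", BREAKOUT_PAYLOAD),
                         ("mixed", MIXED_PAYLOAD), ("scheme", SCHEME_PAYLOAD)]:
        unsafe = render_blog_link_unsafe(value)
        safe = render_blog_link_safe(value)
        print(f"{label:9s} unsafe injected={contains_injected_markup(unsafe)!s:5s} "
              f"safe injected={contains_injected_markup(safe)}")
        print("   ", safe)
```

The validation step runs before encoding on purpose: `MIXED_PAYLOAD` passes the scheme check (it really is an http URL) and is neutralized only by the escaping, while `SCHEME_PAYLOAD` contains nothing for the escaper to touch and is caught only by the scheme check. Both layers are needed for a URL attribute; for plain text nodes the escaping alone is sufficient.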