Bank’s own developers a much bigger problem than browsers

Banks will imminently be under pressure from regulators, customers, and indeed, fraudsters to eliminate opportunities for cross-site scripting from their sites, following a demonstration that several very widely used banking web sites could act as conduits for fraudsters to solicit and steal their customers' account information.

The weaknesses were published by British web developer and security researcher Sam Greenhalgh, who established his credentials last year by discovering the %01 bug in Microsoft Explorer. Amongst the vulnerable sites are MasterCard and Barclays, which ironically each recently announced initiatives to combat phishing, apparently without ensuring that their own houses were in order.

Greenhalgh's demonstration uses a technique known as cross-site scripting to insert JavaScript from his own web site into pages generated by an ATM locator on the main MasterCard site. Cross-site scripting (XSS) is a well-known technique which involves injecting the text of code to be executed by the browser into URLs that generate dynamic pages: attacks have been found by security researchers in a wide variety of products and specific sites over the last four years. The novelty in Greenhalgh's demonstration is the application rather than the technology: the potential of XSS for phishing attacks when used on a bank's site is very clear.

Having the ability to run their code from the financial institution's own site is a big step forward for fraudsters, as it makes their attack much more plausible. It will almost certainly lead fraudsters to seek out banking sites vulnerable to cross-site scripting as a refinement on current phishing attacks, which depend upon obscuring the true location of a window prompting for bank account authentication details.

The technique works equally well over SSL, and so offers fraudsters the enticing opportunity of having a phishing attack delivered over SSL, with the attacker's code being served as part of a URL from the bona fide bank's own secure server. Further, if the vulnerable site uses cookies, it may be possible for the fraudster to steal the user's session cookie and hence hijack the user's secure session.

Greenhalgh notes that the issue is not a new vulnerability, but a failure of very widely trusted organisations to defend their customers against what should be well understood risks. Web programmers can prevent most cross-site scripting attacks by validating form input, and ensuring that all user data is correctly encoded before it is displayed or stored. "Never trust user input" is a basic security tenet designed to reduce the risk posed by web forms.
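As an added illustration of that advice (example code written for this article, not taken from any bank's locator), here is a reflected search parameter rendered three ways: raw, encoded on output only, and validated against an allow-list and then encoded. The postcode pattern and page template are assumptions.

```python
import html
import re

# Assumption: a locator query is alphanumerics and spaces, 3 to 10 characters.
POSTCODE_RE = re.compile(r"^[A-Za-z0-9 ]{3,10}$")

# Constructed page template; the parameter lands both in text and in an attribute.
PAGE_TEMPLATE = (
    "<html><body><h1>ATM locator</h1>"
    "<p>Results for: {query}</p>"
    '<input name="q" value="{query}">'
    "</body></html>"
)


def render_vulnerable(query: str) -> str:
    """Reflects the raw parameter into the page: the mistake described above,
    kept here only for comparison with the safe versions."""
    return PAGE_TEMPLATE.format(query=query)


def render_encoded(query: str) -> str:
    """Output encoding only: safe for free text that cannot be allow-listed.
    quote=True also encodes the quote that would close the value attribute."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def validate_postcode(query: str) -> bool:
    """Input validation: anything outside the allow-list is rejected."""
    return POSTCODE_RE.fullmatch(query) is not None


def render_hardened(query: str) -> str:
    """Validate first, then still encode on output (defence in depth)."""
    if not validate_postcode(query):
        raise ValueError("rejected locator query")
    return render_encoded(query)


def hardened_rejects(query: str) -> bool:
    """True if the hardened renderer refuses the query."""
    try:
        render_hardened(query)
    except ValueError:
        return True
    return False


# Constructed sample input: markup arriving where a postcode was expected.
INJECTED = '"><script>/* injected */</script>'

if __name__ == "__main__":
    print(render_vulnerable(INJECTED))   # raw tag survives in the page
    print(render_encoded(INJECTED))      # &lt;script&gt; renders as text
    print(render_hardened("EC2A 4NE"))   # normal query passes both checks
```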

That said, carelessness is human nature, even amongst developers of banking systems. Although cross-site scripting has been a well-known technique for over four years, it is an easy mistake for programmers to make, and can be an awkward one to test thoroughly. Moreover, the need for iterative refinements to web-based systems is much greater than the pace of development to which banks were previously accustomed, and the opportunities for them to introduce errors are consequently greater.

While it is possible to automate testing for system service vulnerabilities, application testing requires expert human involvement for a reasonable degree of assurance. All other things being equal, a specialist security testing consultant will have a natural advantage over an equally capable person working in-house, as [s]he will typically test applications from many different organisations, and is in a position to abstract common themes from the wide range of systems they test and the mistakes they encounter, while the same person working in-house at a bank would probably test only a single system, or systems based on a single technology.

Moreover, relying on your own testing is akin to marking your own examination paper. The most prudent organisations, even if they are confident that their systems have been written robustly and tested meticulously, will still have their systems tested by an external organisation, which at a minimum delivers an experienced and professional second opinion, and at best saves the day. If there is one single thing that would improve the security of web-based banking systems, it would be for each country's banking regulators to mandate this approach, rather than leave external testing to the discretion of each individual bank.

Declaration of interest: Netcraft provides exactly this type of application testing.