Is authenticated XSS a problem?
Obviously, cross-site scripting (XSS) is a big problem on the public Web. But there’s another angle to XSS that no one seems to be talking about – at least I couldn’t find anything on it. It’s the issue of XSS on Web pages that are only accessible when the user is logged in. I see XSS in this context all the time, which raises the question: is XSS indeed a “problem” if the user has to log in to be on the receiving end of the exploit? Many developers I’ve worked with don’t seem to think so, but as of late, I’m forming a different opinion on the issue.
For starters, XSS on any page – whether or not authentication is required – clearly indicates an input validation issue. But that doesn’t automatically make it a security problem. So maybe it’s just a lower priority “best practice” that’s being overlooked? But we can’t stop there. If you dig in further and think about some real-world scenarios, I truly believe this is something that can be a big problem if we don’t address it.
Looking at certain authenticated XSS scenarios, there’s no doubt that it can be exploited if all the right things fall into place at the right time. For instance, take a user who’s logged into an application with an XSS flaw somewhere behind the login prompt. Assuming his session hasn’t timed out, he could click a malicious link elsewhere that points back to the XSS hole and end up falling victim to the exploit.
Another example would be a business environment that uses single sign-on (SSO) across multiple applications. A user logs into one application and his authenticated session is passed along behind the scenes to subsequent applications he connects to. In this situation, the user is not prompted to log in again, and thus, automated XSS could be carried out. In reality, this would likely be something that’s perpetrated by a malicious insider working for a large corporation or government entity. However, this attack could also be carried out where SSO is implemented among multiple sites to which, say, only key business partners and customers are granted access. So, what are your thoughts? Is this a problem, or should we only worry about public-facing XSS exploits that don’t involve user authentication?
If it is indeed a problem, what do we do about it? Depend on SSO systems to detect and block XSS? Re-prompt users for their login credentials when they’re crossing over to another domain? Use a WAF?
I know these are hypothetical cases where the likelihood is minimal. But an elevated impact does still exist, so we can’t ignore the issue altogether.