A couple of weeks ago, a few high-profile sites were hacked. The sites were properties of CNET Networks (ZDNet Asia, TV.com, News.com, and mySimon.com), TorrentReactor, and possibly others. The hack consisted of injecting an IFRAME tag into Web pages, and the IFRAME led to malicious content.
According to Dancho Danchev, who discovered the problem (see the URL below for more information), more than 100,000 Web pages were affected at the sites I mentioned. While news of these hacked sites spread rapidly, they certainly weren't the only sites affected.
I ran a query at Google and within seconds discovered that University of Pittsburgh, North Carolina State University, and the heavily trafficked Internet Archive (archive.org) were also infected--to name only a few. To see the extent of the damage yourself, type "intitle:iframe src" in the Google search field. To see if Google has indexed any of your sites' pages as being affected, type "site:yourdomainname in the Google search field. You can visit Google's Advanced Operators page at the URL below for more help with the intitle: and site: tags.
This particular attack takes advantage of sites that don't sanitize user-supplied input, typically entered in a Web form. In these instances, the hacker enters a search query string along with the text of an HTML-based IFRAME tag. The sites' search engines cache the query string and the query results without removing unwanted content, such as HTML. As a result, the user-supplied query string (which contains HTML) becomes part of the cached Web pages. When someone lands on an affected cached page, the IFRAME injects unwanted content onto the page that could lead to malicious content. Compounding the problem further, the cached pages show up in search engines, which of course can lead to widespread infection.
In "Online Fraud Continues to Escalate" (February 20, at the URL below) I wrote about online fraud as reported by Cyveillance. The company had issued a report that stated that of all the phishing pages discovered in first quarter 2007, 34 percent were hosted on compromised existing Web sites. The recent widespread injection of IFRAME tags goes to show just how easily a site can be compromised. If you haven't scanned your sites for vulnerabilities, you should probably get started right away.
Back in November 2007, I wrote about a comparative review of Web security scanners conducted by Larry Suto, an application security consultant. You can read about that report at the first URL below. Suto examined three commercially available Web application scanners: NT OBJECTives' NTOSpider (at the second URL below), Watchfire AppScan (at the third URL), and SPI Dynamic's WebInspect (now known as HP WebInspect, at the fourth URL). Suto found NTOSpider to be the superior product.
Last week, I learned that NT OBJECTives and eEye Digital Security have teamed up. eEye is now using NTOSpider as the core of its newly launched Retina Web Security Scanner (RWSS--at the URL below). I recently spoke with John-Marc Clark (VP of marketing at eEye) and JD Glaser (CEO at NT OBJECTives), and they told me that going forward, NT OBJECTives will handle the evolution of NTOSpider and that eEye will continue it to use as the basis for future upgrades to its RWSS product.
Clark said that eEye sees a significant demand for Web scanners, thus the company's entry into the field. Right now, RWSS is strictly a software offering. However, sometime in the next several months, the company will make RWSS available as a plug-and-play appliance. In the more distant future, the company might also offer RWSS as a Web-based managed service. Given what Suto found in his comparative analysis, eEye's RWSS product could be a strong solution.
There are certainly other Web scanning tools available for your consideration. Some of the tools I know about are listed below:
Nikto 2 (open source)
Pantera (open source)
Wapiti (open source)