Most public-facing Websites allow at least some form of user-generated content. A Website might for instance, allow users to post product reviews, or it may include some sort of discussion forum. In any case, there are several ways in which seemingly harmless user-generated content can actually pose a threat to either your security or to your customers’ security.
When it comes to user-generated content, the threat that people are probably most familiar with is code injection, where a user enters executable code into a text input field. This particular risk has been so well documented that nearly all commercial web software guards against it. However, although modern safeguards have made it far more difficult for a malicious user to launch executable code through an injection attack, code injection (or, at least, string injection) is still being used in other ways.
If you look at Figure 1, for example, you can see a comment that was left on a WordPress site. This comment contains embedded malicious links. Of course, content filtering engines and mandatory moderation can easily put a stop to this sort of thing. However, I have seen malicious users embedding links within their user names. Not only do some scanning engines fail to check user name fields, but I have actually seen forums render a preview of these types of links.
The Registration Process
Most sites that allow the use of user-generated content require that the user complete some sort of registration process, starting with the creation of an account used to access a site. Although the account itself is usually harmless, bad actors have increasingly been exploiting site registrations for social engineering purposes.
There are a couple of things that bad actors will do when attempting to exploit a site’s registration requirements. First, they will usually try to do something to call attention to themselves. For example, they might embed HTML code into the user name field to change the font in which their user name is displayed. HTML code might also be used to make their user name show up in bold type or in a different color. Regardless of which method is used, the goal is to make the user name stand out so that it appears different from the site’s other users.
The second part of the process is for the bad actor to choose a misleading user name. Names like Admin or Administrator are usually taken, but names such as Support, Billing or Customer Service are often readily available.
By choosing an official-looking user name and doing something to cause that user name to be rendered in a way that is different from other user names, the bad actor may try to convince other site users that he or she works for the site. With this new identity, the bad actor is free to begin “helping” customers.
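One way to shut both halves of this trick down at registration time is shown below. This is an added example, not code from the article: a Python user-name check that refuses markup, links and official-looking names, and escapes whatever is accepted before it is rendered. The article names Admin, Administrator, Support, Billing and Customer Service; the other reserved names, the length and character rules, and the link patterns are assumptions for illustration.

```python
import html
import re
import unicodedata
from typing import Tuple

# Names that a registration form should refuse. Admin, Administrator, Support,
# Billing and Customer Service come from the article; the rest are assumed.
RESERVED_NAMES = {
    "admin", "administrator", "support", "billing", "customerservice",
    "moderator", "helpdesk",
}

HTML_MARKUP = re.compile(r"<[^>]*>|&#?\w+;")  # tags or character entities
LINK_LIKE = re.compile(
    r"(?i)\b[a-z][a-z0-9+.-]*://|\bwww\.|\b[a-z0-9-]+\.(?:com|net|org)\b"
)
ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{2,31}$")  # 3-32 chars, assumed policy


def normalize(name: str) -> str:
    """Fold look-alike spellings onto one key so 'Customer Service',
    'customer-service' and fullwidth 'SUPPORT' all hit the reserved list."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[\s._-]+", "", folded)


def validate_username(raw: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Order matters: markup and links are rejected
    outright, then impersonating names, then the general character policy."""
    if HTML_MARKUP.search(raw):
        return False, "markup is not allowed in user names"
    if LINK_LIKE.search(raw):
        return False, "links are not allowed in user names"
    # Trailing digits ("Support2") do not make a reserved name acceptable.
    key = re.sub(r"\d+$", "", normalize(raw))
    if key in RESERVED_NAMES:
        return False, "that name is reserved for site staff"
    if not ALLOWED.fullmatch(raw):
        return False, "user names must be 3-32 characters: letters, digits, space . _ -"
    return True, "ok"


def display_name(name: str) -> str:
    """Defence in depth: even an accepted name is escaped at render time, so a
    name that slipped past validation still cannot change how it is drawn."""
    return html.escape(name, quote=True)
```

Name fields are often exempt from the content scanning applied to posts, so the reserved-name and link checks here deliberately run on the user name itself rather than on post bodies.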
I have addressed malicious links and official-looking accounts, but these two exploits can also be combined. I recently saw an especially alarming example.
Palo Alto Networks recently announced that it had collaborated with GoDaddy to remove 15,000 subdomains. Attackers compromised numerous GoDaddy hosting accounts and then created subdomains within the compromised accounts. These subdomains were then populated with fraudulent or perhaps even malicious pages.
My own account was not compromised, but I will use myself as an example, just to illustrate how everything comes together. My primary domain name is BrienPosey.com. With that in mind, imagine that someone compromised my account and created a subdomain named Support.BrienPosey.com. Just to make things interesting, let’s also assume that a visit to Support.BrienPosey.com reveals a request for a credit card number.
The person who set this up might then go to the legitimate site’s discussion forum and create an account called Support. That person might then browse the discussions within the site, looking for people who are experiencing some sort of technical problem. Upon finding such a post, the bad actor could chime in on the discussion as “Support” and say something like, “If you are still having problems, then go to support.BrienPosey.com.” Assuming that the fake support page looked like the rest of the website, unsuspecting victims might pay a “support fee” without even realizing that they were on a malicious page.
The really scary part of this exploit is that the subdomain has the same root name (in this case, BrienPosey.com) as the legitimate site. It would therefore be nearly impossible for visitors to the site to determine that they are being directed to a malicious page.
Banning user-generated content is not an option for most sites, so it is important to take steps to keep your site from being overrun by those who abuse forums and other user-generated content features.