After heise Security informed the Federal Office of Economics and Export Control (BAFA) last Wednesday of the second cross-site scripting (XSS) vulnerability within two weeks, the authority now wants to commission a comprehensive security review of its website.
In conversations and e-mails with heise Security, BAFA staff from IT and the press office stressed that the authority takes security deficiencies – and the security of potentially sensitive citizen data – very seriously. In addition to the internal security reviews that are carried out regularly, incident-related assistance has been requested from experts at the Federal Office for Information Security (BSI), both to examine the website for further weaknesses and to obtain help with preventive protection against future threats.
BAFA says it is “in close contact” with the BSI, Germany's central authority for information security, regarding the design of its own security architecture. Depending on the occasion, the BSI offers federal authorities primarily so-called IS penetration tests and web checks (“IS” stands for information security).
Further vulnerabilities are very likely
heise Security reported last Tuesday on the first vulnerability, which was discovered by a reader using the pseudonym [PG]ikk0. It made it possible to inject one's own (potentially harmful) code into the BAFA website according to the following scheme:
Just a few hours later, a second reader (@totz_sec) contacted us who, as he wrote to us, had found a second XSS vulnerability “in less than 5 minutes” that worked according to the same scheme. The PoC URL looked like this, whereby (not only) the content of the alert box is interchangeable:
Both cases are so-called reflected or non-persistent XSS vulnerabilities. In this class of bug the malicious code is not stored on the web server; it travels in the request itself (here, in a URL parameter), is echoed by the server into the generated page without adequate encoding, and runs in the browser of whoever opens that link, in the security context of the BAFA site. Attackers could have replaced the alert boxes from the links above with their own code and sent the prepared URL via phishing e-mail, for example, in order to display their own content in the context of the BAFA website and, for instance, harvest data using self-created forms.
The similarity between the two vulnerabilities suggests that other, similar attack options existed (or still exist).
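To make the mechanism concrete, here is an added example that is not BAFA's code and not part of the original article: a constructed stand-in for a page that echoes a search parameter, once reflecting it verbatim (reflected XSS) and once with output encoding, plus the kind of quick reflection probe a reader would run to find such a bug. The base URL, the parameter name `q` and the probe marker are assumptions for the demonstration.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a page that echoes a query parameter. This is not
# BAFA's code; the base URL and the parameter name "q" are assumptions.
BASE_URL = "https://example.invalid/search"
PAYLOAD = '<script>alert("XSS")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the user-controlled parameter verbatim into the HTML body.

    Whatever the request carried in ?q= ends up in the response unchanged,
    so a crafted link executes script in the victim's browser with the
    site's origin. Nothing is stored server-side: this is reflected XSS.
    """
    return f"<h1>Search results for: {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Same page with output encoding for the HTML-text context.

    html.escape() turns <, >, &, " and ' into entities, so the browser
    renders the payload as text instead of parsing it as markup.
    """
    return f"<h1>Search results for: {escape(query, quote=True)}</h1>"


def handle_request(url: str, render) -> str:
    """Simulate the server: parse ?q=... from the URL and render the page."""
    params = parse_qs(urlsplit(url).query)
    query = params.get("q", [""])[0]
    return render(query)


def build_poc_url(base_url: str, payload: str) -> str:
    """Build the kind of link an attacker would send, e.g. in a phishing mail.

    urlencode() percent-encodes the payload; the server decodes it again,
    so the browser never sees the raw angle brackets in the address bar.
    """
    return base_url + "?" + urlencode({"q": payload})


def reflects_unescaped(base_url: str, render) -> bool:
    """Quick reflection check of the kind the readers described.

    Send a unique marker containing the characters that matter for HTML
    (angle brackets, a quote and a slash) and see whether it comes back
    verbatim. A verbatim echo means the parameter is reflected without
    encoding; an entity-encoded echo means the page is handling it.
    """
    marker = '<probe-7f3a"/>'  # assumed marker, chosen to be unique
    response = handle_request(build_poc_url(base_url, marker), render)
    return marker in response


def demo() -> dict:
    """Run the payload against both renderers and probe both for reflection."""
    url = build_poc_url(BASE_URL, PAYLOAD)
    return {
        "url": url,
        "vulnerable": handle_request(url, render_search_vulnerable),
        "fixed": handle_request(url, render_search_fixed),
        "vulnerable_reflects": reflects_unescaped(BASE_URL, render_search_vulnerable),
        "fixed_reflects": reflects_unescaped(BASE_URL, render_search_fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix shown is context-specific: `html.escape()` is correct for text between tags, but a parameter reflected into an attribute, a `<script>` block or a URL needs the encoding for that context. A Content-Security-Policy that forbids inline script is worthwhile defence in depth, but not a substitute for encoding the output.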
Conclusion: positive, with room for improvement
BAFA's IT department reacted very quickly to the second incident: we informed the authority on Wednesday afternoon, and when we called up the PoC URL the next morning, the vulnerability had already been fixed. Overall, the agency seemed grateful for the advice; communication with the responsible staff was friendly and uncomplicated.
Apart from the fact that websites of federal authorities should ideally be well secured from the outset, the positive conclusion can be drawn that reporting the gaps in this specific case actually benefited the security of future website visitors, and that the result was not merely a partial patch but an all-round check.
From the perspective of readers who prefer to pass on vulnerabilities they find to federal authorities via heise Security rather than approaching them in person, another general improvement would be desirable: a binding vulnerability disclosure policy (VDP) that creates a clear legal framework and thus properly protects vulnerability finders. And perhaps, as the discoverer of the second BAFA XSS hole suggests, a federal bug bounty programme as well.