Threats behind Wordpress.com: Link Injection

I am an enthusiastic owner of a Wordpress.com blog, and those of you who use that blogging platform like me will admit the usefulness of the stat counter. In fact it provides a pretty detailed record of the inbound and outbound HTTP traffic of your blog: search engine keywords, most viewed articles, (...) and referers. Most of you may have already guessed what I am going to tell you, but let's explain a bit what a referer is.

When you browse the web, even if this is completely transparent to (most) users, there is a continuous exchange of metadata between your web browser and the server on which the website is hosted. Technically speaking, browser and server send and receive requests and responses. These carry headers: fields describing characteristics of the data being sent; in particular the Referer header contains the URL of the previous web page from which a link led the user to the current page.


In this way the referer tell us which pages are currently linking to our weblog so we can check who's talking about us.

Beyond this advantage there is a big pitfall: storing and showing the referer exposes the application to potential threats such as Cross Site Scripting and, more silently, to an unusual threat that I decided to call Link Injection (I say "I decided" because I have not found any literature about this kind of issue yet).

Wordpress.com seems to filter user input properly to protect users against XSS and code injection, but it does not provide any protection against link injection!

The HTTP Referer can be easily modified: I used to do it with the Firefox extension Modify Headers or with the fantastic WebScarab, a powerful framework from OWASP. The ease of this attack is what makes it powerful; here is a possible scenario:

The attacker knows the URL of the victim's blog, so he writes a script to send HTTP requests to it, each carrying the forged Referer. Let's say the victim's blog is not very popular, so a dozen visits from the same source would make him curious; the attacker knows that, or maybe he decides the number of requests to send by probabilistic considerations. In this way the victim will follow the injected link. That link could lead to an infected page or something else.

Unfortunately there is no easy way to avoid this kind of threat without compromising the efficiency of the service; personally I would remove the anchor tag from referers and put a little "Warning" near them.


Insecurity Of Referer checking services

I recently wrote on my Italian-language blog about the insecurity of referer-viewing services. In particular I wrote about link injection on the wordpress.com administration page (maybe I will translate it on this blog). From that article I started thinking: how could bad guys use this vulnerability to threaten good guys? I got a first answer by googling!

The second link I get from Google searching "show your referer" is wwwDOTshowskyDOTcom (I don't want to link it because it may fuck up your browser). That site shows your referer, WOW, what a miracle of scripting, but it also stores the latest referers without filtering input, which means persistent XSS.

While I am writing these lines, surfing that site means being greeted by a few alert('xss') pop-ups, but I don't know what it could become in the future :)

This is a perfect example of "too much trust in the user" and lack of input filtering.
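As an added example (not code from the original posts, from Wordpress.com or from the referer-viewing site), here is the mitigation suggested in the first post, which also covers the stored-XSS problem of the service in the second: the Referer is treated as untrusted client input, accepted only as an http(s) URL, HTML-escaped and shown as plain text with a warning instead of as an anchor. The function names, the "referer" CSS class and the sample header values are my own assumptions and constructed data.

```python
import html
from urllib.parse import urlsplit

# Constructed sample Referer values a stat page might receive (not real traffic).
SAMPLE_REFERERS = [
    "https://example.org/post-about-your-blog",           # legitimate
    'http://evil.example/"><script>alert(1)</script>',    # stored-XSS attempt
    "javascript:alert('xss')",                            # non-http scheme
    "",                                                   # header absent
]

def render_referer_unsafe(referer: str) -> str:
    """The pattern the posts criticise: echo the raw header as a clickable link."""
    return f'<a href="{referer}">{referer}</a>'

def render_referer_safe(referer: str, max_len: int = 200) -> str:
    """Render an untrusted Referer as escaped text with a warning, never as a link.

    Returns a small HTML fragment; the 'referer' class name is an assumption.
    """
    if not referer:
        return '<span class="referer">(none)</span>'
    referer = referer[:max_len]          # bound the size of what gets stored and shown
    try:
        parts = urlsplit(referer)
    except ValueError:                   # e.g. malformed IPv6 netloc
        parts = None
    if parts is None or parts.scheme not in ("http", "https") or not parts.hostname:
        # javascript:, data:, bare HTML or junk: never echo it back
        return '<span class="referer">(invalid referer)</span>'
    host = html.escape(parts.hostname)
    shown = html.escape(referer)         # neutralises quotes and angle brackets
    return (f'<span class="referer" title="Warning: the Referer header is set by the '
            f'client and was not verified">Unverified referer from {host}: {shown}</span>')

def render_all(referers=SAMPLE_REFERERS):
    """Render every sample value the safe way; returns the list of HTML fragments."""
    return [render_referer_safe(r) for r in referers]

if __name__ == "__main__":
    for raw, out in zip(SAMPLE_REFERERS, render_all()):
        print(repr(raw), "->", out)
```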