XSS And Management Workstations

XSS And Management Workstations

Hello my kind readers! This week I will be talking about XSS (Cross-site Scripting) what it is, what it means to the often forgotten Management Workstations, and what you can do to prevent XSS attacks no matter who you are!

What is XSS?

XSS (or Cross-site Scripting) attacks have the ability to not just make the effected computer part of a botnet. It has the potential to steal credentials, spy on your activities, further infect your computer, expand to other machines in your network, and more. XSS attacks occur when hackers embed malicious scripts into a form that goes to a website. The result is that malicious code is stored on the website and gets run locally when a user goes to the website. This is often done without the user’s knowledge.

What Does This Mean for IT?

Most of the time IT personal read forms and other documentation. in order to find solutions to technical problems. This is completely normal, and is often the go-to technique if the answer is not immediately obvious.

It is also common practice that IT will have a special “management” network along with several management workstations. These workstations are granted access to the plethora of management interfaces for servers and networking equipment on the network. Having a separate network and computer for this purpose is considered a “best practice” in many enterprise products.

These management systems should never be connected directly to the Internet (other then to receive updates). Exceptions can be granted for updates by finding and entering the update server addresses into a firewall rule. However, such security practices requires several additional steps and have can be hard to diagnose if improperly configured.

Let’s be Frank

Let’s face it: most people are not going to bother to do that. I’m sure that many of these management workstations are often left connected to the Internet unrestrained. Without much stopping the machine from phoning-home to a unknown third party. A common indicator of compromise.

To make matters worse, oftentimes IT staff are unlikely to consider that their own workstation could be infected. We often assume that we know what we are doing and that such infections couldn’t possibly happen to ourselves. But we are all human, we make mistakes, we don’t notice things. It doesn’t matter how experienced you are, XSS scripts can run on your computer without you ever knowing.

Following that same line of thought, it’s also safe to say that most management workstations are going to double as a research workstation. No matter experience level, we all agree that it’s far easier to work on one computer then two at the same time. Even if it is against best practices.

Don’t Believe me, Just Watch

While I can’t give you the full details of the 2019 CCDC Regional competition (which I still consider one of the most rewarding experiences in my life). I can promise you that it was very common for people to use one of the competition workstations (or worse yet, servers) in the competition environment to do research. It seemed like that was the first thing people would do if they where given a system with a GUI. People would try to look up the documentation for something.

Needless to say that this rarely worked out well for them. The Red Team had poisoned the upstream competition DNS servers very early on in the competition. And the machines that tried to reach out to a search engine like Google immediately get infected with malware. This was not something that effected me or the rest of my team, as we knew better, but it was definitely one of the topics of interest at the after-engagement meeting.

Keep in mind this is the CCDC Regional competition, these are teams made up of some of the best of the best IT students in the country. It’s almost a guarantee that most people in IT are going to be worse then this (unfortunately). IT staff are going to use management workstations and servers to do research, that’s just the reality of the situation. Let’s not forget that one of the reasons why Microsoft introduced Enhanced Security Configuration and turned it on by default on all Windows Servers since 2003 was to prevent people from looking at porn on their server!

Clearly, even IT staff don’t always think rationally.

So What Can I Do?

If you are a web developer, make sure you read up on XSS and make sure that you always use common sanitization methods in order to prevent

The first thing you should do is limit your management workstation’s access to the Internet. Only allow the machine to download updates and access your networking gear. No more, no less.

The next thing is to make sure that your workstation is connected to your companies SIEM (if you have one). I cannot iterate this enough, system logs is your friend. If you don’t have a SIEM and you are using Linux, you can simply view the files in /var/log using your favorite text editor. If your on Windows; good ‘old Event Viewer.

You also want to make sure you use something like NoScript to protect the browser on your research computer. Basically what NoScript does is it blocks scripts from running in your web browser until you tell it to. I’ve done another post about this if you would like to read more about it.

Lastly, if you use Windows Server for your management workstation. Make sure you have Internet Explorer Enhanced Security Configuration (IE ESC) enabled.

Leave a Reply