
Widespread XSS Vulnerabilities in Ad Network Code - finnn
http://randywestergren.com/widespread-xss-vulnerabilities-ad-network-code-affecting-top-tier-publishers-retailers/
======
inian
We conducted a similar experiment on the top 1000 websites and found 820
unique DOM-Based XSS vulnerabilities in these sites! You can find out more
about our techniques in our paper here
[http://www.comp.nus.edu.sg/~enricob/2015/fse15-main.pdf](http://www.comp.nus.edu.sg/~enricob/2015/fse15-main.pdf)

~~~
baby
So basically the top 1000 (Alexa?) is completely broken and insecure?

~~~
inian
Yup, pretty much. We managed to report and fix some bugs though. But it is
pretty hard to get the point of contact person for some websites.

~~~
devopsproject
Do tools like ublock and adblock protect end users?

------
pdkl95
Douglas Crockford warned[1] us many years ago that mixing JavaScript from
multiple sources was fundamentally unsafe. The security model of JavaScript
and the DOM was never designed for isolation within a page. If you're
including JavaScript from a foreign domain in the page, you're giving them
access to any data in the page (and allowing stuff like this XSS problem). In
most cases, this is irresponsible.

[1]
[https://www.youtube.com/watch?v=qfBL2sc2zUU](https://www.youtube.com/watch?v=qfBL2sc2zUU)

(re: Google Gears stuff in that talk - remember when the talk was given)

------
rurounijones
More requests to more code by more parties inherently increases attack surface
area.

As a user, why should I allow this for something that provides me no value
(ads, tracking, JS comment systems that I don't care about, etc.)?

I can see why some people use NoScript religiously and whitelist when needed.

~~~
annnnd
What I am missing in NoScript is ability to allow 3rd party scripts (say
"google.com") but _just for this domain_. If I allow facebook.com, I want it
whitelisted only on its own domain, not elsewhere.

~~~
dandelion_lover
You should try augmenting NoScript with RequestPolicy.

~~~
annnnd
Thanks, looks awesome! I'll try it out...

------
dexwiz
Is there anything that could fix this? Off the top of my head, browsers could
encode the results of any functions that get the URL. But after
encoding/decoding requests/responses and unknown server logic, the encoding
may be removed.
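
An added example (not code from the linked article or from any ad network) of the DOM-based XSS pattern dexwiz is asking about, reduced to plain functions so it runs in Node without a browser. The `clickTag` parameter name, the host `ads.example.invalid` and the helper names are assumptions. It illustrates why encoding only at the URL-reading layer does not solve the problem: `URLSearchParams` hands the script the already-decoded value, so the protection has to be applied where the value is written into the page (validate the URL, then escape for the HTML attribute context).

```javascript
// Added example, not code from the linked article or any ad network.
// Models the DOM-based XSS pattern discussed above: an ad tag that copies a
// value from the page URL into markup. The "clickTag" parameter name, the
// ads.example.invalid host and the helper names are assumptions.

const AD_HOST = "ads.example.invalid"; // constructed placeholder host

// Read one query parameter from a URL string. URLSearchParams returns the
// percent-DECODED value, so any encoding present in the URL is already gone
// by the time the ad code sees it.
function getParam(urlString, name) {
  return new URL(urlString).searchParams.get(name) || "";
}

// VULNERABLE: the URL-sourced value goes straight into an HTML attribute.
// ?clickTag=%22%3E%3Cscript%3E... closes the attribute and injects a script;
// ?clickTag=javascript:... yields a javascript: link.
function renderAdVulnerable(pageUrl) {
  const clickTag = getParam(pageUrl, "clickTag");
  return `<a href="${clickTag}"><img src="//${AD_HOST}/banner.png"></a>`;
}

// HARDENED, step 1: only accept an absolute http(s) URL as the click target.
// Anything that fails to parse, or uses another scheme, is rejected.
function safeClickUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (_) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.href;
}

// HARDENED, step 2: escape for the HTML attribute context at the point of
// output, where no intermediate decoding can undo it.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderAdHardened(pageUrl) {
  const clickTag =
    safeClickUrl(getParam(pageUrl, "clickTag")) || `https://${AD_HOST}/fallback`;
  return `<a href="${escapeHtml(clickTag)}"><img src="//${AD_HOST}/banner.png"></a>`;
}

// Constructed sample page URLs: one benign, two hostile.
const SAMPLE_URLS = {
  benign: "https://publisher.example/?clickTag=https%3A%2F%2Fshop.example%2Fsale",
  breakout: "https://publisher.example/?clickTag=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E",
  jsScheme: "https://publisher.example/?clickTag=javascript:alert(1)",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, url] of Object.entries(SAMPLE_URLS)) {
    console.log(name);
    console.log("  vulnerable:", renderAdVulnerable(url));
    console.log("  hardened:  ", renderAdHardened(url));
  }
}
```

Run it with `node` and compare the two renderings for each sample: the vulnerable function emits a live `<script>` element for the breakout payload and a `javascript:` link for the scheme payload, while the hardened one falls back to a fixed URL in both cases and passes the benign URL through unchanged.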

~~~
toast0
If you do ad placements with iframes, that can mitigate some vectors, but then
it is very hard to have full screen takeovers or many other hideous things
that seem to make advertisers happy.

~~~
pki
An HTML5 sandbox or iframe will have you terminated from AdSense, at least.
Don't know about the others.

~~~
aikah
> An HTML5 sandbox or iframe will have you terminated from AdSense, at least.
> Don't know about the others.

Really? What's the justification for that policy? You'd think ad networks
would want ads to be safe for users.

~~~
AkariTakai
Probably cross-domain abuse. I'd imagine there's a few edge cases that result
in behavior Google doesn't want for ads. For example, double serving,
accidental clicks, ad obscuring, etc.

Their FAQ does mention that they'll grant exceptions though.

------
gcb0
Won't affect Yahoo.com, even though they show ads from that network, because
it is one of the few publishers using
[http://www.iab.com/guidelines/safeframe/](http://www.iab.com/guidelines/safeframe/)
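
An added example, not SafeFrame's code and not from the linked article, of the host-page side of the cross-domain iframe approach that toast0, pki and gcb0 are discussing, written as one hypothetical message handler. It assumes the ad creative is served from its own origin `https://adframe.example.invalid` and that the publisher caps creatives at 970x250; both values are constructed. Because the frame is cross-origin, the browser already keeps it out of the host page's DOM and cookies; whatever the host is willing to do for the ad has to be a message type listed here, and each one's arguments are checked, so a "full screen takeover" simply has no command to ride on.

```javascript
// Added example, not SafeFrame's code and not from the linked article.
// Host-page side of a cross-origin ad iframe: the ad cannot touch the host
// DOM directly, so everything it needs goes through postMessage and this
// dispatcher. The frame origin and size caps are constructed assumptions.

const AD_FRAME_ORIGIN = "https://adframe.example.invalid"; // assumed ad frame origin
const MAX_WIDTH = 970;  // assumed publisher-defined caps
const MAX_HEIGHT = 250;

// Dispatch one incoming message. `event` is a MessageEvent-shaped object
// ({ origin, data }); `slot` is the host's record for this ad slot and is
// the only state the ad is allowed to influence.
function handleAdMessage(event, slot) {
  // 1. Origin check first: anything else on the page, or a frame that has
  //    since been navigated elsewhere, must not be able to drive the slot.
  if (event.origin !== AD_FRAME_ORIGIN) {
    return { ok: false, reason: "bad-origin" };
  }
  // 2. Shape check: postMessage data is attacker-controlled input.
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "bad-shape" };
  }
  // 3. Allow-list of commands with bounded arguments. Nothing resembling
  //    "run this in the host page" exists, so there is nothing to abuse.
  switch (msg.type) {
    case "resize": {
      const w = Number(msg.width);
      const h = Number(msg.height);
      const within =
        Number.isInteger(w) && Number.isInteger(h) &&
        w > 0 && h > 0 && w <= MAX_WIDTH && h <= MAX_HEIGHT;
      if (!within) return { ok: false, reason: "bad-size" };
      slot.width = w;
      slot.height = h;
      return { ok: true, reply: { type: "resized", width: w, height: h } };
    }
    case "geometry":
      // Read-only: tell the ad how big its slot is, nothing about the page.
      return { ok: true, reply: { type: "geometry", width: slot.width, height: slot.height } };
    default:
      return { ok: false, reason: "unknown-type" };
  }
}

// Send a reply to the frame. Naming the target origin (never "*") means the
// browser drops the reply if the frame has been navigated somewhere else.
function replyToFrame(frameWindow, reply) {
  frameWindow.postMessage(reply, AD_FRAME_ORIGIN);
}

// Wire-up for a real page (kept as a function so the file also runs in Node).
function installListener(win, frameWindow, slot) {
  win.addEventListener("message", (event) => {
    const result = handleAdMessage(event, slot);
    if (result.ok && result.reply) replyToFrame(frameWindow, result.reply);
  });
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample messages: a forged origin, an oversized resize, an
  // attempt to run code in the host, and a legitimate resize.
  const slot = { width: 300, height: 250 };
  const samples = [
    { origin: "https://evil.example", data: { type: "resize", width: 300, height: 600 } },
    { origin: AD_FRAME_ORIGIN, data: { type: "resize", width: 5000, height: 5000 } },
    { origin: AD_FRAME_ORIGIN, data: { type: "eval", code: "document.cookie" } },
    { origin: AD_FRAME_ORIGIN, data: { type: "resize", width: 728, height: 90 } },
  ];
  for (const ev of samples) {
    console.log(JSON.stringify(ev.data), "->", JSON.stringify(handleAdMessage(ev, slot)));
  }
}
```

The design point is that the host, not the creative, defines the vocabulary: the ad asks, the host decides, and the response is addressed to the expected origin rather than broadcast. That is why the iframe approach loses the "hideous things" toast0 mentions, and also why it contains a vulnerable creative to its own frame.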

------
manigandham
Unfortunately - this is because the ad industry has way too many vendors
(almost 0 effort required to get some shady network off the ground trafficking
in bad ads) with sloppy code and bad tech.

Similar to many other industries that operate without many standards or
QA/enforcement.

------
beedogs
As if I needed another reason to block javascript and advertising.

