Monday, January 21, 2008

Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No

I was reading Jeremiah's blog about ScanAlert's Response - ScanAlert - XSS is not our problem

I had blogged earlier about Should ScanAlert be revoked of their PCI Scanning abilities?

The interesting thing here is that if Hacker Safe is not detecting XSS attacks and I can bet they would not be detecting SQL injection attacks as well. So, what part of web application attacks are they trying to detect? I guess none. Which is OK as long as they don't claim they do. Oh wait..this is what they mention on their website

During this testing phase, all HTTP services and virtual domains are checked for the existence of potentially dangerous modules, configurations settings, CGIs and other scripts, and default installed files. The web site is then "deep crawled," including flash embedded links and password protected pages, to find forms and other potentially dangerous "interactive elements." These are then exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection. Both generic and software specific tests are performed in order to uncover misconfigurations and coding error vulnerabilities.

Well..I don't know what to say here..Let's assume for a second, that they don't detect these vulns..which is OK. Hey!! I am not going to tell ScanAlert what they should and should not do. Its their business. If they don't want to detect XSS or SQL injection, its fine by me. They can say that "HackerSafe" is not going to detect XSS vulns as they are not considered a serious risk. My question is, if they are not detecting XSS vulns and PCI standard says "Web sites should not have XSS vulnerabilities" then can ScanAlert provide a PCI compliance certificate? If they can, then why penalize the merchants?

On the other hand, Lets say if they do scan and detect XSS and SQL injection vulns, then all the websites mentioned on and which have hackersafe logo on them should not have a PCI Compliance certificate from ScanAlert. Since PCI requirement Section 6.5.4 and 6.5.6 very clearly mentions that XSS and SQL injection vulnerabilities should be detected and fixed before a website becomes PCI certified.

I don't think ScanAlert team understands web application security properly based on some of the comments made by Joseph Pierini, director of enterprise services for the ScanAlert's Hacker Safe program. Here are a few of them below.

“Pierini dismisses the suggestion that certifying a site as "Hacker Safe" when it remains vulnerable to XSS attacks could be confusing to consumers. "

Forget about consumers for a second and talk about the website owners. Does a site which is certified as Hacker Safe is by default PCI compliant or a site can be hacker safe but not PCI compliant? I don't think they differentiate between the two.

“He insists that the meaning of the certification is clear and notes that his company's scanning service reports the XSS flaws it finds to its clients.”

So, if ScanAlert has notified its clients that they have XSS flaws in their system, and the clients have not fixed them, I am assuming then those clients are not PCI compliant and ScanAlert would not have issued them a PCI certificate. If they did, then why penalize the clients alone and not ScanAlert as they knowingly gave a certificate to the clients when they had open vulnerabilities in their system.

“Cross-site scripting can be used to do a variety of things, but it's all on the client side. And that's an area that we don't have control over."

This is exactly the kind of problems merchants are facing. If the PCI ASV doesn't understand XSS attacks or other web application attacks, then how are they going to educate the merchants and as a result, the vulns are left open and exploited by the bad guys. The ASVs wash their hands and merchants gets penalized. I think its time the ASVs are held liable too for their ignorance or incompetence.

Other suggested readings.

Who are the real culprits for PCI compliance?

Many 'Hacker Safe' Web Sites Found Vulnerable

Group Tags More 'Hacker Safe' Sites

Re: [ISN] Many 'Hacker Safe' Web Sites Found Vulnerable

ScanAlert - XSS is Cool with Us

An open letter to Ken Leonard, CEO ScanAlert


Andy Steingruebl said...

To be pedantic for a minute - ScanAlert can't grant a PCI certification - that comes from the CC vendors themselves.

Additionally, as much as the PCI standard requires 100% compliance with it via its wording on the surface, I'm guessing that what the assessor is actually checking for is tracking of issues, and fixing as they come about. Otherwise at any point in time you could find a new issue, be in the process of fixing it, and fail an assessment....

Anurag Agarwal said...

well, the ASV can provide a report to the company confirming that they are compliant, which in itself is sufficient for the companies to think that they have done the job required.

As for your second point, there is a difference between auditor and assessor. Auditor is what keeps track of issues and fixes, etc but assessor just scans and submits the report. ScanAlert is an assessor not an auditor.

Random InfoSec Guy said...

Thats awesome! I know PCI Co is working on having some minimum baselines for ASVs - and your post about ScanAlert's response is just the ammo we need to push for that!

Anonymous said...

"Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No"