360XSS: Mass Website Exploitation via Virtual Tour Framework for SEO Poisoning

Hackers are exploiting a reflected XSS vulnerability in the “Krpano” VR library across hundreds of websites for SEO poisoning. The vulnerability, CVE-2020-24901, allows attackers to inject malicious scripts into websites using the Krpano framework. Google crawls these infected pages, unknowingly indexing attacker-controlled content, which leads to SEO poisoning. This results in affected sites hosting indexed redirects to spam, malware, and phishing pages.

Full breakdown of the attack:

🔗 [Blog: https://olegzay.com/360xss/]

Practice Verified Codes and Commands:

1. Detecting XSS Vulnerabilities:

# Using OWASP ZAP to scan for XSS vulnerabilities
zap-cli quick-scan --spider -r http://example.com

2. Preventing XSS in Web Applications:

<!-- Example of sanitizing user input in HTML -->
<script>
// Strips complete <script>...</script> blocks from a string.
// A blacklist regex like this is only a narrow filter; encoding untrusted
// input for the HTML context it is reflected into is the primary defence.
function sanitizeInput(input) {
  return input.replace(/<script.*?>.*?<\/script>/gi, '');
}
</script>
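To show why the regex in section 2 is only a partial measure, here is an added example (not from the original post and not Krpano code): the same blacklist regex placed beside an HTML output encoder, run over a few constructed inputs; the `looksActive` check is a rough illustrative heuristic, not a real parser.

```javascript
// Added example: blacklist stripping vs. output encoding for reflected input.
// SCRIPT_TAG mirrors the naive sanitizer from section 2 of this page.
const SCRIPT_TAG = /<script.*?>.*?<\/script>/gi;

function stripScriptTags(input) {
  return input.replace(SCRIPT_TAG, '');
}

// Encode the five characters that can change HTML structure when
// user-controlled text lands in an HTML text node or quoted attribute.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Rough heuristic (assumption, for illustration only): does the output still
// contain a <script opening tag or an element with an on* event attribute?
function looksActive(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample inputs, not taken from the original post.
const SAMPLES = [
  'hello <b>world</b>',                 // benign markup
  '<script>alert(1)</script>',          // the one case the regex handles
  '<img src=x onerror=alert(1)>',       // no <script> tag, so regex is blind
  '<script>\nalert(1)\n</script>',      // "." does not match newline: regex misses it
];

// Returns, per sample, whether each approach left active-looking markup behind.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    regexStillActive: looksActive(stripScriptTags(s)),
    encodedStillActive: looksActive(encodeForHtml(s)),
  }));
}
```

Running `compare()` shows the regex leaving the third and fourth samples intact while the encoder neutralises all four.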
3. Using Content Security Policy (CSP) to Mitigate XSS:

# Example of a CSP header in Apache (requires mod_headers; place in httpd.conf or .htaccess)
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com;"

4. Checking for Vulnerable Libraries:

# Using npm to check for vulnerable packages
npm audit

5. Removing Malicious Scripts from Infected Pages:

# Using sed to remove malicious scripts from HTML files
# Deletes every line matching the pattern in place; review matches first and keep a backup.
sed -i '/<script.*malicious.*<\/script>/d' /var/www/html/*.html

What Undercode Says:

The exploitation of CVE-2020-24901 in the Krpano framework highlights the persistent threat of XSS vulnerabilities in web applications. As web architectures evolve, so do the methods of exploitation, making it crucial for developers and security professionals to stay vigilant. Implementing robust security measures such as Content Security Policy (CSP), regular vulnerability scanning, and input sanitization can significantly mitigate the risk of XSS attacks.

In addition to the technical measures, it’s essential to keep all software and libraries up to date. Regularly auditing your codebase and dependencies can help identify and patch vulnerabilities before they can be exploited. Tools like OWASP ZAP and npm audit are invaluable in this process.

For those managing web servers, configuring security headers like CSP and X-XSS-Protection can provide an additional layer of defense. Monitoring server logs for unusual activity and employing web application firewalls (WAFs) can also help detect and block malicious traffic.

In conclusion, the fight against XSS and other web vulnerabilities is ongoing. By adopting a proactive approach to security, leveraging the right tools, and staying informed about the latest threats, we can better protect our web applications and users from exploitation.

References:

Initially reported by: https://www.linkedin.com/posts/oleg-zaytsev-rd_cybersecurity-xss-seo-activity-7300557570270806017-QFwF