Recently I was having a go with the CT Plus (Guernsey Buses) online journey planner.  They’ve now added live bus tracking, which makes the site a lot more useful.  However, during my testing of the site I noticed what I thought might be a security vulnerability.

TL;DR;

The website buses.gg had an HTML injection vulnerability that could be exploited simply by using a specially crafted link to the website.  Such a link could be distributed on social media, in emails, on other websites, etc., and because the injected content is served from buses.gg itself it would look entirely legitimate to the person who clicked it.

screenshot 4

After I reported it to CT Plus, they took swift action to address the vulnerability.  This is my public disclosure of the vulnerability so that others may learn from this issue.

Being a conscientious software developer, I immediately decided that the best course of action was to confirm that this could potentially be exploited and then inform the bus company of my findings and allow them an opportunity to fix the issue.  At the time I informed them I half expected my warning to be either completely ignored or dismissed as a non-issue.  To my surprise they took it seriously and within a couple of days the website had been updated to try and close the security hole.

Unfortunately, the change to the website only half resolved the issue.  My guess is that the developers were told “there’s a problem with X on the website – fix it!”.  The developers did that but couldn’t be bothered to check whether the same issue affected Y and Z.

What was the vulnerability?

The issue I discovered falls into a family of vulnerabilities generally known as HTML injection.  It occurs whenever a website takes content supplied by the user (a form field, a URL parameter, a cookie) and writes it back into a page as-is, so that any HTML tags in that content are interpreted by the browser instead of being shown as text.  Defending against it is straightforward in principle: encode the content at the point where it is output.  The catch is that this has to be done in every place user input is displayed, and developers sometimes skip it on the assumption that content received from users will not be malicious.

HTML injection is closely related to Cross-Site Scripting (XSS): the same reflection that lets an attacker inject a <b> tag will, unless something stops it, let them inject a <script> tag.  Browsers of the time shipped reflected-XSS filters, and both Chrome 49 and Safari 9.1 on MacOS blocked my simple XSS tests against the site.  Those filters only recognise the crudest payloads and are no substitute for fixing the page, so I believe that users with older browsers, or a more sophisticated attack, could have exposed an XSS vulnerability.

How did I find it?

In this case, I stumbled across the issue simply because I was typing too fast and made a spelling mistake.  Whilst entering a bus stop name I didn’t notice the mistake, but on the results page I spotted it in the output.  This immediately indicated that the input may not be validated.  Additionally, I noticed that the spelling mistake was also displayed in the browser address bar.

screenshot 1

The fact that the input is passed to the results page in the URL immediately raises a red flag: anything in a URL can be prepared by an attacker and handed to a victim as a link, so the victim never has to type anything into the form.  To test whether there is a vulnerability, all I needed to do was change the bus stop name in the address bar and hit enter:

screenshot 2

Bingo!  Next is a test to see if we can inject some HTML into the mix:

screenshot 3

In this case, instead of sending simple text to the results page, I’m sending the following piece of HTML:

<b><i>bob</i></b>

Now, not only is the text “bob” displayed on the page, but it is displayed in bold and italics: the tags were interpreted as markup rather than shown as text.  This confirms that the site is vulnerable to an HTML injection attack.

How bad could it really be?

In this case the HTML injection vulnerability is one of the worst kinds.  The page takes content from the URL and outputs it directly on the page, so anyone who can get a user to follow a link can inject content into the page, and that content is served from the bus company’s own domain.  With a little bit of knowledge, someone could replace the entire content of the page.

Don’t believe me?  Well this is what I was able to come up with in about 5 minutes:

screenshot 4

This uses the following simple piece of HTML code (decoded from the URL below; it was appended to the stop name “guernsey”):

<style>
body {
    background-image: url("https://images.unsplash.com/photo-1458724338480-79bc7a8352e4?crop=entropy&fit=crop&fm=jpg&h=950&ixjsv=2.1.0&ixlib=rb-0.3.5&q=80&w=1375") !important;
}
body>*{ display: none; }
</style>

This just sets the page background to an image of a lion and, with the body>* rule, hides every element inside <body>, so the visitor sees nothing but the picture.  A malicious attacker could inject just about any content into the site, e.g. links to malware and viruses or a bogus notice that appears to come from CT Plus, and it would all be delivered from the genuine buses.gg address.

The URL looks like this:

http://buses.gg/journey_planner_results?leaving=guernsey%3Cstyle%3E%0Abody%20%7B%0A%20%20%20%20background-image%3A%20url(%22https%3A%2F%2Fimages.unsplash.com%2Fphoto-1458724338480-79bc7a8352e4%3Fcrop%3Dentropy%26fit%3Dcrop%26fm%3Djpg%26h%3D950%26ixjsv%3D2.1.0%26ixlib%3Drb-0.3.5%26q%3D80%26w%3D1375%22)%20!important%3B%0A%7D%0Abody%3E*%7B%20display%3A%20none%3B%20%7D%0A%3C%2Fstyle%3E

How to protect against it?

Website Developers

The first level of defence for this kind of vulnerability lies firmly with the developers.  When creating a website, or any other kind of application, always code defensively.  Software developers should always assume that someone is going to try to exploit vulnerabilities for malicious purposes.

The basic rule is to trust no user input.  In this case the developers assumed that users would always enter a value that matches the name of a bus stop.  The rule isn’t limited to fields the user can type into: check boxes, drop-downs and hidden fields are just as easy to tamper with, because an attacker doesn’t submit the form at all but builds the request (here, the URL) by hand.

This can be defended against in the following ways:

  1. Client side validation when submitting a form.  This improves the user’s experience but is not a security control, because the attacker never submits the form.
  2. Server side validation when processing the data, ideally against an allow-list (here, the known bus stop names).
  3. HTML encoding user input whenever it is output, in every place it is output.

The third is what actually closes the hole; the first two are defence in depth.  Fixing one field and not the others, as happened here, leaves the site just as exploitable through the field that was missed.
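As an added example (this is not code from buses.gg or from CT Plus’s developers, whose server-side code is not public), here is a stand-in for the results page in Python that ties together the probe from the “How did I find it?” section and the three defences above.  It builds the test link, decodes the leaving= parameter from the URL quoted earlier, renders the value the vulnerable way and the encoded way, and checks whether the probe was reflected as live markup.  The stop list, the page template and the function names are assumptions made for the example.

```python
"""
Added example, not code from buses.gg or CT Plus: a stand-in for the journey
planner's results page, written to show the reflection bug and the fix.
The real server-side code is not public, so the page template, the stop
list and the function names here are all assumptions made for the example.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stop list standing in for whatever the real planner validates
# against (assumption: the real list is not public).
KNOWN_STOPS = {"Town Terminus", "St Peter Port", "Guernsey Airport"}

# The URL quoted in the post; the payload travels in the ?leaving= parameter.
POST_URL = (
    "http://buses.gg/journey_planner_results?leaving=guernsey%3Cstyle%3E%0A"
    "body%20%7B%0A%20%20%20%20background-image%3A%20url(%22https%3A%2F%2F"
    "images.unsplash.com%2Fphoto-1458724338480-79bc7a8352e4%3Fcrop%3Dentropy"
    "%26fit%3Dcrop%26fm%3Djpg%26h%3D950%26ixjsv%3D2.1.0%26ixlib%3Drb-0.3.5"
    "%26q%3D80%26w%3D1375%22)%20!important%3B%0A%7D%0Abody%3E*%7B%20display"
    "%3A%20none%3B%20%7D%0A%3C%2Fstyle%3E"
)


def probe_url(probe="<b><i>bob</i></b>",
              base="http://buses.gg/journey_planner_results"):
    """Build the test link from the 'How did I find it?' section: the probe
    is URL-encoded into the leaving= parameter, exactly as a browser does."""
    return base + "?" + urlencode({"leaving": probe})


def leaving_param(url):
    """Decode the leaving= value the way a server-side framework would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("leaving", [""])[0]


def render_vulnerable(leaving):
    """The pattern the post describes: the decoded parameter is concatenated
    straight into the HTML, so any tags in it become live markup."""
    return "<h1>Journeys leaving from " + leaving + "</h1>"


def render_hardened(leaving):
    """Server-side allow-list validation, then HTML-encoding of anything that
    is echoed back.  escape(quote=True) also neutralises quote characters,
    which matters if a value ever lands inside an attribute."""
    if leaving in KNOWN_STOPS:
        return "<h1>Journeys leaving from " + escape(leaving, quote=True) + "</h1>"
    # Unknown stop: still helpful to echo the typo, but only ever as text.
    return "<p>No bus stop matches " + escape(leaving, quote=True) + "</p>"


def reflected_unescaped(page_html, probe="<b><i>bob</i></b>"):
    """The check behind screenshot 3: does the probe come back as markup
    (vulnerable) rather than as &lt;b&gt;... (encoded)?"""
    return probe in page_html


if __name__ == "__main__":
    payload = leaving_param(POST_URL)
    print(payload)                       # the decoded <style> block
    print(render_vulnerable(payload))    # lands in the page as live markup
    print(render_hardened(payload))      # same payload, rendered as text
```

Run as a script, the first line printed is the decoded <style> block from the URL above; the second shows it landing in the page as live markup, the third shows the same payload rendered harmlessly as text.  Note that the hardened version encodes even the “helpful” echo of an unrecognised stop name: that is exactly the path a typo takes, and the path the original site left open.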

Website Owners

The next level of defence lies with the website owners (which may be the developers, but in this case is CT Plus).  The owners should never assume that the developers have delivered a site free from security vulnerabilities.  One of the most effective ways to find out is to enlist a third-party penetration testing firm: ethical hackers who will test the website and report any vulnerabilities so that the developers can fix them.

Website owners should also take any reports of security vulnerabilities from users seriously and act on them promptly.  On this point I have to praise CT Plus.  Within two days the developers had updated the website to close the security vulnerability as it related to the Leaving From and Going To fields.

General Public

The final level of defence lies with everyone else.  There’s some increasingly nasty malware out there which can easily be spread through seemingly reputable websites.  It is therefore important to make sure that you have:

  1. high quality and up-to-date anti-virus/malware protection on your computer.
  2. the latest security updates installed on your computer.
  3. the latest versions of your browser software installed on your computer.

CT Plus Response To Disclosure

When I first discovered the issue I was a little apprehensive about alerting CT Plus to it.  Working in the IT industry I am aware of the level of ignorance of computer security amongst the general public.  I am aware of previous IT security disclosures in Guernsey that haven’t been very positively received.  Would CT Plus dismiss the issue, or would they over-react and call in the authorities?

To the credit of CT Plus, they reacted in an ideal way.  They accepted that there was an issue and raised it with the developers, forwarding them the details I provided in my initial assessment.  The issue was addressed within a tight timeframe, and although the fix is somewhat lacking in finesse, at least it works!

I would have preferred a little more engagement from CT Plus over the matter.  There are some other issues with the site that I’d like to discuss with them at some point, but at least the main security issue has now been resolved.