ScanAlert's "Hacker Safe" badge not so safe and PCI compliant

Written by DP

Monday, 21 January 2008

Security analyst Russ McRee from Seattle has posted on his blog why "Hacker Safe" certified websites are not so safe. He has disproved McAfee's statement about the service, which says of its web application scans: 'the web site is then "deep crawled," including flash embedded links and password protected pages, to find forms and other potentially dangerous "interactive elements." These are then exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection...'

Watch his proof here and read more on his blog... ;)

In a follow-up blog entry about the issue, Russ McRee has provided a 100% valid argument questioning the validity of the "Hacker Safe" label: "many sites take credit cards online and are thus required to comply with PCI DSS 1.1. If a website is vulnerable to XSS, THE COMPANY IS NOT PCI COMPLIANT."

His argument is based on the following extract from the PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) v1.1 document:

On page 26:
"6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks"
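What requirements 6.5.1 and 6.5.4 mean in code, as an added illustration that is not from the original post or from McRee's blog: a constructed search page that reflects the user's query, first built by raw concatenation and then with context-appropriate HTML encoding, plus the kind of regression check a site owner can keep in their own test suite (the names `render_search_vulnerable`, `render_search_hardened` and `reflects_markup` are assumptions for this example).

```python
import html
from urllib.parse import parse_qs, quote

# Constructed example: a search page that echoes the "q" parameter back into
# the HTML, once as written in many 2008-era apps and once hardened.


def render_search_vulnerable(query_string: str) -> str:
    """Builds the page by concatenating raw input: the unvalidated-input (6.5.1)
    and XSS (6.5.4) weaknesses the PCI DSS extract above is about."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f'<form><input name="q" value="{q}"></form><p>Results for {q}</p>'


def render_search_hardened(query_string: str) -> str:
    """Same page, but every reflected value is entity-encoded before it reaches
    the HTML. quote=True also encodes " and ', which matters because one copy
    lands inside a double-quoted attribute, not only in text content."""
    q = parse_qs(query_string).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    return f'<form><input name="q" value="{safe}"></form><p>Results for {safe}</p>'


def reflects_markup(render, marker: str = '"><b>probe</b>') -> bool:
    """Regression check for a site's own tests: submit a harmless marker that
    contains the characters an encoder must neutralise and see whether the
    page echoes it back verbatim. True means reflected input reaches the
    browser's HTML parser unencoded, which a badge scanner should flag."""
    page = render("q=" + quote(marker, safe=""))
    return marker in page


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_search_vulnerable))
    print("hardened reflects markup:  ", reflects_markup(render_search_hardened))
```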

The funny thing is that McAfee maintains XSS vulnerabilities are not significant for the certification, because their service is intended to verify the security of credit card storage on the web server.

We have provided Information Week, for this article, with a list of 62 XSS-vulnerable sites which carry the "trust your privacy to us" badge:
