Attackers wanting to steal your information online are some of the most creative people alive. It’s amazing how many ways they can come up with to steal your information. One of those ways is through a technique called cross-site scripting or XSS for short.
To explain XSS, you need to know how web applications receive input from users. When’s the last time you filled out a form on a website? All of the time, right? That is a typical attack vector for XSS attacks. Typically, a user will input their name, address, etc. into a form, the server in the backend then accepts that information and places it into a database.
But if the web application doesn’t have appropriate protections in place, or doesn’t scrub the input before adding it to the database, attackers can instead run a script (most likely Javascript) which your browser executes and performs whatever actions the attacker wants.
For example, another way that an XSS might work is when a website has a page that retrieves information from a database and displays it on the page. Perhaps to generate the HTML for a page, a backend process creates HTML like this:
print "<html>"
print "<h1>Most recent comment</h1>"
print database.displayRecord
print "</html>"
Normally, the page would display a record from the database on the web page. However, if the attack places a script call somewhere in that page like this:
print "<html>"
print "<h1>Most recent comment</h1>"
<script>doSomethingEvil();</script>
print "</html>"
They may be able to execute code in your browser to send your credentials to a different server than what you intend. This is XSS. The attack is running a script from another “site.”
MOVEit Transfer Protection
Now that you have a basic understanding of XSS, how does the XSS protection feature work in MOVEit Transfer 2018 SP1? As of SP1, MOVEit Transfer automatically includes built-in XSS protection.
As with any web application, MOVEit Transfer 2018 accepts input from the user. Just having this feature opens makes MOVEit Transfer 2018 susceptible to XSS but as of Service Pack 1 (SP1), there is a new HTTP directive (response header) for the web service in (Settings -> System - HTTP Headers: Security Headers). MOVEit Transfer now has an “Include X-XSS-Protection Header” option.
The “Include X-XSS-Protection Header” option ensures that the Internet Explorer, Chrome and Safari browsers filter out or block injection of Javascript or popups. This small feature in SP1 is a big win for MOVEit Transfer’s security stance. This header allows the WebUI to completely block pages that exhibit some signature of XSS.