Cross Site Scripting (XSS) Software Attack

Companies House allows the characters “<” and “>” to be present in company names, which open doors for XSS attacks. I recently discovered the company 12956509 which is registered with Companies House. The full company name is as follows:

Redacted

If websites are not encoding the < > characters correctly (many aren’t) and displaying the company name, the visitor’s browser will load the JavaScript file “HTTPS://MJT.XSS.HT”.

Example:
DO NOT OPEN THE LINK BELOW ON YOUR BROWSER. THE XSS ATTACK IS NOT PROTECTED ON COMPANIES HOUSE.

Please review your regulations regarding what characters can be used in registered company names.

Thanks

The name of this entity was flagged as a Broken Company Name issue yesterday but Jim’s point may cast the registration in a very different light.

Thankfully the script appears to be a “white hat” hacker proof-of-concept, but it is a warning of problems ahead if you don’t encode <> correctly. The director of this company has 2 other directorships as shown here, and I suggest that you reach out to him:
https://webb-site.com/dbpub/positions.asp?p=18888999

Thank you all for your communications.
We are investigating.

Not strictly on this topic but might be worth mentioning the following - if nothing else to remind people to check their own parsing and security. It’s still not uncommon to find issues with this across an application…:

(The following is a small selection of “varieties” - some have appeared elsewhere on this forum, see later)

10542519 - ; DROP TABLE “COMPANIES”;-- LTD - A classic! - ; DROP TABLE "COMPANIES";-- LTD - Overview (free company information from Companies House)
11678385 - BETTS & AMP; TWINE LTD - HTML entities - the name as you receive it via the API actually has no space between the & and the “AMP;” but (a) you can’t type that straight in here as the forum converts to a single “&” and (b) looks ok on the CH site (so - as mentioned before / above - CH may not have this right) - BETTS & TWINE LTD - Overview (free company information from Companies House)
08804157 - SAFDASD & SFSAF ’ SFDAASF" LTD - Backslashes and quotes - SAFDASD & SFSAF \' SFDAASF\" LTD - Overview (free company information from Companies House)

A good collection appears in this thread:

Yeah, that was me.

I notified enquiries @ companieshouse by e-mail (ticket NUM1788023X) and also the NCSC (Ticket #1010635) because publicly disclosing the finding on a forum like this didn’t seem very responsible. But now you’ve disclosed it for me, so here we are!

I am in the process of contacting every website that has triggered my script which has a readily available contact for submitting security issues, or a hackerone account or similar. Alas, the sort of websites that have XSS problems rarely list IT security contacts.

The character set allowed in company names is dictated by legislation - I doubt the people with the power to change legislation are reading messages on this forum. And alas I could not rename my company even if I wanted to - for some mysterious reason, Companies House are unable to issue an EWF access code to me.

We are aware of this company and the potential implications of the name and were in the process of contacting you to discuss.

We should be able to resolve any issue with authentication codes relatively quickly and I’m happy to pick that up directly with you. I will send you my contact details.

The schedule of special characters appears to be a Statutory Instrument that I believe can be amended at Ministerial level without the need for a primary legislation change. Can this happen “bottom up” with Companies House requesting a suitable change or would some external pressure be needed / welcomed?

Frank Murphy

https://statbooks.co.uk/

https://benhoyt.com/writings/dont-sanitize-do-escape/

Restricting the set of allowed company name characters (and also forcibly renaming this company) is a bodge of a solution to this problem which is caused by developer negligence.

@michaeltandy has done the right thing here (with responsible disclosure) and given all of these third party data ingesters a wake up call.

Frankly everyone responsible for a site that was vulnerable to this should be embarrassed that they weren’t doing proper output encoding (as HTML character entities in this case), embarrassed that they had no strict Content-Security-Policy in place and embarrassed that (most likely) they had to be told about this by a third party.

Come on, it’s 2020. Preventing stored XSS is basic stuff. And it’s not just XSS that should be a concern, as has been pointed out elsewhere in the thread, there are company names with SQLi payloads inside. Company names are user input and should be treated as such.
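As an added illustration of the two points above (output encoding as HTML entities, and treating company names as untrusted input on the SQL side), here is a small Python example that is not part of this thread or of Companies House's code. The names are constructed stand-ins modelled on the ones quoted in the thread (the real XSS-bearing name is redacted above, so a placeholder script tag with an `example.invalid` host is used in its place).

```python
import html
import sqlite3

# Constructed sample names, modelled on the ones discussed in this thread.
# The last entry is a stand-in for the redacted XSS company name.
SAMPLE_NAMES = [
    "SELECT STAR FROM LIMITED",
    '; DROP TABLE "COMPANIES";-- LTD',
    "ROBERT'); DROP TABLE STUDENTS; LIMITED",
    "BETTS &AMP; TWINE LTD",  # the name really contains "&AMP;" with no space
    "<SCRIPT SRC=HTTPS://EXAMPLE.INVALID/X.JS></SCRIPT> LTD",
]


def render_unsafe(name):
    """The negligent pattern: the name is spliced straight into the page."""
    return f"<td>{name}</td>"


def render_safe(name):
    """Output-encode the name as HTML character entities.

    quote=True also encodes " and ', so the result is safe inside an
    attribute value as well as in element text. A name that already
    contains "&AMP;" stays literally "&AMP;" on screen, because the
    ampersand itself is encoded rather than decoded a second time.
    """
    return f"<td>{html.escape(name, quote=True)}</td>"


def store_and_count(names):
    """Insert the names with a parameterised query and return the row count.

    The SQL-shaped names are bound as data, so the table survives intact;
    no string formatting of the query takes place.
    """
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE "COMPANIES" (number TEXT, name TEXT)')
    for i, name in enumerate(names):
        con.execute('INSERT INTO "COMPANIES" VALUES (?, ?)', (f"{i:08d}", name))
    (count,) = con.execute('SELECT COUNT(*) FROM "COMPANIES"').fetchone()
    con.close()
    return count


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(render_unsafe(n), "->", render_safe(n))
    print("rows stored:", store_and_count(SAMPLE_NAMES))
```

Comparing the two render functions on the last sample shows the difference: the unsafe version emits a live `<SCRIPT>` element, the safe one emits `&lt;SCRIPT ...&gt;` that the browser displays as text.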

As the poster above notes – this is 2020. XSS errors are not acceptable. Just fixing one field (the company name field) does not give me any confidence that Companies House has done the right thing with all the other fields. I’ve set my name to include < and > and we’ll see if it gets improperly escaped anywhere…

If they can’t get the basics right, then there is no hope for the complicated stuff.


Hi

These company names look like an attempt at SQL-injection:

08768324 DROP TABLE CONSULTANTS; LTD
10542519 ; DROP TABLE “COMPANIES”;-- LTD
12640701 DROP TABLE USERS LTD
SC656788 ROBERT’); DROP TABLE STUDENTS; LIMITED
08350415 SELECT STAR FROM LIMITED

Regards

Mark