Date: 2023-09-13

Security researchers have found eight serious cross-site scripting (XSS) flaws in Azure HDInsight, a big data processing service powered by open-source technologies like Apache Hadoop, Spark, Hive and Kafka running on Azure. The flaws could have allowed attackers to inject and execute malicious scripts in visitors’ browsers.

“All XSS vulnerabilities posed significant security risks to data integrity and user privacy in the vulnerable Apache services, including session hijacking and delivering malicious payloads, putting any user of the Apache services at risk, including Apache Hadoop, Spark, and Oozie,” researchers from Orca Security said in their report.

The flaws were privately reported to Microsoft and were fixed last month. However, the presence of eight such basic web flaws in a service run by one of the largest tech companies highlights the need for organizations to be proactive in their defenses and not take the security of third-party services for granted.

Reflected and stored cross-site scripting

XSS is one of the most common and well-known types of web vulnerabilities. It is the result of poor sanitization of user input — usually in some sort of web form — that allows the input to contain JavaScript that would be served back to a visitor’s browser. Malicious JavaScript code that executes inside a browser in the context of a website is very dangerous because it has access to the user’s authenticated session. Such attacks can either result in the user’s browser performing actions on the site that the user didn’t intend — session piggybacking — or in the theft of the session cookie or tokens themselves.

There are two types of XSS flaws: reflected and stored. Reflected XSS vulnerabilities are exploited by adding the malicious JavaScript payload as a parameter to a vulnerable URL. A victim would have to click on the specially crafted URL sent by the attacker to trigger the malicious payload execution inside their browser. If they navigate to the target website directly, they wouldn’t receive the payload. In other words, reflected XSS exploitation requires user interaction.

Stored XSS issues are more dangerous because the attacker only needs to exploit a vulnerable field once to permanently inject the malicious code into the web page. This code would then trigger every time the page is visited later by other users, without any additional interaction required such as clicking on a specially crafted URL.
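
The reflected and stored cases described above, shown next to the output encoding that neutralizes both. This is an added example, not code from the original report or from Azure HDInsight or the Apache services; the function names, the `cluster.example` host and the marker payload are constructed for illustration.

```javascript
// Added example: constructed in-memory pages, not code from any affected service.
// Escape the five characters that let text break out of an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Reflected: input arrives in the request URL and is echoed into that one response only.
function renderSearch(url, encode) {
  const q = new URL(url, 'https://cluster.example').searchParams.get('q') || '';
  return `<p>Results for: ${encode ? escapeHtml(q) : q}</p>`;
}

// Stored: input is saved once, then rendered for every later visitor of the page.
function renderJobs(store, encode) {
  const items = store.map(n => `<li>${encode ? escapeHtml(n) : n}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

const PAYLOAD = '<script>alert(1)</script>'; // constructed, harmless marker

function demo() {
  const crafted = '/search?q=' + encodeURIComponent(PAYLOAD);
  const store = [];
  store.push(PAYLOAD); // a single write to the vulnerable field
  return {
    reflectedUnsafe: renderSearch(crafted, false),        // markup reaches the page
    reflectedDirectVisit: renderSearch('/search', false), // no crafted URL, no payload
    reflectedSafe: renderSearch(crafted, true),           // rendered as inert text
    storedUnsafe: renderJobs(store, false),               // served on every visit
    storedSafe: renderJobs(store, true),
  };
}

console.log(demo());
```

Encoding at the point of output covers both cases, because the stored variant differs only in where the untrusted string waits before it is rendered.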