XSS worm

An XSS worm, sometimes referred to as a cross-site scripting virus,[1] is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that propagates among visitors of a website in an attempt to progressively infect other visitors. They were first mentioned in relation to a cross-site scripting vulnerability in Hotmail.[2]

Concept

XSS worms exploit a security vulnerability known as cross-site scripting (or XSS for short) within a website, infecting users in a variety of ways depending on the vulnerability. Site features such as profiles and chat systems can be affected by XSS worms when they are implemented improperly or without regard to security. Often, these worms are specific to a single website, spreading quickly by exploiting that site's particular vulnerabilities.

Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace, Yahoo!, Orkut, Justin.tv, Facebook and Twitter. These worms can be used for malicious ends, giving an attacker a basis for stealing personal information provided to the website, such as passwords or credit card numbers.

Examples

Several XSS worms have affected popular web sites.

Samy worm

The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours. The worm's author was sued and entered a plea agreement to a felony charge.[3]

Justin.tv worm

Justin.tv is a video casting website with an active user base of approximately 20,000 users. The cross-site scripting vulnerability that was exploited was that the "Location" profile field was not properly sanitized before its inclusion in a profile page.

The "Location" profile field was sanitized when included in the title of a profile page but not within the actual field in the page's body. This meant that, in order to remain stealthy and so extend the lifetime and spread of the worm, its authors had to have the worm's code automatically remove the XSS payload from the page title; the code itself was already hidden inside comments.
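The inconsistency described above, escaping a field in one output context but not another, is the kind of defect that an output-encoding audit catches. The following added example (not code from Justin.tv or from this article) contrasts a renderer with that flaw against one that escapes the field in every context, and includes a small audit helper that counts how many contexts let a marker through unescaped. The profile markup, the sample "Location" value and the marker string are all constructed for illustration.

```python
import html
import re

# Constructed sample value for the "Location" field containing markup.
CONSTRUCTED_LOCATION = 'Seattle<script>/* constructed marker */</script>'


def render_profile_inconsistent(username, location):
    """Mirrors the flaw described above: the field is escaped in the
    <title> but inserted raw into the page body (hypothetical template)."""
    return (
        "<html><head><title>" + html.escape(username) + " - "
        + html.escape(location) + "</title></head>"
        "<body><h1>" + html.escape(username) + "</h1>"
        "<p>Location: " + location + "</p></body></html>"
    )


def render_profile_hardened(username, location):
    """Escapes the field in every HTML text context it is inserted into."""
    safe_user = html.escape(username, quote=True)
    safe_loc = html.escape(location, quote=True)
    return (
        "<html><head><title>" + safe_user + " - " + safe_loc + "</title></head>"
        "<body><h1>" + safe_user + "</h1>"
        "<p>Location: " + safe_loc + "</p></body></html>"
    )


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_raw_script(page):
    """Detection check: an unescaped <script tag in rendered output means
    user data reached an HTML context without encoding."""
    return SCRIPT_TAG.search(page) is not None


def count_unescaped_sinks(render, probe="<probe-marker>"):
    """Audit helper: render a profile with a harmless marker as the field
    value and count how many times it survives unescaped. A non-zero
    result identifies output contexts that lack encoding."""
    page = render("auditor", probe)
    return page.count(probe)
```

Running `count_unescaped_sinks` against each renderer reports one unescaped context for the flawed template and none for the hardened one.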

After the worm had been fully developed, it was launched at approximately Saturday, 28 Jun 2008 21:52:33 GMT, and finished on Sun, 29 Jun 2008 21:12:21 GMT. Since the targeted social website was not particularly active (compared to other popular XSS worm targets), the worm infected a total of 2525 profiles within roughly 24 hours.

The worm was found a few hours before it was successfully removed, and the recorded data (the worm had originally been written for research purposes) showed that it was able to re-infect profiles after Justin.tv's developers had forcibly sanitized them. The profiles were sanitized once more after the vulnerability was patched, at which point the worm could be removed easily. This nonetheless demonstrates a worm's ability to adapt and keep spreading after countermeasures are taken.

Other factors indicated by the graphs and data released by the attackers include social activity and the lack of new, uninfected users during certain periods.

Orkut "Bom Sabado" worm

Orkut, a social networking site, was also hit by an XSS worm. Infected users receive a scrap containing the words "Bom Sabado". Google has yet to comment on the situation.[4]

References