Javascript worms - PowerPoint PPT Presentation

Slides: 20
Provided by: Benj176

1
Javascript worms
The next step in the evolution
By Benjamin Mossé SecPro
2
Synopsis
  • Introduction to cross site scripting
  • Permanent XSS
  • Javascript worms up to now
  • A fresh technique: remote request
  • Taking advantage of APIs to build worms
  • Protecting yourself
  • Conclusion

3
Introduction to XSS
  • The most common web vulnerability
  • Allows client-side script injection (HTML,
    JavaScript, VBScript, etc.)
  • The target executes the malicious code
  • There isn't any magic solution against it

4
Introduction to XSS (cont.)
  • Javascript is the language used to exploit this
    vulnerability
  • Before 2005, XSS wasn't considered critical
  • Wrong idea: you can only steal cookies with it
  • 2005: Ajax, the possibility to create HTTP requests

5
Introduction to XSS (cont.)
  • 3 different types:
  • Non permanent
  • Permanent
  • DOM-based
  • A JavaScript exploit would work the same with
    each of them

6
Permanent XSS
  • Stays on the website permanently
  • Also known as Persistent
  • The JavaScript exploit is stored (e.g. database,
    RSS)
  • Affects every person visiting the infected page

7
Permanent XSS (cont.)
[Diagram: Hacker, Vulnerable site, Database, Infected site, Users]
  • Hacker: insert malicious code in a form on the vulnerable site
  • Website saves the script into the database
  • Users visiting the infected site get exploited
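
The defensive counterpart of the flow above, as an added example that is not part of the original presentation: the same stored rows rendered once without and once with output encoding. The sample rows and function names are constructed for illustration.

```javascript
// Constructed sample: rows as they might sit in the database after form posts.
const storedComments = [
  { author: "alice", body: "Nice post!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
  { author: 'bob" onmouseover="x', body: "a < b && c > d" },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored text is concatenated into the markup as-is, so a stored
// <script> element or a quote that closes the attribute becomes live markup.
function renderUnsafe(comments) {
  return comments.map((c) => `<li title="${c.author}">${c.body}</li>`).join("\n");
}

// Hardened: every stored field is encoded at output time, whatever its source
// (form post, RSS import, ...), so the browser treats it as text.
function renderSafe(comments) {
  return comments
    .map((c) => `<li title="${escapeHtml(c.author)}">${escapeHtml(c.body)}</li>`)
    .join("\n");
}

console.log(renderUnsafe(storedComments));
console.log(renderSafe(storedComments));
```

This encoding covers element content and quoted attributes only; values placed inside script blocks, URLs or CSS need the encoding for that context.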
8
Samy is my Hero
  • Infected MySpace and took it down
  • Most famous Javascript worm
  • Spread through a permanent XSS
  • Made users perform malicious commands using Ajax
  • Users would re-infect their account

9
Samy is my Hero (analysis)
[Diagram: MYSPACE.COM, worm site on MySpace, users]
The infected page makes the users infect other
pages on the website. THE WORM IS SPREADING
EVERYWHERE.
10
Javascript worms assets
  • Very hard to detect
  • Very stealthy: runs in the background, doesn't
    modify your web page
  • It's not the attacker who performs the attack but
    an exploited user
  • Can spread very quickly
  • Up to a certain point it's impossible to trace
    back the attacker

11
Using Ajax
  • Perform HTTP requests on the infected website
  • NO REMOTE REQUESTS, only works on the same domain
  • Hacking possibilities: make the target perform requests he
    didn't intend to (e.g. password modification,
    delete account, change email, change secret
    question, exploit SQL injection, exploit remote
    code execution, spread the worm, deface website
    ...)

12
A fresh technique: remote requests
  • Is it really impossible to make remote HTTP
    requests with Javascript? -> NO!

GET request methodologies
- Append an image in the page (e.g. <img src="http://www.target.com/page.php?var=value" />)
- Append a frame in the page (e.g. <iframe src="http://www.target.com/page.php?var=value" />)
POST request methodologies
- Append a complete form on the page
- Submit the form with Javascript (e.g. page.form.submit())
13
Processing POST requests
var objBody = document.getElementsByTagName("body")[0];
var form = document.createElement("form");
var form_action = document.createAttribute("action");
form_action.value = "http://www.targetonotherdomain.com/page.php";
form.setAttributeNode(form_action);
var input_username = document.createElement("input");
var attr_username_name = document.createAttribute("name");
input_username.setAttributeNode(attr_username_name);
form.appendChild(input_username);
objBody.appendChild(form);
document.getElementsByTagName("form")[0].submit();
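
How the receiving site can refuse the cross-domain image, frame and form requests from slides 12 and 13, as an added example that is not part of the original presentation. The origin name, the request object shape and the token value are assumptions made for illustration.

```javascript
// Assumption: the application is served from this origin (hypothetical name).
const TRUSTED_ORIGINS = new Set(["https://www.target.example"]);

// Compare tokens without an early exit on the first differing character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Reduce an Origin or Referer header value to scheme://host[:port]; null if unparsable.
function originOf(headerValue) {
  try {
    return new URL(headerValue).origin;
  } catch {
    return null;
  }
}

// Gate for a state-changing endpoint. `req` is a plain object (hypothetical shape):
// { method, headers: { origin, referer }, body: { csrf_token }, session: { csrfToken } }
function checkStateChange(req) {
  // <img> and <iframe> loads are GETs, so state changes are never served on GET.
  if (req.method !== "POST") return { allowed: false, reason: "method" };

  // A form appended on another site submits with that site's Origin/Referer.
  const source = req.headers.origin || req.headers.referer;
  if (source && !TRUSTED_ORIGINS.has(originOf(source))) {
    return { allowed: false, reason: "origin" };
  }

  // A page on another domain cannot read the per-session token, so it cannot send it.
  if (!safeEqual(req.body.csrf_token, req.session.csrfToken)) {
    return { allowed: false, reason: "token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const session = { csrfToken: "c0nstructed-sample-token" };
const forgedImg = { method: "GET", headers: { referer: "http://infected.example/p" }, body: {}, session };
const forgedForm = { method: "POST", headers: { origin: "http://infected.example" }, body: { username: "x" }, session };
const noHeaders = { method: "POST", headers: {}, body: { username: "x" }, session };
const genuine = { method: "POST", headers: { origin: "https://www.target.example" },
  body: { csrf_token: "c0nstructed-sample-token" }, session };

for (const r of [forgedImg, forgedForm, noHeaders, genuine]) console.log(checkStateChange(r));
```

These checks stop requests forged from another domain; script injected on the same domain (slide 11) can read the token from the page, so the XSS itself still has to be fixed.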
14
GNUCITIZEN AttackAPI
  • Hackers' API to build Javascript worms
  • Uses Google's APIs to search for targets
  • Makes the manipulation of web pages with
    Javascript easy as
  • Other features: cookie stealing and modifying,
    CSRF attacks, port scanner, form hijacking and
    more!
  • And much more to come in the next version.

15
Future worms
[Diagram: worm, users, Internet, other websites]
1. Users visit a web page infected with a worm
2. The worm looks for vulnerable targets on the Internet
   using the Google API
3. The worm uses visitors to infect or attack the
   list of websites it found
16
Risk? Consequences?
  • Obviously very high!
  • Imagine someone finding a permanent XSS on a
    website like MySpace and using the users to launch
    an attack on other Internet websites?
  • Imagine your company website getting targeted by
    millions of MySpace's users?
  • Imagine that when security experts look at who hacked
    a website they don't find the attacker's IP but
    yours?
  • What will you do?

17
Protecting your applications
Satisfaction remains a shape of resignation
  • Start by educating your programmers in secure
    programming
  • Ask SecPro for regular security checks of your web
    applications

18
Conclusion
  • It's now possible to attack the Internet on a
    massive scale with an XSS vulnerability
  • Never underestimate the cross-site scripting
    vulnerability again!
  • Protect your web application against it, not only
    for your personal security but for the entire
    Internet community

19
Benjamin Mossé
  • Security Specialist with SecPro (Melbourne,
    Australia)
  • Researcher programmer
  • benjamin.mosse_at_secpro.com.au
  • SecPro specializes in penetration testing and
    consulting of web applications security.