- XSS Worm
An XSS Worm, also known as a cross site scripting virus [Wade Alcorn, "The Cross-site Scripting Virus", BindShell.net, 2005-09-25, http://www.bindshell.net/papers/xssv/], is a malicious (or sometimes non-malicious) payload that propagates among visitors of a website in an attempt to progressively infect other visitors.
Concept
XSS Worms exploit a vulnerability known as cross site scripting (or "XSS" for short) within a website, normally infecting users, while other users can be infected in a variety of ways depending on the vulnerability.
Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace, Yahoo!, Orkut, and Justin.tv. These worms can be used for malicious intent, giving an attacker the basis to steal personal information, cookies, and other relevant data regarding the website or the infected visitor.
In the case of the Samy worm, the largest known XSS worm, which infected over 1 million MySpace profiles in less than 20 hours, the virus author was sued and entered a plea agreement to a felony charge. [Justin Mann, "Myspace Speaks about Samy Kamkar's Sentencing", Techspot.com, 2007-01-31, http://web.techspot.com/news/24226-myspace-speaks-about-samy-kamkars-sentencing.html]
XSS worms start with a payload. This payload will normally be placed within sensitive user data or requested from other websites, according to the author's intent.
General Application
General application of the XSS worm concept includes the infection of profiles, chat systems, and more. Since XSS vulnerabilities vary frequently, most worms will be different and coded specifically for the vulnerability.
XSS worms spread very quickly because propagation is carried out by the client, while the coordination of most XSS worms is done by the vulnerable server that stores the payload.
Examples
Other than the Samy worm, several XSS worms have been executed or released as proofs of concept.
Justin.tv Worm
Until the Justin.tv worm was executed by a security team known as TheDefaced (http://www.thedefaced.org/), many factors that affect XSS worms were unknown. [Dimitris Pagkalos, "Justin.tv non-malicious cross-site scripting worm", XSSed, 2008-07-08, http://xssed.com/news/75/Justin.tv_non-malicious_cross-site_scripting_worm/]
Justin.tv is a video casting website, which shows an active user base of approximately 20 thousand users. The cross-site scripting vulnerability that was exploited was caused by the lack of output sanitization within a "Location" profile field.
The "Location" profile field was sanitized on output in the title of a profile page, but was left unsanitized within the actual field on any profile. This meant that the authors of the worm, in order to achieve stealth and so increase both the time the worm stayed active and the number of profiles it infected, had to automatically remove the XSS payload from the title of the page via JavaScript, where it was already hidden by comments.
The payload itself contained the payload, since the payload was primarily referenced from another website that TheDefaced used for the worm.
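The "Location" flaw described above comes down to one stored value being encoded in one output sink and left raw in another. The following is an added example, not code from Justin.tv or TheDefaced: it shows the inconsistent rendering beside a hardened form, plus a regression check that renders a harmless probe and reports which sinks emit it unencoded. The page markup, function names and probe string are assumptions made for illustration.

```javascript
// Added example; all names and the page markup are hypothetical.

// Minimal HTML encoder for text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed pattern: the field is encoded in <title> but emitted raw in the
// profile field itself, so one sink is safe and the other is not.
function renderProfileInconsistent(profile) {
  return [
    `<title>${escapeHtml(profile.location)}</title>`,
    `<input name="location" value="${profile.location}">`,
  ].join("\n");
}

// Hardened: every sink that emits the stored value goes through the encoder.
function renderProfileEncoded(profile) {
  const loc = escapeHtml(profile.location);
  return [
    `<title>${loc}</title>`,
    `<input name="location" value="${loc}">`,
  ].join("\n");
}

// Constructed, harmless probe containing the characters that matter
// in both text and attribute contexts.
const PROBE = 'x"><i data-probe>';

// Render a profile whose location is the probe and return the 1-based
// output lines where the probe survives byte-for-byte (unencoded sinks).
function findUnencodedSinks(render) {
  return render({ location: PROBE })
    .split("\n")
    .map((line, i) => (line.includes(PROBE) ? i + 1 : 0))
    .filter((n) => n > 0);
}

console.log("inconsistent:", findUnencodedSinks(renderProfileInconsistent));
console.log("encoded:     ", findUnencodedSinks(renderProfileEncoded));
```

Running such a check against every template that outputs a user-controlled field catches the case where only some sinks are encoded.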
After proper development of the worm, it was executed at approximately Saturday, 28 Jun 2008 21:52:33 GMT, and finished on Sun, 29 Jun 2008 21:12:21 GMT. Since the social website that was targeted was not particularly active (compared to other popular XSS worm targets), the worm infected a total of 2525 profiles within roughly 24 hours.
The worm was found a few hours before it was successfully removed, and based on data that was recorded (due to the worm's original intent for research purposes) the worm was able to infect uninfected profiles after they were sanitized forcefully by developers of Justin.tv. The worm was sanitized once more after the vulnerability was patched, and it was then easily removed. However, this shows the ability of the worm to adapt and spread even after counter-attack.
Other particular factors which are indicated by the graphs and data released by TheDefaced include social activity and lack of new, uninfected users during periods of time.
References
Wikimedia Foundation. 2010.