The Next Super Worm
I guess I have to play devil’s advocate again, but I have to do what I have to do. So here we are, almost two weeks away from OWASP. Me sitting in front of my PC, laying out some ideas for later. Two days ago, I started experimenting with some XSS/CSRF vectors and I came up with things I would rather not talk about… at least not now.
One thing I should talk about is pretty much the same old story about how various JSON services help attackers build quite sophisticated attack infrastructures. I was accused of being too full-disclosure with my research, but again, everyone has a role to play in this game and, believe it or not, I am one of the good guys.
I will start my discussion by linking to XSSED.com. If you don’t know what XSSED.com is, I suggest you go and check what it does right now. Are you done? OK! To summarize, XSSED.com has the largest archive of real, fully working XSS vulnerabilities available today. They even have a list of XSS vulnerabilities found in websites ranked 500 and below according to Alexa. We are talking about high-profile websites here, people.
Why is this database interesting to attackers? Well, obviously, attackers can use it to phish users and steal important/sensitive information. In a very typical scenario, the attacker will grab a few of these XSS vectors, develop exploits for them, and send them to as many victims as possible. Of course the situation is quite grim. However, it is a lot worse than that. As far as I know Billy Hoffman will give a talk on super worms at BlackHat US07, so I will try not to spoil his fun. However, here is something that I came up with which unfolds the true power of AJAX worms. I would like to show you how devastating they may become in the not that distant future.
Like my previous examples, I am using Yahoo Pipes and Dapper. The first thing an attacker will do, when preparing for an attack with a massive impact, is to obtain the TOP Pagerank List from XSSED.com in a way that can be easily fetched with JavaScript. For that purpose he/she needs to create a simple but powerful DAP which scrapes the second column from the central table on this page. The DAP produces a simple XML file which looks more or less like the following:
<?xml version="1.0" encoding="iso-8859-1"?>
<elements xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dapper.net/websiteServices/generate-dapp-xsd.php?dappName=XSSEDTOPPagerankReader">
<dapper>
<dappName>XSSEDTOPPagerankReader</dappName>
<dappTitle>XSSED TOP Pagerank Reader</dappTitle>
<urls>
<url>http://xssed.com/pagerank</url>
</urls>
<applyToUrl>http://xssed.com/pagerank</applyToUrl>
<executionTime>0.892</executionTime>
<ranAt>2007-05-29 10:28:35</ranAt>
<encoding>iso-8859-1</encoding>
</dapper>
<items fieldName="items" href="http://xssed.com/mirror/1314/" originalElement="a" type="field">it.search.yahoo.com</items>
<items fieldName="items" href="http://xssed.com/mirror/1310/" originalElement="a" type="field">de.search.yahoo.com</items>
...
If you look closely at the XML structure, you will see that the items entries contain information about the domain that is vulnerable to XSS and also the URL that describes the actual vector. The XML file contains more than 300 records, but for practical reasons I removed all entries except the first two.
Up to this point, the attacker has a list of sites ranked 500 and below that are vulnerable to XSS. The next step is to extract the actual vector. If you access any of the links listed inside the XML file shown above, you will be taken to the page that contains the XSS vector for that item. In order to extract this vector, the attacker needs to use another DAP, which produces a result that looks more or less like the following:
<?xml version="1.0" encoding="iso-8859-1"?>
<elements xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.dapper.net/websiteServices/generate-dapp-xsd.php?dappName=XSSEDMirrorReader">
<dapper>
<dappName>XSSEDMirrorReader</dappName>
<dappTitle>XSSED Mirror Reader</dappTitle>
<urls>
<url>http://xssed.com/mirror/8484/</url>
<url>http://xssed.com/mirror/8482/</url>
<url>http://xssed.com/mirror/8409/</url>
</urls>
<applyToUrl>http://xssed.com/mirror/1314/</applyToUrl>
<executionTime>0.023</executionTime>
<ranAt>2007-05-29 10:51:38</ranAt>
<encoding>iso-8859-1</encoding>
</dapper>
<submitted fieldName="submitted" originalElement="td" type="field">02/03/2007</submitted>
<status fieldName="status" originalElement="td" type="field">UNFIXED</status>
<domain fieldName="domain" originalElement="td" type="field">it.search.yahoo.com</domain>
<category fieldName="category" originalElement="td" type="field">XSS</category>
<rank fieldName="rank" originalElement="td" type="field">1</rank>
<url fieldName="url" originalElement="td" type="field">http://it.search.yahoo.com/yhs/search?fr=yhs-ipnmrtlei=UTF-8lyt=stp=scriptalert(document.cook ie)/script</url>
</elements>
The dangers are obvious. At this stage the attacker has a list of TOP500 websites that are vulnerable to XSS. They can also extract the actual attack vector with another DAP. This is quite bad, but it is a lot worse than that. What attackers can do next is to add all of these XSS vectors to a big list that can be easily fetched dynamically when needed. For that purpose, they need a Yahoo Pipe. The Yahoo Pipe that I’ve created to test the idea fetches the TOP500 XSS list. Each item of this list is annotated with another XML document that describes the actual vector. Because Yahoo Pipes has a very powerful caching mechanism, the data (the entries that contain the XSS vectors) is fetched and delivered via JSON almost instantly. Keep in mind that the data fetched from XSSED.com is live and is updated on a daily basis, which means that the more XSS vectors are contributed to this database, the more sophisticated and dangerous the JavaScript malware will become. Welcome to the era of the Web Intellect.
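The same two record layouts can be consumed from the other side of the fence. The script below is an added example, not code from the original post or from XSSED.com: it parses constructed samples of both DAP outputs (the TOP-list items with their mirror hrefs, and the per-mirror submitted/status/domain/category/rank/url fields), cross-references them against the domains you administer, and reports the entries still marked UNFIXED. The fetch_mirror callable and the placeholder vector URLs are assumptions; in practice fetch_mirror would retrieve the second DAP's XML for each mirror link.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed sample in the layout of the first DAP (the TOP Pagerank list):
# each <items> element holds the vulnerable host as text and the mirror URL in href.
TOP_LIST_XML = """<elements>
<items fieldName="items" href="http://xssed.com/mirror/1314/" originalElement="a" type="field">it.search.yahoo.com</items>
<items fieldName="items" href="http://xssed.com/mirror/1310/" originalElement="a" type="field">de.search.yahoo.com</items>
<items fieldName="items" href="http://xssed.com/mirror/42/" originalElement="a" type="field">shop.example.org</items>
</elements>"""

# Constructed samples in the layout of the second DAP (one mirror page each).
# The <url> values are placeholders, not real vectors.
MIRROR_XML: Dict[str, str] = {
    "http://xssed.com/mirror/1314/": """<elements>
<submitted fieldName="submitted" originalElement="td" type="field">02/03/2007</submitted>
<status fieldName="status" originalElement="td" type="field">UNFIXED</status>
<domain fieldName="domain" originalElement="td" type="field">it.search.yahoo.com</domain>
<category fieldName="category" originalElement="td" type="field">XSS</category>
<rank fieldName="rank" originalElement="td" type="field">1</rank>
<url fieldName="url" originalElement="td" type="field">http://it.search.yahoo.com/PLACEHOLDER-VECTOR</url>
</elements>""",
    "http://xssed.com/mirror/1310/": """<elements>
<submitted fieldName="submitted" originalElement="td" type="field">02/03/2007</submitted>
<status fieldName="status" originalElement="td" type="field">FIXED</status>
<domain fieldName="domain" originalElement="td" type="field">de.search.yahoo.com</domain>
<category fieldName="category" originalElement="td" type="field">XSS</category>
<rank fieldName="rank" originalElement="td" type="field">2</rank>
<url fieldName="url" originalElement="td" type="field">http://de.search.yahoo.com/PLACEHOLDER-VECTOR</url>
</elements>""",
    "http://xssed.com/mirror/42/": """<elements>
<submitted fieldName="submitted" originalElement="td" type="field">05/29/2007</submitted>
<status fieldName="status" originalElement="td" type="field">UNFIXED</status>
<domain fieldName="domain" originalElement="td" type="field">shop.example.org</domain>
<category fieldName="category" originalElement="td" type="field">XSS</category>
<rank fieldName="rank" originalElement="td" type="field">3</rank>
<url fieldName="url" originalElement="td" type="field">http://shop.example.org/PLACEHOLDER-VECTOR</url>
</elements>""",
}


def parse_top_list(xml_text: str) -> List[Dict[str, str]]:
    """Return [{'domain': host, 'mirror': href}, ...] from a TOP-list document."""
    root = ET.fromstring(xml_text)
    return [{"domain": (e.text or "").strip(), "mirror": e.get("href", "")}
            for e in root.iter("items")]


def parse_mirror(xml_text: str) -> Dict[str, str]:
    """Flatten one mirror document into {fieldName: text}; the <dapper>
    metadata block has no type="field" and is skipped."""
    root = ET.fromstring(xml_text)
    return {e.get("fieldName", e.tag): (e.text or "").strip()
            for e in root if e.get("type") == "field"}


def is_owned(host: str, owned_domains: List[str]) -> bool:
    """True if host equals, or is a subdomain of, a domain you administer."""
    host = host.lower().rstrip(".")
    owned = [d.lower().rstrip(".") for d in owned_domains]
    return any(host == d or host.endswith("." + d) for d in owned)


def find_exposures(top_xml: str, fetch_mirror: Callable[[str], str],
                   owned_domains: List[str], only_unfixed: bool = True) -> List[Dict[str, str]]:
    """Cross-reference the archive against your own domains.

    fetch_mirror maps a mirror URL to that mirror's DAP XML (here a dict
    lookup; in practice an HTTP fetch). Only entries for owned domains are
    fetched, so the hundreds of unrelated records cost nothing.
    """
    hits: List[Dict[str, str]] = []
    for entry in parse_top_list(top_xml):
        if not is_owned(entry["domain"], owned_domains):
            continue
        rec = parse_mirror(fetch_mirror(entry["mirror"]))
        if only_unfixed and rec.get("status", "").upper() != "UNFIXED":
            continue
        hits.append({"domain": rec.get("domain", entry["domain"]),
                     "status": rec.get("status", "?"),
                     "submitted": rec.get("submitted", "?"),
                     "mirror": entry["mirror"]})
    return hits


if __name__ == "__main__":
    for h in find_exposures(TOP_LIST_XML, MIRROR_XML.__getitem__, ["example.org"]):
        print(f"{h['status']:8} {h['submitted']}  {h['domain']}  ({h['mirror']})")
```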
Comments
I think that this scenario could only be used for a small worm as the bandwidth of xssed would never handle too much traffic, and we would close the site if it was happening, well thought though. However xssed.com or not, someone would just have to make their own list of xss and include it in the worm, or host it somewhere else, having a list of XSS which are not public would be a lot more efficient than picking the ones on xssed.
So my advice is always the same: secure your webapps, and why not adding the xssed.com archive page to your bookmarks ;)
I agree Kevin,
however, the thing is that although XSSED.com cannot handle too much traffic bandwidth-wise, Yahoo Pipes can. With a few pipes, attackers can cache the entire XSSED.com, which means that subsequent requests to the site won’t be made unless a change is observed since the last time.
The reason attackers will go for XSSED.com instead of providing their own database is that XSSED has a bigger audience and the chances of someone contributing a new vector are higher. Web2.0 is all about segmenting services into small, independent but very useful blocks. So, why bother creating a new database when you can use whatever is already available online. IMHO, malware code that makes use of various databases online can impact the Web to an extent beyond our imagination.
I agree, well you already explained this problem some weeks ago and I got a bit upset thinking about it, as seeing bad guys using our site is the last thing I’d like to see. But you’re right on this point. I think that your explanation could apply to other kinds of vulnerabilities with other web sites (XSS but also SQL injections/file inclusion with Secunia/SecurityFocus for example, probably a bit more difficult to parse the content).
Hi,
I think a possible solution would be to create a function which converts on the fly a string (XSS vector) to an image. The problem is that if the vector shows up in an image, would be pretty easy to parse it, just like breaking the phpBB captcha - http://blog.phpbb.cc/articles/captcha/. A cracker/parser tool can be programmed to do everything automatically: collect the image of the XSS vector from each mirror, store it in an array, clear the background noise if the images look like a captcha, clean the image fonts and do the matching to the corresponding characters.
Thus a more complicated captcha-style image for the XSS vectors could make their parsing less possible. However, the XSS vectors must be easy to read. Anyway, any person can pick up the XSS vectors from our site, write them down and host them somewhere else - where Yahoo Pipes! is not blocked. What if we block Yahoo Pipes! by modifying our server settings? Then you wouldn’t hold us exclusively responsible for the next super worm… :( We blocked access to our content by other Dapper users and blocked the referers from Dapper.net.
What do you think could be the best solution? I would like to know your opinions! :)
Hi Dimitris,
You cannot stop Dapper or Yahoo Pipes, for a number of reasons. The first one is that Dapper is not the only proxy that can be used to fetch the content from your site. For example, attackers can instruct Tidy from W3C to grab the content on behalf of Dapper and then let Dapper parse it. In this case you won’t see Dapper’s referrer headers nor its User-Agent. Any type of proxy can be used: Google Translate, Google Mobile, etc. You cannot block all of them and as such this idea is totally impractical. The same applies to Yahoo Pipes.
The captcha might work but it will make your site unusable and very unfriendly. Users will move to another site and you will lose your ad revenue. Again, this is not something you would like to do.
The problem is not that you guys host a database of XSSed websites. Your database is totally irrelevant for the discussed scenario. Even if you shut down the service, someone else will open another one. Zone-H has one, not to mention that attackers can simply use Google Base to store their signatures and then recover the records through some clever search queries. This means that we can do nothing about it. The situation is what it is and it cannot be changed. This is the natural progression of the Web.
However, the purpose behind this research is to open your eyes and the eyes of the public. The more aware users are, the better.
Hi Petko,
This is true… I certainly agree that we cannot totally eliminate risks that might be caused by the way malicious people use the content on our site. This would affect negatively the usability of our site, decrease the number of visitors, and consequently, as you said, lose our ad revenue. No, thanks! I don’t want such a scenario to occur!!! :(. We try to do our best with XSSed, taking seriously into consideration research conducted by knowledgeable security people like you.
With your article and our site, we emphasize to individual site owners and webmasters of high-profiled sites, the importance of securing their web applications. Thus we decrease the frequency of security breaches.
Now, full public disclosure of security vulnerabilities has always been a controversial issue for reasons that are already obvious to you. Some people have sent us an e-mail complaining that we did not contact them to let them know that their site is vulnerable to XSS and publicly archived. I believe that it is the job of the XSS vuln finders/submitters to contact the webmasters/security people of the affected sites, not our job. Due to their forgetfulness, irresponsibility and lack of necessary web application security skill-sets, their sites are now published in the XSS archive. They cannot blame us for public disclosure. We disclose in order to make them more aware about XSS issues and to assist them in spotting in a timely manner - because of associated critical security risks - XSS vulnerabilities affecting their sites. We achieve that by SEOing the archived sites - check Google: site:xssed.com - and adding an early warning mailing list subscription feature - soon to be added.
We can generate valuable statistics which also reflect how concerned webmasters are about the security of their sites. This will allow us to further study and research the various causes behind a security breach. It is not the machines that are responsible for security risks, but the people who set them up, code and administer them, and the people who use them. Recently some Yahoo people contacted us to notify us that their XSS vulnerabilities have been fixed - not complaining at all. This shows that they are concerned about security and have a good speed of risk mitigation. It also shows that they care about their PR and value highly any type of security vulnerability, such as the underestimated XSS. They don’t want to lose the faith of their customers. Their success depends on the loyal customers who are trusting their privacy to them.
For example, if they don’t fix any XSS vulnerability which may be used for phishing scams, then a lot of “victim” customers will be very unhappy and never use their service again. Of course the customers must become aware about phishing scams. This is Yahoo’s job. It is also the job of the individuals to become vigilant about protecting their personal information when using websites, web technologies, machines, etc.
Finally, I am a site, I got customers, I love them, I am responsible, I maintain my security effectively, I let XSSed know that I fixed the XSS vuln which affected me, I learn from my mistakes and try not to repeat them in the future, I tell more people about XSSed. 8-)
What is your point of view about full public disclosure of XSS vulnerabilities? What do you think about my point of view?
This post should be read and felt as my personal opinion rather than an explanation of issues which may be already obvious to some people.
Regards
Dimitris,
thanks for the complete response
Personally, I don’t think that it is correct to disclose vulnerabilities in public websites. The right thing to do when you find an XSS or SQL Injection flaw on a public website is to contact the webmaster and in general the people who are responsible for the site maintenance. The situation is a bit different when it comes to software and in general applications, which can be installed on your computer and tested in testing environments designed for that purpose. Again, you should contact the vendor when you discover a vulnerability. In a number of cases, depending totally on the situation, you may go and release the issue right away. I’ve done that in the past in a number of cases. However, I have also disclosed vulnerabilities in a responsible way as well.
In respect to XSSED.com, I do not think that you guys are disclosing any vulnerabilities but simply listing, indexing and organizing whatever is already public. According to the British Computer Misuse Act you are breaking the law, though. That of course does not apply to you, however, the point is that you have to be careful with these things because the legal system will get tougher in the future when it comes to IT crimes.
Good article but lol @ the use of the word “vector”
heh :)
pdp,
I agree that indexing SQL injections would be illegal, it would be completely stupid. But indexing XSS is another thing, they do not “attack” the server, but the end users for most of the time. I also don’t think that they can sue us, because there are good ways to defend: for example, the fact that it is legitimate to warn everybody when a danger is “known”. To say the truth, I got this idea to create xssed when one of the zone-h members got his mailbox hacked because of a stupid XSS hole in a Microsoft web site (this was in December 2006), if that hole had become public, Microsoft would have fixed it faster, or that user would have behaved more carefully. I believe this was more the fault of Microsoft than his fault, and I believe archiving and publishing is the only way to fight against XSS, I am sure that it will greatly improve our security.
Kevin,
Believe me, I see where you are going and I know and understand your point of view. However, legally speaking, it is an offence. Consult with a lawyer and you will see. I am sure that no action will be taken against XSSED.com right now though, but as I said things will get a lot worse in the future. Keep that in mind.
One last thing; XSS vulnerabilities are just like SQL Injection vulnerabilities and they should be treated with the same respect. Just because XSS affects the client, it doesn’t mean that they are less dangerous. As I mentioned before:
I’m sorry guys, but I do not agree that public disclosure of such details will help at all. In fact, creating a “Top PageRank List”… where does that help? At least, order the XSS list by date and that’s it.
But what you are doing there is exposing other vulnerabilities, something that gentlemen don’t do. If you want to do it, at least don’t expose them by “popularity”. That clearly shows that your intentions are not only “to help” but maybe to show off…
Why exposing the “good guys” with such detail? You can simply do as most real security webSites do. Why do you think they behave that way?
Carl.
agree!
We believe that it is significantly helping! It is important to mention that people who are responsible for the websites in that list are thanking us via e-mails for bringing the issues to their attention. The users of the listed websites can see who cares the most about their security. Anyway, these are the websites with the most users on the web. Thus, we expose the vulnerability details in order for them to be quickly fixed.
Already most of the *.yahoo.com XSS vulnerabilities are fixed. Of course we are willing to assist the webmasters with fixing the vulnerabilities - for free. :-) This is what the XSS submitters should do!
I agree that we “show off” our skills in indexing and listing affected websites with the most traffic on the web. However, this is not the only thing we “show off”, but also the skills of the XSS discoverers/submitters. Maybe some of them feel uber proud knowing their nick is listed in that list. Good for them. =)
Google’s mission is to organise the very large amount of information available on the web.
We actively take part in that mission by organising information relating to XSS vulnerabilities for the major search engines.
What if someone uses the publicized XSS vulnerability information for malicious purposes?
Well, since the XSS vulnerability details are public, there is little or no excuse for not being able to fix them in a timely manner. Conscious and concerned web companies, their webmasters and web security people, must be looking on the web every minute or second for public security vulnerabilities affecting them.
It is up to the discoverer’s ethical attitudes whether or not to contact the webmasters for flaws.
As I am typing, Kevin is adding a feature to check which websites in the list have fixed the XSS vuln affecting them.
Can you please clarify what most real security websites do? I think they publish vulnerabilities which are either patched or unpatched… Same kind of thing pretty much, no?
Regards
To Dimitris Pagkalos:
I think you are very lenient on yourself… just claiming the easy way out that you are not responsible for warning the affected site. You are also not responsible for providing a place where kiddies can show off their skill in finding XSS vulnerabilities, right? Yet you are all too happy to provide that service. So as that service significantly increases the risk of people being hurt (even though that was never your intention and it might not go away when you stop your service) you should feel responsible for everything you CAN (not must) do… You can help the world to be a better place, just like you unwittingly help make the world a worse place. It certainly is your responsibility to uphold your intentions of helping. Do as much good as possible, help limiting as much bad that results from it…
Or are you seriously going to uphold that you seriously believe all of the XSS vulnerabilities were reported to “the site owners” by the people who report them to you? They help you make a buck on the vulnerabilities, not warning makes you susceptible to conflict of interest…. and to me, your excuse certainly sounds cheap, so maybe you really are? …
Dear Renko,
As you commented, I am not upholding that I seriously believe all of the XSS vulnerabilities were reported to “the site owners” by the people who report them to us. The individual who spotted and submitted to us the XSS flaw has the ethical option to contact the webmasters in order to let them know about the issue, or even better help them to resolve it. We strongly support that option but cannot force it - just advise. The webmasters of the affected sites can now use the RSS feeds - xssed.com/rss - and the early warning mailing list subscription feature if they want to be instantly notified and thus mitigate possible associated risks in a short time span - of course how quickly they mitigate risks depends on their level of professionalism, customer service, laziness and other important factors.
Mirroring significantly helps the webmasters and web communities to be notified faster.
We personally believe that your comment is mad. I am convinced that you did not carefully read all the above comments and just falsely filtered out what YOU considered to be the “juice” of this subject matter. Obviously there is a very high possibility that you either fell victim to XSS exploitation and you’re indexed in XSSed, or you’re just jealous that we are making “bucks”. If you are neither of the above, then you are just a cyber commie… Highly possible as well, since you are now reading this on GNUcitizen.org - no offence pdp, you kewl. ;-)
Nevertheless thank you for giving me once more the opportunity to express my “cheap excuses” - :P - to people like you with an attitude of an accuser - chipmunk!
PS1: I am cheap and we are “unwittingly” hurting people and making the world a worse place - this is almost your whole comment summed up in one line. Now how cheap is this… Lacks politeness, informative content and good points which influence irony-free web security related discussions - the type of discussions you are not used to.
PS2: We did not hurt any people or animals.
PS3: I hope you received the answer you deserve.
PS4: Next time put your real name… Nothing to be afraid of…
PS5: January of 2015 :)
Best Regards
My real name is Renko. I dunno why you act so upset calling me all the obvious crap.. you know communism is used in some countries to justify government sponsored killing squads… now I believe you showed your real self. anyway, have a nice time being you :oP
Your real name is not Renko… Maybe your friends call you Renko, and I have nothing to hide Renko. What you believe about someone, keep it for yourself. Your weak assessment of my personality lacks some serious evidence. Now you just really assumed, and nothing more. Certainly I’ll have a good time being my real self comrade! :P
Anyway, if you have anything more specific to add (relating to this post by pdp and the comments), add it and don’t waste my time with your history lessons. Otherwise don’t just post because you want to have the final word.
D
Dimitris Pagkalos:
Your ego is way too big to be supported by your weak words. anyway…
first of all, my mom and dad called me renko, that’s why my friends call me that too now… I dunno what you are getting at with the “use your real name”. I guess you needed some stick to beat me with or something and the name was the best you could find? anyway let’s say my name is renko karman (happy now?). hope you see how silly your accusation is about me being afraid to use it in full. you want my email addy too? it’s rkarman@hotmail.com …. (yes of course it’s a spam addy silly… and I didn’t use my real addy since I am AFRAID … of spam …)
second, I never said you physically hurt animals or humans. I did say you hurt people, by helping kiddies and criminals to steal “personal” info and corrupt computer systems.
then let me also sum up your point of view: “you are not obligated to warn anyone.” it’s your whole statement summed up in 1 sentence and guess what… your statement is also lacking politeness, informative content and good points… bravo!!!
anyway I see you are too happy being you and too dumb to look for something positive in a lil criticism. I guess you are going to give a big answer now, but it won’t help anymore since in your first answer you already chose what I am to you instead of trying to see how it was possible that I saw things differently. but then again, there is also a need for narrow minded people in this world right?
oh dear,
Guess what Renko Karman… I am now going to give a very very big answer! You stimulated my ego you see - YOUR perception of my ego since you know me from yesterday! :P Ego for you means smilies and long replies (excuses as you called mine). You have a very wrong way of perceiving things in general. You have a very wrong way of approaching people too with your poor “lil” criticism, and of communicating with people. If you want please tell me the truth, are you self-taught in IRONIC criticism with no positive context?
As an egoist, I honestly believe that I owe you a better explanation… I did not defend against any accusation. I did not come here to defend the pride of XSSed or any pride. Based on pdp’s scenario, Kevin and I came here to discuss with him and the readers possible ways to prevent it from occurring now and in the future (with more sites indexed in our db). We came also to consider opinions for improving our service. [read old news on our site]
All the discussions were polite, visitors of this blog post exchanged information (opinions and ideas), until you visited here and started throwing your cosmetic adjectives to me: “and to me, your excuse certainly sounds cheap, so maybe you really are?” etc [refer]
We took the initiative to create something for the webappsec community and with the scope of increasing security on the web. This service has been up since February 2007. There is currently one “flaw” in its design. What is currently missing is a sophisticated early warning mailing list subscription feature. This feature is currently being developed. Alternatively there are other methods of notifying webmasters of their XSS vulnerable sites: e-mail, our SEOed mirrors (check with “yoursite.com xss”).
They care about their webappsec? XSS is webappvuln? XSSed deals with XSS? Surely they’ll find us and manually monitor us for their websites. Until the early warning feature is completely coded, we are not going to publish major mirrors without making sure that submitters contacted them. Otherwise we contact them.
Obviously you have misunderstood my comments as excuses from your very first post and did not do your homework. It was this misunderstanding that made you think you are smart enough to sum up my “statement” in one sentence: “you are not obligated to warn anyone.” I never said anything like that my friend Renko Karman. Can you please clarify what your summing up is based on? Show me your understanding for once!
You may have a different point of view about something, but you must know that a point of view is always based on your awareness of all or some aspects of that something. In case you did not get it, your point of view was based on incomplete knowledge. Incomplete knowledge usually comes from wrong understanding. Wrong understanding comes because you are dumb - generally speaking, no offense Renko!.
As for the things you never said, it was my mistake to believe that you are quite good at receiving jokes and irony - judging of course from all your offensive type of comments. Treat for treat!
I hope that you understand better now… Cos an answer that long ain’t bullshittin! Aiight? :P <– ego smiley, feeling of defeat. :P
PS1: I wanted to know your name because I like to know with whom I am discussing… ;) You see… I am part of the “Security Paranoia, keeping us clothed and fed since init().” generation.
PS2: Anything that you might find offensive in this post, I would ask you please to cross it out of your mind. Thanks.
My Best Regards and Wishes for your digital life,
D
And always bear in mind that the harsh judgments/criticisms you make about others, and the way you express them, are about the same things you resist recognizing in yourself. Millions of ppl agree! You can say the same thing for me, but that would just show immaturity since you know who started it all off. The only thing you will succeed in is showing once more that you don’t read carefully - thus not understanding well.
D
I just wanted to add a few words here, since I often submit sites to XSSed.com
I report all XSS vulnerabilities I find to XSSed, and I contact the owners of the sites when I have the time and believe that they will care. For example when I find an XSS in Google I know that they will thank me for my help and patch it as soon as possible, but on smaller sites like personal home pages webmasters seldom even respond to my emails.
I think of this as a ‘white-hat sport’, if you can call it that. I can help people to increase their online security, but I also get points on XSSed proving that I do so. It may sound childish to collect points, but it sure works to keep me motivated ;)
Currently I have the highest amount of fixed XSS vulnerabilities of all XSSed submitters, and I’ll try to keep it that way as long as the site stays online.
// Uber0n
It is ridiculous how so many web developers and admins ignore to stay on the top of their game by simply doing their homework, for example: checking sites such as XSSed.com, and even zone-H for mentions of their domains.
I have several unfixed XSSes on my page which I have repeatedly warned the owners of the domains about, but they either leave the holes open or plainly, I assume, do not know how to patch vulnerabilities.
Phishing attacks remain the most dangerous, in my opinion, due to the possible payloads.