Six Degrees of XSSploitation

This document discusses using cross-site scripting (XSS) vulnerabilities in popular websites and software to spread malicious payloads virally by exploiting the network effect. It describes past examples like the Samy worm on MySpace and the JS-Yamaner email worm. The authors propose techniques for combining XSS with native code exploits to propagate malware by "hooking" the browser and spreading to other web applications. They note the potential for such attacks using Internet Explorer vulnerabilities and browser extensions.

Six Degrees of XSSploitation

Dan Moniz <[email protected]>
HD Moore <[email protected]>
Introduction
• Who?
– Two guys who thought this was an interesting topic
• What?
– Using XSS in concert with ridiculously popular web content (sites and software) as a viral infection platform
• Why?
– We’re afraid
XSS Matters
• Rise of social network sites
• Increase in rich content
– JavaScript
– Flash
– Java
– AJAX
• Widely deployed software
samy is my hero
• MySpace target
• Injection via XSS
• Performs both XSS and XSRF attacks
• Payload in the client (browser) is entirely JavaScript
• Self-replicating code only
– But on a site with ~70 million vulnerable users!
samy Dissected
• Makes use of CSS style elements in HTML tags (div) and JavaScript decimal-to-ASCII conversion to bypass filters (among other things)
• XMLHTTP works because the user is already authenticated -- the point is to automate what the user can do programmatically
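The two filter-bypass tricks named on this slide (keywords smuggled into CSS style attributes, and strings rebuilt from decimal character codes) are what a server-side content filter has to see through. The following is an added detection example, not code from the talk or from the worm: it normalises style attribute values the way a browser would and decodes `String.fromCharCode` runs so a reviewer sees the real string. The sample submissions are constructed for the example.

```python
import html
import re

# Decimal char-code runs passed to String.fromCharCode, e.g. fromCharCode(105,110)
FROMCHARCODE_RE = re.compile(
    r"fromCharCode\s*\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\)", re.I)
# Any style="..." attribute value
STYLE_ATTR_RE = re.compile(r'style\s*=\s*"([^"]*)"', re.I)
# Whitespace, NULs and CSS comments: filters often pass them, browsers ignore them
NOISE_RE = re.compile(r"[\s\x00]|/\*.*?\*/", re.S)


def decode_fromcharcode(run: str) -> str:
    """Turn '105,110,...' back into the text the script would build at runtime."""
    return "".join(chr(int(n)) for n in run.split(","))


def normalize_css(value: str) -> str:
    """Unescape entities, then strip noise so 'java\\nscript:' and
    'expr/**/ession(' collapse to the form the browser actually evaluates."""
    return NOISE_RE.sub("", html.unescape(value)).lower()


def inspect_submission(content: str) -> list:
    """Return (finding, evidence) pairs for a user-submitted HTML fragment."""
    findings = []
    for m in STYLE_ATTR_RE.finditer(content):
        css = normalize_css(m.group(1))
        if "javascript:" in css:
            findings.append(("css-script-uri", css))
        if "expression(" in css:
            findings.append(("css-expression", css))
    for m in FROMCHARCODE_RE.finditer(content):
        findings.append(("fromcharcode", decode_fromcharcode(m.group(1))))
    return findings


# Constructed samples (not real worm code): one benign, three obfuscated
SAMPLES = {
    "benign": '<div style="color:red">hello</div>',
    "split-keyword": '<div style="background:url(\'java\nscript:void(0)\')">x</div>',
    "comment-split": '<div style="width:expr/**/ession(1)">x</div>',
    "charcodes": "<script>var s = String.fromCharCode(105,110,110,101,114,72,84,77,76);</script>",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, inspect_submission(sample))
```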
JS-Yamaner
• Yahoo! Mail target
• JavaScript code in an HTML email that abused onload event handling
• Sent itself to every address in a Yahoo! Mail user’s address book
• Leaked addresses it found back to a third-party site
SPAIRLKAIFS
• WMF vuln inside a chewy nougat center of Flash using luscious JavaScript cream (geturl)
• Found on MySpace, but not a worm
• 16,000 page views per day per million users of the web (source: Alexa)
• PurityScan/ClickSpring adware install
• Flash 9 added AllowNetworking flag
Making XSS “Useful”
• Combine XSS injection with native code exploit payloads
• Propagate via XSS
• Hook into the browser
• Ride into the next web app
• Inspect form variables from IE hooks to pick XSS exploit
Browser Bugs
• Browser Fun and MoBB
– http://browserfun.blogspot.com/
• MS06-014: MDAC code execution
• IE HTML Help Control COM object Image Property Heap Overflow (MoBB #2)
• WMI SDK bug (0-day!)
Native Code Hooks
• Why IE?
– Most deployed platform on earth + most popular browser on the web = teh win
• Three places to hook into IE
• IE7 kills ActiveX exploits
• Extensions are the ActiveX for Mozilla and Firefox
Implementation
• Disclaimer
– Suboptimal for real worm
– Hardcoded limitations
• Blog + IE
– Blog comments/posts/trackbacks
– Blog XML-RPC
– IE exploit
– Hooking code
Exploit Lifecycle
• Find vulnerable web content (site and/or software)
– Preferably something not only popular, but with a viral growth curve
• One definition of viral: for every 1 user joining the site, that user will attract 1.1 or more additional users to sign up, on average
Code Anyone?
• Hooking into IE
• Detect web application in use based on form variable names
• Use application specific code injection
Thanks!
• Dan Moniz
[email protected]
• http://pobox.com/~dnm/
• http://hundrad.org/

• HD Moore
[email protected]
• http://metasploit.com/