Cross-Site Scripting Worm Floods MySpace
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest, a JavaScript object used in AJAX Web applications, and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.
So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other /.ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?
May the threads progress competently.
I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong. Firefox on the other hand presumes you are reasonably competent at what you are doing and will let you know when you screw up.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
My proposed "quick and dirty" solution is this.
<script type="text/javascript">
// Nag the visitor 1000 times, then once more for good measure
for (var i = 0; i < 1000; ++i) {
  alert("Disable JavaScript for this site!");
}
alert("OK..... Don't say you weren't warned.");
</script>
Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.
* There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times. Their computer probably is infected with several viruses already, though.
Je fume. Tu fumes. Nous fûmes!
Which is why I now have in my Apache configuration.
Firstly it's on the same site :).
Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.
Anyway, I've proposed years ago that there be HTML tags to turn off any active/dynamic stuff.
Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.
I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.
e.g.
<shieldson lock="randomstring" allowed="keyword,keyword,keyword">
  disallowed material disabled
<shieldsoff lock="randomstring"/>
  state restored to before lock
Where keywords:
  textonly = just text
  basic = basic formatting <em> <b> <i> <strong>
  tables = tables
  urls = plain <a href=""> no javascript etc.
  images = plain images, no javascript etc.
  java = java
  javascript = javascript
The idea is it will be very hard for the attacker to guess the random string.
Oh well...
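As an added illustration of the "allowed keywords" policy proposed in the comment above (example code written here, not the commenter's or MySpace's), this applies the same allowlist on the server before user HTML is stored, rather than through new browser tags; the keyword names follow the comment, while the tag and attribute mapping behind each keyword is my assumption.

```python
from html import escape
from html.parser import HTMLParser

# Tags each policy keyword unlocks (names from the comment; the mapping is my assumption).
KEYWORD_TAGS = {"basic": {"em", "b", "i", "strong"}, "tables": {"table", "tr", "td", "th"},
                "urls": {"a"}, "images": {"img"}}          # "textonly" unlocks nothing
SAFE_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}         # every other attribute is dropped
SAFE_SCHEMES = ("http://", "https://")                      # rejects javascript:, data:, ...
RAW_TEXT_TAGS = {"script", "style"}                         # their text content is discarded

class ShieldFilter(HTMLParser):
    def __init__(self, keywords):
        super().__init__(convert_charrefs=True)
        self.allowed = set().union(*(KEYWORD_TAGS.get(k, set()) for k in keywords))
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
        if tag not in self.allowed:
            self.dropped.append(tag)                         # script, iframe, object, ...
            return
        kept = []
        for name, value in attrs:
            v = (value or "").strip()
            if name.startswith("on") or name not in SAFE_ATTRS.get(tag, set()):
                continue                                     # event handlers, style, etc.
            if name in ("href", "src") and not v.lower().startswith(SAFE_SCHEMES):
                continue                                     # parser already decoded entities
            kept.append(f' {name}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag                     # <img .../> must not emit </img>

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        if tag in self.allowed and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                                    # text inside <script> never resurfaces
            self.out.append(escape(data))

def apply_shields(user_html, keywords):
    """Return (filtered_html, dropped_tags) for one user-supplied fragment."""
    f = ShieldFilter(keywords)
    f.feed(user_html); f.close()
    return "".join(f.out), f.dropped
```

The constructed input in the test mixes an inline handler, a script block and a javascript: link with legitimate markup; only the latter survives, and the dropped tag list gives a cheap signal for logging which accounts keep submitting active content.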
I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.
Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).
Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
responsibility lies at the browser developers' feet.
Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.
The situation is an artefact left over like a minefield from the browser war in the '90s. If either Netscape or Microsoft had focused on standards compliance they would have lost market share. It is likely that both companies were actively trying to break standards as a means of locking in users.
Now that things have settled down Microsoft is the only corporate player with an ongoing interest in locking in users, but users are still going to expect browsers to render everything, no matter how malformed. Users experience any failure to render as a browser problem, not an authoring problem. As such, it is going to be difficult to get the web as a whole to be standards-compliant.
One of the fundamental laws of human behaviour was most clearly enunciated by Han Solo: "It's not my fault! It's not my fault!" We can sit back and say that any user of IE deserves to get burned by exploits, or that anyone authoring an invalid web page deserves to not get page views, but the Darwinian market is fundamentally a mechanism for humans to shift blame for their own failures onto others, and users choose IE and users choose MySpace, so neither browser choice nor website choice will ever be accepted as the cause of users' problems.
Blasphemy is a human right. Blasphemophobia kills.
I have a 3rd party site that brands its content for us but does it using and tags. The tag is forbidden by the W3C standard
http://www.w3.org/TR/REC-html40/struct/objects.html#h-13.2
Notice "Start tag: required, End tag: forbidden"
Which is pretty unambiguous.
That site's response to letting them know that they were putting out "Forbidden" tags was to come up with a "Compatibility Matrix" for which browsers and versions of browsers would work with their site.
This is unfortunately the attitude of many sites and site designers. If it works for I.E. then we are done. We just document the bug with a compatibility matrix and we are golden. The problem here is in the branding: if you have Netscape and some versions of Firefox and a few others, our company logo will not show.
My contention is if you have a product that only works for one browser you have a client server application not a web application.