Sunday, February 3, 2008

Launching XSS CSRF Based Worms On Social Networks

Via Hacker Webzine -

For those who didn't know it yet, XSS is just bad. But it can be far worse. Usually, if not always, many have the firm idea that XSS worms need to be stored XSS worms instead of reflected XSS worms. This might hold some water, because it contributes to its persistence. But it isn't necessary. In this article I want to explain why a stored XSS hole isn't mandatory, and that reflected XSS can perform worm-like behavior due to the use of CSRF. CSRF is a great way of mixing up or leveraging the social engineering part. We as an attacker don't necessarily need to engineer all users to click on a link that looks quite murky. It is possible to let victims infect their own friends. This way, the social engineering is far more likely to succeed. CSRF can help us achieve that goal: to propagate a reflected XSS worm we have to trick only one person. The rest happens automatically.

Last week a reader named Bart Kerkvliet contacted me about an XSS hole he found in the online social network site called Hyves. Hyves is a very popular website in my country. They have millions of active users including our national president. Bart told me about the XSS vulnerability, and that he contacted Hyves to notify them about the issue. Hyves didn't respond adequately, and he tried again. After some time they decided to fix it. Bart then went back and tried again, and sure enough they didn't fix it properly. It was still possible to inject JavaScript into different search fields. Obviously, it wasn't fixed. Hyves also said that it wasn't that bad after all. They do filter for single and double quotes, so who cares, you can't do anything malicious, right? Wrong.

...

To launch the worm we only have to find one victim; we send him or her the link to a silly website. In that website we host a hidden form that makes a POST request to Hyves and the form where the reflected XSS hole is present. The victim doesn't see this happen. Since the cookie authentication makes sure he or she is logged in when we submit it through the CSRF request, it becomes a valid request as far as Hyves is concerned and the worm starts propagating in the background. Then the worm posts new links as 'scraps' on his or her friends' profiles. In turn the victim's friends will see the link, click on it and are directed to our XSS CSRF server, again performing the same action we did with our first victim, and on and on until every user is infected. The only thing we need to be sure of is that friends will click on the link. But hey, it's submitted by one of their friends, of course 50% will click, won't they? In any case we now have a reflected XSS CSRF worm that can be launched due to a very tiny XSS vulnerability.
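The two server-side controls that break the chain described above, as an added example that is not part of the original article and is not Hyves code: it shows a quote-only filter next to HTML-context encoding, and a search POST that refuses cross-site submissions. The endpoint shape, the origin `https://social.example`, the field names `q` and `csrf_token`, and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumption: per-deployment secret
TRUSTED_ORIGIN = "https://social.example"   # assumption: placeholder site origin

def quote_only_filter(value):
    """The weak 'before': stripping quotes leaves < and > untouched."""
    return value.replace("'", "").replace('"', "")

def csrf_token(session_id):
    """Token bound to the session, embedded only in forms the site serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_search(session_id, origin, form):
    """Return (status, body) for a POST to the hypothetical search endpoint."""
    # 1. A form hosted on another site sends the cookie, but its Origin differs.
    if origin != TRUSTED_ORIGIN:
        return 403, "cross-origin POST rejected"
    # 2. It also cannot read the token tied to the logged-in user's session.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    # 3. Encode for the HTML context instead of blacklisting characters.
    term = html.escape(form.get("q", ""), quote=True)
    return 200, "<p>Results for: " + term + "</p>"

# Constructed sample input: markup that contains no quote characters at all.
SAMPLE_TERM = "<script>alert(1)</script>"
SESSION = "constructed-session-id"

if __name__ == "__main__":
    print("quote filter output:", quote_only_filter(SAMPLE_TERM))
    print(handle_search(SESSION, "https://silly.example", {"q": SAMPLE_TERM}))
    print(handle_search(SESSION, TRUSTED_ORIGIN, {"q": SAMPLE_TERM}))
    good = {"q": SAMPLE_TERM, "csrf_token": csrf_token(SESSION)}
    print(handle_search(SESSION, TRUSTED_ORIGIN, good))
```

Either control alone stops the propagation described here: without the forged POST being accepted the reflected hole is never reached from another site, and with output encoding the reflected value is rendered as text.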
