Diminutive XSS Worm Contest
January 13, 2008
Apologies for being a bit slow on this - I have a ton of things that I’ve been holding onto until the blog has been working properly, so as I get time I’m writing them up and posting them to the blog. I feel I’m cheating a little in “back posting” them (setting the date to earlier than when I’m actually posting), but it helps me fill in some of the places where I was writing but it had nowhere to go.
Anyway, bear with me while I get these things up, and on with the show.
Over on RSnake’s site, he’s been running the Diminutive Worm Contest. It has just wrapped up, and has attracted some controversy from various places as well. I even had emails from work asking whether it was “real” (as in real work), a marketing stunt, or worse.
I’ve had the pleasure of meeting RSnake a few times, and there’s no question that he’s a very smart guy with a passion for the industry. He clearly knows that this research could be used in a malicious way, but has weighed this up against what the outcome of the project could be, and made the task as simple as possible in order to avoid all the “obfuscation” or “hacks” a lot of worms use to get around site-specific issues like filtering and DOM quirks - which, if you’ve ever looked into them, is where the vast majority of the effort goes into getting these worms to work. Just having the code that was posted to the forum is (to my mind) like giving someone an ounce of uranium and saying “go make a nuclear bomb” (analogy intended for the commenter that equated this work to “arming people with nuclear weapons“) - it’s just not that easy.
In any case, was it marketing? Probably yes - there certainly was a lot of press, which isn’t a bad thing for RSnake, who has his own startup security company (although he’s been posting great material long before SecTheory came about), but that’s cool if something meaningful comes out of it. Was it “real” work, or research? Hell yeah - we’ve learnt a few things about worms that perhaps we didn’t know before (at least in the wider community).
Here’s some of the things that I’ve learnt through this…
- XSS worms can be very small (161 characters was the “winner”, although there were some even smaller that only worked in certain browser versions). To see all the submissions, go here.
- Images seem to be a much better/preferred vector than iframes (an image tag carrying an event handler does the job), which in some ways is contrary to what people “think” is the most likely way malicious code is propagated on websites, and is another of those “Danger Will Robinson” moments when we realize that images (tags/uploads/etc) are allowed on a good number of sites (just think about emoticons, for example).
- IFrames can be put to good security use in “sandboxing” content/code away from other parts of the site (and other domains), as the same origin policy kicks in - with the caveat that the framed content has to be served from a separate origin, since a frame from the same origin gets full access to the parent page. In IE at least, iframes can also be tagged with “security=restricted”, which turns off JavaScript within the frame, making most content safe; other browsers ignore that attribute.
- POST-ing back to the same page is a really easy way of getting a “run-away” worm if the content is echoed back after submission (think of a comments form): each echo re-runs the payload in the submitting browser. XMLHttpRequest is a good alternative, not only because it avoids this problem (the JavaScript on the page doesn’t trigger again), but also because the request is “silent” (there’s no page refresh, and none of the audible “click” a browser makes when forms are submitted), perhaps making it more effective.
- I think this is probably browser-specific, but if you “pre-define” the onload/onfocus/onerror events, the dynamic code of the worm can’t re-define them - effectively removing some of the “hooks” a worm might use to get started. As pointed out on the forum, it’s not a total defense, but it might be considered to close one vector.
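As an added example (not code from the original post, nor from the contest entries), here is the defensive counterpart to the image vector and the echoed-comment problem above: a comment renderer that entity-encodes everything it echoes back and re-emits only an `<img>` rebuilt from an allowlisted http(s) source, so event-handler attributes such as onerror never reach the page. The function names, the sample comments, and the assumption that the site wants to permit remote images (emoticons) are my own choices.

```javascript
// Added example (not from the original post): output encoding for an echoed
// comment, plus a strict allowlist for the one tag the site chooses to permit.
//
// The contest entries lean on <img> because image tags are something many
// sites already allow (emoticons, avatars). The defence here is not to filter
// out known-bad strings but to encode everything by default and to rebuild the
// permitted tag from parsed, validated parts.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only absolute http/https URLs may be used as an image source. Anything else
// (javascript:, data:, relative paths, unparsable junk) is rejected, which
// keeps the src attribute from becoming a second injection point. Returns the
// normalised href, or null when the URL is not acceptable.
function allowedImageUrl(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
    return null;
  } catch (e) {
    return null;
  }
}

const IMG_TAG = /<img\b([^>]*)>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Render a comment for echoing back to the browser. Text is entity-encoded in
// full; the only markup that survives is an <img> reconstructed from an
// allowlisted src. Event-handler attributes (onerror, onload, ...) are never
// copied because the output is constructed, not passed through.
function renderComment(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(IMG_TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    const src = SRC_ATTR.exec(m[1]);
    const href = src ? allowedImageUrl(src[1] || src[2] || src[3] || '') : null;
    if (href) {
      out += '<img src="' + escapeHtml(href) + '" alt="">';
    } else {
      // Not a permitted image: show the raw tag as text rather than as markup.
      out += escapeHtml(m[0]);
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample comments (not real contest submissions) to exercise the
// renderer: a harmless one, an emoticon with a smuggled handler, and two
// attempts to get script into the page via the tag itself or its src.
const SAMPLE_COMMENTS = [
  'hi <b>there</b>',
  '<img src="https://example.com/smile.gif" onerror="alert(1)">',
  '<img src=x onerror=alert(1)>',
  ':) <img src="javascript:alert(1)">',
];

function demo() {
  return SAMPLE_COMMENTS.map(renderComment);
}
```

Whichever path a comment takes, the output never contains an attribute the server did not write itself; a payload that relies on an onerror handler (the pattern the contest entries used) is reduced to visible text, and the one image that passes is emitted with only a src and an alt.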
In any case, there’s a lot more interesting reading in the paper describing the contest and the things learnt from it. If you are into the whole web security field, I’d recommend reading it (and the forum - there’s a lot there, but worth it, I feel), as I think we’re going to be seeing a few of these kinds of attacks.
January 15th, 2008 at 11:01 pm
Wanted: More Penn & Teller’s | Mike Andrews said:
[...] Writing about RSnake’s XSS Worm Contest reminded me of an email conversation we had a while back where the topic of discussion was how, to some people, "hacks" can look a lot like magic. Just like performing magic, most hacks (discovered vulnerabilities, findings from penetration testing, security breaches, etc) are based very much off of the skill and knowledge of the "performer", but once the techniques/methods/secrets are revealed, the actual hack might not be all that impressive, and (possibly) easy to repeat. [...]