Browsers Gone Bad

XSS can turn your desktop against you, and possibly even implicate you in malware creation

12:35 PM -- The press covered it, the user community rejoiced, but what does it actually mean that the author of the first cross-site scripting (XSS) virus was prosecuted? The first ever XSS worm was called Samy after Samy Kamkar, who wrote the worm to test how popular he could be on MySpace by getting users to automatically add him to their friends list.

After the worm had infected a million users (the largest infection in history), the exploit was finally halted by the site's administrators. Samy got barely a slap on the wrist: three years of probation and a few months of community service.

Still, it was the first XSS exploit that resulted in the arrest of its author. This case was pretty open and shut. Not only was the worm named after Samy, it was designed to get people to add him as their friend. He even went as far as to post on his Website a long explanation of how the worm worked. So we can be very certain that he was in fact the person responsible. However, because of the way XSS works, it can turn other users' browsers against them.

That's right, Samy could have been framed. Not that he was framed in this case, but let's assume for a second that some random person on the Internet visits a malicious Website. Their browser could be driven, through a cross-site request forgery, to post an XSS payload to the target Website. The target Website now contains a persistent exploit that was posted there by someone who may never have heard of XSS, let alone written it. But because their account was the first one the exploit was posted to, they would appear to be the originator of the worm.

Because the browser only keeps its cache of visited sites for a limited time (and a malicious site can suppress caching entirely with response headers), it is highly possible that there would be no way to prove they weren't the author of the virus. If the worm's initial infection were crafted to use that user's name, or otherwise appear to come from that user, it's possible the frame-up would stand up in court. The worst part is that turning off JavaScript doesn't necessarily protect the user, if the server in question lets a plain GET request store a persistent exploit: an image tag or link on the malicious page is enough to make the browser send that request.

XSS brings a unique depth to exploitation. XSS and cross-site request forgeries allow the attacker to turn people's computers against them, as if the browser were a modern-day proxy server.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
