Last week, the Samy Worm gained notoriety as the first Cross Site Scripting worm. The author explained the technical details of the worm here.
The Samy worm is a good study on the challenges black list filters face. MySpace.com, the victim, used a black list filter to counter Cross Site Scripting (CSS) attacks. I guess they knew they were a candidate for CSS attacks as they followed several techniques to counter CSS.
The MySpace black list filtered out the keywords that can carry CSS payloads: <script>, javascript, <body>, onClick, innerHTML, etc. Further it stripped all escaped single and double quotes. It even blocked "onreadystatechange" which is used in more advanced CSS attacks to invoke XML-HTTP requests.
Then, what went wrong? A combination of things, really.
The attacker evaded the filter by splitting the keywords into smaller parts, and then recombining them at runtime. eg. eval('document.body.inne' + 'rHTML') would go unstopped through a black-list on the lookout for innerHTML. At run time, that expression evaluates to "document.body.innerHTML" and can be used from within the script.
Similarly, double-quotes were also embedded in run time by calling a function that converted the decimal value 34 to the ASCII double-quote. The filter would let String.fromCharCode(34) to go through, not realizing that the adversary had sneaked in a double-quote.
Thirdly, the attacker exploited some browsers' leniency in accepting HTML tags. Internet Explorer, for instance allows newlines inside tags. Thus, IE interprets
<java
script>
as <javascript>; the MySpace black-list filter is stricter and does not interpret the two as the same: more tags were sneaked in this way.
Why didn't MySpace just use a whitelist? That's the tricky part. It's difficult to define white lists for free-flowing text boxes that accept a wide range of inputs. And MySpace was faced with just that. For the features MySpace offered, a whitelist would have been nearly impossible to define.
The debate on strategies to prevent CSS will heat up further as sites prepare to defend against CSS worms.
Tags: Uncategorized