The Cross Site Scripting Worm and the Black List

Paladion
By Paladion

October 31, 2005

Last week, the Samy Worm gained notoriety as the first Cross Site Scripting worm. The author explained the technical details of the worm here.

The Samy worm is a good study on the challenges black list filters face. MySpace.com, the victim, used a black list filter to counter Cross Site Scripting (CSS) attacks. I guess they knew they were a candidate for CSS attacks as they followed several techniques to counter CSS.

The MySpace black list filtered out the keywords that can carry CSS payloads: <script>, javascript, <body>, onClick, innerHTML, etc. Further it stripped all escaped single and double quotes. It even blocked "onreadystatechange" which is used in more advanced CSS attacks to invoke XML-HTTP requests.

Then, what went wrong? A combination of things, really.

The attacker evaded the filter by splitting the keywords into smaller parts, and then recombining them at runtime. eg. eval('document.body.inne' + 'rHTML') would go unstopped through a black-list on the lookout for innerHTML. At run time, that expression evaluates to "document.body.innerHTML" and can be used from within the script.

Similarly, double-quotes were also embedded in run time by calling a function that converted the decimal value 34 to the ASCII double-quote. The filter would let String.fromCharCode(34) to go through, not realizing that the adversary had sneaked in a double-quote.

Thirdly, the attacker exploited some browsers' leniency in accepting HTML tags. Internet Explorer, for instance allows newlines inside tags. Thus, IE interprets
<java
script>

as <javascript>; the MySpace black-list filter is stricter and does not interpret the two as the same: more tags were sneaked in this way.

Why didn't MySpace just use a whitelist? That's the tricky part. It's difficult to define white lists for free-flowing text boxes that accept a wide range of inputs. And MySpace was faced with just that. For the features MySpace offered, a whitelist would have been nearly impossible to define.

The debate on strategies to prevent CSS will heat up further as sites prepare to defend against CSS worms.


Tags: Uncategorized

About

Paladion