Breach Support

Partners

Partners

The Cross Site Scripting Worm and the Black List

Paladion
By Paladion

October 31, 2005

Last week, the Samy Worm gained notoriety as the first Cross Site Scripting worm. The author explained the technical details of the worm here.

The Samy worm is a good study on the challenges black list filters face. MySpace.com, the victim, used a black list filter to counter Cross Site Scripting (CSS) attacks. I guess they knew they were a candidate for CSS attacks as they followed several techniques to counter CSS.

The MySpace black list filtered out the keywords that can carry CSS payloads: <script>, javascript, <body>, onClick, innerHTML, etc. Further it stripped all escaped single and double quotes. It even blocked "onreadystatechange" which is used in more advanced CSS attacks to invoke XML-HTTP requests.

Then, what went wrong? A combination of things, really.

The attacker evaded the filter by splitting the keywords into smaller parts, and then recombining them at runtime. eg. eval('document.body.inne' + 'rHTML') would go unstopped through a black-list on the lookout for innerHTML. At run time, that expression evaluates to "document.body.innerHTML" and can be used from within the script.

Similarly, double-quotes were also embedded in run time by calling a function that converted the decimal value 34 to the ASCII double-quote. The filter would let String.fromCharCode(34) to go through, not realizing that the adversary had sneaked in a double-quote.

Thirdly, the attacker exploited some browsers' leniency in accepting HTML tags. Internet Explorer, for instance allows newlines inside tags. Thus, IE interprets
<java
script>

as <javascript>; the MySpace black-list filter is stricter and does not interpret the two as the same: more tags were sneaked in this way.

Why didn't MySpace just use a whitelist? That's the tricky part. It's difficult to define white lists for free-flowing text boxes that accept a wide range of inputs. And MySpace was faced with just that. For the features MySpace offered, a whitelist would have been nearly impossible to define.

The debate on strategies to prevent CSS will heat up further as sites prepare to defend against CSS worms.

Tags: Uncategorized

About

Paladion

SUBSCRIBE TO OUR BLOG

Recent Posts

Healthcare Breaches BG

BLOG

How to Prevent Healthcare Breaches: DBIR 2020
Read More
Buyers-Guide-Collateral

WHITEPAPER

Buyer’s Guide to Managed Detection and Response

Download
MDR

Get AI Powered

Managed Detection and Response

MDR-learmore-btn

 
MDR-Guide-Collateral

REPORT

AI-Driven Managed Detection and Response

Download Report
Episode

EPISODE-25

Red-LineAsset-6

Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst
  • FacebookAsset
  • LinkedinAsset
  • TwitterAsset

 

AI-Driven MDR

Paladion OnDemand

Company

Resources

Our Services

Technology

Contact Us

Copyright All Rights Reserved © 2020