Cross-Site Scripting Worm Floods MySpace
DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest (a JavaScript object used in AJAX Web applications) and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
I find this amusing... (Score:5, Interesting)
So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other
Re:IE is too forgiving (Score:3, Interesting)
I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong. Firefox on the other hand presumes you are reasonably competent at what you are doing and will let you know when you screw up.
Quick and Dirty solution (Score:2, Interesting)
<script type="text/javascript">
// 1000 modal alerts in a row; the only way past them is to disable JavaScript
for (i = 0; i < 1000; ++i) {
alert("Disable JavaScript for this site!");
}
alert("OK");
</script>
Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.
* There probably is _somebody_ _somewhere_ who really is masochistic enough to click the thing 1001 times. Their computer probably is infected with several viruses already, though.
Re:I find this amusing... (Score:3, Interesting)
Oh, and % is used in LIKE queries; that may be why it's filtered?
Jeremy
Re:With myspace popularity, comes the problems (Score:3, Interesting)
Which is why I now have in my Apache configuration.
Re:Quick and Dirty solution (Score:5, Interesting)
while (1) {alert("nope!");} will DoS any browser in use today. You'll have to kill it via some OS-level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc.) shouldn't be modal to the document canvas (disabling interaction with the canvas, but not the browser chrome) rather than to the browser itself?
Not the first worm of that type (Score:3, Interesting)
Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.
Anyway, I proposed years ago that there be HTML tags to turn off any active/dynamic stuff.
Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.
I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.
e.g.
<shieldson lock="randomstring" allowed="keyword,keyword,keyword">
disallowed material disabled
<shieldsoff lock="randomstring"/>
state restored to before lock
Where keywords:
textonly = just text
basic = basic formatting <em> <b> <i> <strong>
tables = tables
urls = plain <a href=""> no javascript etc.
images = plain images, no javascript etc.
java = java
javascript = javascript.
The idea is it will be very hard for the attacker to guess the random string.
Oh well...
About (2?) years ago (Score:5, Interesting)
Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).
Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
Re:That's Irrelevant (Score:3, Interesting)
Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.
The situation is an artefact left over, like a minefield, from the browser war in the '90s. If either Netscape or Microsoft had focused on standards compliance they would have lost market share. It is likely that both companies were actively trying to break standards as a means of locking in users.
Now that things have settled down Microsoft is the only corporate player with an ongoing interest in locking in users, but users are still going to expect browsers to render everything, no matter how malformed. Users experience any failure to render as a browser problem, not an authoring problem. As such, it is going to be difficult to get the web as a whole to be standards-compliant.
One of the fundamental laws of human behaviour was most clearly enunciated by Han Solo: "It's not my fault! It's not my fault!" We can sit back and say that any user of IE deserves to get burned by exploits, or that anyone authoring an invalid web page deserves to not get page views, but the Darwinian market is fundamentally a mechanism for humans to shift blame for their own failures onto others, and users choose IE and users choose MySpace, so neither browser choice nor website choice will ever be accepted as the cause of users' problems.
Re:IE is too forgiving (Score:3, Interesting)
http://www.w3.org/TR/REC-html40/struct/objects.ht
Notice "Start tag: required, End tag: forbidden"
Which is pretty unambiguous.
That site's response to being told that they were putting out "Forbidden" tags was to come up with a "Compatibility Matrix" for which browsers and versions of browsers would work with their site.
This is unfortunately the attitude of many sites and site designers: if it works for I.E. then we are done. We just document the bug with a compatibility matrix and we are golden. The problem here is in the branding: if you have Netscape, some versions of Firefox, and a few others, our company logo will not show.
My contention is if you have a product that only works for one browser you have a client server application not a web application.