Rails - Oct 2005 - Interesting AJAX worm story

Some guy wrote a worm which used javascript uploaded to his profile on
MySpace to make AJAX calls in the ''background'' whenever
another MySpace
user viewed his profile!

I thought the story was relevant enough to the Rails AJAX community to
post it here ... sorry for the noise.
>From http://blog.outer-court.com/archive/2005-10-14-n81.html
Could you describe the approach to the worm you wrote? It was Ajax
making use of a MySpace security hole, right?

The hole was actually not in MySpace. To MySpace''s defense, they did a
great job of blocking malicious code, JavaScript, etc. The reason I was
still able to get JavaScript past their filters is by using browsers''
leniencies. With a little finagling, I could get JavaScript to execute
on some browsers, even though the actual code wasn''t valid. It was the
browsers that mistakenly executed JavaScript when they shouldn''t have.

The basic approach was this:

1.	The code was first placed in my profile. Once anyone viewed my
profile, they would unknowingly execute the code.
2.	Upon executing the code, it would add me as one of their
friends. This normally requires their approval, but this was all done in
the background via Ajax. It required multiple GETs and POSTs in order to
obtain all the information necessary, such as random hashes, to approve
the friend request.
3.	It would additionally GET their own profile, grab their list of
heroes if they had any in their profile, and append me as a hero.
Specifically, it would append "but most of all, samy is my hero."
4.	The most important step is then having the code reproduce
itself. It would grab the content of the profile they''re viewing, parse
out the actual code that was being executed, and then append that to the
heroes as well.
5.	The whole process starts over any time anyone views the newly
infected user''s profile.

There were several complexities I had to overcome since MySpace does a
great job of stripping out JavaScript, necessary quotes, Ajax functions,
etc. The code had to be written in such an obfuscated manner to actually
get past their filters, including getting it to propagate past
MySpace''s
own HTML-rewriting that occurs. A more detailed explanation of the
hurdles is available <http://namb.la/popular/tech.html> .




_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails

This is what old school security guys like me call XSS (Cross Site  
Scripting), but I guess AJAX worm sounds cooler *sign*

I however do place some blame on MySpace, they where trying to walk a  
fine line between allowing "good" HTML and disallowing "bad"
HTML.
This is a game that you are very likely to lose. These type of  
attacks use the client to do bad stuff, we all know we can''t trust  
the client don''t we?

On Oct 20, 2005, at 12:06 AM, Neville Burnell wrote:
> Some guy wrote a worm which used javascript uploaded to his profile  
> on MySpace to make AJAX calls in the ''background''
whenever another
> MySpace user viewed his profile!
>
> I thought the story was relevant enough to the Rails AJAX community  
> to post it here … sorry for the noise.
>
> From http://blog.outer-court.com/archive/2005-10-14-n81.html
>
> Could you describe the approach to the worm you wrote? It was Ajax  
> making use of a MySpace security hole, right?
>
> The hole was actually not in MySpace. To MySpace’s defense, they  
> did a great job of blocking malicious code, JavaScript, etc. The  
> reason I was still able to get JavaScript past their filters is by  
> using browsers’ leniencies. With a little finagling, I could get  
> JavaScript to execute on some browsers, even though the actual code  
> wasn’t valid. It was the browsers that mistakenly executed  
> JavaScript when they shouldn’t have.
>
> The basic approach was this:
>
> The code was first placed in my profile. Once anyone viewed my  
> profile, they would unknowingly execute the code.
> Upon executing the code, it would add me as one of their friends.  
> This normally requires their approval, but this was all done in the  
> background via Ajax. It required multiple GETs and POSTs in order  
> to obtain all the information necessary, such as random hashes, to  
> approve the friend request.
> It would additionally GET their own profile, grab their list of  
> heroes if they had any in their profile, and append me as a hero.  
> Specifically, it would append “but most of all, samy is my hero.”
> The most important step is then having the code reproduce itself.  
> It would grab the content of the profile they’re viewing, parse out  
> the actual code that was being executed, and then append that to  
> the heroes as well.
> The whole process starts over any time anyone views the newly  
> infected user’s profile.
>
> There were several complexities I had to overcome since MySpace  
> does a great job of stripping out JavaScript, necessary quotes,  
> Ajax functions, etc. The code had to be written in such an  
> obfuscated manner to actually get past their filters, including  
> getting it to propagate past MySpace’s own HTML-rewriting that  
> occurs. A more detailed explanation of the hurdles is available.
>
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>


- Bill