This is what old school security guys like me call XSS (Cross Site
Scripting), but I guess AJAX worm sounds cooler *sigh*
I however do place some blame on MySpace, they were trying to walk a
fine line between allowing "good" HTML and disallowing "bad"
HTML.
This is a game that you are very likely to lose. These types of
attacks use the client to do bad stuff; we all know we can't trust
the client, don't we?
On Oct 20, 2005, at 12:06 AM, Neville Burnell wrote:
> Some guy wrote a worm which used javascript uploaded to his profile
> on MySpace to make AJAX calls in the 'background' whenever another
> MySpace user viewed his profile!
>
> I thought the story was relevant enough to the Rails AJAX community
> to post it here … sorry for the noise.
>
> From http://blog.outer-court.com/archive/2005-10-14-n81.html
>
> Could you describe the approach to the worm you wrote? It was Ajax
> making use of a MySpace security hole, right?
>
> The hole was actually not in MySpace. To MySpace’s defense, they
> did a great job of blocking malicious code, JavaScript, etc. The
> reason I was still able to get JavaScript past their filters is by
> using browsers’ leniencies. With a little finagling, I could get
> JavaScript to execute on some browsers, even though the actual code
> wasn’t valid. It was the browsers that mistakenly executed
> JavaScript when they shouldn’t have.
>
> The basic approach was this:
>
> The code was first placed in my profile. Once anyone viewed my
> profile, they would unknowingly execute the code.
> Upon executing the code, it would add me as one of their friends.
> This normally requires their approval, but this was all done in the
> background via Ajax. It required multiple GETs and POSTs in order
> to obtain all the information necessary, such as random hashes, to
> approve the friend request.
> It would additionally GET their own profile, grab their list of
> heroes if they had any in their profile, and append me as a hero.
> Specifically, it would append “but most of all, samy is my hero.”
> The most important step is then having the code reproduce itself.
> It would grab the content of the profile they’re viewing, parse out
> the actual code that was being executed, and then append that to
> the heroes as well.
> The whole process starts over any time anyone views the newly
> infected user’s profile.
>
> There were several complexities I had to overcome since MySpace
> does a great job of stripping out JavaScript, necessary quotes,
> Ajax functions, etc. The code had to be written in such an
> obfuscated manner to actually get past their filters, including
> getting it to propagate past MySpace’s own HTML-rewriting that
> occurs. A more detailed explanation of the hurdles is available.
>
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
- Bill