XSS Damages, a High Risk Web Application Vulnerability
Also known as Cross-Site Scripting, XSS refers to a security vulnerability in web applications. The original CSS acronym was replaced by XSS in order to avoid confusion with Cascading Style Sheets.
What is an XSS attack?
You are probably wondering how powerful XSS is. I would say that it’s the kind of security breach that brought down MySpace in 2005, the most popular online social network at the time, and that also shut down Twitter in 2014. And I could go on and on with other examples involving well-known companies.
Now you’re probably wondering how this is possible. How can big companies still be vulnerable to that? I would tell you that a few lines of code are sufficient.
In a “safe web environment”, this code should be automatically converted into harmless plain text. Oops, it seems that something was left out by TweetDeck: the code was not neutralised, so the script tag it contains tells the browser to run it.
Let’s dive into this script tag and examine what’s in there:
1- An “XSS” class is created and the code invokes the jQuery library’s selector function using a dollar sign, meaning: find an element with the class name “XSS” in this page.
2- Once the “XSS” class is found, the parents() invocation returns an ordered list of each container of this XSS class (its ancestors).
Now the code wants the specific element in this list that has index 1, in other words the second element. The second element in this list is the entire box containing the user input for writing a tweet and the links below it.
3- Now the code asks to find a link in this box container and click it, but not just any link: the second one. Guess which one it is? Retweet!
Retweet is clicked, but it’s still not done, so stay tuned!
Assuming that a pop-up message box appears to ask if we really want to retweet, what’s next? The dollar sign again, to find the button whose action is to retweet, and CLICK.
Now it’s done, and this last step caused a chain effect for all users logged into TweetDeck, who got this pop-up:
And this is what we can call a self-retweeting tweet.
Fortunately, in this case, even if this automatic retweet was very annoying, the attack was not about causing harm. It is a good example of how large applications can also be vulnerable to this type of attack.
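The “converted into harmless plain text” step mentioned above is HTML escaping of the tweet body before it is concatenated into the page’s markup. The block below is an added example written for this article, not code from the original post or from TweetDeck; it shows the vulnerable rendering next to the escaped one. The tweet object, its field names and the sample text are constructed for the example.

```javascript
// Added example (not from the original post): rendering an untrusted tweet
// body into page markup, first the vulnerable way, then with HTML escaping.
// The tweet shape and the sample text below are constructed for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace the five characters that can change meaning inside HTML text or a
// quoted attribute value; everything else is passed through unchanged.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the tweet fields are concatenated straight into the
// markup, so a <script> tag typed into a tweet becomes a real script tag.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="author">${tweet.author}</span>` +
    `<p class="body">${tweet.text}</p></div>`;
}

// Hardened rendering: each untrusted field is escaped for the HTML text context
// before concatenation, so the same tag is displayed as literal text.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="author">${escapeHtml(tweet.author)}</span>` +
    `<p class="body">${escapeHtml(tweet.text)}</p></div>`;
}

// Crude check used only to compare the two renderings: does the resulting
// markup still contain a script tag supplied by the tweet author?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a tweet whose body carries a script tag with an inert body.
const sampleTweet = {
  author: 'someone',
  text: 'check this out <script>run()</script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTweetUnsafe(sampleTweet)); // the tag survives intact
  console.log(renderTweetSafe(sampleTweet));   // the tag is shown as text
}
```

Escaping is context-specific: the function above is correct for HTML text and quoted attribute values, but untrusted data placed inside a `<script>` block, a URL or a CSS rule needs the encoder for that context. Most template engines escape by default; the TweetDeck bug is what happens when one code path bypasses that default.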
How to gain one million friends in less than 24 hours?
Speaking of large applications, another good illustration is the one that allowed Samy Kamkar to gain one million friends on MySpace in less than 24 hours. This sounds crazy, but again, thanks to a few lines of code, Samy Kamkar created a worm virus on MySpace in 2005.
By examining and playing with the HTML code of MySpace, the hacker quickly realised that he was able to do anything he wanted on the web page. First, he worked on a script tag that would force every person visiting his MySpace profile to send him a friend request. It seems that this wasn’t enough for him, because he realised that it would reach only a few people. He re-programmed the script so that each person who viewed his profile would add him as a friend, but also, and most importantly, the code would replicate itself onto that person’s profile. What does this mean?
“So if 5 people viewed my profile, that’s 5 new friends. If 5 people viewed each of their profiles, that’s 25 more new friends,” Samy explained.
From there, things got out of control: the virus spread faster and faster, exponentially, and within 24 hours he had reached a million friend requests. MySpace took the site offline to take the time to stop the worm, and this has become one of the best moments in hacking history.
In reality, Samy made a great impact on the web security industry, because at that time companies overlooked this web-security issue and were far more vulnerable to this kind of attack than they are at present. This self-propagating virus attracted the interest and attention of many security professionals, and an “AntiSamy” project was even created by The Open Web Application Security Project (OWASP).
If you want to know more about Samy Kamkar’s story, check out his full explanation in this video.
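MySpace’s problem was different from TweetDeck’s: profile pages were meant to accept some HTML from users, so escaping everything was not an option. The AntiSamy approach is an allowlist: keep only known-safe tags and attributes and render everything else as text. The block below is an added, simplified sketch of that idea written for this article; it is not the OWASP AntiSamy library’s code. The allowed tag set, the attribute rules and the sample profile snippets are assumptions made for the example.

```javascript
// Added example (not the OWASP AntiSamy code): a small allowlist sanitizer for
// user-supplied profile HTML. Allowed tags are rebuilt from their parsed parts;
// every other tag, attribute and stray character is rendered as escaped text.
// The allowlist and the sample inputs below are choices made for this example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Policy: a handful of formatting tags, and only href on links.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: ['href'] };

// Re-emit only allowlisted attributes, and only an href that is an http(s) URL,
// so javascript: and data: URLs and every event handler are dropped.
function rebuildAttributes(tagName, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tagName] || [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let result = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : m[5]);
    if (!allowed.includes(name)) continue;
    if (name === 'href' && !/^https?:\/\//i.test(value)) continue;
    result += ` ${name}="${escapeHtml(value)}"`;
  }
  return result;
}

// Walk the input tag by tag. Text between tags is escaped; allowed tags are
// rebuilt from their name and filtered attributes; anything else becomes text.
function sanitizeProfileHtml(untrusted) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(untrusted)) !== null) {
    out += escapeHtml(untrusted.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]); // unknown tag: shown as text, never executed
      continue;
    }
    out += closing ? `</${name}>` : `<${name}${rebuildAttributes(name, m[3])}>`;
  }
  out += escapeHtml(untrusted.slice(last));
  return out;
}

// Constructed sample profile snippets for the example.
const SAMPLE_PROFILES = [
  '<b>hi</b> <script>run()</script>',
  '<a href="javascript:run()" onclick="run()">link</a>',
  '<a href="https://example.com/?q=a&b">site</a>',
  '<div style="x">t</div>',
  'a < b',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of SAMPLE_PROFILES) console.log(sanitizeProfileHtml(p));
}
```

The sanitizer never copies the original tag bytes through: an allowed tag is rebuilt from its parsed name and filtered attributes, which is what makes the allowlist enforceable. Hand-written HTML parsing is exactly where sanitizers get bypassed, so a production deployment should rely on a maintained sanitizer (OWASP AntiSamy, or DOMPurify in the browser) rather than on a regex sketch like this one.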