web application security lab

Using XSS to DoS China

This is probably going to be one of the weirder posts I’m going to do, but it’s been on my brain for the last year or so, so I should probably write about it. China has a countrywide firewall that attempts to protect its citizens from the infidels. I’ve done a number of tests on this and found that there are many possibilities. Unfortunately, the result of testing is that I get banned for about five minutes from whatever site within China I am attempting to contact. The firewall is so strict that I can’t even type the words here, or anyone viewing this from China will be unable to view the site.

Of course there are ways around it (rot13 comes to mind). To see the Chinese banned words click here (WARNING, if you are in China I cannot take responsibility for what happens to you upon clicking this). It took me a few weeks to piece together these possible bad words. I gave up on testing since it takes so damned long to run through the variants, and I don’t promise that these will work, but you can do your own tests if this is actually important to you (let me know if what I have on there is wrong or inaccurate). Read the instructions on the link to further understand how I tested if you just want to see it for yourself in action.

Now, how does this relate to XSS? Well, let’s say you know that you have some competitor within China that you don’t want visiting certain sites. If you can get them to visit your site and view a piece of JavaScript that then queries the site that you don’t want them to visit, for 5 minutes they will be in the penalty box and will be unable to view the site in question. This could be a huge problem if you inject the bad words into the page they are viewing itself, as they will be perma-banned from looking at the page unless they can find some other creative way around it, or until the word is removed. Pretty nasty, huh?

Don’t bother forwarding Chinese people to my page; all it will do is block them from my site, not from any other site. I did a little bit of work on TCP/IP spoofing to see if I could spoof a few packets to the Chinese firewall and get other domains blocked, but it didn’t work (I’m assuming their stateful packet inspection is smart enough to understand what is a real connection). My tests were in no way exhaustive, though.
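As an added example (not code from the post or its comments), here is a screen a site operator could run over user-submitted text before publishing it, so that an injected keyword does not get the page itself blocked for readers behind the filter. The keyword list is a placeholder holding only the term quoted later in the thread, since the post deliberately withholds the real list; the sample inputs are constructed.

```python
import codecs
import html
from urllib.parse import unquote

# Placeholder list: the post does not publish the real keywords. The single
# term that appears elsewhere in this thread stands in for the whole list.
BLOCKED_TERMS = ["falun"]


def normalize(text: str, rounds: int = 3) -> str:
    """Undo the encodings the thread says the filter already sees through:
    percent-encoding (including double-encoding), HTML entities and case."""
    out = text
    for _ in range(rounds):
        decoded = html.unescape(unquote(out))
        if decoded == out:
            break
        out = decoded
    return out.lower()


def find_blocked_terms(text: str) -> list:
    """Return the listed terms present in the text after normalization."""
    norm = normalize(text)
    return [term for term in BLOCKED_TERMS if term in norm]


def rot13_would_evade(text: str) -> bool:
    """True when a listed term is absent as written but appears after rot13,
    i.e. the trivial transformation the post says the filter does not catch.
    A site-side screen that mirrors the filter need not flag these."""
    if find_blocked_terms(text):
        return False
    return bool(find_blocked_terms(codecs.decode(normalize(text), "rot13")))


# Constructed sample submissions: a plain query string, a percent-encoded one,
# a double-encoded one, an HTML-entity-encoded one and a rot13 one.
SAMPLES = [
    "/?falun",
    "/?%66%61%6C%75%6E",
    "/?%2566alun",
    "&#102;alun",
    "snyha",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, find_blocked_terms(sample), rot13_would_evade(sample))
```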

25 Responses to “Using XSS to DoS China”

  1. v-wall Says:

    Well, I guess a proxy that was based out of China would do the trick straight away, really, whether it was an HTTP tunnel, using Tor or SSH forwarding. It would all really allow them to view pages with the “bad words” in them.

  2. RSnake Says:

    Very true, assuming the target knows how to do that… Also it is unclear if tor will be allowed long term through the firewalls. They have already started blocking things like Skype in certain circumstances.

    But yes, to answer your question, there are a number of ways around it. Like I said, something as simple as rot13 can easily get around this. Even simple encoding gets around it. Their technology isn’t that complex.

  3. Valehru Says:

    Well, Tor is another solution; however, this famous onion network has pretty much been blocked for download within the PRC.

    No official figures have been released on how many people are employed at the great firewall; however, with recent PR campaigns by the government, the Chinese public are also starting to patrol the net for restricted content.

    Estimates on this number reach the 1 million+ mark; however, whether there is any truth to that statement is anyone’s guess. Amongst that number of people there must be at least a few intelligent people who have figured out what you’re trying to do there. I think the government’s goal is to stop the majority of non-tech-savvy Chinese from accessing this content rather than the Chinese geeks who have been accessing it for years…

  4. RSnake Says:

    My understanding from the folks in the know is that the words that have been deemed “bad” are not like the seven forbidden FCC words, these are words that the Chinese government is concerned about because of revolution. The first word on the list is a form of Tai-Chi (a martial art) that mostly old guys do.

    The problem is that it has such a following that it could literally overthrow the government if it ever gained roots beyond where it has. The grass roots movement in China is a very scary thing to governments that have spent their entire history oppressing their population to control them. Makes you think. Projects like Tor are great, but they need to evolve over time to move past the content filtering products out there. The recent post at http://ha.ckers.org/blog/20060614/ssh-proxy/ goes into this in some detail.

    Over time content filters will get better, but as they stand today, even the best content filters can’t stop pig-latin, let alone something complex. That will change, but as it changes, the evasion techniques will also evolve. Tunneling over HTTP seems the best idea. Using steganographic techniques will probably gain interest with time. There was a talk at DefCon a few years back that went into hiding text in translation services. While interesting, publishing the paper to the world sort of defeats the purpose. It needs to change on such a regular basis that there is no way they could keep the bad traffic from flowing without blocking the good traffic. It’s a tricky problem.

  5. Luny Says:

    I wonder what you guys’ thoughts are on this; it’s rarely been discussed, it seems, but one way to achieve an XSS DDoS would possibly be through a banner exchange program. Just think how many different members would be displaying code you’ve injected via the exchange to accomplish a DDoS, or anything else for that matter. Any comments on this, or how successful you think it would be?

  6. v-wall Says:

    Now, if an XSS attack could be made against the Google that has been made for China (censored version), then this would be a major launch platform in the case of DDoS. Meh, I’m not gonna carry on, not thinking straight, only just got up.

  7. RSnake Says:

    Luny, yah, I’ve thought of that before. In fact, I am aware of a redirect hole in DoubleClick that has been there for quite some time. So the possibilities are there. I think one of the scariest parts of banner advertising is the fact that I need to intentionally inject JavaScript from anywhere and everywhere.

    If for some reason Overture or AdSense ever got hacked, they could run any JavaScript they wanted on virtually every machine in the world. Pretty nasty. And Google isn’t exactly well known for its prevention against such attacks (having had two XSS attacks, one CSRF attack, one problem with Google Desktop, and countless redirect attacks). I’m not going to go into my Google is evil rant, but regardless of their intentions their track record with web application security isn’t fantastic.

  8. ha.ckers.org security lab - Archive » China hates me Says:

    […] I got an interesting email from id immediately after I posted about how to DoS Chinese people using XSS: So…right after you posted that article about the Chinese firewall, guess what happens to all our return packets into China… […]

  9. ha.ckers.org security lab - Archive » PHP security - developing a new language Says:

    […] Would that make it secure? What would that solve exactly? Well now that I’ve got all that stuff taken care of, I’m still not sure that I’m secure. What about basic content filters? Those are different on every site. What about insuring that you aren’t allowing illicit content to be uploaded (okay, you can argue a content filter could detect illegal porn, but I wouldn’t buy it). What about those Chinese bad words we discussed? Yes, we’d have to go out of our way to block those so our Chinese brothers could visit our site. My point being, no matter what you do, you still end up having to customize your application to deal with the other security risks that your organization faces (if you care). […]

  10. kefka Says:

    Quick question, can the Chinese bypass banned websites by simply using encoded urls in their browser(s)?

  11. RSnake Says:

    If you mean if you URL encode the bad word inside the query string will it go through? No, definitely not. That is the one thing they definitely have covered. I don’t have a method to test if returning information in URL encoded format would be detected or not (since I don’t have a server in China to test with). If someone wants to donate some web space on a Chinese server, it would be easy to test though.

  12. Zizzy Says:

    What? I’m Chinese.

    What the hell are you guys talking about? Can keywords even be used like that?

  13. Zizzy Says:

    Damn your grandma’s whistle.

  14. 翔翔 Says:

    Huh, I can just view this page and the page with bad words fine. And I’m in China.

  15. RSnake Says:

    翔翔, are you connected through some sort of proxy (Tor or otherwise)? Try going to www.baidu.com/?f a l u n (remove the spaces at the end) and see what happens. If you are behind the firewall, nothing should happen, but if you are outside of it you’ll see it’s blocked for 5 minutes.

  16. Cath Says:

    I’m in China and can’t get Google.com or BBC News, but I can see your pages just fine, no errors, no 5 minute ban, nowt. I was just interested as I’m here. Got to your page through Google China btw.

  17. RSnake Says:

    Hi, Cath, did you click on the link in the post? That would cause it, not just surfing around the site.

  18. Cath Says:

    Yes I did.

  19. RSnake Says:

    Weird… because when I go to http://www.net.cn/ and add on one of the bad words “f-a-l-u-n” (remove the -’s) as a query string it blocks me from connecting a second time. Can you get there?

  20. airpurifiers Says:

    Even Google Apps has this problem with the China blockout.

  21. cleaner Says:

    Yes, many US hosting services are sometimes blocked too. Hope they can resolve this soon.

  22. Zhao Says:

    Hey, if you guys could somehow tell me an easy way (possibly without downloading any progs) to access Wikipedia from China…. that’d be great. The internet cafes don’t allow you to install anything on their comp, but random downloads are OK.

    I am experiencing the 5 min ban from Google though…. yeah, I searched for falun gong…. Baidu does give you results though, even in Chinese.

  23. RSnake Says:

    Zhao - you could be experiencing that issue in reverse from anyone outside of China trying to connect into it. If you are already inside of China, accessing Baidu (who is also inside China) would never pass over the country’s firewalls. But Google.com would.

    The easiest way to get around the firewall is to translate it using something like a rot13. Even mild forms of encryption easily bypass the page. I’m not aware of any services that do that since I never need them with how I use the Internet, but I’m sure there are some out there that can do it in JavaScript. I.e.: CGI download, parse into rot13, then do a JavaScript translation to re-order the text.

  24. Jeff Says:

    China’s firewall is lame; use Freedur.com to bypass it. You can bypass China’s Great Firewall and access youtube.com and all other sites which are blocked.

  25. dontcha Says:

    Yup, I’m also using Freedur to access blocked sites here in China. It’s frustrating to go on a search for proxy sites all the time so I’m glad I made the decision to move onto something more ‘premium’.