web application security lab

AJAX Worm Demo Code

Today Anurag Agarwal posted a link to the WASC list that demonstrates a conceptual manual AJAX worm. Actually that’s sort of a misnomer, since this really is just using XMLHTTPRequest and not XML, but you get the idea. The link is benign, but what it does show is a very slowed-down and non-malicious version of an XMLHTTPRequest worm that propagates via XMLHTTPRequest only (only on Anurag’s domain and only for the files he links to).

This is an interesting take on what we’ve been talking about. Of course it’s extremely slowed down because it’s not meant to overtake anything, and it’s all manual (you can see that the URL field does not change). This is kind of interesting when you can’t XSS the page you’re interested in but you are able to XSS at least one page that a user will end up clicking on.

The conceptual Warhol worms that I’ve worked on really have very few user requirements save that the user views a page that’s under the control of the worm and has the appropriate technologies installed. But breaking it down into its core components is definitely one step to understanding the most effective virulence methodologies. XMLHTTPRequest is definitely a technology worth thinking about though, especially combined with browser bugs like Internet Explorer’s mhtml: issue et al. Any way to move from one system to another makes the power of such a worm far more potent.

2 Responses to “AJAX Worm Demo Code”

  1. maluc Says:

    this can be quite useful.. anytime you find an XSS on a website but you need it to persist as they view the rest of the pages on the site. if you want to, for example, run a history check of 25,000 websites at a rate of 200/sec (don’t want to lag them so bad they close it). That’ll take over two minutes to complete. So would (i’m guesstimating) pulling and parsing 100 websites using that MHTML bug.

    So its biggest use i think is in giving exploits a time extension.

  2. RSnake Says:

    Note this has now moved:

    http://www.attacklabs.com/labs/ajax_worm/home.htm