web application security lab

Archive for July, 2007

Nduja Cross Domain/Webmail XSS Worm

Monday, July 9th, 2007

Rosario Valotta sent me an email today describing a webmail XSS worm he has written - the first I am aware of that is cross domain. There have been a few webmail worms, like Yamanner, but nothing quite like this. Rosario picked four Italian webmail services, Libero.it, Tiscali.it, Lycos.it, and Excite.com, and built a worm that works across all four domains.

His writeup discusses how he did it. He also included a video as a demonstration of the worm. It walks through how the worm works using a lot of popups showing each step. Of course, a really virulent worm wouldn’t have as many visual cues, but this is a really great visual demonstration. It’s also timely given Billy Hoffman’s talk on web worms next month.

DNS Pinning Madness

Monday, July 9th, 2007

If you haven’t noticed, DNS pinning is all the rage lately. Sure, it’s been around forever, but once Martin Johns found the original problem with it, it became something interesting to talk about (specifically in the context of Intranets). Now, a year later, suddenly people see it as a big hole (and it is). Weird timing though. Anyway, firstly, if you haven’t checked out Christ1an’s blog entry on how DNS pinning works you probably should. This is taken partly from the XSS Exploits book and partially from talking with Christ1an.

More interestingly, David Ross from Microsoft posted two interesting comments on DNS pinning. The first is that IE does not actually implement DNS pinning. Scary. The second is that XMLHTTPRequest did stop anti-anti-anti DNS pinning, which you should already know if you read my blog religiously. The sub-text here (not from David, but from my own thoughts) is that there may be more holes there, rather than needing to shut down the port. Very interesting.

IE6.0 Protocol Guessing

Monday, July 2nd, 2007

SirDarckCat sent an interesting email this morning about IE6.0. Apparently it attempts to guess what you mean in certain circumstances allowing for rigid anti-XSS filters to fail when looking for precise terms like javascript: and vbscript: even after attempting to de-obfuscate. Rather than attempt to explain, take a look at this snippet from his email:

There are some characteristics in internet explorer that could aid
attackers when doing XSS attacks.

In IExplorer:

??script:

and

???script:

are translated to vbscript:
so, for example:

MYscript:msgbox("hi")

or

YOUscript:msgbox("hi")

will be treated as:

vbscript:msgbox("hi")

and anything with:

????script:

will be treated as:

javascript:

so..

somescript:alert("hi");

will be treated as:

javascript:alert("hi");

I have not been able to test this myself as I don’t have 6.0 handy. However, if it works, I know a lot of anti-XSS filters that would fail on this one. It’s a bad one, but anyone worried about it should simply upgrade to 7.0 which doesn’t appear to have this flaw in it. Very nice find by SirDarckCat.
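The filter-side lesson from SirDarckCat’s find is that a denylist of exact scheme names cannot keep up with a browser that guesses. The added example below (mine, not from the post or from SirDarckCat) puts the weak denylist check beside an allowlist check; the set of permitted schemes and the control-character normalisation are assumptions for the example, not something the post specifies.

```python
import re

# Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# Assumed policy for this example: schemes an href field may carry.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _normalise(url: str) -> str:
    """Drop ASCII control characters, then leading whitespace (assumed normalisation)."""
    cleaned = "".join(ch for ch in url if ord(ch) > 0x1F and ord(ch) != 0x7F)
    return cleaned.lstrip()


def extract_scheme(url: str):
    """Return the lower-cased scheme, or None for a scheme-less (relative) URL."""
    m = _SCHEME_RE.match(_normalise(url))
    return m.group(1).lower() if m else None


def denylist_filter_allows(url: str) -> bool:
    """The kind of filter the post describes: block only the exact known-bad schemes.
    'somescript:' or 'MYscript:' never match, so IE6's guessing slips straight through."""
    return extract_scheme(url) not in {"javascript", "vbscript"}


def allowlist_filter_allows(url: str) -> bool:
    """Hardened form: accept only allowlisted schemes (or relative URLs).
    What IE6 would guess for 'somescript:' no longer matters; it is not on the list."""
    scheme = extract_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample hrefs, including the MYscript:/somescript: forms from the post.
    samples = [
        "http://example.com/",
        "/relative/path?x=a:b",
        "javascript:alert(1)",
        'MYscript:msgbox("hi")',
        'somescript:alert("hi")',
        "  \tjavascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:32} denylist={denylist_filter_allows(s)!s:5} "
              f"allowlist={allowlist_filter_allows(s)}")
```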

Month of Search Engine Bugs Comes To A Close

Sunday, July 1st, 2007

Mustlive wrote up a good overview on the end of the Month of Search Engine Bugs. Over 100 bugs were found, and fewer than half were fixed by the companies in question. That’s not exactly a great track record, but in some cases it’s only been a few days. One thing I thought was interesting was that only two companies wrote to thank Mustlive for finding the bugs. One could argue that they don’t see this as a service, and more of an annoyance than anything, but especially in the case of the community sites, it’s better if whitehats find it than people who use it maliciously.

Now about the sites not fixing the holes. One thing I’d like to make clear from lots of personal experience is that it takes time to fix holes. No matter how big or small it cannot be done instantly. Even with the most agile sites, you still have to a) know about the hole b) make the change and c) test the change. In large sites it can take weeks to go through that process, and sometimes even longer. One of the best examples of that is publicly traded companies that do the bulk of their business through their websites. Sites like this often have quiet periods and aren’t allowed to make changes to their platform because it risks the stability of the sites during the busy season. So 40% of sites fixing these problems might sound appalling but sometimes there is a lot more than meets the eye. However, perhaps it’s time to change the status quo.