Paid Advertising
web application security lab XSS Worm

Luny has been on a bit of a rampage lately writing XSS worms against MMORPGs. This time he hit which is an online role playing game with over 100k users and over 50-100 users logged in at any one time. Luny released the code to me here if anyone is interested.

The age of the XSS worm is definitely upon us… Very soon the anti-virus/spyware crowd will have to start looking into this for ways to block it because consumers will demand it. There are lots of variants and since JavaScript is a full fledge language it is very easy to encrypt the data which would require hooks into the DOM. Has anyone heard of anyone actually attempting to stop XSS through browser plugins? I’ve heard of a few projects that attempt to do it, but nothing at the browser level, and nothing that I think had any legs. I’d love to talk to anyone doing this sort of research if they’re out there.

11 Responses to “ XSS Worm”

  1. Delixe Says:

    I’ve thought of that idea, perhaps even a way to commercialize it. I figured there should be something out there.

    I am interested in developing something like that.

    Feel free to contact me: digitalwarfare[at]gmail[dot] com

  2. WhiteAcid Says:

    Have a look at Unfortunately it’s in very a early development phase at the moment.

    @Luny, are you recording any statistics about the worm?

    Oh, the link the the code is wrong. That link just forwards you back to the main page.

  3. RSnake Says:

    Thanks, WhiteAcid, I fixed the link. But that is more of a string filtering. I’m really talking more about active dectection of the DOM. Hmmm…

  4. Torstein Says:

    What was the admins response?

  5. Delixe Says:

    By the way, what was the reason for taking this down yesterday? I saw it and then it was gone.

  6. yawnmoth Says:

    Given that there’s no general consensus on how to best to disclose XSS vulnerabilities, actively exploiting them as Luny is doing seems to me to be a little reckless.

    I will grant that their payload could be more malicious then it is, but that doesn’t mean that what Luny is doing isn’t malicious, itself. It’s kinda like saying, as your defense to an RIAA lawsuite, “but I didn’t pirate as much as I could!” (and for some reason, I don’t think such a defense would hold much weight).

  7. RSnake Says:

    @Delixe: As I wrote to WhiteAcid, “I just felt like messing with everyone. Can you feel the carpet being pulled out from underneath your feet? Hahah… no, I think I accidentally clicked private when I submitted it. Fat finger! Thanks for pointing it out. “

  8. Luny Says:

    Let me first say that the staff were pretty fast on noticing this and dealing with it. The free hosting company the worm was located on was terminated the very next day when I woke up. However, the xss hole still remained tho when I retested it and probably still does now. (I havent checked today tho).

    I use to play udom myself and it was a very good game up until one point. This wasn’t however about any “revenge” on the game. I infact notified one of the programmers (Venomous) for the game many months ago and mentioned that the forms could be spoofed and a way around their filter evasion. That doesn’t make what i did right tho and I can partly agree why yawnmoth may think it was of malicious intent.

    I didn’t keep track of the total # affected very closely. This worm didn’t affect many, but like RSnake posted, it hit about 100 or so ppl which was about all that were on at one time. Udom may have about 100k+ created accounts but many have been jailed or deleted over time, so that factors into play too. I may have been wrong about total player uniques. After the first large group online was infected I deicided to go to bed and when I woke up, I noticed the worm was pulled.

  9. Jungsonn Says:

    Actually I have a few ideas scattered in my office, no full plans yet. But, the idea for an anti XSS extension is in the pipeline. I have some ideas on howto detect XSS like:

    1.) appearance of document.cookie (reflected xss)
    2.) analysing loops: if->do->while->switch
    3.) iterate over ->document.* (location,cookie,etc)
    4.) iterate over the DOM to find forms which contain a different location for submission than the server like-> if host != form.location
    5.) iterate over *.js files -> if it’s included remotely.


    This all loads before the page is viewable in your browser.

    And on all these items, I want to show an popup where FireFox asks you what to do. Run the code, or kill it. An extra asset will be that the user can flag sites so it won’t popup anymore.

    But these are ideas, so maybe later this year I surely can come up with a test version. So too early to speak about it actually.

    If anyone wants to contribute, be my guest.

  10. digi7al64 Says:

    I really liked the se qualities of this particular worm.

    Though, as we see these types of attacks increase i hope to see self replicating (and contained) worms using some of the more advanced anti-virus techniques such as Polymorphism and Encryption to defeats scanners and blanket sql replacements when they are eventually detected within a system.

    rsnake - is their any chance of putting together some type of code library for known xss worms?

  11. maluc Says:

    jungsonn: well i don’t have much experience coding extensions (read as: none) .. but i have looked over the source of other’s extensions some, and you’ll have to be quite careful how you implement that extension jungsonn. Cuz generally they seem to be javascript based and those can be easy to disable with javascript if you know what you’re looking for. So you’d might need some well designed polymorphic code yourself.

    Of course, maybe not.. will have to see once a working beta version is up.

    digital: i’d very much love to see those advanced worms in javascript too. I have a special interest in headless JS worms using some sort of polymorphic packer. I think it’s quite doable to evade signatures - don’t really have to evade heuristics now since there is no anti-virus tech for webapp worms. And a code repository would be a great idea, including from a history standpoint since the first ones (circa samy) are still recent enough to find.

    yawnmouth & luny: as far as i know, (in the USA) there is no legal precedent of recourse for online items or non-financial game data. Also, i’m not too sure whether permanent XSS qualifies for the Computer Misuse Act since you never gain root access to the server. Even still, i agree it’s a bad idea to write any worm that you benefit tangibly from (an e-penis is not tangible.. if only mine were +.+) .. i’d go so far as to MD5hash account credentials beforehand so you can claim you never gained potential access, but still use it for statistics. Still, good work luny.. and i encourage the open-sourced research into more advanced worm techniques

    They’re still way behind the sophistication as overflow based worms. Long winded as always ~.~