Paid Advertising
web application security lab

Nduja Cross Domain/Webmail XSS Worm

Rosario Valotta sent me an email today describing a webmail XSS worm he has written - the first I am aware of that is cross domain. There has been a few webmail worms, like Yamanner but nothing quite like this. Rosario picked four Italian webmail services,,,, and and built a worm that works across all four domains.

His writeup discusses how he did it. He also included a video as a demonstration of the worm. It walks through how the worm works using a lot of popups showing each step. Of course, a really virulent worm wouldn’t have as many visual queues, but this is a really great visual demonstration. It’s also timely given Billy Hoffman’s talk on web worms next month.

4 Responses to “Nduja Cross Domain/Webmail XSS Worm”

  1. Giorgio Maone Says:

    For those who don’t know, “Nduja” is a typical food in Calabria, Italy. About 66% pork and 33% red chili pepper, it’s a kind of a sausage to be spread as a cream - extremely hot stuff!

    Nduja eaters don’t fear anything.

    Kudos Rosario, I love Nduja :)

  2. RSnake Says:

    What’s the other 1%? ;) Do I even want to know?

  3. zoiz Says:

    Lols, nice article. I’ve seen the source. It’s really simple code, but have a great idea behind it. Thanks

  4. MustLive Says:

    Interesting article.

    Guys, it is nice example of webmail XSS worm and it is first multi-domain XSS worm in the Web. And also with nice video demonstration :-).

    Well done, Rosario.