web application security lab

Diminutive XSS Worm Contest Drama and Status Update

Well, so far this week has probably been one of the most interesting I’ve had in running this site in a long time, not only from a technical perspective, but because the ethical debate on whether I am sheer evil or contributing to the greater good reared its ugly head once again. This was in regard to the diminutive XSS worm contest. One of my favorites was where I was being compared to arming people with nuclear weapons. Clearly, and admittedly, most of these people have no background in the issue and have never read this site or the rest of sla.ckers, as there are lots of samples of existing worm code in lots of places on the Internet now. Just because they don’t know about it doesn’t mean it’s not there.

The existing samples of code that we have are always plagued by three things, though, which make them difficult to work with and which I don’t care about. Each contains obfuscation for filter evasion, which we’ve already researched to death; payloads, which we have also researched heavily; and lastly site-specific code, which really is uninteresting to me unless I were trying to help that company in particular solve an existing problem. So the goal is to remove those things and focus on the actual XSS propagation, for which there has been little research done to date.

I’ve always said, you don’t understand a problem until you see it and play with it. This is why having experience is always more valuable than schooling in a topic. It’s like trying to get in a fist fight with a professional boxer having never sparred before and expecting to win. If working to help the understanding of worm propagation makes me evil, so be it. I’d rather be evil and be able to help solve problems than be good and be useless at solving the problem (as are most of the nay-sayers, I’ve found). That’s why people like Giorgio Maone (the author of the NoScript plugin) chipped in to help the contest. People like him are solving the problem in their own ways as well. It’s in everyone’s best interest to understand all the vectors. Will this empower bad guys? I’d be naive to say there’s no chance of that. However, the goal here is to understand why the propagation methods were chosen so we can build defenses against them. We actually had tons of interesting findings that will help us narrow down the most dangerous strains, and start making suggestions to browser companies and security companies that are developing security technologies so that they can build tools to prevent this.

For people who liken me to an anti-virus company writing viruses, I’d like to point out that I don’t get paid to consult with browser companies on browser security (at least I haven’t in the last several years that I’ve been doing this). In the spirit of full disclosure, I have gotten paid to help out with other things, but not browser security. That’s right, I give advice in the browser security arena for free (for which I have actually been chastised by other executives who feel like I’m wasting my time since I’m not making any money on it). I do it because I’m actually interested in solving the problem. To date I also have never been paid by any company that has ever been hit by an XSS worm. I have, however, on several occasions given them intel and advice, pro bono. Also, unlike an anti-virus company, I don’t have a security product in development. So, yes, tin-foil-hat wearers can rest easy - this actually is academic. I know, crazy talk! That’s why this is a web app security lab. People visit this site (or should, at least) with the knowledge that we are pushing the boundaries of what’s known about web application security. We aren’t talking about yesterday’s problems. Think the bad guys are going to stop their own research if we stop talking about it? In this profit-driven malicious ecosystem, there’s no chance of that anymore. At least in an open format we can come up with solutions, and see the results of each other’s work.

Another interesting point of view, from Kurt Wismer, was that by creating diminutive code I will always get an output of obfuscated code (which I have said a number of times I was trying to avoid) because of the coding tricks necessary to make it that small. He’s absolutely right, of course, but that’s a red herring. See, there are two types of obfuscation, which may be beyond the grasp of people who don’t actually work in this field. The first type is obfuscation to create short/lean code. The second is obfuscation for filter evasion (MD5ing something, hex encoding something, making something polymorphic, not using the word “eval” but “ev”+”al” to beat some regex or string matching, etc…). I’m sorry I didn’t clarify - that’s probably non-obvious for people who don’t understand webappsec. So unfortunately, for the most part that’s actually not an interesting comment, although there are some tidbits in some of the variants of code that actually do cause some problems that I will need to disregard for the sake of research, which I’ll talk about after the contest is over.
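As an added illustration of the second kind of obfuscation (example code written for this editorial pass, not code from the post or from any contest entry), the snippet below shows why a keyword filter that looks for `eval` misses the `"ev"+"al"` and hex-escape forms named above, and how canonicalizing the input before matching closes that particular gap. The sample strings are constructed, and the `canonicalize` helper with its regexes is an assumption of the example; a check like this is a detection aid that belongs alongside context-aware output encoding, not in place of it.

```python
import re

# Constructed sample strings (not taken from the page or any contest entry).
SAMPLES = {
    "plain":  'eval(x)',
    "split":  '"ev"+"al"',             # string concatenation to dodge a keyword match
    "hex":    '\\x65\\x76\\x61\\x6c',  # "eval" spelled as JavaScript hex escapes
    "benign": 'var evaluation = 1;',   # must not be flagged by either check
}

# A naive keyword filter of the kind the post says is easy to beat.
KEYWORD = re.compile(r"\beval\b", re.IGNORECASE)


def naive_match(s: str) -> bool:
    """Plain regex match on the raw input, no normalization."""
    return bool(KEYWORD.search(s))


def canonicalize(s: str) -> str:
    """Undo the two evasion transforms named in the post before matching."""
    # 1. Decode \xHH and \uHHHH escapes into the characters they spell.
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # 2. Fold adjacent string literals: "ev"+"al" (any quote style) -> "eval".
    s = re.sub(r"""["']\s*\+\s*["']""", "", s)
    return s


def canonical_match(s: str) -> bool:
    """Same keyword check, but run on the canonicalized form."""
    return naive_match(canonicalize(s))


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (naive_result, canonical_result)} so the gap is visible."""
    return {k: (naive_match(v), canonical_match(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:7s} naive={naive!s:5s} canonical={canon}")
```

The `benign` sample is there to show that word boundaries still matter after canonicalization: folding and decoding widen what the filter sees, they do not loosen the match itself.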

Anyway, over the last few days I’ve been called a moron, an idiot and probably a half dozen other things. But through it all, I’m 100% confident that this will lead to previously unpublished and poorly understood results about worm propagation (I’m confident because it’s already yielded various interesting problems that we have had to clarify using rules that I didn’t even think would come up). And I’m also confident that this will lead to ways in which we can protect ourselves from them - not today, certainly, but over time as we as a community start building tools to prevent these issues based, in part, on the results of this contest. I wouldn’t guess that everyone reading this will “get it”, as most people don’t really understand how the security world works. I would, however, hope that everyone sits tight and holds their dramatic postings for the results, or at least asks me what I think instead of jumping to wild conclusions. Christmas is already over though, and I already got my wishes granted, so I won’t be surprised if it doesn’t happen. :)

So that’s the drama! Gotta love it, huh? Where would I be without the under-educated rants and conspiracy theories? The good news is that there is a lot of really interesting research coming out of the contest, and numbers are approaching the 150-170 byte range. We’re already seeing some trends emerge about the most size-efficient ways to write the code, and the ways in which the code must work for the best propagation results and portability. The two methods of actual spread that appear to be building toward a consensus among the submissions are XMLHttpRequest and submit events. We’ll see how things turn out, but I’m quickly getting a feeling these are by far the two most likely candidates for worm propagation. My question is what sort of valid reasons people can come up with for why the browser should automatically submit a form without user interaction. More detailed analysis to come once we get closer to the cutoff. Amazing stuff!
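Whichever transport a worm uses, XMLHttpRequest or an automatically submitted form, the server ends up storing the same self-replicating content for many accounts in a short time, and that is something the site owner can watch for regardless of how the browser question above gets answered. The following is an added detection example, written for this editorial pass rather than taken from the post or the contest, that runs over a constructed, hypothetical application log and flags a script-bearing body that is stored by several distinct accounts within a few minutes, while leaving single-user test posts and benign repeated content alone. The log layout, the marker regex and the thresholds are all assumptions of the example. Because the fingerprint is taken over whitespace-normalized content, the polymorphic variants mentioned earlier would defeat it; treat it as a baseline that a later layer would need to extend.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application log in a hypothetical tab-separated layout:
# timestamp, account id, request path, body that was stored. Not real traffic;
# example.invalid is a reserved, non-resolving name.
SAMPLE_LOG = """\
2007-12-28T10:00:01\tu101\t/profile/update\t<b>hi there</b>
2007-12-28T10:00:05\tu102\t/profile/update\t<script src=//example.invalid/w.js></script>
2007-12-28T10:00:09\tu103\t/profile/update\t<script src=//example.invalid/w.js></script>
2007-12-28T10:00:30\tu104\t/profile/update\t<script  src=//example.invalid/w.js></script>
2007-12-28T10:01:02\tu105\t/profile/update\t<script src=//example.invalid/w.js></script>
2007-12-28T10:02:00\tu106\t/profile/update\tlol
2007-12-28T10:02:10\tu107\t/profile/update\tlol
2007-12-28T10:02:20\tu108\t/profile/update\tlol
2007-12-28T10:03:00\tu109\t/profile/update\t<script>void(0)</script>
"""

# Markers that make a stored body worth tracking at all (assumed list).
SCRIPT_MARKERS = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one log line of the assumed layout into its fields."""
    ts, user, path, body = line.split("\t", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "path": path, "body": body}


def fingerprint(body: str) -> str:
    """Hash the body with whitespace removed so trivial spacing changes collapse."""
    normalized = re.sub(r"\s+", "", body).lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def detect_worm_bursts(lines, min_accounts=3, window=timedelta(minutes=5)):
    """Return one alert per fingerprint that at least `min_accounts` distinct
    accounts stored inside some interval no longer than `window`."""
    sightings = defaultdict(list)            # fingerprint -> [(ts, user), ...]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not SCRIPT_MARKERS.search(rec["body"]):
            continue                         # plain content is never a worm body
        sightings[fingerprint(rec["body"])].append((rec["ts"], rec["user"]))

    alerts = []
    for fp, events in sightings.items():
        events.sort()                        # chronological; tuples sort by ts first
        for i, (start, _) in enumerate(events):
            accounts = {u for t, u in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"fingerprint": fp, "accounts": len(accounts),
                               "first_seen": start.isoformat()})
                break                        # one alert per fingerprint is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_worm_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the only alert is for the body stored by u102 through u105 (four accounts inside one minute); u109's lone script post and the three identical "lol" posts are not reported.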

Pandora is already out of the box, folks, and for good or bad Samy was the culprit, not me. Time to start working on solutions, rather than trying to keep the research quiet.

12 Responses to “Diminutive XSS Worm Contest Drama and Status Update”

  1. Denis Says:

    I totally agree with the idea of making the result of the contest public!
    Don’t listen to those who fear what they don’t know or are too lazy to realize they might be vulnerable ;)

  2. Christofer Hoff Says:

    RSnake:

    I found it rather interesting that Kurt took the tack that he did. I think his point regarding the potential for misuse of code generated as a result of the contest is plausible but unlikely. Honestly, PoC code for any sort of exploitable vulnerability has the potential for misuse, so I’m not convinced this is a corner case that deserves the flambé treatment it’s getting.

    However, I found it a bit of a reach to accuse you of ethical violations and seeding the world with Malware so you could profit from the results as part of a giant conspiracy theory.

    It’s clear that many of those posting their opinions fail to recognize which side of the fence you sit on and the contributions toward making the world “better” you have made.

    I was interested in a balanced perspective/commentary from others and will post my thoughts in a couple of days.

    Hey, look at it this way…now you have another 10+ middle names you can add to your list ;)

    /Hoff

  3. RSnake Says:

    Thanks for writing Christofer - I actually wasn’t referring to you specifically but rather the comments on your site, if that was at all unclear. I saw that you were balanced in your post, and for that I’m appreciative.

    Yah, sadly I seem to be the center of a lot of conspiracy theorists’ attention lately, which actually makes it harder to do the actual research. I liked it better when I was director of product management for a Real Estate company while doing the same kind of research in my spare time (again, because I was interested in it - not because I was profiting off of it). At least then people weren’t blaming anything on me. But I’m sure somehow the credit crisis is my fault. ;) I wouldn’t be surprised if that came up next. Nuclear weapons and US recession - all due to RSnake!

    I’m always looking for more middle names! Bring it on!

  4. Christofer Hoff Says:

    No worries, I knew what you meant.

    /Hoff

  5. digi7al64 Says:

    The point most people seem to miss is that the code published is not for a specific site, and therefore to truly use it in an attack scenario the person seeking to deploy it still needs to find a vulnerability that would allow all those characters to be parsed into it.

    Also, in response to this from Dr. Vesselin Bontchev, who stated “Respectable security researchers don’t encourage the creation of malware by running contests for it!”: Sir, I don’t believe that a single entity of peers should be solely those with the knowledge to determine who and when the general public should be “allowed” this type of information.

    …next they’ll be telling us the Full Disclosure XSS thread should be removed so people don’t know when they are vulnerable to attack!

  6. Spyware Says:

    Hiding the problem instead of stopping it? What are we, scared? Afraid for the consequences? Act NOW and you are safe. You’re doing a great job here RSnake, and I am 100% behind you.

    Moronic? Realistic. Assume the worst, hope for the best.

  7. xs Says:

    Don’t listen to those who fear. The foo is in the details and the only way to find it is to get in there and analyze what the underground is actually doing.

    There will always be those who are afraid to do this because that is what they learned at their bootcamp for some security certification. Fine! They can sit in the dark and fear what they don’t understand. This really reminds me of the dark ages. People were uneducated in the dark ages and were told to fear because that was written in some book. So people sat in fear while a few were made rich and prospered. Same thing happening here.

    We need to quit sitting in fear and get educated. Find the foo and not be afraid of what we learn. Use that foo for good. Education should never be considered unethical.

    Also, I am tired of everyone thinking that as soon as you learn how some attack works that you suddenly become a black hat. Hey, not all of us “hackers” are bad guys, so break out of that thinking.

    Sorry… I kinda ranted. Keep up the good work.

    xs

  8. thrill Says:

    This kind of research reminds me of the research that was done to bring sniffit to the world. If sniffit hadn’t become so widely used, I wonder if ssh would have had the impact it did.

    I’m sure Brecht was seen by many as the anti-christ for his work, but now we can see that his research actually helped secure systems around the world.

    –thrill

  9. Evrim Says:

    This contest is just for you and your young friends, but the real blackhats and offensive coders are not in your low range!

    How old are you RSnake?
    Quote: “Relevant parties known the hacker RSnake”
    www.heise.de/security/news/meldung/101401/Wettbewerb-um-kuerzesten-Cross-Site-Scripting-Wurm

    I know you, so please don’t send information to people like “heise online” when you want to be famous. Please go back where you come from and don’t tell everybody you are a famous hacker in our circle.

    WE KNOW WHERE YOU’RE COMING FROM ;)
    greetz from Germany

  10. euronymous Says:

    Hi robert

    as others said, you…just don’t have to listen to stupid scared people saying: “oh my god, rsnake, world known security expert, is inviting people to write malware…”..

    i think we miss the point: if we don’t do research on hot security topics like xss malware, session management (as i do), and so on, there will always be someone that will do it, maybe with more and more bad thoughts in mind….

    I mean…I write a big piece of software, a big web application, and the world starts to use it…everyone thinks it’s secure…no one does research on how secure it can be…we’re safe?

    no, damn it…

    so? we, as security researchers, MUST research things that others don’t…even if they can be HOT and be used to do bad things…

    I know I’m speaking words you’ve already heard…but come on..don’t miss the point please :)

    a hungry euronymous

  11. RSnake Says:

    @Evrim - I didn’t submit anything to heise.de. I don’t speak German and have only been to that site a few times. Sorry!

    @euronymous - Yah, I just hope others realize this isn’t just fun and games. There’s a lot of important research going on here. There’s a thread about as much here: http://sla.ckers.org/forum/read.php?2,19242
    and here: http://sla.ckers.org/forum/read.php?2,19143

  12. Robert Says:

    Security Through Obscurity has never been a good approach, get the data into the open and eventually it will get enough exposure that something will be done about it.