History of Cross Site Scripting

I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting. I am making my research and notes available in a series of blog posts. This is the second: the history of cross site scripting.

XSS Defined
History of XSS
Detecting XSS
Reporting XSS in a Meaningful Way
Preventing XSS

Timeline

JavaScript is Born, XSS Follows

Netscape introduced JavaScript in 1995. Soon after, hackers realized that when someone visited their website they could load any other site (webmail, banks, auction sites) in a frame and use JavaScript to reach across the boundary between the two sites, hence the name “cross site scripting.” Netscape introduced the same origin policy to combat the issue, but hackers found ways to circumvent the control. Research done at Microsoft was shared with CERT, which released an advisory (CA-2000-02, February 2000), and passed to vendors, while hackers wrote malicious JavaScript to steal cookies and deface web pages. The XSS explosion came in 2005, when the Samy worm took down MySpace.

Samy

Samy Kamkar wanted to change the text of his profile to say “in a hot relationship” instead of “in a relationship”. Wanting to use JavaScript, he wrote an HTML fuzzer to look for a vulnerability that would make it possible. He found one that let him store script in his profile. When anyone viewed the profile, the script ran in that viewer’s browser with the viewer’s own MySpace session: it added Samy to the viewer’s top user list, appended the string “but most of all, Samy is my hero”, and copied itself into the viewer’s profile. Anyone who then viewed that profile had the same change made to theirs. The infection rate was exponential, affecting 8,000 users in the first few hours and over a million in less than 20 hours. An hour later, MySpace was offline.

Samy released a statement explaining what happened along with time frames, screenshots, and his code:

“I’m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I’m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I’m kidding! Please don’t sue me.”

Fox, realizing Samy was not acting maliciously, didn’t pursue a case. But the FBI did. Samy was arrested and pled guilty. He entered a plea agreement on January 31, 2007 to a felony charge, resulting in three years probation, 90 days community service, and an undisclosed amount of restitution.

At the time, this was the fastest-spreading worm on record. Earlier worms had infected hundreds of thousands of machines in 24 hours, but never more than a million.

JavaScript Malware

In Samy’s aftermath, XSS research and malware went into overdrive. Within a few months, JavaScript port scanners, keyloggers, trojan horses, browser history stealers, and intranet attacks launched from the browser started to plague the Internet.

OWASP

Today, XSS sits near the top of OWASP’s Top 10 application security risks list. It was number one in the previous version and is number two in the current one.

Sources

Script Injection
Original CERT Advisory
Samy’s Technical Explanation
Whitehat Security XSS Whitepaper
OWASP Top 10
XSS Attacks (Amazon)
