Looking to push the research envelope around malicious worm propagation, Web application security specialist Robert Hansen (left) is running a contest encouraging hackers to create cross-site scripting (XSS) worms.
Hansen, who uses the hacker moniker RSnake, is looking to find the smallest amount of code necessary for XSS worm propagation:
“I’m not interested in payloads for this contest, but rather, the actual methods of propagation themselves. We’ve seen the live worm code and all of it is muddied by obfuscation, individual site issues, and the payload itself. I’d rather think cleanly about the most efficient method for propagation where every character matters.“
The rules for the contest are straightforward. They include:
“Must work in at least Internet Explorer 7.0 and Firefox 2.x.Must have a payload of “XSS” in an alert box.Must work in at least Apache 1.3+ and 2+ (considering the dominance in web server market).Must require no user interaction or user interaction that happens on every single page without the user thinking about it (for example, mousing over anywhere in the body of a page).“
Deadline for submissions is January 10, 2007.
[SEE: XSS Worm Squirms Through Google’s Orkut]
Hanson’s contest has already attracted criticism in some quarters by people who believe it encourages malware propagation. However, as everyone knows, you can’t think about defense unless you start to think like attackers.
As Hanson explains, attackers do not need new code to find ways to launch cross-site scripting attacks.
“Pandora is already out of the box, folks, and for good or bad Samy was the culprit, not me. Time to start working on solutions, rather than trying to keep the research quiet.“
He’s absolutely right. Cross-site-scripting has emerged as one of the biggest problems haunting Web 2.0-type applications and the worms have already started to wriggle through some big-name targets.
Understanding how they work by thinking like the attacker is an important aspect of research into figuring out how to stop them.