XSS Bug Remains the Worst Infection for Sites

XSS bugs continue to create trouble for application and web programmers as they allow hackers to steal bank account details and other confidential information from e-mails by inserting malicious script into legitimate websites.

Researcher RSnake, who works on security for websites, has come across lot of XSS flaws. But he is waiting to see many more, particularly ones that create the quintessential harm, so that this researcher and other computer security experts can better work to build defensive measures against them.

In an instant message, RSnake said that it is important to understand the programs hackers use to propagate generic worms in order to develop tools to ward off those threats. Channel Register reported this on January 5, 2008.

According to the US Department of Homeland Security's cyber security division, an XSS bug can exploit websites hosting faulty Flash files with respect to the domain that hosts those files. Similarly, attacks that modify or spoof online content too can exploit sites hosting vulnerable Flash files. It has been found that attackers have been exploiting flaws in SWF, i.e., Shockwave Flash files, to launch cross-site scripting XSS exploits.

In the last week of December 2007, a massive virus hit Google's Orkut social networking site that infected over 700,000 users within just 24 hours. It was a demonstration of a powerful XSS attack in which the worm worked by adding a malicious JavaScript code to the profiles of the users victimized.

The December attack was outstanding because it merely required the Orkut visitor to view the infected website so that, in turn, he becomes infected. The infection spread by sending e-mail messages to the friends on the address list of an infected user.

Many characteristics of this attack were similar to the 'Samy' virus that hit MySpace in 2005. In less than 24 hours, the XSS attack added over one million users of MySpace to the attacker's MySpace profile that eventually forced NewsCorp to briefly get the social networking site offline.

According to RSnake, the XSS worms really have just two techniques but numerous variants. The need is to find the maximum number of these variants, reported Channel Register.

Related article: XSS Flaw in Yahoo Mail Allows Attacking IM Users

» SPAMfighter News - 1/17/2008