Launching XSS CSRF Based Worms On Social Networks

For those who didn't know it yet, XSS is just bad. But it can be far worse. Usually, if not always, people hold the firm idea that an XSS worm needs a stored XSS hole rather than a reflected one. That holds some water, because storage contributes to the worm's persistence, but it isn't necessary. In this article I want to explain why a stored XSS hole isn't mandatory and how reflected XSS can show worm-like behaviour with the help of CSRF. The reason is simple: the injected script runs inside the victim's origin, so every request it makes carries the victim's own session cookie, and the site cannot tell those requests from actions the victim took by hand. CSRF is therefore a great way to leverage, or even remove, the social engineering part. As an attacker we don't need to engineer every user into clicking a link that looks murky: we can let victims infect their own friends, and a link that arrives from a friend is far more likely to be clicked. With CSRF doing the propagation, a reflected XSS worm only needs us to trick one person. The rest happens automatically.

Last week a reader named Bart Kerkvliet contacted me about an XSS hole he found in the online social network Hyves. Hyves is a very popular website in my country; it has millions of active users, including our national president. Bart told me about the XSS vulnerability and that he had contacted Hyves to notify them about the issue. Hyves didn't respond adequately, and he tried again. After some time they decided to fix it. Bart then went back and tried again, and sure enough, they hadn't fixed it properly: it was still possible to inject JavaScript into several search fields. Hyves also said that it wasn't that bad after all: they filter single and double quotes, so who cares, you can't do anything malicious, right? Wrong.
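To make both points above concrete (reflected XSS plus CSRF gives a worm, and a quote filter is no defence), here is an added example: a toy social network simulated in Node.js. It is not code from the original post and has nothing to do with Hyves' real code; the users, the `/search`, `/friends` and `/message` routes, the `tok-` CSRF token and the way the "browser" runs scripts are all assumptions made for the simulation. The worm body contains no quote characters at all, so a filter that only strips quotes passes it unchanged, and because the script executes in the victim's origin it can even read a CSRF token from the page. Only HTML-encoding the reflected value stops the chain.

```javascript
// Added example (not from the original post, not Hyves code): a reflected XSS
// in a search box becomes a worm once the injected script uses the victim's
// own session to message that victim's friends. All names here are assumed.

const users = {
  alice: { friends: ["bob", "carol"] },
  bob:   { friends: ["alice", "dave"] },
  carol: { friends: ["alice"] },
  dave:  { friends: ["bob"] },
};

// The only defence the post describes: strip single and double quotes.
const stripQuotes = s => s.replace(/['"]/g, "");
// The real fix for reflection into HTML: encode the metacharacters.
const htmlEncode = s => s.replace(/[&<>"']/g, c =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;" }[c]));

// A tiny server. `session` stands for the cookie the browser attaches on its own.
function makeServer({ encode = false, csrfToken = false } = {}) {
  const inbox = Object.fromEntries(Object.keys(users).map(u => [u, []]));
  const token = s => "tok-" + s;            // per-session CSRF token (assumed scheme)
  return {
    inbox,
    // GET /search?q=...  reflects the query into the page: the XSS sink
    search: (q, session) =>
      `<p>Results for ${encode ? htmlEncode(q) : stripQuotes(q)}</p>` +
      (csrfToken ? `<meta name=csrf content=${token(session)}>` : ""),
    // GET /friends  read, authenticated by the ambient cookie
    friends: session => users[session].friends,
    // POST /message  state change. Without a token any script in the victim's
    // origin can call it with the victim's cookie: the CSRF the post means.
    message: (session, to, body, tok) => {
      if (csrfToken && tok !== token(session)) return false;
      inbox[to].push({ from: session, body });
      return true;
    },
  };
}

// Worm body: no quote characters anywhere, so the quote filter lets it through.
// It reads the victim's friends list and the page's CSRF token (if any) from
// inside the victim's origin, then sends every friend the same link.
const WORM = "api.friends(session).forEach(f => api.message(session, f, location.href, document.csrf))";
const LINK = `/search?q=<script>${WORM}</script>`;

// Toy browser: fetch the page as `user` and run any <script> it contains with
// that user's session (new Function stands in for the real JS engine).
// Returns true if injected script actually ran.
function visit(server, user, url) {
  const q = decodeURIComponent(url.split("?q=")[1]);
  const html = server.search(q, user);
  const csrf = (html.match(/content=([^>]+)>/) || [])[1];
  const scripts = [...html.matchAll(/<script>([\s\S]*?)<\/script>/g)];
  for (const [, code] of scripts) {
    new Function("api", "session", "location", "document", code)(
      server, user, { href: url }, { csrf });
  }
  return scripts.length > 0;
}

// Propagation: the attacker tricks exactly one user (patient zero). Everyone
// else clicks the link only when it shows up in their inbox from a friend.
// Returns the list of users whose browser executed the worm.
function runWorm(server, patientZero = "alice") {
  const infected = new Set();
  const queue = [patientZero];
  while (queue.length) {
    const u = queue.shift();
    if (infected.has(u)) continue;
    if (!visit(server, u, LINK)) continue;      // nothing ran: chain stops here
    infected.add(u);
    for (const f of users[u].friends)
      if (server.inbox[f].some(m => m.body === LINK)) queue.push(f);
  }
  return [...infected];
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("quotes stripped       :", runWorm(makeServer()));
  console.log("quotes + CSRF token   :", runWorm(makeServer({ csrfToken: true })));
  console.log("HTML-encoded          :", runWorm(makeServer({ encode: true })));
}
```

Run it with `node` and the first two configurations infect all four users from a single click, including the one that adds a CSRF token: a token protects against requests from another origin, not against script that already executes in yours. Only the HTML-encoded variant returns an empty list, because no `<script>` element ever reaches the page. The practical check is therefore not "are quotes filtered?" but "is the reflected value encoded for the exact context it lands in?".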
