Writing A Modular Universal XSS Worm
After the diminutive XSS worm replication contest, I got the idea of writing a universal XSS worm that can be applied in almost any situation or location. No, that was a joke. I had the idea for a long time, but never got around to actually writing something like it.
The biggest issue with web application worms isn't the worm's size, but the hole that lets it propagate. With remote JavaScript files we can go any place and any size we want to. The only trigger we need is a simple <script /> instance to let it become part of the website and its DOM. We only have to call the remote JavaScript file each time, and we can adjust or modify the payload of the worm at any time. The downside? Well, actually there isn't one.
One might argue that they could block the remote JavaScript file, but by the time they find out a worm is hitting their system, it's usually too late. Many worms only need a few seconds to become a mostly unaddressable annoyance. But p0ng!, as this worm is called, is different. It tries to propagate itself through SQL injection and PHP code injection, and also tries to fetch remote shells to upload new copies of itself. Well, that's gonna be nasty to mitigate!
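What "blocking the remote JavaScript file" means on the defending site, as an added example that is not part of the original post: a simplified Content-Security-Policy `script-src` check that tells whether a given policy would still let a page load a script from another origin. The function names, policies and URLs are constructed for illustration; nonces, hashes, 'strict-dynamic' and source paths are not handled.

```javascript
// Added example, not from the original post. Simplified CSP script-src matching:
// handles 'self', *, scheme sources and host sources. Nonces, hashes,
// 'strict-dynamic' and source paths are out of scope (assumption).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  // script-src falls back to default-src; null means scripts are unrestricted.
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

const effectivePort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

function sourceAllows(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  const m = source.match(
    /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false; // 'none', 'unsafe-inline', nonces, hashes: no URL match
  const [, scheme, wildcard, host, port] = m;
  const wanted = scheme ? scheme + ':' : page.protocol;
  const schemeOk = url.protocol === wanted ||
    (wanted === 'http:' && url.protocol === 'https:'); // upgrade is allowed
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  const portOk = port === undefined ? url.port === ''
    : port === '*' || effectivePort(url) === port;
  return schemeOk && hostOk && portOk;
}

function remoteScriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no policy: the browser loads any script
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page);
  return sources.some((s) => sourceAllows(s, url, page));
}

// Constructed sample values.
const PAGE = 'https://forum.example/thread/1';
const REMOTE = 'https://untrusted.example/payload.js';
for (const policy of ['', "script-src 'self' https:", "script-src 'self'"]) {
  console.log(JSON.stringify(policy), '->', remoteScriptAllowed(policy, REMOTE, PAGE));
}
```

A policy containing a bare `https:` or `*` source still admits the remote file, so only an explicit origin allowlist stops the load before the payload is fetched.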