An XSS worm, sometimes referred to as a cross site scripting

virus A virus is a submicroscopic infectious agent that replicates only inside the living cells of an organism. Viruses infect all life forms, from animals and plants to microorganisms, including bacteria and archaea. Since Dmitri Ivanovsky's 1 ...

, is a malicious (or sometimes non-malicious) payload, usually written in

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...

, that breaches

browser security Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-si ...

to propagate among visitors of a website in the attempt to progressively infect other visitors. They were first mentioned in 2002 in relation to a cross site scripting vulnerability in

Hotmail Outlook.com is a webmail service that is part of the Microsoft 365 product family. It offers mail, Calendaring software, calendaring, Address book, contacts, and Task management, tasks services. Founded in 1996 by Sabeer Bhatia and Jack Smit ...

Concept

XSS worms exploit a security vulnerability known as cross site scripting (or ''XSS'' for short) within a website, infecting users in a variety of ways depending on the vulnerability. Such site features as profiles and chat systems can be affected by XSS worms when implemented improperly or without regard to security. Often, these worms are specific to a single web site, spreading quickly by exploiting specific vulnerabilities. Cross-site scripting vulnerabilities are commonly exploited in the form of worms on popular social or commercial websites, such as MySpace,

Yahoo! Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo Inc., which is 90% owned by investment funds managed by Apollo Global Man ...

Orkut Orkut was a social networking service owned and operated by Google. The service was designed to help users meet new and old friends and maintain existing relationships. The website was named after its creator, Google employee Orkut Büyükkökt ...

Justin.tv Justin.tv was a website created by Justin Kan, Emmett Shear, Michael Seibel, and Kyle Vogt in 2007 to allow anyone to broadcast video online. Justin.tv user accounts were called "channels", like those on YouTube, and users were encouraged to br ...

Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...

and

Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...

. These worms can be used for malicious intent, giving an attacker the basis to steal personal information provided to the web site, such as passwords or credit card numbers.

Examples

Several XSS worms have affected popular web sites.

Samy worm

The Samy worm, the largest known XSS worm, infected over 1 million MySpace profiles in less than 20 hours. The virus' author was sued and entered a plea agreement to a felony charge.

Justin.tv worm

was a video casting website with an active user base of approximately 20 thousand users. The cross-site scripting vulnerability that was exploited was that the "Location" profile field was not properly sanitized before its inclusion in a profile page. The "Location" profile field was sanitized when included in the title of a profile page but not within the actual field in the page's body. This meant that the authors of the worm, in order to achieve stealth to boost the lifetime and spread of the worm, had to automatically remove the XSS payload from the title of the page from within the worm's code, which was already hidden by comments. After proper development of the worm, it was executed approximately Saturday, 28 Jun 2008 21:52:33 UTC, and finished on Sun, 29 Jun 2008 21:12:21 UTC. Since the social website that was targeted was not particularly active (compared to other popular XSS worm targets), the worm infected a total of 2525 profiles within roughly 24 hours. The worm was found a few hours before it was successfully removed, and based on data that was recorded (due to the worm's original intent for research purposes) the worm was able to infect uninfected profiles after they were sanitized forcefully by developers of Justin.tv. The worm was sanitized once more after the vulnerability was patched, and it was able to be removed easily. However, this shows the ability for the worm to adapt and spread even after counter-attack. Other particular factors which are indicated by the graphs and data released by attackers include social activity and lack of new, uninfected users during periods of time.

Orkut "Bom Sabado" worm

Orkut, a social networking Site, was also hit by a XSS worm. Infected users receive a scrap containing the words "Bom Sabado" (

Portuguese Portuguese may refer to: * anything of, from, or related to the country and nation of Portugal ** Portuguese cuisine, traditional foods ** Portuguese language, a Romance language *** Portuguese dialects, variants of the Portuguese language ** Portu ...

, "Happy Saturday").

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

has yet to comment on the situation.

Concept

Examples

Samy worm

Justin.tv worm

Orkut "Bom Sabado" worm

References

See also