Through malicious JavaScript and browser “leniencies,” Samy was the first self-propa-gating XSS worm. In 24 hours, Samy had more than a million friends on MySpace, each claiming “Samy is my hero.”
A primary hurdle for Samy was bypassing input filters on restricted HTML. MySpace performs input filtering on HTML to prevent malicious JavaScript execution. For example, MySpace restricted use of <script>, the word javascript,<Href>, and a lot more items, but restrictions were largely based on static words such as javascript. MySpace did not restrict these items if they contained newlines or were converted to ACSII and hex encoding.
Following is a description of how Samy bypassed input filters in MySpace:
1. The word javascript was fi ltered by MySpace. To get around this fi ltering, Samy simply added a new line (denoted by \n) between the words java and script.
For example, javascript became java\nscript, which translated to this:
'java script'
When \n was inserted between java and script, the browser interpreted the code asjavascript, allowing JavaScript to be executed on MySpace. The Samy code went from this,
java\nscript:eval(document.all.mycode.expr) to this:
java
script:eval(document.all.mycode.expr)
2. MySpace also fi ltered double quotes ("), which were needed for the worm.
While all quotes were escaped by MySpace fi ltering, Samy was able to use JavaScript to converted double quotes from decimal to ASCII characters.
Because JavaScript was proved to be useable on MySpace, Samy was able to use JavaScript to convert decimal to ASCII characters. This allowed to be double quotes (") to be converted to CharCode(34), bypassing the input fi ltering for double quotes, as shown here:
('double quote: ' + String.fromCharCode(34))
3. The word innerHTML was also fi ltered by MySpace, which was needed by Samy to post code on the profi le of the user who was currently viewing the page. To get around this fi ltering, Samy used eval(), which is used to evaluate two strings in JavaScript and then can be used to put the strings together. For example, the following JavaScript eval code will print the number 1108 by evaluating strings a and b:
alert(eval("a=1100; b=108; (a+b); "));
The same method can be applied here to combine to strings values to bypass fi lters. This method was used by Samy to combine the words inne with rHTML, as shown below in a snippet of Samy’s code:
alert(eval('document.body.inne' + 'rHTML'));
4. The word onreadystatechange was also fi ltered by MySpace, which was needed by Samy to use a XMLHTTPRequest to get the user’s browser to make HTTP GET and POST requests. To get around this fi ltering, Samy also used the eval() function, as shown next in a snippet of Samy’s code. Notice how eval() is used to combined xmlhttp.onread and ystatechange = callback:
eval('xmlhttp.onread' + 'ystatechange = callback');
From these input filtering bypass actions, Samy was able to perform the following malicious JavaScript functions on MySpace:
• Execute JavaScript
• Use double quotes by converting decimal to ASCII
• Use innerHTML with eval(), allowing code to be posted on a user’s profi le
• Useonreadystatechange eval(), forcing the user’s browser to make HTTP GET and POST request with XML-HTTP
After input filers were bypassed by Samy to run the critical function with JavaScript, how were those functions actually executed? One of the primary reasons why the Samy worm was successful was because XMLHTTPRequest can silently execute GET and POST requests on behalf of the user. A secondary hurdle for Samy was to force the browser to execute multiple GETs and POSTs, search source pages for specific values, and perform other hostile actions on behalf of the currently logged-in user. The actions
were primarily performed with XMLHTTPRequest. The following shows how Samy was able to execute such functions.
1. Samy needed to force a user’s browsers to perform GETs to get the user’s current list of heroes. To perform this action, XMLHTTPRequest was used, which was already made possible by item number 4 in the preceding input fi ltering bypass section. The following code sample was used by Samy to force GETs by the browser:
function
getData(AU){
M=getFromURL(AU,'friendID');
L=getFromURL(AU,'Mytoken') }
2. To fi nd the friendID of the user viewing the page, Samy need to search the source page for the specifi c friendID. Using the eval() function again, Samy was able to fi nd the value and store it for later use:
var index = html.indexOf('frien' + 'dID');
3. From GETs and searches, Samy was able to get a list of friends, but he now needed to perform a POST to force the user to add Samy as a friend (and a hero). XMLHTTPRequest POST was used to perform this action, which was again possible using item number 4 in the input fi ltering bypass section. Furthermore, while XMLHTTPRequest would restrict POSTs to profi le .myspace.com because it is on a different domain, a profi le can be reached using www.myspace.com/profi le (where profi le is the name of the user). Samy simply replaced profi le.myspace.com with www.myspace.com and submitted the request.
The following sample code was used by Samy to force-convert profi le to www for the requested user:
Using these steps, Samy was able to perform the following malicious JavaScript functions on MySpace:
• Force the user’s browser to perform GETs by XMLHTTPRequest
• Search the current source page of the user
• Force the user’s browser to perform POSTs by XMLHTTPRequest
These executed actions, combined with the input filtering bypass actions, allowed Samy to do basically anything he wanted via JavaScript and AJAX (XMLHTTPRequest) once a user visited his MySpace page. Once his code was completed to perform all the actions described so far, his final step was to load the worm. The follow steps highlight his actions from posting the worm to propagating it:
1. Place hostile JavaScript on MySpace page. Once a user views the page, all the malicious code is executed by the user’s browser, which includes forcing the browser to perform HTTP GETs/POSTs.
2. The code adds Samy to as the user’s friend, which is completed by XMLHTTPRequest with several GETs/POSTs. The code also grabs a list of the user’s hero and adds Samy as a hero, by specifi cally adding “but most of all, samy is my hero”.
3. For self-propagation, allowing this to be classifi ed as worm and not a Trojan horse, the worm will post the hostile code to the user’s hero pages as well, blasting all the user’s heroes with the malicious code automatically.
4. Once a user’s hero was infected with the code, Samy would be added as a friend and all their heroes would then be blasted with the code, repeating steps 2 through 4 indefi nitely until MySpace eventually was forced to shut down its site to clear up the worm.