Over on Sla.ckers.org, a security researcher who uses the handle Rsnake (a.k.a. Robert Hansen) proposed a competition (due to end on Jan 10th) to create the smallest self-propagating XSS worm possible. Cross-site scripting (XSS) is a class of vulnerability in Web applications that allows an attacker to inject code into the Web pages viewed by other users.
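As an added illustration (not code from the post, from Rsnake, or from the contest), the snippet below shows the rendering defect that makes this kind of injection possible next to the output-encoding fix that closes it. The profile record, its field names and the markup inside it are constructed for the example; the pattern is the stored-XSS case the worms mentioned here rely on, where one user's saved content is rendered into pages that other users view.

```javascript
// Added example: a stored-XSS rendering bug and its output-encoding fix.
// Not code from the blog post or the contest; SAMPLE_PROFILE is constructed.

// Characters that carry meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape untrusted text before placing it in element content or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the user-supplied "about" text is concatenated straight
// into markup, so any tags it contains become live HTML for every visitor.
function renderProfileUnsafe(profile) {
  return `<div class="about">${profile.about}</div>`;
}

// Hardened rendering: the same template, but the untrusted value is escaped
// for the HTML-content context it lands in.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Constructed sample: a profile whose "about" field carries markup, not prose.
const SAMPLE_PROFILE = {
  about: 'Hello <b>world</b> & <script>/* constructed payload */</script>',
};

// Review helper: does the rendered HTML still contain a live <tagName ...> element?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

console.log('unsafe:', renderProfileUnsafe(SAMPLE_PROFILE));
console.log('safe:  ', renderProfileSafe(SAMPLE_PROFILE));
console.log('live script in unsafe output:', containsTag(renderProfileUnsafe(SAMPLE_PROFILE), 'script'));
console.log('live script in safe output:  ', containsTag(renderProfileSafe(SAMPLE_PROFILE), 'script'));
```

The escaping table here is correct only for HTML element content and quoted attributes; a value placed inside a `<script>` block, an event-handler attribute or a URL needs the encoding for that context instead, and in browser code assigning to `textContent` rather than `innerHTML` avoids the question entirely.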
There have been previous examples of XSS worms in the wild. The most famous is probably the “Samy is my Hero” worm that hit MySpace, but recently we posted about another threat that targeted Google’s social network, Orkut.
Rsnake’s idea is that promoting the writing of such worms will help researchers protect against them. This reopens the debate that started in 2003, when Professor John Aycock of the University of Calgary in Canada announced that his course would include a module on “Computer Viruses and Malware.” That announcement divided security experts in 2003, and Rsnake’s challenge is likely to do the same. On one side of the fence are people like Ken Barker, head of the Computer Science Department at Calgary, who argue that “the better we understand something, even if we radically disagree with it, the more likely we are to provide effective mechanisms to counteract it.” The counter-argument, of course, is that we do not need to actually create malicious code in order to understand how it works.
This debate will not wrap up anytime soon, with both sides making interesting points. There is no doubt, however, that XSS attacks are a major security concern for Web users today and will continue to increase. So far we have been lucky that the majority of XSS worms have been non-malicious in their motives (with the exception of JS_YAMANER.A).
Unfortunately I doubt that this trend will continue in the future.