Several studies have explored the new threat of cross-site scripting (XSS) viruses. To date, cross-site scripting has not been used to create a virus. Such viruses would be platform independent and would not be stopped by common firewall configurations.
Cross-site scripting viruses could have a significant impact on Internet continuity (for example, distributed denial of service (DDoS) attacks, spam and the dissemination of browser exploits). This is particularly relevant given the increasing sophistication of web browsers and the growing popularity of web-based applications such as blogs and wikis.
Cross-site scripting virus infection occurs in two stages and, more often than not, on at least two devices; as such, there are two kinds of infection that work symbiotically.
First, the server is infected with persistent, self-propagating code that the server itself does not execute. The second stage is browser infection: the injected code is loaded from the site into the web browser, where it persists only for the life of the page, and is executed there. Once running, it seeks new servers to exploit and potentially executes its payload. A typical scenario is one infected server and many infected browsers.
Like conventional viruses, XSS viruses are capable of delivering payloads. The payload executes in the browser and is restricted to HTML-compliant code; that is, it can perform HTML functions, including JavaScript. For example, the payload could deliver a DDoS attack, display spam or contain browser exploits. As browser sophistication increases, future payload capabilities are likely to increase with it.
Potential disinfection methods will involve the referrer field (the Referer request header). The referrer is likely to be logged on web servers where infection has been attempted; thus, where referrer spoofing has not occurred, following the log files will reveal a trail back to the source of the virus.
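The log-following disinfection method described above can be automated. The following is an added example, not code from the original article: it parses combined-format access logs from several servers (all constructed here for illustration, with invented hostnames and addresses) and walks the Referer trail backwards from the server where an injection was first noticed, stopping when it reaches a request with no referrer (a candidate origin) or when the referrer points at a host whose logs were not collected, which is also what a spoofed referrer looks like from the analyst's side. The set of content-accepting paths (`/edit`, `/comment`, `/reply`) is an assumption for the sample.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access logs in combined log format, one list per server.
# Hostnames, addresses and timestamps are invented for this example.
LOGS = {
    "wiki.example.org": [
        '10.0.0.5 - - [01/Jan/2005:10:00:01 +0000] "POST /edit HTTP/1.1" 200 512 "http://blog.example.net/post/42" "Mozilla/5.0"',
        '10.0.0.9 - - [01/Jan/2005:10:02:11 +0000] "GET /page HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ],
    "blog.example.net": [
        '10.0.0.7 - - [01/Jan/2005:09:30:00 +0000] "POST /comment HTTP/1.1" 200 300 "http://forum.example.com/thread/7" "Mozilla/5.0"',
    ],
    "forum.example.com": [
        '10.0.0.2 - - [01/Jan/2005:09:00:00 +0000] "POST /reply HTTP/1.1" 200 280 "-" "Mozilla/5.0"',
    ],
}

# Paths on which these sample applications accept user-supplied content (assumed).
CONTENT_PATHS = {"/edit", "/comment", "/reply"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injection_attempts(lines, paths):
    """Return parsed POST requests to content-accepting paths, oldest first."""
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e and e["method"] == "POST" and e["path"] in paths]


def follow_referer_trail(logs, start_host, paths=CONTENT_PATHS, max_hops=10):
    """Walk Referer headers backwards from start_host.

    Returns (trail, status): trail is the list of hosts visited, status explains
    why the walk stopped. A referrer host absent from the collected logs ends the
    trail; it may simply be uncollected, or the referrer may have been spoofed.
    """
    trail, seen, host = [start_host], {start_host}, start_host
    while len(trail) <= max_hops:
        attempts = injection_attempts(logs.get(host, []), paths)
        if not attempts:
            return trail, "no injection request logged on this host"
        referer = attempts[0]["referer"]
        if referer in ("", "-"):
            return trail, "origin candidate: injection request carried no referrer"
        ref_host = urlsplit(referer).hostname
        if ref_host in seen:
            return trail, "loop detected in referrer chain"
        if ref_host not in logs:
            return trail + [ref_host], "trail leaves collected logs (uncollected or spoofed referrer)"
        trail.append(ref_host)
        seen.add(ref_host)
        host = ref_host
    return trail, "hop limit reached"


if __name__ == "__main__":
    trail, status = follow_referer_trail(LOGS, "wiki.example.org")
    print(" <- ".join(trail), "|", status)
```

Because the walk takes the oldest matching request on each host, the trail reflects the first injection attempt logged there rather than later re-infections; on a real incident, every content-accepting path on every application would need to be enumerated, and the hop where the trail leaves the collected logs is where analysts must decide whether a log source is missing or the referrer was forged.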
Whilst unlikely to happen, the most obvious way to prevent XSS viruses is to remove XSS vulnerabilities from web applications. Another method is for browsers to enforce a request restriction on a web page's sub-elements: sub-elements would only be allowed to be requested from the main URL's domain, thus preventing an XSS virus from infecting other web applications.
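Both countermeasures above can be made concrete. The following is an added example and not code from the original article: `render_comment_vulnerable` shows the defect (user content concatenated straight into HTML) next to `render_comment_safe`, which removes the vulnerability by HTML-encoding the content on output, and `offsite_subelements` simulates the proposed browser-side restriction by listing every sub-element (script, img, iframe, link, object, embed) whose resolved URL is not on the page's own domain. The regex-based checker is a simplification for illustration, not a browser feature, and all URLs and the sample comment are constructed.

```python
import html
import re
from urllib.parse import urlsplit, urljoin


def render_comment_vulnerable(comment):
    """Defective rendering: untrusted content is inserted into HTML verbatim."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment):
    """Hardened rendering: HTML-encode the content so it can only be text, never markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# Sub-element tags and the attributes that make the browser fetch a resource.
SUBELEMENT_RE = re.compile(
    r'<(script|img|iframe|link|object|embed)\b[^>]*?\b(?:src|href|data)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def offsite_subelements(page_url, document):
    """Return (tag, absolute_url) for every sub-element not served from the page's domain.

    This approximates the restriction described in the text: a browser enforcing it
    would refuse these requests. Relative references resolve to the page's own host.
    """
    page_host = urlsplit(page_url).hostname
    flagged = []
    for tag, ref in SUBELEMENT_RE.findall(document):
        absolute = urljoin(page_url, ref)
        if urlsplit(absolute).hostname != page_host:
            flagged.append((tag.lower(), absolute))
    return flagged


# Constructed sample: a comment containing a remote script reference and a same-site image.
SAMPLE_COMMENT = '<script src="http://other.example/w.js"></script><img src="/logo.png">'
PAGE_URL = "http://wiki.example.org/page"

if __name__ == "__main__":
    print("vulnerable:", offsite_subelements(PAGE_URL, render_comment_vulnerable(SAMPLE_COMMENT)))
    print("safe      :", offsite_subelements(PAGE_URL, render_comment_safe(SAMPLE_COMMENT)))
```

Output encoding is context dependent: `html.escape` is correct for text between tags and for quoted attribute values, but content placed inside a script block, a URL or a style attribute needs encoding rules for that context, and the vulnerability is only removed where every output point is covered.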
One of the main differences between conventional viruses and XSS viruses is that a conventional virus resides and executes on the same system. An XSS virus separates these two requirements in a symbiotic relationship between server and browser: the code resides on the server and the execution occurs in the client browser.
Platform indiscrimination also differentiates an XSS virus from its conventional counterparts. This is due to its encapsulation within HTML and the HTTP/HTTPS protocols, standards supported by most web browsers on a variety of operating systems, which makes XSS viruses platform independent. This platform independence increases the number of web applications that can potentially be infected.
XSS viruses are a new class of malware, distinguished from their conventional counterparts by their requirement for a client-server relationship and by their platform independence. With the increasing sophistication of web browsers, in the near future virus writers may exploit XSS to execute practically any malicious code they want. We need to combat this threat before XSS viruses gain popularity among malware authors.