How To Make Money With XSS
Finding XSS is dead easy task. Everybody is vulnerable to this type of issue and even if there are protection mechanisms on place such as application firewalls and sanitization filters, very often attackers can get a stable exploit working in a matter of a couple of minutes. In fact, I don't think that there are unstable XSS exploits. It is not like the attacker have to manipulate the stack or a corrupted heap in order to get some sort of execution control. No! It is a simple injection issue.
In this post I am going to summarize one of the attack strategies, which I discussed in detail in my paper For my next trick - hacking Web2.0, and talked about it over here. We are going to look at a very basic scenario which outlines a possible technique attackers can use in order to make money out of XSS vulnerabilities.
The strategy is quite simple. First of all attackers need is a bunch of XSS issues for various sites. The higher ranking these sites have, the more money they will make. A good starting point is XSSED.com. The attacker can simply grab the high ranking sites from known lists and use them for the strategy that follows. On the other hand, a simple python script in combination with Google.com could serves the same purpose.
So, at this stage the attackers have XSS attacks ready to be deployed. The next stage is to come up with a generic payload for all of them. This step is quite simple as well. In regards to the initial idea, there are two ways to make money: direct and indirect. I am going to cover the Ad-jacking one :). The idea is that the attackers plug an XSS payload into the page to hijack the ads revenue. This is a dead easy task. In most cases, all the attackers need to do is to change a simple number. From this point on, everyone who stumbles across the Ad-jacked page and clicks on the any ad, some profit will be made not to the page owner but the attacker. Not cool.
The final stage is to get the XSSed URLs and their payloads out for general consummation. Attackers can use the power of Web2.0 technologies in this case. Social bookmarking sites fit very well here. The more the attackers bookmark the Ad-jacked URLs, the more money they will make out of them. There are even services like OnlyWire, which allows attackers to distribute the URLs to 20 more different social bookmarking websites in a single go. Of course, attackers will keep websites with very, very, very high ranking for services such as DIGG and Reddit for manual submission, since both of them have CAPTCHAs. But, heh, CAPTCHAs can be easy broken as well.
Now search engines, aggregators, and other robotic things will start exploring and crawling the Ad-jacked webistes. People will start visiting them and looking for info inside them and every once in a while someone will click on the ads. The only problem is that site owners will share their profit with the crooks.
So, this is it! More information about this issue is outlined in the paper. Have a look through it if you have time.
Archived Comments
CAPTCHAs can be easy broken as well.code?
Of course, attackers will keep websites with very, very, very high ranking for services such as DIGG and Reddit for manual submission, since both of them have CAPTCHAsAfter I read your post in 12.09.2007, I looked at Digg's captcha and found that it's velnerable (to my MustLive CAPTCHA bypass method). So this captcha like a lot of others can be easily bypassed (with my method).
code?kork, there will be a whole of month which I'll make - Month of bugs in CAPTCHAs. This month will be full of codes (exploits) for bypassing captchas all over the Internet. So keep waiting for official announcement. You will be happy ;-), everyone will be happy, especially bad guys, but good guys too.
no code but you can check out some of the successful projects currently available for free that does break most of the CAPTCHAs.You speaking mostly about OCR breaking of captchas or breaking with manual typing (low cost man power). But there is a way (with my methods - main and advanced) to bypass a lot of captchas in the Internet.
CAPTCHAs are dead!Not all captchas - many still trying (for their last days). And many still making look that "they are working fine". And many others still believe that captchas can protect them (security site's also - there are a lot of vulnerable captchas on security sites also). But I'll show to web community and their captchas the real life ;-). Very soon Internet will see - the Captchas Apocalypses. A lot of captchas will die. The time has come.