Comet and Cross-Site Scripting

by Joe Walker, May 20th, 2008

When Ajax was the #1 premium buzzword, we had a spate of ‘Ajax security issues’, which were mostly just known browser issues pumped up with a little extra JavaScript. Most web security issues affect Web 1.0 as much as Web 2.0.

I’m not sure that Comet will ever reach the stratospheric level of buzz that Ajax did, but I do have a clue where someone can find the headline "COMET SECURITY FLAW". Like many of the Ajax counterparts it’s not really anything new, but it is something to be aware of.

Short version:

Any site with an XSS flaw + user-editable pages + Comet = a web worm that can take on a Warhol Worm for speed.

Long Version + Comparison with Warhol Worm:

I created a clone of Twitter using DWR for my 2 talks at JavaOne. The first was on Comet with Alex Russell and the second on security with Jeremiah Grossman. In the first talk we showed how easy it is to add Comet features to an app, and in the second we hacked a (deliberately insecure) Twitter clone to pieces, ending with a web worm that worked its way around the site infecting user profile after user profile.

There is the potential for a web worm any time you have an XSS flaw on a site with user-editable pages such as a social network. Perhaps the most obvious example was created by Samy Kamkar, who managed to create some HTML that evaded MySpace’s anti-XSS filters. If you viewed Samy’s profile the XSS was executed, and the script copied itself to your profile and sent a friend request on your behalf to Samy. Then whenever someone looked at your profile they got infected, also befriended Samy, and so on. Samy is just out of his 3-year probation having pleaded guilty to a violation of penal code section 502(c)(8).

The worm managed to infect over a million profiles in well under 24 hours as people clicked around MySpace. The only option available to the MySpace admins was to shut the site down while they cleaned it out. More technical details on the attack are available.

The good news for MySpace was that they'd not taken the Comet step that Facebook just have with Facebook Chat. If Samy could have used chat as a vector for his XSS propagation then he could have infected far more than a million profiles in 24 hours. The propagation speed would be limited only by the latencies built into Facebook's chat system. With the Samy incident the propagation relied on you viewing the profile of an infected user. What if you only needed to be online and friends with an infected user?

A Warhol worm could, in theory, infect the entire Internet in 15 minutes (hence the name). The propagation time of a Warhol Worm is limited by the need to find new hosts to infect. Warhol worms can prime themselves with an initial hit-list of vulnerable hosts, but from then on they are limited by the search for hosts to infect.

The propagation rates of a social network worm are different. We remove the random element, replacing it with a node space based on our proximity to Kevin Bacon. The idea is that we are all connected, even to Kevin Bacon, through 6 friends.

Assuming the worm takes 1 second to propagate, clearly this means you can infect the majority of people in any social network in 6 seconds, and we can replace the initial hit-list by making sure we are friends with Robert Scoble.

The 6 second theory is flawed simply because any social network is going to fall over very quickly under that strain whether it's written in Erlang or not. This is of course not much comfort to the Facebook admins!

Just to make it clear - we’re not saying that Facebook has any holes. They don’t allow HTML as an input so their system has some built in resilience against XSS attacks. The point is that if there is a chance that your system is vulnerable to web worms, Comet could make matters much worse.

Numbers side-track: The time to infect people depends on the size of the total population and the average network size. The only data I could find on Facebook network size claims an average of 164 friends for a population of 70 million or so, whereas the 6 degrees assumption is based on 250 friends in the real world against a population approaching 7 billion. The 6 degrees Facebook application thinks the average number of nodes between 2 people is under 6. In some ways it’s rather academic, however - if a flaw of this type could crash Facebook in 5 or 50 seconds, either is fairly bad.

Moral: Before you add chat or other Comet features to a site, make very sure that you don't have any XSS holes.
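The moral above comes down to one rule on the client: anything a Comet channel pushes to you was typed by some other user and has to be treated as text, never as markup. The snippet below is an added example (not code from the original post or from DWR) contrasting the unsafe rendering that lets a chat message carry HTML into every online recipient's page with a rendering that escapes each untrusted field first. The function names, the message shape and the sample messages are all constructed for the illustration.

```javascript
// Added example: escape user-supplied chat text before it becomes HTML.
// escapeHtml, renderChatMessage and SAMPLE_MESSAGES are assumed names; the
// messages are constructed test data, not captured traffic.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace the five characters that can change meaning inside HTML text or
// an attribute value. Everything else passes through unchanged.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the pushed body is interpolated as markup. Whatever the sender
// typed lands in the DOM of every recipient who is online, which is exactly
// the propagation channel the post describes.
function renderChatMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Hardened: every field that originated with a user is escaped, so the
// template's own <div> and <b> are the only tags that can appear.
function renderChatMessage(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Constructed sample messages: a normal one and one that tries to carry a
// script tag (the classic textbook test string).
const SAMPLE_MESSAGES = [
  { from: 'alice', body: 'hello <b>world</b>' },
  { from: 'mallory', body: '<script>alert(1)</script>' },
];

// Quick check a reviewer can run: does the rendered HTML contain any tag
// other than the template's own <div> and <b>?
function hasForeignTag(html) {
  return /<(?!\/?(div|b)\b)[a-z]/i.test(html);
}

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const msg of SAMPLE_MESSAGES) {
    console.log('unsafe  :', renderChatMessageUnsafe(msg), hasForeignTag(renderChatMessageUnsafe(msg)));
    console.log('hardened:', renderChatMessage(msg), hasForeignTag(renderChatMessage(msg)));
  }
}
```

In a real browser client the simpler route is to build the message with `document.createElement` and assign `textContent`, which needs no escaping at all; the string-escaping form is shown because it is what most templating code of this era did, and because it makes the difference between the two renderings visible on one line. Escaping on the client is a second line of defence: the server should still reject or normalise the input, as the post notes Facebook did by disallowing HTML.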

One Response to “Comet and Cross-Site Scripting”

  1. Comet Daily » Blog Archive » On-board vs. Off-board Comet Says:

    [...] but if you want you can try it out yourself. BlabberOne is a Twitter clone which demonstrates (amongst other things) how easy it can be with on-board Comet to add asynchronous updates. The source code is available [...]

Copyright 2015 Comet Daily, LLC. All Rights Reserved