In association with heise online

07 January 2008, 15:36

Competition for shortest cross-site scripting worm

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

"If you know others and know yourself, you will not be imperilled in a hundred battles", wrote Chinese military strategist Sun Tzu way back in the third century B.C. Now, RSnake, a hacker well known among his peers, has announced a competition for the shortest cross-site scripting worm so that everyone can get to know one of main enemies of web 2.0. The winner will not, however, be receiving an award, unless fame counts. RSnake says the idea of such a competition came to him during a discussion about current XSS worms.

At the moment, many website operators and users fail to understand the risk that stems from cross-site scripting. It is hoped that such a public competition will raise awareness. At the same time, the "brainstorming" that will take place for the competition could also cause considerable damage if it ends up in the wrong hands. Recently, a JavaScript worm infected several hundred thousand profiles on the Orkut social networking website. Even before that, XSS worms such as Samy and YaManner had already drawn a lot of attention - the former for taking down MySpace in 2005, the latter for propagating itself through Yahoo!Mail.

The competition ends on Thursday, January 10. Results can already be posted as a commentary to the announcement. Indeed, some already have been. RSnake will also be accepting submissions via e-mail and publishing the code after the competition has ended.

The code has to fulfil certain requirements: for instance, it must not require any user interaction on the website and must work at least with Internet Explorer 7 and Firefox 2.x. It must run on Apache 1.3.x and 2.x web servers at least. There are also some restrictions. Furthermore, the code must not grow during dissemination nor be injected as a parameter. In addition, no data from cookies or GET parameters may be used. For a complete list of requirements, see Diminutive XSS Worm Replication Contest.

This event represents a significant technical challenge, and could lead to wider understanding of the XSS problem. It might even potentially advance the science of defence against XSS. However, open competitions of this nature may soon be a thing of the past. Germany recently passed a law that could be interpreted as prohibiting such public hacking, and, once it comes into force later this year, the comparable "supply" clause of the revised UK Computer Misuse Act might also be invoked to curb the unfettered public dissemination of security exploits that inevitably results.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit