New XSS Attack Builds An Anonymous Network
Kelly Jackson Higgins writes on Dark Reading:
A pair of researchers has combined cross-site scripting (XSS) and anonymization techniques to build a framework that lets an attacker gather Web content incognito.
"Our goal was to retrieve Web content anonymously," says Matthew Flick, principal with FYRM Associates, who, along with fellow researcher Jeff Yestrumskas, demonstrated the XSS Anonymous Browser (XAB) framework at Black Hat DC yesterday. "We [said], 'Why don't we volunteer people for our network?'...Cross-site scripting can make people do things we want."
The framework uses the victim as a cover for an attack. "It's basically an agentless botnet...there's no trace of our code on their system," says Flick, who adds such an attack would likely have legal ramifications. "It's a decent way of hiding your tracks."
The researchers demonstrated their proof of concept [.pdf], but did not release any code. They acknowledged that XSS and anonymization make an unlikely couple. "Putting anonymity and cross-site scripting together is unusual," Flick said during the pair's demo.
In a nutshell, the attack turns an unsuspecting user's browser into an anonymous browsing tool for the attacker, who then can silently abuse the browser to access Web content he doesn't want traced to him, such as porn or a site for espionage or theft purposes.