Categories: Cyber Crime, Hacking

Persistent XSS in Top Website enables large-Scale DDoS attack

The security firm Incapsula discovered that a persistent XSS vulnerability on one of the world's most popular websites was being exploited to run a large-scale DDoS attack.

Recently, the cloud-based security service provider Incapsula detected an application-layer DDoS attack that hijacked a huge volume of legitimate browser traffic and directed it at a victim's website. The website of an Incapsula customer was flooded with over 20 million GET requests coming from the browsers of more than 22,000 machines. The attack was made possible by the exploitation of a persistent XSS vulnerability in one of the world's largest and most popular high-profile video content providers. According to Incapsula, the attackers used an Ajax-script-based DDoS tool that abuses the victim's browser to issue DDoS requests at a rate of one request per second.


“The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page.” reports the official post by Incapsula.

The attack scheme is very interesting. The attacker injected an ‘onload‘ handler into the <img> tag of the profile image. Once a legitimate user visited any page on the vulnerable website where that image was rendered (e.g., the comment section), the JavaScript carried by the attacker’s image was executed by the victim’s browser, which in turn injected a hidden iframe pointing at the address of the DDoSers’ C&C domain. To run the attack, the attackers only needed to post comments on popular video pages; the DDoS attack could be scaled up further if the posting of comments were automated by a large botnet, enlisting thousands of hijacked browsers.
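The root cause described above is a user-supplied profile-image URL that ends up inside an <img> tag without attribute escaping or URL validation. The following added example (not Incapsula's code and not code from the affected video site) shows the vulnerable rendering pattern next to a hardened one, plus a small check a defender can run over stored profile fields or rendered pages to catch inline event handlers. The placeholder asset path and the attacker-style input are constructed for the example.

```javascript
// Added example: vulnerable vs. hardened rendering of a user-controlled image URL.
// All inputs are constructed; the placeholder path is an assumed asset.

// Vulnerable rendering: the user-supplied URL is concatenated straight into the tag,
// so a value containing a double quote closes the src attribute and can add new ones
// (this is the <img> onload injection the article describes).
function renderProfileImageUnsafe(url) {
  return '<img class="avatar" src="' + url + '">';
}

// HTML attribute escaping: every character that could close or alter the attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened rendering: the URL must parse and use http(s); anything else gets a
// placeholder image. The value is escaped regardless, so an attribute breakout is
// impossible even if the validation step were ever bypassed.
const PLACEHOLDER = '/static/default-avatar.png'; // assumed asset path
function renderProfileImageSafe(url) {
  let safeUrl = PLACEHOLDER;
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      safeUrl = parsed.href; // normalised; quotes and spaces are percent-encoded
    }
  } catch (_) {
    // unparseable input falls through to the placeholder
  }
  return '<img class="avatar" src="' + escapeAttr(safeUrl) + '">';
}

// Detection helper: does the markup contain an inline event-handler attribute
// (on<event>=) as a separate attribute? Useful as a regression test on rendered
// pages or as a scan over stored profile fields.
function hasInlineEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker-style value: closes the src attribute and opens a new one.
// The handler body is left as a comment; the point is the attribute breakout.
const BREAKOUT = 'https://example.invalid/a.png" onload="/* injected */';

console.log(renderProfileImageUnsafe(BREAKOUT)); // handler survives as an attribute
console.log(renderProfileImageSafe(BREAKOUT));   // handler is inert inside the URL
```

Escaping alone would already neutralise the breakout; the scheme check additionally rejects `javascript:` and `data:` URLs, which a plain string escape would let through into the src value.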

“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.” the researchers explained.

The length of time a victim's browser takes part in the DDoS attack is directly linked to the duration of the video being watched, as explained in the official blog post: the JavaScript runs for the length of the session, but these can be 20 or even 30 minute videos, so the sessions are much longer than usual.


At the time of writing, Incapsula has not revealed the name of the vulnerable website; it is only known that it allows users to sign up and sign in with their own profiles.

In summary, to launch a large-scale DDoS attack the attackers strategically posted comments on popular video pages, effectively creating a self-sustaining botnet of tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch their favorite videos. Detection of the attack was possible thanks to Incapsula's behaviour-based security algorithms:

“By intercepting the malicious requests, we were also able to trace back the attack’s source. We did this by replacing the content of the target URL with a snippet of our own JavaScript, which reported the original referral source – leading us to the abused video website.” Incapsula revealed.
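The two properties Incapsula relied on, a steady one-request-per-second cadence from each hijacked browser and a common origin behind all of them, can be checked from ordinary web-server logs. The following added example (not Incapsula's code) profiles each client in a set of constructed access-log lines in the Apache combined format, flags clients whose request spacing is metronomic rather than human, and groups the flagged clients by Referer to surface the page driving them. It assumes the log timestamps are in UTC and that the hijacked browsers' requests carry a Referer header; Incapsula's post says they recovered the referral source with their own JavaScript instead, so treat the Referer grouping as a first-pass triage, not the only source of truth. The C&C hostname and all IP addresses are constructed.

```javascript
// Added example: behaviour-based triage of a browser-driven flood from access logs.
// Assumptions: Apache combined log format, UTC timestamps, Referer present.

const MONTHS = ['Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'];
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) \+0000\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

// Parse one combined-format line into { ip, epoch, method, path, status, referer }.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, hh, mm, ss, method, path, status, referer] = m;
  const epoch = Date.UTC(+y, MONTHS.indexOf(mon), +d, +hh, +mm, +ss) / 1000;
  return { ip, epoch, method, path, status: +status, referer };
}

// Build a constructed log: 40 hijacked browsers issuing one GET per second for
// 60 seconds behind the same Referer, plus 5 ordinary visitors browsing at
// irregular intervals.
const BASE = Date.UTC(2014, 3, 10, 12, 0, 0) / 1000; // constructed start time
function formatLine(ip, epoch, path, referer) {
  const t = new Date(epoch * 1000);
  const pad = (n) => String(n).padStart(2, '0');
  const ts = `${pad(t.getUTCDate())}/${MONTHS[t.getUTCMonth()]}/${t.getUTCFullYear()}:` +
             `${pad(t.getUTCHours())}:${pad(t.getUTCMinutes())}:${pad(t.getUTCSeconds())} +0000`;
  return `${ip} - - [${ts}] "GET ${path} HTTP/1.1" 200 1024 "${referer}" "Mozilla/5.0"`;
}
function constructedLog() {
  const lines = [];
  for (let i = 0; i < 40; i++) {
    for (let s = 0; s < 60; s++) {
      lines.push(formatLine(`203.0.113.${i + 1}`, BASE + s, `/?r=${s}`, 'http://cnc.example.invalid/'));
    }
  }
  const humanGaps = [0, 7, 19, 45, 130];
  for (let i = 0; i < 5; i++) {
    humanGaps.forEach((g, k) =>
      lines.push(formatLine(`198.51.100.${i + 1}`, BASE + g + i * 3, `/page/${k}`, 'https://search.example.com/')));
  }
  return lines;
}

// Group request times and Referer counts per client IP.
function profileClients(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, { times: [], referers: new Map() });
    const c = byIp.get(r.ip);
    c.times.push(r.epoch);
    c.referers.set(r.referer, (c.referers.get(r.referer) || 0) + 1);
  }
  return byIp;
}

// A client is "metronomic" when it sent at least minRequests requests and the gaps
// between consecutive requests have low relative jitter: a scripted timer loop
// looks like this, a person clicking through pages does not.
function isMetronomic(times, minRequests = 30, maxJitter = 0.25) {
  if (times.length < minRequests) return false;
  const t = [...times].sort((a, b) => a - b);
  const gaps = t.slice(1).map((v, i) => v - t[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean === 0) return false; // a burst, not a steady loop
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean <= maxJitter;
}

// Group metronomic clients by their dominant Referer; report referers that drive
// at least minClients such clients, which is the page (or hidden iframe) to go after.
function findAbusedReferers(lines, minClients = 10) {
  const suspects = new Map();
  for (const [ip, c] of profileClients(lines)) {
    if (!isMetronomic(c.times)) continue;
    const [topRef] = [...c.referers].sort((a, b) => b[1] - a[1])[0];
    if (!suspects.has(topRef)) suspects.set(topRef, new Set());
    suspects.get(topRef).add(ip);
  }
  return [...suspects]
    .filter(([, ips]) => ips.size >= minClients)
    .map(([referer, ips]) => ({ referer, clients: ips.size }));
}

console.log(findAbusedReferers(constructedLog()));
```

The thresholds (30 requests, 25% jitter, 10 clients) are starting points for the one-request-per-second pattern in the article; tune them against a baseline of normal traffic before alerting on them, since legitimate polling clients can also look metronomic and would need an allow-list.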

A final consideration on the attack: the experts believe the attackers are renting out their DDoS capability as a service, based on the following observations:

  1. the initial code targeted several unrelated sites
  2. within a span of 24 hours the targets were changed, some more than once
  3. the updated C&C code collected statistical data that looked as if it was meant for billing (duration, number of participants)

Pierluigi Paganini

(Security Affairs – DDoS attack, Persistent XSS vulnerability)
