Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Preventing the Osama Facebook worm [closed]

There is a javascript worm spreading on facebook. The worm tricks users into executing javascript by copying and pasting the payload into the address bar. This is not xss, this is social engineering. If you read the worm's source code you'll see that its riding on the session and forging requests like the Sammy worm. What are some way that a web application can prevent this type of attack?

like image 301
rook Avatar asked May 04 '11 16:05

rook


2 Answers

If we're talking about a malicious user script manipulating the DOM (like this one seems to be doing):

You could ensure all the native JS code is hidden away from the global scope (through closures) and then hijack the document property of window. There can be ways a worm can circumvent this, but it will surely make things harder.

This is not something I've actually attempted and have proven to work, but the basic idea is:

(function () {
    // Initialize page

    // When we're done, make document inaccessible
    window.document = null;
})();

The pretense is, all native code that's executed during page initialization (including jQuery code etc.) should be bound to the actual document object through closure. It should not be possible for "javascript:" code in the address bar to access the actual document by executing in the global scope.

Again, I might be missing something blatantly flawed with this idea, and I'm ready to embrace all the downvotes. Maybe there are additional steps that need to be taken to completely hide away document.

like image 65
Ates Goral Avatar answered Sep 27 '22 15:09

Ates Goral


Education is the best and only way.

like image 41
Lightness Races in Orbit Avatar answered Sep 27 '22 16:09

Lightness Races in Orbit