Ad-Jacking Affiliate Anchor Tags
This article is part of my concept Ad-Jacking: XSSing for Fun and Profit.
Attacks of the future may utilise Web 2.0 and XSS to propagate worms for profit. The most obvious way to do this is via Ad-Jacking, a term I coined for a category of attacks that utilise a combination of XSS, JSON services and click-fraud. As I mentioned before, Ad-Jacking is like click-fraud on steroids.
Today I will discuss a potential Ad-Jacking scenario as well as a proof of concept JavaScript payload.
You will see many affiliate systems using HTML anchor wrapped around an IMG. For example:
<a href="http://www.the-affiliate/?afl=97781"> <img src="http://www.the-affiliate/images/banner7.gif" alt="" border="0"></a>
As part of our XSS SuperWorm, for our proof of concept the attacker has set up his/her own affiliate account and has been given the affiliate number 12345. Our attacker's CPA link would look like this:
http://www.the-affiliate/?afl=12345
Now for our little XSS JavaScript payload, which will change the page's affiliate ID ('97781') to the attacker's ('12345'). This means that if a visiting user follows the link and purchases something, the attacker receives the credit rather than the original site.
The code is simple: we grab every link from the DOM and check it against our affiliate URL. Once we find a match, we simply replace it with the attacker's link:
var x = document.getElementsByTagName('a');
// Walk every anchor in the page (the original loop stopped one element short).
for (var i = 0; i < x.length; i++) {
    // Match our affiliate URL (slashes must be escaped inside a regex literal).
    if (x[i].href.match(/http:\/\/www\.the-affiliate\/\?afl/)) {
        x[i].href = 'http://www.the-affiliate/?afl=12345';
    }
}
An attacker is most likely to Ad-Jack your existing Ad network. The reason is that the webmaster has most likely already optimised the website so that the Ad displays in the best possible place for increased sales; more importantly, the webmaster is less likely to get suspicious of the attack if an existing Ad network is Ad-Jacked.
XSS can be used for a lot more than a simple alert box and should be treated with the fear it deserves.
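Since the webmaster is the one least likely to notice the swap, the following added example (not code from the original post) is a defender-side integrity check: it parses each affiliate anchor and flags any whose ID no longer matches the site's own. The affiliate host, the afl parameter name and the expected ID 97781 are taken from the post; the function names and the sample hrefs are constructed for the example.

```javascript
// Added example: flag affiliate links whose ID has been swapped (ad-jacked).
// Host, parameter name and expected ID follow the post; all else is assumed.
const AFFILIATE_HOST = "www.the-affiliate";   // assumed affiliate domain from the post
const AFFILIATE_PARAM = "afl";                 // assumed query parameter carrying the ID
const EXPECTED_ID = "97781";                   // the site owner's own affiliate ID

// Classify one href as "ok", "tampered", "malformed" or "other" (not an affiliate link).
function classifyHref(href, expectedId = EXPECTED_ID) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return "malformed";   // unparseable href, worth a look on its own
  }
  if (url.hostname !== AFFILIATE_HOST || !url.searchParams.has(AFFILIATE_PARAM)) {
    return "other";
  }
  return url.searchParams.get(AFFILIATE_PARAM) === expectedId ? "ok" : "tampered";
}

// Run over a list of hrefs and return the entries that need attention.
function findTamperedLinks(hrefs, expectedId = EXPECTED_ID) {
  return hrefs
    .map((href, index) => ({ index, href, status: classifyHref(href, expectedId) }))
    .filter((r) => r.status === "tampered" || r.status === "malformed");
}

// Constructed sample data standing in for the hrefs of a page's anchors.
const sampleHrefs = [
  "http://www.the-affiliate/?afl=97781",          // the legitimate affiliate link
  "http://www.the-affiliate/?afl=12345",          // ID swapped to the attacker's
  "http://www.the-affiliate/?afl=97781&sub=top",  // still ours, extra tracking param
  "https://example.invalid/about",                // unrelated link, ignored
];

// In a browser, collect the live hrefs; in Node there is no DOM, so use the sample.
function collectHrefs() {
  if (typeof document === "undefined") return sampleHrefs;
  return Array.from(document.getElementsByTagName("a"), (a) => a.href);
}

console.log(findTamperedLinks(collectHrefs()));
```

Run periodically from a trusted monitoring page (or against a server-side crawl of your own site); a non-empty result means an affiliate anchor no longer carries your ID.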