DDOS Attack Enabled by Persistent XSS Vulnerability on Top Video Content Provider’s Site

Attack diagram

Incapsula mitigated an application layer distributed denial-of-service (DDOS) attack against one of its customers earlier this week. The attack is interesting because the cybercriminals have leveraged a vulnerability in a popular website to carry out the operation.

Traffic hijacking techniques have been used to flood the targeted server with over 20 million GET requests from 22,000 web browsers.

Incapsula hasn’t named the website abused for the attack, but it has revealed that it’s popular video content provider from the top 50 websites on Alexa.

It’s important to note that the site allows users to sign in with their own profiles. The attackers exploited a persistent cross-site scripting (XSS) vulnerability that enabled them to inject JavaScript code into the <img> tag associated with the image of the user profile.

This meant that malicious code could be embedded each time the image was utilized. Whenever someone visited pages containing the image, the malicious code was executed.

“As a result, each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer’s C&C domain,” Incapsula’s Ronen Atias explained in a blog post.

“There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.”

One request per second might not seem enough for a big DDOS attack, but considering that it’s a popular video site that gets thousands of views every minute, the cyberattack can be disruptive.

In order to increase the efficiency of the attack, the attackers planted the maliciously crafted images, via comments, to popular videos. While the site’s visitors were viewing the videos – some of which 30 minutes in length – they were unknowingly helping the cybercrooks disrupt the targeted website.

Incapsula’s systems quickly blocked the attack, and the company intercepted the malicious requests in an effort to track down the source. That’s how they’ve identified the video site.

The website’s support team has been notified of the existence of the persistent XSS vulnerability.

Based on their analysis, Incapsula researchers determined that the attack they mitigated had been just a test run. Shortly after the attack, the cybercriminals updated their C&C domain to make their operation more robust.

Since the new version of the code includes mechanisms for tracking an attack, possibly for billing purposes, it’s possible that a botnet-for-hire service is being rolled out.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s