Did Digg Just Dodge a Mikeyy Worm?

By Pete Cashmore
XSS: Steps Involved

18-year-old Guillermo Rauch explains how he was able to create the worm simply by entering some script in the “About me” textarea of a Digg profile:

1. Check the user is logged in, by checking for the absence of a login link.

2. Propagate the script by retrieving the profile edit details form and ajaxly submitting it.

3. We disable the Digg Bar by posting to http://digg.com/settings/viewing. This time we don’t really need to retrieve the whole form, because we already have the magic token that prevents CSRF attacks.

4. We shout to friends to check out our profile. When a friend is infected, the script tag also holds the information of the scripter, so that the victim doesn’t shout back, which could raise suspicions that something fishy is going on.

5. We also store the created shout IDs in a cookie, to hide them from the user view as soon as the script loads and avoid users seeing weird shouts they didn’t voluntarily send.

Additionally, I set up a callback page and a very basic form of cross-domain requests (using images) to inform me of the success of the different stages of the worm (infection, bar disabling, propagation) for each user.
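A server-side countermeasure for the stored-XSS vector described in the steps above, as an added example that is not part of the original article or of Digg's code: an allowlist sanitizer for the "About me" field, so a script tag or event-handler attribute never reaches the rendered profile, plus a scan that flags stored bios carrying active content so affected accounts can be cleaned up. The tag allowlist, the detection pattern and the sample profiles are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical hardening for a profile "About me" field (example code, not Digg's).
# Keep a tiny allowlist of formatting tags, drop every other tag and ALL
# attributes (so on* handlers cannot survive), and HTML-escape all text.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
DROP_CONTENT = {"script", "style"}  # text inside these is discarded, not escaped

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = True
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are intentionally discarded

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=True))

def sanitize_about_me(raw: str) -> str:
    """Return markup that is safe to embed in a profile page."""
    p = _Sanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)

# Detection side: flag stored profiles whose raw bio carries active content,
# e.g. to find accounts a worm has already written into.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

def find_infected(profiles: dict) -> list:
    """profiles maps username -> stored raw 'About me' text; returns suspects."""
    return sorted(u for u, bio in profiles.items() if ACTIVE_CONTENT.search(bio))

# Constructed sample data: one ordinary profile and one carrying a script tag.
SAMPLE_PROFILES = {
    "alice": "I like <b>Python</b> & coffee",
    "mallory": 'hi <script src="http://worm.example/w.js"></script>',
}
```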

Fast Response From Digg, Digg Code Fixed
