Ten years after the Samy worm its discoverer's voice is lost in the din
Wade Alcorn recalls how XSS attacks went from concept to MySpace-muncher in days
It has been 10 years since Sydney security bod Wade Alcorn disclosed how cross-site scripting vulnerabilities could be weaponised, a revelation that would one week later see the proof of concept become the fastest-spreading worm ever.
There is no direct link between Alcorn's disclosure and Samy Kamkar's eponymously named worm, which within 20 hours plastered more than a million MySpace profiles with the words "but most of all, samy is my hero".
"I was looking more into the consequences of cross-site scripting and no-one at the time had looked into if it could be used as a self-replicating virus," Wade says.
"I had set up a vulnerable PHP app to test it ... it took a couple of weeks all up to put it together."
Alcorn was, like much of the wider public, surprised at the speed of the Samy worm's spread. Perhaps no-one was more surprised than MySpace, which took down its network after the malware outbreak.
Alcorn's disclosure hit home with some small circles of the security world in the intervening week before Samy was unleashed, but news of his approach was confined mainly to niche security mailing lists.
Admins were busy; the disclosure did not trigger the mass run of input validation across the web that it should in a world where security is king.
"It was a very different time then," Alcorn says. "People didn't really understand the gravity of it."
After the worm, MySpace was left smarting and Kamkar was hit with a felony charge and banned from using a computer outside of work for three years.
While the infant social media landscape was temporarily interrupted, the benign nature of the worm meant MySpace was largely considered to have dodged a bullet.
"There would have been an opportunity to do it a lot worse," Alcorn says. "Someone could have used the attack for a large distributed denial of service, or steal the details of MySpace users, and been a lot more covert about it."
Mass cross-site scripting attacks still take place today and the attack vector remains one of the most prominent indictments of the poor state of information security.
Alcorn, now better known for creating the Browser Exploitation Framework (BeEF) popular with security penetration testers, notes that the attack vector may be dropping off across the bigger and more security-sensitive web properties but says it is "telling" that it remains in the OWASP Top 10 most pressing web app security lists, cemented in third spot.
"Defence comes back to proper output encoding, and input validation." ®