XSS vulnerability in popular video site enables unique DDoS attack


A persistent cross-site scripting (XSS) vulnerability in a popular site that hosts video content enabled an attacker to carry out a distributed denial-of-service (DDoS) attack against a different site, according to California-based website security company Incapsula, which helped mitigate the Thursday attack.
The video content website is one of the largest and most popular and sits in the Alexa top 50, according to a Thursday post by Ronen Atias, a security researcher with Incapsula, who explained that the name of the popular video site and the name of the DDoS target could not be revealed.
Specific details of the vulnerability also could not be revealed, at least not until it is fixed, but Atias did explain how the attack worked. He said it began with the attacker using the persistent XSS vulnerability to inject a JavaScript payload into the tag for a member's profile picture on the video website.
Next, the attacker chose to post in the comments section of the most popular videos. This caused the injected image to be hosted on those pages, so whenever the videos were viewed, the JavaScript activated, GET requests were sent to target sites, and, ultimately, the DDoS was carried out with the unknowing aid of viewers.
In the end, Incapsula's client was hit by more than 20 million GET requests stemming from more than 22,000 viewers, according to the post. In a Friday email correspondence, Igal Zeifman, product evangelist with Incapsula, explained to SCMagazine.com how the company picked up on the attack.
“We used Incapsula's technology to identify the malicious requests, intercept them and re-route them to another location which held a custom made script, [which] traced the request back to the DDoS tool and to the abused site,” Zeifman said.
Zeifman said he does not think a DDoS like this has ever been carried out before – at least not through such a prominent website – and added that what he witnessed taking place appeared to be more of a test run, to see if this type of attack can be effective.
“The website in question needs to directly address this vulnerability; it is a weak spot unique to their website,” Zeifman said. “The tricky part is knowing that such a weak spot even exists.”