XSS bug in popular Chinese site exploited to launch DDoS attack
Posted on 28 April 2014.
DDoS mitigation firm Incapsula has put a stop to speculation that the video content provider whose vulnerable website was misused to launch a DDoS attack was YouTube, revealing that it was actually Sohu.com, currently the 27th most visited website in the world.

Earlier this month, Ronen Arias, a security analyst at Incapsula, wrote a blog post about the attack in question, which the company was hired to mitigate. The (still unnamed) third-party target of the attack was being hit with "over 20 million GET requests originating from the browsers of over 22,000 Internet users."

The investigation revealed an unlikely source: a stored XSS vulnerability in one of the most popular websites in the world, which allowed the attacker to inject JavaScript code into the tag that rendered users' profile images.

The attacker then commented on many, many videos, and the malicious code travelled with each comment. Once the code was on a page, it executed in the browser of every subsequent visitor to that page, triggering a further code injection and loading an Ajax-scripted DDoS tool that took command of the browser and made it send repeated requests (one per second) to the target site.
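To make the injection point concrete, here is an added example of the vulnerability class the article describes (this is illustrative code written for this page, not Sohu.com's code and not anything Incapsula published). A comment template interpolates a user-controlled profile-image URL straight into an `<img>` tag; a crafted value closes the `src` attribute and appends an event handler, so the attacker's JavaScript runs in every visitor's browser. The field names, the template, and the `alert(...)` placeholder payload are assumptions; the placeholder stands in for the Ajax flood script the article mentions, which is not reproduced here.

```javascript
// Added example: stored XSS via an unescaped profile-image attribute, beside a
// hardened rendering. Field names and the payload are assumptions, not Sohu's code.

// Vulnerable: raw string interpolation into an HTML attribute context.
function renderCommentVulnerable(user, text) {
  return `<div class="comment">` +
    `<img class="avatar" src="${user.avatarUrl}" alt="${user.name}">` +
    `<p>${text}</p></div>`;
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only accept absolute http(s) URLs for the avatar; anything else (relative
// junk, "javascript:" schemes, unparsable strings) falls back to a default image.
// The WHATWG URL parser percent-encodes quotes and spaces, so even an accepted
// value cannot carry raw attribute delimiters.
function safeImageUrl(candidate) {
  try {
    const u = new URL(String(candidate)); // throws on relative/invalid input
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) {
    // unparsable: fall through to the default
  }
  return "/static/default-avatar.png";
}

// Hardened: validate the URL first, then escape every value for its context.
function renderCommentHardened(user, text) {
  return `<div class="comment">` +
    `<img class="avatar" src="${escapeHtml(safeImageUrl(user.avatarUrl))}"` +
    ` alt="${escapeHtml(user.name)}">` +
    `<p>${escapeHtml(text)}</p></div>`;
}

// Constructed attacker profile (assumption): the "URL" closes the src attribute
// and appends an onerror handler. alert() is a harmless placeholder for the
// Ajax request loop described in the article.
const attacker = {
  name: "funnycats",
  avatarUrl: 'x" onerror="alert(document.domain)',
};

// Reviewer check: does rendered markup contain an inline event-handler
// attribute that the template itself never emits?
function containsEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

const vulnerableMarkup = renderCommentVulnerable(attacker, "nice video");
const hardenedMarkup = renderCommentHardened(attacker, "nice video");
```

Running the vulnerable renderer on the constructed profile yields `<img ... src="x" onerror="alert(document.domain)" alt="funnycats">`, which fires the handler as soon as the broken image fails to load; the hardened renderer rejects the value at the URL check and emits the default avatar with no handler attribute. Escaping alone (without the scheme check) would also neutralise this payload, but the allowlist additionally blocks `javascript:` URLs, which escaping does not.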

"Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous," Arias explained.

"Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."

He also shared some details on how the company was able to block the attack and discover its source.

The site in question was notified of the vulnerability and eventually patched it, allowing Incapsula to finally squash the rumours swirling around the internet about its identity.
