XSS vulnerability enables unique DDoS attack

California-based website security company Incapsula said that a persistent cross-site scripting (XSS) vulnerability in a popular video-sharing site facilitated a DDoS attack against a different site.

The attack was repelled by Incapsula on Thursday. Ronen Atias, a security researcher at Incapsula, said the video site is extremely popular, ranking in the Alexa Top 50. However, he said that neither the name of the site nor that of the DDoS target can be disclosed right now.

Specific details of the vulnerability also could not be revealed, at least not until it is fixed, but Atias did explain how the attack worked. He said it began with the attacker using the persistent XSS vulnerability to inject a JavaScript payload into the <img> tag for a member’s profile picture on the video website.

Next, the attacker chose to post in the comments section of the most popular videos. This caused the injected image to be embedded in those pages, so whenever the videos were viewed, the JavaScript activated, GET requests were sent to the target site, and, ultimately, the DDoS was carried out with the unknowing aid of viewers.
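The root cause described above is a stored value (a member's profile-picture URL) landing unescaped inside an `<img>` attribute, so a quote in the value ends the `src` attribute and whatever follows becomes a new attribute. The following Python is an added illustration, not code from the video site or from Incapsula: it renders the tag the vulnerable way and the hardened way, then parses both results the way a browser would so the difference is visible in the attribute list. The URLs, the `attackerCode()` name and the fallback image path are all constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs (made up for this example): a normal avatar URL, and one
# that tries to terminate the src attribute and smuggle in an event handler.
CLEAN_URL = "https://cdn.example.invalid/pic.jpg"
TAMPERED_URL = 'https://cdn.example.invalid/pic.jpg" onload="attackerCode()'
DEFAULT_AVATAR = "/static/default-avatar.png"  # hypothetical fallback image


def render_avatar_unsafe(url: str) -> str:
    """Vulnerable rendering: the stored value is concatenated straight into
    the attribute, so a double quote in it breaks out of src."""
    return '<img src="' + url + '" alt="avatar">'


def render_avatar_safe(url: str) -> str:
    """Hardened rendering: accept only absolute http(s) URLs with a host
    (anything else gets the fallback image), then attribute-escape the value
    so quotes are emitted as &quot; and can no longer end the attribute."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        url = DEFAULT_AVATAR
    return '<img src="' + html.escape(url, quote=True) + '" alt="avatar">'


class _ImgAttrs(HTMLParser):
    """Collect the attributes of the first <img> tag, as a browser's parser would."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = dict(attrs)


def img_attributes(markup: str) -> dict:
    """Return the attribute name -> value mapping the parser sees for <img>."""
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    # The unsafe output gains an onload attribute; the safe output does not.
    print(img_attributes(render_avatar_unsafe(TAMPERED_URL)))
    print(img_attributes(render_avatar_safe(TAMPERED_URL)))
```

The parse step is the point of the demonstration: in the escaped output the text `onload=` still appears, but only as part of the (useless) `src` value, not as an attribute the browser would act on. Rejecting non-http(s) schemes is a separate control from escaping and is worth keeping even when a template engine escapes by default.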

In the end, Incapsula’s client was hit by more than 20 million GET requests stemming from more than 22,000 viewers, according to the post. In a Friday email correspondence, Igal Zeifman, product evangelist with Incapsula, explained to SCMagazine.com how the company picked up on the attack.
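The article does not say how Incapsula detected the flood, so what follows is an added detection sketch of my own, not Incapsula's method. A browser-driven flood of this kind has a distinctive shape on the target's side: a large number of distinct client IPs, each sending only a few requests, all carrying the same third-party `Referer` (the page the injected script runs on). The code buckets combined-format access-log lines into fixed time windows and flags any referring host that dominates a window while arriving from many distinct IPs. The log lines, hostnames and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed access-log sample in Apache/Nginx "combined" format (not real traffic):
# two ordinary requests at 09:58, then seven requests inside one minute, six of
# which come from distinct client IPs and share one third-party Referer.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Feb/2014:09:58:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://search.example.invalid/" "Mozilla/5.0"
198.51.100.8 - - [06/Feb/2014:09:58:40 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.1 - - [06/Feb/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
203.0.113.2 - - [06/Feb/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
203.0.113.3 - - [06/Feb/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
203.0.113.4 - - [06/Feb/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
203.0.113.5 - - [06/Feb/2014:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
203.0.113.6 - - [06/Feb/2014:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "https://videos.example.invalid/watch?id=42" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2014:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_concentration(lines, window_seconds=60, min_distinct_ips=5, min_share=0.8):
    """Bucket GET requests into fixed windows and, per window, flag any referring
    host that accounts for at least `min_share` of the window's requests while
    arriving from at least `min_distinct_ips` client IPs. Many low-rate sources
    sharing one Referer is the shape of a browser-driven flood; one noisy client
    would fail the distinct-IP test, and organic traffic rarely concentrates on
    a single external Referer."""
    windows = defaultdict(lambda: {"total": 0, "ips": defaultdict(set), "hits": defaultdict(int)})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "GET":
            continue
        bucket = int(rec["ts"].timestamp()) // window_seconds
        host = urlsplit(rec["referer"]).netloc or "(direct)"
        w = windows[bucket]
        w["total"] += 1
        w["ips"][host].add(rec["ip"])
        w["hits"][host] += 1

    flagged = []
    for bucket in sorted(windows):
        w = windows[bucket]
        for host, ips in w["ips"].items():
            share = w["hits"][host] / w["total"]
            if len(ips) >= min_distinct_ips and share >= min_share:
                flagged.append({
                    "window_start": datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc),
                    "referer_host": host,
                    "distinct_ips": len(ips),
                    "requests": w["hits"][host],
                    "share": share,
                })
    return flagged


if __name__ == "__main__":
    for hit in referer_concentration(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample, the 09:58 window has no dominant referrer and is quiet; the 10:00 window is flagged for `videos.example.invalid` with six distinct IPs supplying six of seven requests. In production the thresholds would be far higher and the `Referer` can be absent or spoofed, so this is a triage signal to pair with rate data, not a blocking rule on its own; the useful outcome of the signal is the embedding site's identity, which is what lets the victim get the injected content removed at its source.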

Incapsula says this is a really big deal because the DDoS attack was carried out through such a prominent site.

View full post on Who Got Hacked – Latest Hacking News and Security Updates