Now we just need to be able to send data to other pages, so we can perform actions on behalf of the user.
2.2 AJAX Basics
But, there are separate implementations of it in different browsers. We need to be able to deal with this.
(Besides, web developers are always being nagged at to write compatible standards-compliant code. ;D)
After all this, we put it together and get a worm similar to this one. http://mihd.net/52hp8d
I suggest you use Notepad++ or another text editor with syntax highlighting to read it.
Since the worm requires user interaction, it may not spread as fast as a persistent one, but it is much easier to re-release it.
This is because, as mentioned, reflective XSS vulnerabilities are much more common to find. This allows for more frequent attacks.
The worm was not as 'featured' as it could have been. Kuza55 suggested I use a RCSR(Reverse Cross-Site Request) vulnerability to abuse the Firefox password manager which could have been implemented. It also did not do as many CSRF actions as it could have, such as changing the users name, e-mail or other account information.
The vulnerability mentioned in this paper was disclosed on the GaiaOnline forums quite awhile before this worm was even thought of.
Since it did not seem it would be fixed any time soon, it gave me ample time to 'play around'.
Although, this does not mean GaiaOnline is in any way particularly 'insecure'. It is, but it is also not alone.
70 to 80% of sites all have XSS flaws as suggested by DarkReading: http://www.darkreading.com/document.asp?doc_id=111482
Even sites that are labeled secure by third party security companies have flaws as seen in the following articles:
3.2 Special Thanks and Acknowledgements
Thanks to RSnake for hosting great resources like the sla.ckers forums (http://sla.ckers.org/forum) as well as the XSS Cheat Sheet. (http://ha.ckers.org/xss.html)
He also gave his opinion on the worm and helped me clean up my code. (Although I think after a few rewrites most of it was lost. Hehe.)
Thanks to Kuza55 (http://kuza55.blogspot.com/) for some important ideas about logging.
Thanks to Sid/WhiteAcid(http://www.whiteacid.org/ and http://blogs.securiteam.com/index.php/archives/author/whiteacid/) for making sure I used date() in my logging.