Recently we were contacted by Rosario Valotta who shared
his latest research paper and a proof of concept of what he defines to be a cross webmail worm (XWW). Rosario implemented the worm in order to demonstrate its significant negative impact that could have on unaware users of famous webmail providers which are vulnerable to XSS. He named the worm "Nduja connection".
Apparently, Nduja "is a soft, spicy hot, spreadable salami considered one of the most famous, if not the most famous, of typical calabrian foods."
In case you are interested, this is how to make penne rigate with nduja
, the provided code pieces, and the PoC video demonstration
, can confidently say that I trust his claim that "Njuda connection" is currently working perfectly. The video
According to Rosario, his aim "is only to show the possible critical consequences deriving from not caring about XSS vulns, mainly in services with a critical customer base like webmails are."
Certainly his aim sounds very familiar to me! So as far as it concerns XSS, I strongly believe that the community of web application security researchers is mostly striving towards the same aim - especially the last few years. Poor XSS! You are so underestimated - yet a major threat if fallen in the wrong but experienced hands.
We almost mirror
on a daily basis XSSed online services with a critical customer base. Stakeholders are crucial for the successful operation of these services. Protecting their privacy should be our goal, because some people forget, some people are lazy, some other are not vigilant enough about protecting their sensitive personal information. Whatever reason is causing an online service to be insecure, is enough for malicious people to exploit it.
Therefore a recommended solution is to use a secure browser. Bear in mind that no browser is secure by default installation. You must configure them for security. The functionality of a website is largely dependent upon the software used and its configuration (be it a browser, a browser plugin, or a firewall).