I am submitting a paper for Blackhat USA and the OWASP Belgium and NYC conferences. These are exciting times. Blackhat is always cool, Belgium is far away, and I know Tom Brennan will put on a great show in NYC. The title of the paper, which I’m not glued to yet, is “Building And Mitigating Next-Gen XSS Worms: Techniques in Attacking and Defending in Web 2.0”. If that doesn’t work, I may rely on my safety paper: “Brokeback XSS: Why Jeremiah and Robert Can’t Quit Each Other, or XSS”. Anyway, here’s the abstract of the paper I’m proposing:

“There has been much analysis of the recent MySpace and Yahoo! cross-site scripting worms. While the web development world slowly comes to recognize self-propagating web attacks, attackers are in the wild, presumably improving on the work of their predecessors.

In this paper we will analyze the design choices made by past worm authors and hopefully illuminate how future attackers will improve on the current paradigm when building the next generation of cross-site scripting worms. Also, the paper will highlight some new defense mechanisms in both preventing current and next generation cross-site scripting worms, and include some original recommendations on how to respond to such attacks.”

Abstracts don’t really say a whole lot. Not to give it all away, but some of the topics will include:

  • dynamic XSS command-and-control channels
  • egress malware filtering rules
  • polymorphic payload code
  • content restrictions
  • distributed scanning

I plan on finishing the paper within the next 2 weeks and I also plan on getting it accepted. If it doesn’t I’ll have plenty of blogging material, but I think this is stuff a lot of the webappsec community will find very interesting.

Also, Sarah: I’m sorry you hate my blog. But there’s one thing you can’t deny.