lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 29 Jun 2010 21:12:53 -0400
From: Sébastien Duquette <ekse.0x@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Using of the sites for attacks on other sites

Actually some of his articles were listed (76 to 80) and he said it
was mentioned in the post, not the top 10.

On Tue, Jun 29, 2010 at 4:41 PM, Chris Evans <scarybeasts@...il.com> wrote:
> 2010/6/28 MustLive <mustlive@...security.com.ua>:
>> Hello participants of Full-Disclosure!
>>
>> For last two months I didn't post my articles to this list due to some not
>> serious moaning in April on some of my articles (you always can find my
>> articles at my site and in WASC Mailing List). But at the end of June I
>> decided to remind you about my last articles.
>>
>> Recently I wrote new article Using of the sites for attacks on other sites
>> (http://websecurity.com.ua/4322/). This is brief English version of it.
>>
>> Last year in article DoS attacks via Abuse of Functionality vulnerabilities
>> (it was mentioned at
>> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
>
> I do not see your name anywhere in the top ten?
>
> Cheers
> Chris
>
>> I told about possibility of conducting of DoS attacks via Abuse of
>> Functionality vulnerabilities at other sites. Particularly I showed examples
>> of such vulnerabilities at web sites regex.info and www.slideshare.net.
>> These attacks can be as unidirectional DoS, as bidirectional DoS, depending
>> on capacities of both servers.
>>
>> And now I'll tell you about possibility of conducting of CSRF attacks on
>> other sites via Abuse of Functionality vulnerabilities. Researching of such
>> attacks I begun already at 2007 when found such vulnerability at regex.info.
>>
>> Using of Abuse of Functionality for attacks on other sites.
>>
>> Sites, which allow to make requests to other web sites (to arbitrary web
>> pages), have Abuse of Functionality vulnerability and can be used for
>> conducting of CSRF attacks on other sites. Including DoS attacks via Abuse
>> of Functionality, as it was mentioned above. CSRF attacks can be made only
>> to those pages, which don't require authorization.
>>
>> For these attacks it's possible to use as Abuse of Functionality
>> vulnerabilities (similar to mentioned in this article), as Remote File
>> Include vulnerabilities (like in PHP applications) - it's Abuse of
>> Functionality via RFI.
>>
>> This attack method can be of use when it's needed to conduct invisible CSRF
>> attack on other site (to not show yourself), for conducting of DoS and DDoS
>> attacks and for conducting of other attacks, particularly for making
>> different actions which need to be made from different IP. For example, at
>> online voting, for turning of hits of counters and hits of advertising at
>> the site, and also for turning of clicks (click fraud).
>>
>> Abuse of Functionality:
>>
>> Attack is going at request of one site (http://site) to another
>> (http://another_site) at using of appropriate function of the site
>> (http://site/script).
>>
>> http://site/script?url=http://another_site
>>
>> Advantages of this attack method.
>>
>> In this part of the article I wrote a list of advantages of this attack
>> method. And I mentioned another two important paragraphs:
>>
>> Note, that this DoS attack is possible to use for attacks on redirectors,
>> which I wrote about in my articles Redirector’s hell and Hellfire for
>> redirectors.
>>
>> Also at conducting of DoS attacks it's possible to use several such servers
>> at once and so to conduct DDoS attack. In such case these servers will be
>> appearing as zombie-computers. I.e. botnet will be made from not home
>> computers, but from web servers (which can have larger capacities and faster
>> connections). So these vulnerabilities can lead to appearing of new class of
>> botnets (with zombie-servers).
>>
>> Examples of vulnerable web sites and web services.
>>
>> In this part of the article I showed examples of different web sites and web
>> services which could be used for conducting of attacks on other sites.
>> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
>> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
>> keepvid.com, web application Firebook, W3C validators and iGoogle.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists