Date: Sun, 11 Jul 2010 23:45:44 +0100
From: Benji <me@...ji.com>
To: MustLive <mustlive@...security.com.ua>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Using of the sites for attacks on other sites

One day, I hope I can troll FD as well as you do.

Sent from my iPhone

On 11 Jul 2010, at 21:53, "MustLive" <mustlive@...security.com.ua> wrote:

> Hello Chris and Sebastien!
> 
>> I do not see your name anywhere in the top ten?
> 
> Chris, I'll answer your question, even though Sebastien has already answered
> it on the list. I see two senses in your question (one direct and one
> hidden) and will answer both of them.
> 
> Note that your question is off the topic of my letter, but the topic of the
> TOP 10 is also interesting, so I'll answer it briefly. Then I'll
> direct the discussion back to the original topic, which I started in my first
> letter (about my article).
> 
> About the direct sense of your question. My articles are mentioned in the total
> list of hacks (as I said in my first letter). And, as you understand, my
> name is not mentioned in the top ten because the judges selected other articles
> for the TOP 10.
> 
> Do I agree with the order in the TOP 10 - no I don't, but it's the judges'
> decision. And anyway all the research in the total list is interesting. Do I
> agree that Jeremiah did not put all my submissions into the prior (and then
> into the total) list of hacks (he selected only part of them) - no I don't,
> but it's his decision. I'm not worried about this - because I'm writing
> articles for people, not for some places in tops and not for some prizes.
> 
> About the hidden sense of your question. It looks like you are bragging about
> the fact that you are in the top ten, and I'm not. This bragging will not
> touch me, so no need to try ;-). I stated my position above concerning my
> articles and the resulting TOP 10.
> 
> Bragging is not serious. And you must take into account that such
> bragging about the fact that you got into the top ten is directed not only
> against me, but also against all other security researchers who participated
> last year but did not get into the top ten. So think about it.
> 
>> Actually some of his articles were listed (76 to 80) and he said it was
>> mentioned in the post, not the top 10.
> 
> Sebastien, yes, my articles, which were selected by Jeremiah, were published
> (in order of placing into the list) on the page with the prior list of hacks
> (from which the TOP 10 was selected) and on the page with the TOP 10 and the
> total list of hacks. But as I said before, Chris had put another sense into
> his question.
> 
> Off topic is not good, but bragging (which he demonstrated) is not serious.
> And taking into account that in my article I mentioned that there are such
> vulnerabilities at Google's sites which allow attacking other sites via
> Google's servers (and Chris is an employee of this company), it's twice
> as unserious from his side.
> 
> Let's get back to the original topic of my original letter, where I talked
> about my article Using of the sites for attacks on other sites.
> 
> I have been finding such Abuse of Functionality vulnerabilities since 2007
> and informing the admins of vulnerable sites about them. But almost all admins
> ignore this type of hole (like many other holes), because they don't
> care about security or because they don't see a big deal in their sites
> connecting to arbitrary sites. But there are admins of web sites who
> attend to such vulnerabilities - for example, last month the guys from W3C
> agreed with my warning and promised to fix these holes
> (http://lists.w3.org/Archives/Public/site-comments/2010Jun/0032.html). And I
> also informed Google about such issues at their sites (we'll see how they
> fix them).
> 
> Soon I'll write about my new research on this topic, which I did recently.
> For this research I created a tool for conducting DDoS attacks on
> sites via other sites, which I'll write about in the next letter.
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> 
> ----- Original Message ----- 
> From: "Chris Evans" <scarybeasts@...il.com>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Sent: Tuesday, June 29, 2010 11:41 PM
> Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites
> 
> 
> 2010/6/28 MustLive <mustlive@...security.com.ua>:
>> Hello participants of Full-Disclosure!
>> 
>> For the last two months I didn't post my articles to this list due to some
>> not serious moaning in April about some of my articles (you can always find
>> my articles at my site and in the WASC Mailing List). But at the end of June
>> I decided to remind you about my latest articles.
>> 
>> Recently I wrote a new article, Using of the sites for attacks on other sites
>> (http://websecurity.com.ua/4322/). This is a brief English version of it.
>> 
>> Last year in the article DoS attacks via Abuse of Functionality
>> vulnerabilities (it was mentioned at
>> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
> 
> I do not see your name anywhere in the top ten?
> 
> Cheers
> Chris
> 
>> I told about the possibility of conducting DoS attacks via Abuse of
>> Functionality vulnerabilities at other sites. In particular, I showed
>> examples of such vulnerabilities at the web sites regex.info and
>> www.slideshare.net. These attacks can be either unidirectional DoS or
>> bidirectional DoS, depending on the capacities of both servers.
>> 
>> And now I'll tell you about the possibility of conducting CSRF attacks on
>> other sites via Abuse of Functionality vulnerabilities. I began researching
>> such attacks back in 2007, when I found such a vulnerability at regex.info.
>> 
>> Using of Abuse of Functionality for attacks on other sites.
>> 
>> Sites that allow making requests to other web sites (to arbitrary web
>> pages) have an Abuse of Functionality vulnerability and can be used for
>> conducting CSRF attacks on other sites, including DoS attacks via Abuse
>> of Functionality, as mentioned above. CSRF attacks can be made only
>> against those pages which don't require authorization.
>> 
>> For these attacks it's possible to use both Abuse of Functionality
>> vulnerabilities (similar to those mentioned in this article) and Remote File
>> Include vulnerabilities (like in PHP applications) - that is Abuse of
>> Functionality via RFI.
>> 
>> This attack method can be of use when it's needed to conduct an invisible
>> CSRF attack on another site (to not show yourself), for conducting DoS and
>> DDoS attacks and for conducting other attacks, particularly for making
>> different actions which need to be made from different IPs. For example, at
>> online voting, for turning of hits of counters and hits of advertising at
>> the site, and also for turning of clicks (click fraud).
>> 
>> Abuse of Functionality:
>> 
>> The attack goes as a request from one site (http://site) to another
>> (http://another_site) by using the appropriate function of the site
>> (http://site/script).
>> 
>> http://site/script?url=http://another_site
>> 
>> Advantages of this attack method.
>> 
>> In this part of the article I wrote a list of advantages of this attack
>> method. And I mentioned another two important paragraphs:
>> 
>> Note that this DoS attack can be used for attacks on redirectors,
>> which I wrote about in my articles Redirector’s hell and Hellfire for
>> redirectors.
>> 
>> Also, when conducting DoS attacks it's possible to use several such servers
>> at once and so to conduct a DDoS attack. In such a case these servers will
>> appear as zombie-computers. I.e. the botnet will be made not from home
>> computers, but from web servers (which can have larger capacities and faster
>> connections). So these vulnerabilities can lead to the appearance of a new
>> class of botnets (with zombie-servers).
>> 
>> Examples of vulnerable web sites and web services.
>> 
>> In this part of the article I showed examples of different web sites and web
>> services which could be used for conducting attacks on other sites.
>> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
>> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
>> keepvid.com, web application Firebook, W3C validators and iGoogle.
>> 
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>> 
>> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
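
A defender's view of the `http://site/script?url=http://another_site` pattern quoted in the thread above, as an added example that is not part of the original messages or of any site's code: a check that a fetch-by-URL feature can apply before relaying a request, so that the service cannot be used to send repeated traffic to one destination. The class name `FetchGuard`, its parameters and the `.example` hosts are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class FetchGuard:
    """Decides whether a /script?url=... request may be relayed (hypothetical helper)."""

    def __init__(self, allowed_hosts=None, per_target_limit=5, window_s=60.0,
                 clock=time.monotonic):
        # allowed_hosts=None means "any host" (e.g. a validator or translator);
        # the per-destination budget below then becomes the main control.
        self.allowed_hosts = None if allowed_hosts is None else {h.lower() for h in allowed_hosts}
        self.per_target_limit = per_target_limit
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(deque)  # destination host -> recent request times

    def check(self, url):
        """Return (allowed, reason) for a user-supplied destination URL."""
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:
            return False, "unparseable URL"
        if parts.scheme not in ("http", "https") or not host:
            return False, "scheme or host not allowed"
        if self.allowed_hosts is not None and host not in self.allowed_hosts:
            return False, "destination not on allowlist"
        # Sliding window keyed by destination, not by client: many clients
        # asking for the same target still share one budget.
        now = self.clock()
        hits = self._hits[host]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        if len(hits) >= self.per_target_limit:
            return False, "per-destination rate limit"
        hits.append(now)
        return True, "ok"


if __name__ == "__main__":
    guard = FetchGuard(per_target_limit=2)
    # Constructed sample requests; the .example hosts are placeholders.
    for u in ["http://another_site.example/vote?id=1"] * 3 + ["ftp://another_site.example/"]:
        print(u, guard.check(u))
```

Keying the budget by destination host rather than by requesting client is what limits the relay case: the third-party site sees at most `per_target_limit` requests per window from this server, however many clients ask.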
