[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6905b1570705170048l7f268fefy58854fa666f9a186@mail.gmail.com>
Date: Thu, 17 May 2007 08:48:25 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, "WASC Forum" <websecurity@...appsec.org>,
"webappsec @OWASP" <webappsec@...ts.owasp.org>
Subject: OWASP / Advanced Web Hacking / Service API
Manipulation / Next Generation of Web Attacks
The OWASP talk went OK. For those who are interested in the slides and
want to know what the talk was all about, check the following URLs:
http://www.gnucitizen.org/projects/6th-owasp-conference
http://www.gnucitizen.org/
There are two Proof of Concept examples that I used for the
presentation. The first POC, the JavaScript Spider, is a simple tool
that uses Yahoo Pipes together with W3C Tidy to spider web pages. As
you can see, no server side support is required from your side.
Everything is handled by publicly available services. This is the most
stable spider I've ever wrote and it is not based on the "Same Origin
Policy Unification Technique" I talked about last year which is also
the key component of JIKTO. Unfortunately, JIKTO can be written in a
lot less lines of code (20) and the Spider is a non-malicious example
that proves it.
The second POC, the TinyFS, is a simple tool for storing and
retrieving information into/from TinyURL on-line service. Each slot is
restricted to 3.9k, however this is more then enough if attackers want
to store malware code and retrieve it when it is required.
In a similar way, other types of tools can be constructed as well. It
is easy to write port scanner, remote storage services, communication
channels, distribution channels, attack libraries and databases, etc.
I covered most of this on OWASP. It is also worth mentioning that
although attackers can abuse these services to penetrate websites and
easy the distribution of Web malware, whitehats can construct highly
distributed testing infrastructures to tackle web security problems
quicker. There are several tools that are currently build which will
show in a greater extend the purpose of these type of systems.
I am planning to put more information on the subject very soon. Today
it is important to realise that the WEB is going out of limits. XSS
and CSRF are still two of the most dangerous attack vectors available
today but there is a lot more going on. This presentation was designed
to show the dangers of the web in general. By combining different
services attackers can achieve results that go beyond our wildest
dreams.
I hope that you enjoyed the slides and the presentation.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists