[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Using of the sites for attacks on other sites

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites
From: Sébastien Duquette <ekse.0x@xxxxxxxxx>
Date: Tue, 29 Jun 2010 21:12:53 -0400

Actually some of his articles were listed (76 to 80) and he said it
was mentioned in the post, not the top 10.

On Tue, Jun 29, 2010 at 4:41 PM, Chris Evans <scarybeasts@xxxxxxxxx> wrote:
> 2010/6/28 MustLive <mustlive@xxxxxxxxxxxxxxxxxx>:
>> Hello participants of Full-Disclosure!
>>
>> For last two months I didn't post my articles to this list due to some not
>> serious moaning in April on some of my articles (you always can find my
>> articles at my site and in WASC Mailing List). But at the end of June I
>> decided to remind you about my last articles.
>>
>> Recently I wrote new article Using of the sites for attacks on other sites
>> (http://websecurity.com.ua/4322/). This is brief English version of it.
>>
>> Last year in article DoS attacks via Abuse of Functionality vulnerabilities
>> (it was mentioned at
>> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
>
> I do not see your name anywhere in the top ten?
>
> Cheers
> Chris
>
>> I told about possibility of conducting of DoS attacks via Abuse of
>> Functionality vulnerabilities at other sites. Particularly I showed examples
>> of such vulnerabilities at web sites regex.info and www.slideshare.net.
>> These attacks can be as unidirectional DoS, as bidirectional DoS, depending
>> on capacities of both servers.
>>
>> And now I'll tell you about possibility of conducting of CSRF attacks on
>> other sites via Abuse of Functionality vulnerabilities. Researching of such
>> attacks I begun already at 2007 when found such vulnerability at regex.info.
>>
>> Using of Abuse of Functionality for attacks on other sites.
>>
>> Sites, which allow to make requests to other web sites (to arbitrary web
>> pages), have Abuse of Functionality vulnerability and can be used for
>> conducting of CSRF attacks on other sites. Including DoS attacks via Abuse
>> of Functionality, as it was mentioned above. CSRF attacks can be made only
>> to those pages, which don't require authorization.
>>
>> For these attacks it's possible to use as Abuse of Functionality
>> vulnerabilities (similar to mentioned in this article), as Remote File
>> Include vulnerabilities (like in PHP applications) - it's Abuse of
>> Functionality via RFI.
>>
>> This attack method can be of use when it's needed to conduct invisible CSRF
>> attack on other site (to not show yourself), for conducting of DoS and DDoS
>> attacks and for conducting of other attacks, particularly for making
>> different actions which need to be made from different IP. For example, at
>> online voting, for turning of hits of counters and hits of advertising at
>> the site, and also for turning of clicks (click fraud).
>>
>> Abuse of Functionality:
>>
>> Attack is going at request of one site (http://site) to another
>> (http://another_site) at using of appropriate function of the site
>> (http://site/script).
>>
>> http://site/script?url=http://another_site
>>
>> Advantages of this attack method.
>>
>> In this part of the article I wrote a list of advantages of this attack
>> method. And I mentioned another two important paragraphs:
>>
>> Note, that this DoS attack is possible to use for attacks on redirectors,
>> which I wrote about in my articles Redirector’s hell and Hellfire for
>> redirectors.
>>
>> Also at conducting of DoS attacks it's possible to use several such servers
>> at once and so to conduct DDoS attack. In such case these servers will be
>> appearing as zombie-computers. I.e. botnet will be made from not home
>> computers, but from web servers (which can have larger capacities and faster
>> connections). So these vulnerabilities can lead to appearing of new class of
>> botnets (with zombie-servers).
>>
>> Examples of vulnerable web sites and web services.
>>
>> In this part of the article I showed examples of different web sites and web
>> services which could be used for conducting of attacks on other sites.
>> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
>> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
>> keepvid.com, web application Firebook, W3C validators and iGoogle.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Using of the sites for attacks on other sites
  - From: MustLive
- Re: [Full-disclosure] Using of the sites for attacks on other sites
  - From: Chris Evans

Prev by Date: [Full-disclosure] [USN-930-2] apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update
Next by Date: Re: [Full-disclosure] Using of the sites for attacks on other sites
Previous by thread: Re: [Full-disclosure] Using of the sites for attacks on other sites
Next by thread: Re: [Full-disclosure] Using of the sites for attacks on other sites
Index(es):
- Date
- Thread