Home
Latest images
Search
Register
Log inUsing sites to attack other sites
Page 1 of 1
Using sites to attack other sites
andry Wed Aug 11, 2010 11:14 pm
We tell you about the possibility of CSRF attacks on other sites through the Abuse of Functionality vulnerability. Investigation of these attacks I started back in 2007 when
discovered similar vulnerabilities in regex.info.
Using Abuse of Functionality for attacks on other sites.
Sites that allow you to make requests to other web sites (to arbitrary web pages) Abuse of Functionality with vulnerability and can be used for CSRF attacks on other sites.
Including DoS attacks through Abuse of Functionality, as noted above. CSRF attacks can be done only on those pages that require authentication.
For these attacks can be used as Abuse of Functionality vulnerability (similar to those described in this article) and Remote File Include Vulnerability (as in PHP applications) -
Abuse of Functionality is through RFI.
This method of attack may be required when necessary to a hidden CSRF attack on another site (not to light up) for the DoS and DDoS attacks and for other attacks, in particular
to carry out various actions that have to do with different IP. For example, when online voting for twisting the meter hits and impressions on the site, as well as nakruchennya clicks
(click fraud).
Abuse of Functionality:
Attack is directed at one site (http://site) to another (http://another_site) used according to the function site (http://site/script).
http://site/script?url=http://another_site
The advantages of this method attacks.
In this method, which uses external sites for attacks on other sites, the following advantages (as compared to using your own computer):
Using the resources of other servers.
Hide referrer (compared to CSRF attacks by site visitors).
Hide your own IP, but hide the source of that attack, can also be used to bypass restrictions on IP.
Conduct DoS attacks on other sites, using servers of external sites.
Conducting DDoS attacks on other sites, using servers of external sites.
Note that this DoS attack can be used for attacks on the redirectors, which I wrote in my articles redirectors hell and hell fire for redirectors.
Also during the DoS attacks can be used several such servers, and thus hold a DDoS attack. In this case, data servers will act as the computer-zombies. That bot network will be
made not from home computers and the web servers (which may have greater capacity and faster communication channels). Therefore, data vulnerability may result in a new class of
bot networks (from a zombie).
Examples of vulnerable Web sites and Web services.
To conduct CSRF attacks on other sites can use different services:
1. Online services regex.info and www.slideshare.net.
2. Anonymizer such as anonymouse.org.
3. Online translator on www.google.com, translate.google.com, and babelfish.altavista.com babelfish.yahoo.com.
4. Services for vykachky video from video-hosting sites such as keepvid.com.
5. Web application Firebook on all sites that use it (but you must have access to the admin area or conduct CSRF attack on the admin site).
6. W3C validators - only 11 vulnerable validator (12 scripts).
7. Functional iGoogle:
http://www.google.com/ig/add?feedurl=http://google.com
discovered similar vulnerabilities in regex.info.
Using Abuse of Functionality for attacks on other sites.
Sites that allow you to make requests to other web sites (to arbitrary web pages) Abuse of Functionality with vulnerability and can be used for CSRF attacks on other sites.
Including DoS attacks through Abuse of Functionality, as noted above. CSRF attacks can be done only on those pages that require authentication.
For these attacks can be used as Abuse of Functionality vulnerability (similar to those described in this article) and Remote File Include Vulnerability (as in PHP applications) -
Abuse of Functionality is through RFI.
This method of attack may be required when necessary to a hidden CSRF attack on another site (not to light up) for the DoS and DDoS attacks and for other attacks, in particular
to carry out various actions that have to do with different IP. For example, when online voting for twisting the meter hits and impressions on the site, as well as nakruchennya clicks
(click fraud).
Abuse of Functionality:
Attack is directed at one site (http://site) to another (http://another_site) used according to the function site (http://site/script).
http://site/script?url=http://another_site
The advantages of this method attacks.
In this method, which uses external sites for attacks on other sites, the following advantages (as compared to using your own computer):
Using the resources of other servers.
Hide referrer (compared to CSRF attacks by site visitors).
Hide your own IP, but hide the source of that attack, can also be used to bypass restrictions on IP.
Conduct DoS attacks on other sites, using servers of external sites.
Conducting DDoS attacks on other sites, using servers of external sites.
Note that this DoS attack can be used for attacks on the redirectors, which I wrote in my articles redirectors hell and hell fire for redirectors.
Also during the DoS attacks can be used several such servers, and thus hold a DDoS attack. In this case, data servers will act as the computer-zombies. That bot network will be
made not from home computers and the web servers (which may have greater capacity and faster communication channels). Therefore, data vulnerability may result in a new class of
bot networks (from a zombie).
Examples of vulnerable Web sites and Web services.
To conduct CSRF attacks on other sites can use different services:
1. Online services regex.info and www.slideshare.net.
2. Anonymizer such as anonymouse.org.
3. Online translator on www.google.com, translate.google.com, and babelfish.altavista.com babelfish.yahoo.com.
4. Services for vykachky video from video-hosting sites such as keepvid.com.
5. Web application Firebook on all sites that use it (but you must have access to the admin area or conduct CSRF attack on the admin site).
6. W3C validators - only 11 vulnerable validator (12 scripts).
7. Functional iGoogle:
http://www.google.com/ig/add?feedurl=http://google.com
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» PDF Attack
» Anatomy of an XSS Attack
» Durzosploit XSS attack
» MD5-string attack on web applications
» Fault-Based Attack of RSA Authentication
» Anatomy of an XSS Attack
» Durzosploit XSS attack
» MD5-string attack on web applications
» Fault-Based Attack of RSA Authentication
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|