[Full-disclosure] Using of the sites for attacks on other sites
mustlive at websecurity.com.ua
Sun Jul 11 21:53:07 BST 2010
Hello Chris and Sebastien!
> I do not see your name anywhere in the top ten?
Chris, I'll answer at your question, even Sebastien already have answered at
it in the list. I see two senses in your question (one direct and one
hidden) and will answer on both of them.
Note, that your question is out of topic of my letter, but the topic with
TOP 10 is also interesting, so I'll answered on it briefly. And then I'll
direct the discussion to the original topic which I started in my first
letter (about my article).
About direct sense of your question. My articles are mentioned in the total
list of hacks (as I said in my first letter). And, as you understand, my
name is not mentioned in top ten because judges selected other articles for
the TOP 10.
Do I agree with order in the TOP 10 - no I don't, but it's judges decision.
And anyway all researches in the total list are interesting. Do I agree that
Jeremiah not put all my submissions to the prior (and then to the total)
list of hacks (he selected only part of them) - no I don't, but it's his
decision. I'm not worry about this - because I'm writing articles for
people, not for some places in tops and not for some prizes.
About hidden sense of your question. It looks like you are bragging about
the fact that you are in the top ten, and I'm not. This bragging will not
touch me, so no need to try ;-). I stated my position above concerning my
articles and the resulting TOP 10.
The brag it's not serious. And you must take into account, that such
bragging about the fact that you get to the top ten is directed not only
against me, but also against all other security researches who participated
last year, but not get to the top ten. So think about it.
> Actually some of his articles were listed (76 to 80) and he said it was
> mentioned in the post, not the top 10.
Sebastien, yes, my articles, which were selected by Jeremiah, were published
(in order of placing into the list) at page with prior list of hacks (from
which TOP 10 was selected) and at page with TOP 10 and the total list of
hacks. But as I said before, Chris had put other sense in his question.
Off topic is not good, but bragging (which he demonstrated) is not serious.
And taking into account that in my article I mentioned that there are such
vulnerabilities at Googles' sites which allow to attack other sites via
Google's servers (and Chris is an employee of this company), so it's twice
not serious from his side.
Let's back to original topic of my original letter. Where I talked about my
article Using of the sites for attacks on other sites.
I'm finding such Abuse of Functionality vulnerabilities already from 2007
and informing admins of vulnerable sites about them. But mostly all admins
are ignoring this type of holes (like many other holes), because they don't
care about security or because they don't see big deal in that their sites
connecting to arbitrary sites. But there are admins of web sites which
attend to such vulnerabilities - for example, last month guys from W3C
agreed with my warning and promised to fix these holes
(http://lists.w3.org/Archives/Public/site-comments/2010Jun/0032.html). And I
also informed Google about such issues at their sites (we'd see how they
Soon I'll write about my new researches on this topic which I made recently.
And for these researches I created a tool for conducting of DDoS attacks on
the sites via other sites, which I'd write about in the next letter.
Best wishes & regards,
Administrator of Websecurity web site
----- Original Message -----
From: "Chris Evans" <scarybeasts at gmail.com>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <full-disclosure at lists.grok.org.uk>
Sent: Tuesday, June 29, 2010 11:41 PM
Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites
2010/6/28 MustLive <mustlive at websecurity.com.ua>:
> Hello participants of Full-Disclosure!
> For last two months I didn't post my articles to this list due to some not
> serious moaning in April on some of my articles (you always can find my
> articles at my site and in WASC Mailing List). But at the end of June I
> decided to remind you about my last articles.
> Recently I wrote new article Using of the sites for attacks on other sites
> (http://websecurity.com.ua/4322/). This is brief English version of it.
> Last year in article DoS attacks via Abuse of Functionality
> (it was mentioned at
I do not see your name anywhere in the top ten?
> I told about possibility of conducting of DoS attacks via Abuse of
> Functionality vulnerabilities at other sites. Particularly I showed
> of such vulnerabilities at web sites regex.info and www.slideshare.net.
> These attacks can be as unidirectional DoS, as bidirectional DoS,
> on capacities of both servers.
> And now I'll tell you about possibility of conducting of CSRF attacks on
> other sites via Abuse of Functionality vulnerabilities. Researching of
> attacks I begun already at 2007 when found such vulnerability at
> Using of Abuse of Functionality for attacks on other sites.
> Sites, which allow to make requests to other web sites (to arbitrary web
> pages), have Abuse of Functionality vulnerability and can be used for
> conducting of CSRF attacks on other sites. Including DoS attacks via Abuse
> of Functionality, as it was mentioned above. CSRF attacks can be made only
> to those pages, which don't require authorization.
> For these attacks it's possible to use as Abuse of Functionality
> vulnerabilities (similar to mentioned in this article), as Remote File
> Include vulnerabilities (like in PHP applications) - it's Abuse of
> Functionality via RFI.
> This attack method can be of use when it's needed to conduct invisible
> attack on other site (to not show yourself), for conducting of DoS and
> attacks and for conducting of other attacks, particularly for making
> different actions which need to be made from different IP. For example, at
> online voting, for turning of hits of counters and hits of advertising at
> the site, and also for turning of clicks (click fraud).
> Abuse of Functionality:
> Attack is going at request of one site (http://site) to another
> (http://another_site) at using of appropriate function of the site
> Advantages of this attack method.
> In this part of the article I wrote a list of advantages of this attack
> method. And I mentioned another two important paragraphs:
> Note, that this DoS attack is possible to use for attacks on redirectors,
> which I wrote about in my articles Redirector’s hell and Hellfire for
> Also at conducting of DoS attacks it's possible to use several such
> at once and so to conduct DDoS attack. In such case these servers will be
> appearing as zombie-computers. I.e. botnet will be made from not home
> computers, but from web servers (which can have larger capacities and
> connections). So these vulnerabilities can lead to appearing of new class
> botnets (with zombie-servers).
> Examples of vulnerable web sites and web services.
> In this part of the article I showed examples of different web sites and
> services which could be used for conducting of attacks on other sites.
> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
> keepvid.com, web application Firebook, W3C validators and iGoogle.
> Best wishes & regards,
> Administrator of Websecurity web site
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.