full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] OWASP / Advanced Web Hacki

[Full-disclosure] OWASP / Advanced Web Hacking / Service API Manipulation / Next Generation of Web Attacks

From: pdp (architect) <pdp.gnucitizen_at_nospam>
Date: Thu May 17 2007 - 07:48:25 GMT
To: full-disclosure@lists.grok.org.uk, "WASC Forum" <websecurity@webappsec.org>, "webappsec @OWASP" <webappsec@lists.owasp.org>


The OWASP talk went OK. For those who are interested in the slides and want to know what the talk was all about, check the following URLs:

http://www.gnucitizen.org/projects/6th-owasp-conference http://www.gnucitizen.org/

There are two Proof of Concept examples that I used for the presentation. The first POC, the JavaScript Spider, is a simple tool that uses Yahoo Pipes together with W3C Tidy to spider web pages. As you can see, no server side support is required from your side. Everything is handled by publicly available services. This is the most stable spider I've ever wrote and it is not based on the "Same Origin Policy Unification Technique" I talked about last year which is also the key component of JIKTO. Unfortunately, JIKTO can be written in a lot less lines of code (20) and the Spider is a non-malicious example that proves it.

The second POC, the TinyFS, is a simple tool for storing and retrieving information into/from TinyURL on-line service. Each slot is restricted to 3.9k, however this is more then enough if attackers want to store malware code and retrieve it when it is required.

In a similar way, other types of tools can be constructed as well. It is easy to write port scanner, remote storage services, communication channels, distribution channels, attack libraries and databases, etc. I covered most of this on OWASP. It is also worth mentioning that although attackers can abuse these services to penetrate websites and easy the distribution of Web malware, whitehats can construct highly distributed testing infrastructures to tackle web security problems quicker. There are several tools that are currently build which will show in a greater extend the purpose of these type of systems.

I am planning to put more information on the subject very soon. Today it is important to realise that the WEB is going out of limits. XSS and CSRF are still two of the most dangerous attack vectors available today but there is a lot more going on. This presentation was designed to show the dangers of the web in general. By combining different services attackers can achieve results that go beyond our wildest dreams.

I hope that you enjoyed the slides and the presentation. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/