[WEB SECURITY] Using safety mechanisms for blocking access to the site

MustLive mustlive at websecurity.com.ua
Mon Aug 30 13:17:30 EDT 2010


Hello, participants of the Mailing List.

In my article Faulty using of MD5 in web applications
(http://www.webappsec.org/lists/websecurity/archive/2010-08/msg00018.html)
I wrote about incorrect use of safety mechanisms that leads to
vulnerabilities in web applications. In this article, Using safety
mechanisms for blocking access to the site, which I had planned to write
since the beginning of 2009, I describe another example of faulty use of
security mechanisms, one that allows attacks on the users and admins of sites.

-------------------------------------------
Abusing safety mechanisms.
-------------------------------------------

There is such a protection method as blocking (it can be done by IP or by
other parameters). Any safety mechanism that uses automatic blocking can be
turned against the users and admins of a site (and even against search engine
bots). That is, an attack on the site's safety mechanisms (built-in systems
or a WAF) is possible with the purpose of blocking access to the site.

Access can be blocked either to a user's account or to the whole web site.
So it is possible to force the site to block its users, which leads to a DoS
for every attacked user and, with a large number of blocked users, to a DoS
of the site itself (even without a DDoS attack), because most of the users
will be unable to visit the site.

This is another version of the reverse DDoS attack
(http://websecurity.com.ua/2276/) which I wrote about in 2008. Whereas in
that case the attack targeted the browsers of the site's visitors, in this
case it targets the site's safety mechanisms (on behalf of the site's
visitors).

The following attacks are possible:

- Attacks that block accounts through incorrect logins.
- Attacks on built-in safety mechanisms (built-in IPS) with blocking.
- Attacks on a WAF with blocking turned on.
- Attacks that block search engine bots.

Attacks on a built-in IPS or a WAF are more dangerous than attacks on login
forms, because they block access to the whole site and can be used not only
to block the users and admins of a site, but also search engine bots.

----------------------------------------------------------------------
Attacks that block accounts through incorrect logins.
----------------------------------------------------------------------

There are web applications (e.g. forums and other engines) that use
automatic blocking as protection against brute force attacks on login forms.
If the logins are known (and I have written many times about the many
Information Leakages in web applications that lead to disclosure of logins),
then it is possible to block all of these accounts.

This is done by entering the correct login and an incorrect password (as many
times as needed to exceed the threshold of the blocking system). I have seen
such web applications (particularly forum engines) and such attacks on them
in my practice. The issue is known to the security community, but still not
understood by web developers.
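To make the account-lockout abuse concrete, here is an added example (not code from the original post): a simulated login service with the account-keyed lockout the text describes, beside a variant that scopes failure counters to the (account, source address) pair and caps failures per source address. Usernames, passwords, addresses and the threshold are constructed sample data; the scoped design is one common hardening, not something the post prescribes.

```python
"""Simulated login lockout: the account-keyed design the post warns about,
beside a variant keyed on (account, source address) with a per-source cap.
Added example for illustration; not code from the original post. The
usernames, passwords and addresses are constructed sample data."""
from collections import defaultdict

# Constructed user database (plaintext for brevity; a real system hashes).
USERS = {"admin": "correct horse", "alice": "battery staple"}
THRESHOLD = 5  # failed attempts before a lockout kicks in


class NaiveLockout:
    """Counts failures per account only. Anyone who knows a username can
    lock that account by submitting THRESHOLD wrong passwords."""

    def __init__(self):
        self.failures = defaultdict(int)  # user -> failed attempts

    def login(self, user, password, src_ip):
        if self.failures[user] >= THRESHOLD:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad password"


class ScopedLockout:
    """Counts failures per (account, source address), and separately caps
    failures per source address, so one attacker address cannot lock
    accounts for users who log in from elsewhere. An attacker with many
    addresses still needs THRESHOLD failures from each of them per account
    (a CAPTCHA or increasing delay is the usual next step)."""

    def __init__(self):
        self.failures = defaultdict(int)     # (user, ip) -> failed attempts
        self.ip_failures = defaultdict(int)  # ip -> failed attempts

    def login(self, user, password, src_ip):
        if self.ip_failures[src_ip] >= THRESHOLD:
            return "source throttled"
        if self.failures[(user, src_ip)] >= THRESHOLD:
            return "locked"
        if USERS.get(user) == password:
            self.failures[(user, src_ip)] = 0
            return "ok"
        self.failures[(user, src_ip)] += 1
        self.ip_failures[src_ip] += 1
        return "bad password"


def lock_out_attack(service, victim, attacker_ip="203.0.113.7"):
    """The attack from the post: known login, deliberately wrong password,
    repeated until the threshold is reached. Returns the last response."""
    last = None
    for _ in range(THRESHOLD):
        last = service.login(victim, "not-the-password", attacker_ip)
    return last


def run_scenario(service_cls):
    """Attacker locks 'admin', then the real admin logs in from their own
    address with the right password. Returns the admin's result."""
    service = service_cls()
    lock_out_attack(service, "admin")
    return service.login("admin", "correct horse", "198.51.100.20")


if __name__ == "__main__":
    print("naive :", run_scenario(NaiveLockout))   # locked
    print("scoped:", run_scenario(ScopedLockout))  # ok
```

Run it to see that the naive design denies the legitimate admin after the attacker's five failures, while the scoped design lets the admin in and instead throttles the attacker's address (so the same attacker cannot then move on to lock "alice" from that address).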

-----------------------------------------------------------------------------------------
Attacks on built-in safety mechanisms (built-in IPS) with blocking.
-----------------------------------------------------------------------------------------

There are web sites with built-in safety mechanisms that block, and they can
be attacked with this method. In 2009 I found one such site, where among
other vulnerabilities there was an Abuse of Functionality hole (in the
protective functionality which blocks access after one special request to
the site), which allows blocking of the site's users and admins.

I am not mentioning the URL of this site due to the rules of the list ;-),
but everyone can read about this site and the holes which I found on it
(including this Abuse of Functionality) at my site
(http://websecurity.com.ua/3782/). There I also described the method of
bypassing the blocking at this site. Any admin, user or bot that visits the
site and does not know this bypass method will have no access to the whole
site after this attack is conducted.

So with a simple CSRF attack (such as a GET request via an img tag) on the
site's users, it is possible to block full access to the site for users and
even admins of the site. The blocking of search engine bots described below
is also possible at this site.

--------------------------------------------------------
Attacks on a WAF with blocking turned on.
--------------------------------------------------------

There are web sites with a WAF with blocking turned on, and they can be
attacked with this method. In my practice I have seen such sites, which use a
WAF (particularly ModSecurity) and block a visitor (by IP) completely after a
few suspicious requests. So lame WAFs with such settings can be used against
the users and admins of the sites that run them.

With a few simple CSRF attacks (as many as needed to exceed the WAF's
threshold) on the site's users, it is possible to block full access to the
site for users and even admins of the site. The blocking of search engine
bots described below is also possible at such sites.

-----------------------------------------------------------
Attacks that block search engine bots.
-----------------------------------------------------------

It is also possible to block search engine bots (spiders) with this attack.
If a special link that leads to the target site is placed on another site
(and the link contains the parameters needed to trigger the blocking), then
search engine bots will follow this link. After visiting the target site the
bot will be blocked (by IP, if blocking is done by IP, or by session, if
blocking is done by session and the bot supports session handling). This
leads to the site not being indexed by search engines, and it will fall out
of the search engines' indexes.
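The two address-keyed scenarios above (the WAF or built-in IPS tripped through CSRF img tags in a visitor's browser, and the crawler tripped through planted links) share one mechanism, so here is one added example covering both. It is not code from the original post and not ModSecurity's rule language: the blocking engine, the "suspicious request" signature, the target host, paths, addresses and the threshold are all constructed stand-ins that model the behaviour the text describes.

```python
"""Simulated per-address blocking (a built-in IPS or a WAF configured as the
post describes) tripped through forced requests: a page of <img> tags loaded
by a victim's browser, and planted links followed by a search engine bot.
Added example for illustration; not code from the original post or from
ModSecurity. Host, paths, signature, addresses and threshold are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

TARGET = "http://target.example"
# Constructed signature standing in for a real rule set: a SQL-injection
# style payload in any query parameter counts as one suspicious request.
SUSPICIOUS = re.compile(r"(?i)union\s+select|'\s*or\s*'1'\s*=\s*'1")
THRESHOLD = 3  # suspicious requests before the source address is blocked


class BlockingWaf:
    """Hard-block design: after THRESHOLD suspicious requests, every later
    request from the same address is denied, whatever it asks for. The only
    key is the source address, so whoever issues the request takes the
    strike, even if a third party's page made the browser issue it."""

    def __init__(self):
        self.strikes = defaultdict(int)  # ip -> suspicious requests seen
        self.blocked = set()

    def handle(self, src_ip, url):
        if src_ip in self.blocked:
            return 403
        qs = parse_qs(urlparse(url).query)
        if any(SUSPICIOUS.search(v) for vals in qs.values() for v in vals):
            self.strikes[src_ip] += 1
            if self.strikes[src_ip] >= THRESHOLD:
                self.blocked.add(src_ip)
            return 403  # the suspicious request itself is refused
        return 200


def attack_page(n):
    """Attacker's page: n <img> tags whose src carries the trigger payload.
    Every visitor's browser fetches them from the visitor's own address."""
    payload = "1' or '1'='1"
    imgs = [f'<img src="{TARGET}/search?q={i}{payload}" width="1" height="1">'
            for i in range(n)]
    return "<html><body>" + "".join(imgs) + "</body></html>"


def browser_loads(waf, src_ip, html):
    """Minimal model of a browser: fetch every <img src> on the page."""
    for url in re.findall(r'<img src="([^"]+)"', html):
        waf.handle(src_ip, url)


def victim_scenario():
    """An admin views the attacker's page, then opens the site's front page.
    Returns the admin's status code for that ordinary request."""
    waf = BlockingWaf()
    browser_loads(waf, "198.51.100.20", attack_page(THRESHOLD))
    return waf.handle("198.51.100.20", f"{TARGET}/")


def bot_scenario(planted_links=THRESHOLD):
    """A crawler follows links planted on another site that point at the
    target with the trigger payload, then fetches robots.txt. Returns the
    status code of that ordinary fetch."""
    waf = BlockingWaf()
    for i in range(planted_links):
        waf.handle("192.0.2.50", f"{TARGET}/search?q={i}' or '1'='1")
    return waf.handle("192.0.2.50", f"{TARGET}/robots.txt")


if __name__ == "__main__":
    print("admin after viewing attacker page:", victim_scenario())  # 403
    print("bot after following planted links:", bot_scenario())     # 403
```

With fewer planted links than the threshold the bot keeps its access, which is the tuning knob such a deployment has: the higher the threshold and the shorter the block's lifetime, the more forced requests an attacker needs per victim, but as long as the source address is the only key, a page of img tags still puts the strikes on the visitor rather than on the attacker.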

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


