[WEB SECURITY] Using of the sites for attacks on other sites

MustLive mustlive at websecurity.com.ua
Tue Jun 29 07:49:22 EDT 2010


Hello, participants of the Mailing List.

Recently I wrote a new article, Using of the sites for attacks on other sites
(http://websecurity.com.ua/4322/). And yesterday I posted a brief English
version of it to the Full-disclosure mailing list
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

In this article I wrote about conducting attacks on other sites via Abuse
of Functionality vulnerabilities. Here are some important quotes:

This attack method can be of use when it's necessary to conduct an invisible CSRF
attack on another site (so as not to reveal yourself), for conducting DoS and DDoS
attacks, and for conducting other attacks, particularly for performing
various actions which need to be made from different IPs. For example, in
online voting, for inflating hits on counters and hits on advertising at
the site, and also for inflating clicks (click fraud).

Note that this DoS attack can also be used for attacks on redirectors,
which I wrote about in my articles Redirector's hell and Hellfire for
redirectors.

Also, when conducting DoS attacks it's possible to use several such servers
at once and so conduct a DDoS attack. In such a case these servers will
appear as zombie computers, i.e. the botnet will be made not from home
computers but from web servers (which can have larger capacities and faster
connections). So these vulnerabilities can lead to the appearance of a new class of
botnets (with zombie servers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
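The feature the post abuses is a server-side fetch or redirect that takes a user-supplied URL. The guard below, an added example that is not MustLive's code, constrains such a feature so the site cannot be turned into a relay against third-party sites: destinations are allowlisted, literal IP targets are refused, and each destination gets a per-host rate limit so even an allowed host cannot be flooded through this server. The host names, window and limits are constructed assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed policy: the only hosts this site will fetch or redirect to on a
# user's behalf. A fetch feature with no allowlist is exactly what lets one
# site be used as an anonymous proxy for requests against another.
ALLOWED_HOSTS = {"cdn.example.com", "partner.example.net"}
WINDOW_SECONDS = 60.0      # constructed: sliding window per destination host
MAX_PER_WINDOW = 30        # constructed: fetches allowed per host per window


class FetchGuard:
    """Decide whether a user-supplied URL may be fetched or redirected to."""

    def __init__(self, allowed_hosts=ALLOWED_HOSTS, window=WINDOW_SECONDS,
                 max_per_window=MAX_PER_WINDOW, now=time.monotonic):
        self.allowed = {h.lower() for h in allowed_hosts}
        self.window = window
        self.max_per_window = max_per_window
        self.now = now                        # injectable clock for testing
        self._hits = defaultdict(deque)       # host -> timestamps of recent fetches

    def check(self, url: str) -> tuple:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, "scheme not allowed"
        host = (parts.hostname or "").lower()
        if not host:
            return False, "missing host"
        # A literal IP bypasses any name-based allowlist, so refuse it outright.
        try:
            ipaddress.ip_address(host)
            return False, "literal IP address not allowed"
        except ValueError:
            pass
        if host not in self.allowed:
            return False, "destination not in allowlist"
        # Sliding-window count per destination: this is what stops the server
        # from being used as one "zombie" in a DoS against an allowed host.
        t = self.now()
        recent = self._hits[host]
        while recent and t - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False, "rate limit for destination exceeded"
        recent.append(t)
        return True, "ok"
```

The HTTP client behind the guard should be run with redirect following disabled and each Location header passed back through `check`, otherwise an allowed host that redirects elsewhere re-opens the relay.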


