[WEB SECURITY] [Full-disclosure] DDoS attacks via other sites execution tool

psy root at lordepsylon.net
Wed Jun 19 15:25:56 EDT 2013


Hi,

On 18/06/13 22:50, MustLive wrote:
> Hello participants of Mailing List.
> 
> If you haven't read my article (written in 2010 and last week I wrote about
> it to WASC list) Advantages of attacks on sites with using other sites
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html),
> feel free to do it. In this article I reminded you about the use of sites
> for attacks on other sites
> (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
> DDoS attacks via other sites execution tool (DAVOSET)
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html),
> sending spam via sites and creating spam-botnets
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html)
> and wrote about advantages of attacks on sites with using other sites.

I have read the articles and they are very interesting, for example, the
"hell" redirection. This kind of web abuse can be very powerful.

Nice work! ;-)

> Last week I published online my DDoS attacks via other sites execution
> tool (http://websecurity.com.ua/davoset/). It's a tool for conducting
> DDoS attacks via Abuse of Functionality vulnerabilities on the sites,
> which I made in 2010. A description and changelog in English are presented
> at my site, where you can get my DAVOSET v.1.0.5 (made on 18.07.2010).

Curiously, I posted a tool written in Python the same day. It is called
UFONet:

http://ufonet.sf.net

At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS
found on third parties, in the direction of DoS attacks. But I decided
that the best thing was to create a unique tool, because of the interesting
subject.

My idea now is to work on the detection of new 'zombies' by crawling
techniques and increase the "strike" capability requests.

I have thought, for example, that it may be interesting to obtain the
images, flash movies, etc., like a benchmarking process on the target,
to pass to the 'zombies' the heavier places on the site and do a more
effective attack.

> This is the last version of my DAVOSET. After that I've stopped its
> development. But now I am planning to continue development of the software
> and to release new versions (I'll release v.1.0.6 today).

I have seen that your tool doesn't allow the use of proxies. It may be
interesting to add that functionality.

> For three years I was holding this tool privately, but now released it for
> free access. So everyone can test Abuse of Functionality vulnerabilities at
> multiple web sites - like Google's sites, W3C and many others, which were
> informed by me many times during many years (I was informing admins of web
> sites about such vulnerabilities since 2007), but ignored and don't want to
> fix these holes for a long time, and for example Google continued to create
> new services with Abuse of Functionality and Insufficient Anti-automation
> vulnerabilities, which can be used for such DoS and DDoS attacks.

I would like to propose that we work together. I'm sure that the
community would appreciate our agreement on a single line of development.

Thank you very much for publishing your research.

A greeting.

psy



