Hi, On 18/06/13 22:50, MustLive wrote: > Hello participants of Mailing List. > > If you haven't read my article (written in 2010 and last week I wrote about > it to WASC list) Advantages of attacks on sites with using other sites > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), > > feel free to do it. In this article I reminded you about using of the sites > for attacks on other sites > (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), > DDoS attacks via other sites execution tool (DAVOSET) > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), > > sending spam via sites and creating spam-botnets > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) > > and wrote about advantages of attacks on sites with using other sites. I have read the articles and they are very interesting, for example, the "hell" redirection. This kind of web abuse can be very powerful. Nice work! ;-) > Last week I've published online my DDoS attacks via other sites execution > tool (http://websecurity.com.ua/davoset/). It's tool for conducting > of DDoS attacks via Abuse of Functionality vulnerabilities on the sites, > which I've made in 2010. Description and changelog on English are presented > at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.07.2010). Curiously, I posted a tool written in python the same day. It is called: UFONet http://ufonet.sf.net At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS found on third-party, on the direction of DoS attacks. But, I decided that best thing was to create a unique tool, because of the interesting subject. My idea now, is to work the detection of new 'zombies' by crawlering techniques and increase the "strike" capability requests. I have thought for example, that may be is interesting to obtain the images, flash movies, etc., like a benchmarking process on the target, to pass to the 'zombies' the places heavier on the site and do a more effective attack. > This is the last version of my DAVOSET. After that I've stopped its > development. But now I am planning to continue development of the software > and to release new versions (I'll release v.1.0.6 today). I have seen that your tool doesn't allows the use of proxies. It may be interesting to add that functionality. > For three years I was holding this tool privately, but now released it for > free access. So everyone can test Abuse of Functionality vulnerabilities at > multiple web sites - like Google's sites, W3C and many others, which were > informed by me many times during many years (I was informing admins of web > sites about such vulnerabilities since 2007), but ignored and don't want to > fix these holes for a long time, and for example Google continued to create > new services with Abuse of Functionality and Insufficient Anti-automation > vulnerabilities, which can be used for such DoS and DDoS attacks. I would like to propose that we work together. I'm sure that the community would appreciate our agreement on a single line of development. Thank you very much for publish your research. A greeting. psy

Video example: http://ufonet.sourceforge.net/ufonet/UFONet-v0.1b.ogv > Curiously, I posted a tool written in python the same day. It is called: > UFONet > > http://ufonet.sf.net

This project has been temporarily blocked for exceeding its bandwidth threshold On Thu, Jun 20, 2013 at 8:25 AM, psy <root@lordepsylon.net> wrote: > Video example: > > http://ufonet.sourceforge.net/ufonet/UFONet-v0.1b.ogv > > > Curiously, I posted a tool written in python the same day. It is called: > > UFONet > > > > http://ufonet.sf.net > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

This should hold on: + Video: http://vimeo.com/68772290 + Code: https://github.com/epsylon/ufonet ------------------- On 20/06/13 14:25, psy wrote: > Video example: > > http://ufonet.sourceforge.net/ufonet/UFONet-v0.1b.ogv > >> Curiously, I posted a tool written in python the same day. It is called: >> UFONet >> >> http://ufonet.sf.net >

I updated the tool/code to: UFONet v0.2b Code: - https://github.com/epsylon/ufonet - http://sourceforge.net/p/ufonet/code/ci/master/tree/ Package: http://sourceforge.net/projects/ufonet/files/ufonet-v0.2b.zip/download Web: http://ufonet.sourceforge.net/ ------------------ On 20/06/13 16:12, psy wrote: > This should hold on: > > + Video: http://vimeo.com/68772290 > > + Code: https://github.com/epsylon/ufonet > > ------------------- > > On 20/06/13 14:25, psy wrote: >> Video example: >> >> http://ufonet.sourceforge.net/ufonet/UFONet-v0.1b.ogv >> >>> Curiously, I posted a tool written in python the same day. It is called: >>> UFONet >>> >>> http://ufonet.sf.net >> > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Hello psy! I'm glad that you liked DOVOSET. And I'm glad that you liked my articles, including those old articles about attacks via redirectors (Redirectors' hell and Hellfire for redirectors). Such attacks can be used together with XSS holes. So it can be useful for your tool. Specially for using with your UFONet - to use XSS holes with looped redirectors to conduct more powerful DDoS attacks - I released advisory about Denial of Service vulnerabilities WordPress at 27.06.2013. Any redirector at any web site or any redirector service can be used with XSS vulnerabilities to conduct DDoS attack via UFONet. > Curiously, I posted a tool written in python the same day. It is called: > UFONet I made my tool already in 2010. That time I made an announcement of the tool, where I described DAVOSET and its effectiveness, but didn't release the tool. I made it private and gave it only to one security researcher, who wanted to look at it. I didn't want to give such kind of attacking tool to script kiddies (to prevent mass attacks, because there were a lot such Abuse of Functionality vulnerabilities in Internet, since 2007 when I start finding them and presented in zombies-lists with my tool). But because for three years people continue to ignore such holes and almost nobody fixed such holes (just few most serious ones, and even Yahoo lamerly ignored for a long time such hole in their Babelfish and in 2012 just lamerly closed it), so I decided to release it publicly in June 2013. > My idea now, is to work the detection of new 'zombies' by crawlering > techniques and increase the "strike" capability requests. Good ideas. But concerning automated searching XSS holes by crawlering. It'll be already XSS scanner, not just attacking tool for using existent vulnerabilities, and it'll give a lot of power to an attacker. No need for him to find XSS holes, your tool will do everything for him ;-). Just enter target site and UFONet will do all the work (find a lot of zombies and attack the target with all of them), so be careful with such functionality. > I have seen that your tool doesn't allows the use of proxies. It may be > interesting to add that functionality. Thanks for suggestion. I've added it to ToDo - in addition to all my ideas (which I have a lot). The reason, why I've not done it earlier and was not planning, is simple - DAVOSET is using other sites as proxies for conducting DoS attacks. So target sites after received DDoS attacks from multiple zombie sites will be seeing in logs only Google, W3C and other sites/IPs. So proxying is part of attack :-). But for paranoids, who worry that admins on zombie-sites will give their logs to admins of victim-sites (or not admins, but special services), then additional proxy will be good solution (and I'll add proxy support in the future). > + Video: http://vimeo.com/68772290 I've seen your video. And I wrote you feedback about video and some feedback about UFONet last month. And will write more feedback soon. Keep working on your software. Concerning your release of v.0.2. Think about making more detailed changelog (not just mention concerning release of new version, but with detailed description of changes). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: "psy" <root@lordepsylon.net> To: "MustLive" <mustlive@websecurity.com.ua> Cc: <full-disclosure@lists.grok.org.uk>; <websecurity@lists.webappsec.org> Sent: Wednesday, June 19, 2013 10:25 PM Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool > Hi, > > On 18/06/13 22:50, MustLive wrote: >> Hello participants of Mailing List. >> >> If you haven't read my article (written in 2010 and last week I wrote >> about >> it to WASC list) Advantages of attacks on sites with using other sites >> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), >> >> feel free to do it. In this article I reminded you about using of the >> sites >> for attacks on other sites >> (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), >> DDoS attacks via other sites execution tool (DAVOSET) >> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), >> >> sending spam via sites and creating spam-botnets >> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) >> >> and wrote about advantages of attacks on sites with using other sites. > > I have read the articles and they are very interesting, for example, the > "hell" redirection. This kind of web abuse can be very powerful. > > Nice work! ;-) > >> Last week I've published online my DDoS attacks via other sites execution >> tool (http://websecurity.com.ua/davoset/). It's tool for conducting >> of DDoS attacks via Abuse of Functionality vulnerabilities on the sites, >> which I've made in 2010. Description and changelog on English are >> presented >> at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.07.2010). > > Curiously, I posted a tool written in python the same day. It is called: > UFONet > > http://ufonet.sf.net > > At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS > found on third-party, on the direction of DoS attacks. But, I decided > that best thing was to create a unique tool, because of the interesting > subject. > > My idea now, is to work the detection of new 'zombies' by crawlering > techniques and increase the "strike" capability requests. > > I have thought for example, that may be is interesting to obtain the > images, flash movies, etc., like a benchmarking process on the target, > to pass to the 'zombies' the places heavier on the site and do a more > effective attack. > >> This is the last version of my DAVOSET. After that I've stopped its >> development. But now I am planning to continue development of the >> software >> and to release new versions (I'll release v.1.0.6 today). > > I have seen that your tool doesn't allows the use of proxies. It may be > interesting to add that functionality. > >> For three years I was holding this tool privately, but now released it >> for >> free access. So everyone can test Abuse of Functionality vulnerabilities >> at >> multiple web sites - like Google's sites, W3C and many others, which were >> informed by me many times during many years (I was informing admins of >> web >> sites about such vulnerabilities since 2007), but ignored and don't want >> to >> fix these holes for a long time, and for example Google continued to >> create >> new services with Abuse of Functionality and Insufficient Anti-automation >> vulnerabilities, which can be used for such DoS and DDoS attacks. > > I would like to propose that we work together. I'm sure that the > community would appreciate our agreement on a single line of development. > > Thank you very much for publish your research. > > A greeting. > > psy

On 18/07/13 22:55, MustLive wrote: > Hello psy! hey MustLive! > I'm glad that you liked DOVOSET. And I'm glad that you liked my articles, > including those old articles about attacks via redirectors (Redirectors' > hell and Hellfire for redirectors). Thanks. Of course I like them. This kind of web abuse is a possible vector than can be very effective if is good conducted and is present in a lot of place over the Internet. Also, it is not very easy to filter it so, has a lot of points to review for new attacking researching ways. Congrats again! > Such attacks can be used together with XSS holes. So it can be useful for > your tool. Specially for using with your UFONet - to use XSS holes with > looped redirectors to conduct more powerful DDoS attacks - I released > advisory about Denial of Service vulnerabilities WordPress at 27.06.2013. > Any redirector at any web site or any redirector service can be used with > XSS vulnerabilities to conduct DDoS attack via UFONet. XSSer (http://xsser.sf.net) has some DoS features implemented; client DoS (for reflected XSS) and server side DoS (for persistent XSS). Idea for UFONet is try to unify that features, add a simple test to discover on a target posible vectores, and try to add them to a list of "zombies". More or less, try to simplify (be specific) a DDoS attack using XSS payloads. >> Curiously, I posted a tool written in python the same day. It is called: >> UFONet > > I made my tool already in 2010. That time I made an announcement of the > tool, where I described DAVOSET and its effectiveness, but didn't release > the tool. I made it private and gave it only to one security researcher, > who > wanted to look at it. I didn't want to give such kind of attacking tool to > script kiddies (to prevent mass attacks, because there were a lot such > Abuse > of Functionality vulnerabilities in Internet, since 2007 when I start > finding them and presented in zombies-lists with my tool). But because for > three years people continue to ignore such holes and almost nobody fixed > such holes (just few most serious ones, and even Yahoo lamerly ignored > for a > long time such hole in their Babelfish and in 2012 just lamerly closed it), > so I decided to release it publicly in June 2013. Don't think about "kidding" possible uses. Just try to put more near some features to try to advance in other fields. Like I told you, I published that tool this day, but idea borns like a module of XSSer just on same time like you (arround 2009/2010). Btw, is interesting to put both tools on public to try to unify a bit some researching processes. For example, UFONet (with GPL license) now evades cache on clients, that probably, can be a usefull feature for future DAVOSET releases. >> My idea now, is to work the detection of new 'zombies' by crawlering >> techniques and increase the "strike" capability requests. > > Good ideas. But concerning automated searching XSS holes by crawlering. > It'll be already XSS scanner, not just attacking tool for using existent > vulnerabilities, and it'll give a lot of power to an attacker. No need for > him to find XSS holes, your tool will do everything for him ;-). Just enter > target site and UFONet will do all the work (find a lot of zombies and > attack the target with all of them), so be careful with such functionality. Hehehe. Yes, I know, but you know, always trying to be more near of the "big red button". Strategically, I think that this kind of crawlering processes can be nice to obtain more possible "zombies". A positive attack needs minumun a hundred of them. On testing tasks, I tryed some attacks against a ngnix web server with the list that you provide on DAVOSET, plus a list that some people interesting did on a piratepad, and it was not to much effective, at start. After some attempts, we tryed the attack coordinate from different machines and using this "big" list that we recopile and target loading time was considerably reduced. Not "Dosed"... By the way, probably "old" web server configurations cannot resists the attack scenario proposed. >> I have seen that your tool doesn't allows the use of proxies. It may be >> interesting to add that functionality. > > Thanks for suggestion. I've added it to ToDo - in addition to all my ideas > (which I have a lot). The reason, why I've not done it earlier and was > not planning, is simple - DAVOSET is using other sites as proxies for > conducting DoS attacks. So target sites after received DDoS attacks from > multiple zombie sites will be seeing in logs only Google, W3C and other > sites/IPs. So proxying is part of attack :-). But for paranoids, who worry > that admins on zombie-sites will give their logs to admins of victim-sites > (or not admins, but special services), then additional proxy will be good > solution (and I'll add proxy support in the future). Yeah :-) >> + Video: http://vimeo.com/68772290 > > I've seen your video. And I wrote you feedback about video and some > feedback > about UFONet last month. And will write more feedback soon. > > Keep working on your software. Concerning your release of v.0.2. Think > about making more detailed changelog (not just mention concerning > release of new version, but with detailed description of changes). Yes. But as you know, actually I am involved in some "social-physical" projects. I will try to propose a "hackaton" on summer to try to advance UFOnet 0.3 roadmap. I will be glad if you can participate with some suggestions. > Best wishes & regards, Keep strong!! ;-) > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > ----- Original Message ----- From: "psy" <root@lordepsylon.net> > To: "MustLive" <mustlive@websecurity.com.ua> > Cc: <full-disclosure@lists.grok.org.uk>; <websecurity@lists.webappsec.org> > Sent: Wednesday, June 19, 2013 10:25 PM > Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool > > >> Hi, >> >> On 18/06/13 22:50, MustLive wrote: >>> Hello participants of Mailing List. >>> >>> If you haven't read my article (written in 2010 and last week I wrote >>> about >>> it to WASC list) Advantages of attacks on sites with using other sites >>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), >>> >>> >>> feel free to do it. In this article I reminded you about using of the >>> sites >>> for attacks on other sites >>> (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), >>> >>> DDoS attacks via other sites execution tool (DAVOSET) >>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), >>> >>> >>> sending spam via sites and creating spam-botnets >>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) >>> >>> >>> and wrote about advantages of attacks on sites with using other sites. >> >> I have read the articles and they are very interesting, for example, the >> "hell" redirection. This kind of web abuse can be very powerful. >> >> Nice work! ;-) >> >>> Last week I've published online my DDoS attacks via other sites >>> execution >>> tool (http://websecurity.com.ua/davoset/). It's tool for conducting >>> of DDoS attacks via Abuse of Functionality vulnerabilities on the sites, >>> which I've made in 2010. Description and changelog on English are >>> presented >>> at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.07.2010). >> >> Curiously, I posted a tool written in python the same day. It is called: >> UFONet >> >> http://ufonet.sf.net >> >> At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS >> found on third-party, on the direction of DoS attacks. But, I decided >> that best thing was to create a unique tool, because of the interesting >> subject. >> >> My idea now, is to work the detection of new 'zombies' by crawlering >> techniques and increase the "strike" capability requests. >> >> I have thought for example, that may be is interesting to obtain the >> images, flash movies, etc., like a benchmarking process on the target, >> to pass to the 'zombies' the places heavier on the site and do a more >> effective attack. >> >>> This is the last version of my DAVOSET. After that I've stopped its >>> development. But now I am planning to continue development of the >>> software >>> and to release new versions (I'll release v.1.0.6 today). >> >> I have seen that your tool doesn't allows the use of proxies. It may be >> interesting to add that functionality. >> >>> For three years I was holding this tool privately, but now released it >>> for >>> free access. So everyone can test Abuse of Functionality vulnerabilities >>> at >>> multiple web sites - like Google's sites, W3C and many others, which >>> were >>> informed by me many times during many years (I was informing admins of >>> web >>> sites about such vulnerabilities since 2007), but ignored and don't want >>> to >>> fix these holes for a long time, and for example Google continued to >>> create >>> new services with Abuse of Functionality and Insufficient >>> Anti-automation >>> vulnerabilities, which can be used for such DoS and DDoS attacks. >> >> I would like to propose that we work together. I'm sure that the >> community would appreciate our agreement on a single line of development. >> >> Thank you very much for publish your research. >> >> A greeting. >> >> psy > >