The Top 5 Most Popular Web2.0 Services Hackers Cannot Live Without
Let’s have a look at the top 5 most popular Web2.0 services hackers cannot live without. This listing is based on my personal research that was also presented at OWASP Web Application Security Conference 2007 in Italy.
Yahoo Pipes
Yahoo Pipes is the web hacker power tool. The powerful mashup functionalities of YPipes cannot be compared to any other service available on-line. Even Google’s Mashup Editor looks like a baby toy when compared to Yahoo’s big guns.
Yahoo Pipes allows you to mash up feeds, XML and CSV files. The service provides powerful caching capabilities to improve the availability of the mashed data. Besides the traditional filters and aggregators, Yahoo Pipes can be used to replace text blocks, perform mathematical computations, execute contextual searches and many other things. The result of the mashed data can be exported in RSS, ATOM, JSON, XML and pretty much everything else that is under the sun.
Yahoo Pipes is one of the most elegant tools when it comes to AJAX worms. The internal Pipes logic can be used to fetch any resource and serve it as a well-structured, JSON-serialized object. With a few blocks on Pipes, attackers can develop powerful vulnerability scanners/spiders that work on browser-based JavaScript code (i.e. harmless web pages). Yahoo Pipes is the most elegant tool for all sorts of malicious purposes on-line. Sign up today.
Dapper
Dapper is the web2.0 scraping service. Dapper’s wrapper allows you to parse the content of any page in a few simple steps. Just like Pipes, Dapper supports many output formats, including XML, RSS, ATOM, JSON, etc.
Dapper is most suitable for community-supported malware code. Why do you want to statically embed your XSS attack vectors inside your malicious JavaScript when you can dynamically parse them from websites such as XSSED.com? As soon as a new XSS vector is added to the on-line XSS database, Dapper will pick it up and send it to all bots so they are all updated with the latest vulnerability findings. Worms that propagate across the entire Web have never been easier than with Dapper.
Feed43
Feed43 goes even further than Dapper. Instead of parsing the top-layer data, Feed43 allows you to write regular-expression-like rules. This service is suitable when you need to get into the remote page source code. In a few simple steps, we can parse and collect important bits of information from every page online. Feed43 outputs RSS only, but that shouldn’t bother you. We can get Pipes and Dapper to convert it back to JSON, XML or ATOM. It is that easy.
Feed43 is suitable when you need to get to the point. Do you want to extract the latest Google Hacking database entries, or would you prefer to look for SQL Injection payloads? No problem. Use Feed43’s powerful parsing capabilities and get your results as simple RSS feeds. Then feed the Trojan. Why not use Digg’s commenting system as a covert channel for distributing malicious payloads? Feed43 will help you out with whatever your needs are.
Zoho Creator
Zoho Creator is MS Access for the Web. You can create database-like applications in a few simple steps. Just log in and start building your forms. It is as simple as dragging the type of field that you want and dropping it inside the current workspace. Save your form and expose it online. Now use JavaScript to populate your database entries.
Zoho Creator is a great tool, and very powerful too. It allows you to do all sorts of useful things, like phishing users with only client-side JavaScript. For example, create a new database that has fields for the username, the password and of course the website where the credentials were retrieved from. Now link that to your JavaScript. When you hijack the login forms you are after, just send the credentials across to Zoho. The service will store them for you and will send you a confirmation email. I’m loving it! Now sit back and relax. Soon your phished accounts will start showing up in your mailbox. If you are not after accounts, well, just store whatever else you need, like sites that have already been compromised so your worm does not have to redo the job again. Simple!
Google Reader
Google Reader is one of the most powerful feed readers on-line. This application allows you to subscribe to anything. It also has some nice GUI features. However, there is more than that.
Google Reader is one of the most powerful feed backup and mashup services on-line. Do you need to back up the stolen credentials? Use the reader. Do you want to mash them up with your friends’ malicious feeds? Use the reader. Whatever you need, the reader is the right tool for you. It is so powerful that you can export the mashed feeds again into ATOM and then feed them back to your Trojans.
Comments
Love the pic :)
Nice tips! I would also recommend Feedity ( http://www.feedity.com ) which is a webpage parser and RSS feed generator (like Dapper and Feed43), but I find Feedity to be the sleekest and easiest of the lot.
I love mashups too, that’s why I created it for web2.0 TRUST! creator java OS