6th OWASP Conference
Here you can find all the presentation materials that I used for the 6th OWASP Conference. Further discussion and clarification on the subject can be expected very soon.
Use the mouse to browse through the presentation. You can also download the Microsoft PowerPoint version if that is more convenient for you. Be aware that the slides may not be very descriptive: I try not to put too much information into my presentations in order to avoid unnecessary clutter. Feel free to drop a comment if something is unclear. The presentation will be explained in depth in several follow-up posts on GNUCITIZEN, so subscribe to the RSS feed to be notified as soon as that happens.
There are two Proof of Concept examples that I used for the presentation. You can find them here and here. Both of them try to show the depth of the problem without being too malicious. Keep in mind that a lot more is possible.
The first POC, the JavaScript Spider, is a simple tool that uses Yahoo Pipes together with W3C Tidy to spider web pages. As you can see, no server-side support is required on your side. Everything is handled by publicly available services.
The second POC, the TinyFS, is a simple tool for storing information in, and retrieving it from, the TinyURL online service. Each slot is restricted to 3.9k; however, this is more than enough if attackers want to store malware code and retrieve it when it is required.
In a similar way, other types of tools can be constructed as well. It is easy to write port scanners, remote storage services, communication channels, distribution channels, attack libraries and databases, etc. I covered most of this at OWASP. It is also worth mentioning that although attackers can abuse these services to penetrate websites and ease the distribution of Web malware, whitehats can construct highly distributed testing infrastructures to tackle web security problems more quickly. Several tools are currently being built that will show to a greater extent the purpose of these types of systems.
I hope that you enjoyed the slides and the presentation.
comments
HAHA! That’s awesome! I did some work against TinyURL a year or so back with TinyDisk (http://www.msblabs.org/tinydisk). Glad to see someone else using it as a data storage system!
Go pdp!
To me, the Web is one gigantic operating system with hundreds of APIs and syscalls. The browser is our shell from where we can access the WebOS features. TinyURL, although just a URL shrinking service, can be used as a storage mechanism, as you pointed out a long time ago. However, I seriously doubt that no one has thought that this functionality will be available to JavaScript as well. Similar types of setups can significantly increase the attack surface of web-based malware written entirely in JavaScript.
Have you thought of implementing redundancy on the TinyFS by using other such services in a type of software RAID manner? Striping or mirroring could be done here, giving potential worms etc. a fallback if one service blocks them.
Yes, it is possible and very probable that it will happen!