6th OWASP Conference

Thu, 17 May 2007 07:33:14 GMT
by pdp

Here you will be able to find all materials that I used for my presentation at the 6th OWASP Conference. Further discussion and clarification on the subject is to be expected very soon.

Be aware that the slides may not be very descriptive. In general, I try not to put too much information into my presentations in order to avoid unnecessary clutter. Feel free to drop a comment if something is unclear. The presentation will be explained in depth in several follow up posts on GNUCITIZEN, so subscribe to the RSS feed to get it as soon as that happens.

There are two Proof of Concept examples that I used for the presentation. Both of them are theoretical. You can find them here and here. Both POCs try to show the depth of the problem without being too malicious. Keep in mind that a lot more is possible.

The first POC, the JavaScript Spider, is a simple tool that uses Yahoo Pipes together with W3C Tidy to spider web pages. As you can see, no server-side support is required on our side. Everything is handled by publicly available services: the fetching and the HTML clean-up happen inside those services, and the browser-side JavaScript only consumes their output.

The second POC, the TinyFS, is a simple tool for storing information in the TinyURL online service and retrieving it again. Each slot is restricted to 3.9k, which is more than enough for attackers who need to store malware code and retrieve it when required.

Other types of tools can be constructed in a similar way. It is easy to write port scanners, remote storage services, communication channels, distribution channels, attack libraries and databases, etc. I covered most of this at OWASP. It is also worth mentioning that although attackers can abuse these services to penetrate websites and to ease the distribution of Web malware, whitehats can construct highly distributed testing infrastructures to tackle web security problems a lot quicker. There are several tools currently being built which will show to a greater extent the purpose of these types of systems.

I hope that you enjoyed the slides and the presentation.

Archived Comments

pdp
Yahoo PIPEs is down for now. Give Yahoo some time to fix the mess, then try the POCs.
pdp
Yahoo PIPEs is back. POCs work.
Acidus
HAHA! That's awesome! I did some work against TinyURL a year or so back with TinyDisk (http://www.msblabs.org/tinydisk). Glad to see someone else using it as a data storage system! Go pdp!
pdp
To me, the Web is one gigantic operating system with hundreds of APIs and syscalls. The browser is our shell from where we can access the WebOS features. TinyURL, although just a URL shrinking service, can be used as a storage mechanism as you pointed out a long time ago. However, I seriously doubt that no one has thought that this functionality will be available to JavaScript as well. Similar types of setups can significantly increase the attack surface of web based malware written entirely in JavaScript.
pdp
Unfortunately, PIPEs is down again. I suspect Yahoo has some serious problems. I have never seen anything like that before.
MacGyveR
Have you thought of implementing redundancy on the tinyFS by using other such services in a type of software RAID manner? Striping or mirroring could be done here, giving potential worms etc. a fallback if one service blocks them.
pdp
yes, it is possible and very probable that it will happen!
pdp
Due to the fact that Yahoo is constantly changing their services, you might not be able to successfully execute this POC. At the time of publishing, the POC was working successfully.