google's language translation also does this.. http://ipchicken.com http://translate.google.com/translate?u=http://ipchicken.com
m.w ----- Original Message ----- From: "Petko Petkov" <[EMAIL PROTECTED]> To: <[email protected]> Cc: <[email protected]> Sent: Tuesday, July 19, 2005 4:05 AM Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Security Notice: Anonymous Web Attacks via Dedicated Mobile Services > Security Risk: UNKNOWN > Publish Data: 2005 July 16 > > Security Researcher: Petko Petkov > Contact Information: [EMAIL PROTECTED] > PGP Key: http://pdp.gnucitizen.org/ppetkov.asc > > Synopsis > - -------- > > Various Mobile Services provide malicious users with an intermediate > point to anonymously browse Web Resources and execute attacks against > them. > > Affected Applications > - --------------------- > > * Google's WMLProxy > * IYHY > > Background > - ---------- > > WAP stands for Wireless Application Protocol, a communication standard > primarily designed for Information Exchange on various Wireless Terminals > such as mobile telephones. WAP devices work with WML (Wireless Markup Language), > a markup language similar to HTML but more strict because of its XML nature. WML > and HTML are totally different in semantics. As such, there are applications > located on The Internet that are able to transcode from HTML/XHTML to WML. > > Description > - ----------- > > An attacker can take advantage of the Google's WMLProxy Service by sending a > HTTP GET > request with carefully modified URL of a malicious nature. Such request hides > the > attacker's IP address and may slow down future investigations on a successful > breakin > since Google's Services are often over-trusted. > > The following URL should reveal the current IP address: > http://ipchicken.com > > However, a similar request proxied through WMLProxy: > http://wmlproxy.google.com/wmltrans/u=ipchicken.com > results to: > 64.233.166.136 which belongs to Google Inc. > > Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is > primarily > designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate > point for > launching anonymous attacks. For example the following URL reveals IYHY IP > address: > http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com > > Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their > IP address > further. For example, the following URL goes through WMLProxy and IYHY before > getting to > http://ipchiken.com: > http://wmlproxy.google.com/wmltrans/[EMAIL PROTECTED] > > Impact > - ------ > > Misuse of Services like Google's WMLProxy and IYHY must be considered as a hight > risk in > situations where they are over-trusted. Google's entries are often filtered out > from the > logs making all possible attacks undetectable. Moreover, attackers can make use > of mobile > devices to request dangerous URLs in order to compromise vulnerable Web > Applications. > If such requests are not monitored by the particular mobile network, there is no > way to > detect where the attack is launched from. > > Workaround > - ---------- > > Mobile Services can offer cleaver parameter filtering features to prevent the > execution of > dangerous requests. However, it is important to understand that simple input > validation > technique can be easily circumvented. The tinyurl service can be used to obscure > the dangerous > URLs, bypassing the input validation checks that an application may have. > > It is also worth to mention that modifying the requests, in order to stop > certain XSS and > SQL Injection attacks, may completely brake the logic of the proxided Web Site > leaving the users > with unsatisfactory results. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (MingW32) > > iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G > SDmdYsnJsSRSMlgCEl6cMX4= > =J9z1 > -----END PGP SIGNATURE----- > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
