One day, I hope I can troll FD as well as you do.

Sent from my iPhone
On 11 Jul 2010, at 21:53, "MustLive" <[email protected]> wrote:

> Hello Chris and Sebastien!
>
>> I do not see your name anywhere in the top ten?
>
> Chris, I'll answer your question, even though Sebastien has already answered
> it on the list. I see two senses in your question (one direct and one
> hidden) and will answer both of them.
>
> Note that your question is off the topic of my letter, but the topic of the
> TOP 10 is also interesting, so I'll answer it briefly. And then I'll direct
> the discussion back to the original topic which I started in my first letter
> (about my article).
>
> About the direct sense of your question. My articles are mentioned in the
> total list of hacks (as I said in my first letter). And, as you understand,
> my name is not mentioned in the top ten because the judges selected other
> articles for the TOP 10.
>
> Do I agree with the order in the TOP 10 - no I don't, but it's the judges'
> decision. And anyway all the research in the total list is interesting. Do I
> agree that Jeremiah did not put all my submissions into the prior (and then
> the total) list of hacks (he selected only part of them) - no I don't, but
> it's his decision. I'm not worried about this - because I'm writing articles
> for people, not for some places in tops and not for some prizes.
>
> About the hidden sense of your question. It looks like you are bragging about
> the fact that you are in the top ten, and I'm not. This bragging will not
> touch me, so no need to try ;-). I stated my position above concerning my
> articles and the resulting TOP 10.
>
> The bragging is not serious. And you must take into account that such
> bragging about the fact that you got into the top ten is directed not only
> against me, but also against all the other security researchers who
> participated last year but did not get into the top ten. So think about it.
>
>> Actually some of his articles were listed (76 to 80) and he said it was
>> mentioned in the post, not the top 10.
>
> Sebastien, yes, my articles, which were selected by Jeremiah, were published
> (in order of placing into the list) on the page with the prior list of hacks
> (from which the TOP 10 was selected) and on the page with the TOP 10 and the
> total list of hacks. But as I said before, Chris had put another sense into
> his question.
>
> Off topic is not good, but bragging (which he demonstrated) is not serious.
> And taking into account that in my article I mentioned that there are such
> vulnerabilities at Google's sites which allow attacking other sites via
> Google's servers (and Chris is an employee of this company), it's twice as
> not serious from his side.
>
> Let's go back to the original topic of my original letter, where I talked
> about my article Using of the sites for attacks on other sites.
>
> I have been finding such Abuse of Functionality vulnerabilities since 2007
> and informing the admins of vulnerable sites about them. But almost all
> admins ignore this type of hole (like many other holes), because they don't
> care about security or because they don't see a big deal in their sites
> connecting to arbitrary sites. But there are admins of web sites which
> attend to such vulnerabilities - for example, last month the guys from W3C
> agreed with my warning and promised to fix these holes
> (http://lists.w3.org/Archives/Public/site-comments/2010Jun/0032.html). And I
> also informed Google about such issues at their sites (we'll see how they
> fix them).
>
> Soon I'll write about my new research on this topic which I did recently.
> And for this research I created a tool for conducting DDoS attacks on
> sites via other sites, which I'll write about in the next letter.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Chris Evans" <[email protected]>
> To: "MustLive" <[email protected]>
> Cc: <[email protected]>
> Sent: Tuesday, June 29, 2010 11:41 PM
> Subject: Re: [Full-disclosure] Using of the sites for attacks on other sites
>
>
> 2010/6/28 MustLive <[email protected]>:
>> Hello participants of Full-Disclosure!
>>
>> For the last two months I didn't post my articles to this list due to some
>> not serious moaning in April about some of my articles (you can always find
>> my articles at my site and in the WASC Mailing List). But at the end of June
>> I decided to remind you about my latest articles.
>>
>> Recently I wrote a new article Using of the sites for attacks on other sites
>> (http://websecurity.com.ua/4322/). This is a brief English version of it.
>>
>> Last year in the article DoS attacks via Abuse of Functionality
>> vulnerabilities (it was mentioned at
>> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
>
> I do not see your name anywhere in the top ten?
>
> Cheers
> Chris
>
>> I told about the possibility of conducting DoS attacks via Abuse of
>> Functionality vulnerabilities at other sites. Particularly I showed examples
>> of such vulnerabilities at the web sites regex.info and www.slideshare.net.
>> These attacks can be either unidirectional DoS or bidirectional DoS,
>> depending on the capacities of both servers.
>>
>> And now I'll tell you about the possibility of conducting CSRF attacks on
>> other sites via Abuse of Functionality vulnerabilities. I began researching
>> such attacks already in 2007 when I found such a vulnerability at regex.info.
>>
>> Using of Abuse of Functionality for attacks on other sites.
>>
>> Sites which allow making requests to other web sites (to arbitrary web
>> pages) have an Abuse of Functionality vulnerability and can be used for
>> conducting CSRF attacks on other sites, including DoS attacks via Abuse of
>> Functionality, as was mentioned above. CSRF attacks can be made only to
>> those pages which don't require authorization.
>>
>> For these attacks it's possible to use both Abuse of Functionality
>> vulnerabilities (similar to those mentioned in this article) and Remote File
>> Include vulnerabilities (like in PHP applications) - it's Abuse of
>> Functionality via RFI.
>>
>> This attack method can be of use when it's needed to conduct an invisible
>> CSRF attack on another site (to not show yourself), for conducting DoS and
>> DDoS attacks and for conducting other attacks, particularly for making
>> different actions which need to be made from different IPs. For example, in
>> online voting, for turning hits of counters and hits of advertising at the
>> site, and also for turning clicks (click fraud).
>>
>> Abuse of Functionality:
>>
>> The attack goes as a request from one site (http://site) to another
>> (http://another_site) using the appropriate function of the site
>> (http://site/script).
>>
>> http://site/script?url=http://another_site
>>
>> Advantages of this attack method.
>>
>> In this part of the article I wrote a list of advantages of this attack
>> method. And I mentioned another two important paragraphs:
>>
>> Note that this DoS attack is possible to use for attacks on redirectors,
>> which I wrote about in my articles Redirector's hell and Hellfire for
>> redirectors.
>>
>> Also when conducting DoS attacks it's possible to use several such servers
>> at once and so conduct a DDoS attack. In such a case these servers will be
>> appearing as zombie-computers. I.e. the botnet will be made not from home
>> computers, but from web servers (which can have larger capacities and faster
>> connections). So these vulnerabilities can lead to the appearance of a new
>> class of botnets (with zombie-servers).
>>
>> Examples of vulnerable web sites and web services.
>>
>> In this part of the article I showed examples of different web sites and web
>> services which could be used for conducting attacks on other sites.
>> Including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
>> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
>> keepvid.com, web application Firebook, W3C validators and iGoogle.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
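The thread's core technical point is a site that will fetch any URL handed to it in a parameter (the `http://site/script?url=http://another_site` shape), which lets a third party make that server issue requests on their behalf, and a fleet of such servers act as "zombie-servers". The added example below is not code from the thread or from websecurity.com.ua; it shows the defensive counterpart for an operator of such a feature: an allowlist-based validator for the `url=` parameter, plus a small access-log check that flags off-allowlist targets being fetched repeatedly. The allowlist, host names, function names and log lines are all constructed for this example.

```python
"""Hardening a "fetch this URL" feature against Abuse of Functionality.

Added example (not code from the thread): a site that will request any URL
given in ?url=... can be pointed at third-party sites. The fix is to refuse
arbitrary targets; the detection is to notice when one target keeps being
requested. ALLOWED_HOSTS and SAMPLE_LOG are constructed values.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this feature is permitted to fetch from.
ALLOWED_HOSTS = {"feeds.example.org", "static.example.org"}


def validate_fetch_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, "") if url may be fetched, else (False, reason).

    Rejects anything that is not plain http(s), anything whose host is not on
    the allowlist, literal IP addresses (they bypass name-based allowlists and
    can name internal ranges), and userinfo tricks such as
    http://feeds.example.org@evil.test/ which parse to a different host.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "literal ip addresses are not allowed"
    except ValueError:
        pass  # not an IP literal, continue with name-based check
    if host.lower() not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    return True, ""


# Constructed access-log lines (combined-log shape). The third-party target is
# taken from the url= query parameter of the fetch endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2010:21:53:01 +0000] "GET /script?url=http://feeds.example.org/rss HTTP/1.1" 200 512
203.0.113.5 - - [11/Jul/2010:21:53:02 +0000] "GET /script?url=http://victim.test/search?q=a HTTP/1.1" 200 90
203.0.113.5 - - [11/Jul/2010:21:53:02 +0000] "GET /script?url=http://victim.test/search?q=b HTTP/1.1" 200 90
203.0.113.5 - - [11/Jul/2010:21:53:03 +0000] "GET /script?url=http://victim.test/search?q=c HTTP/1.1" 200 90
198.51.100.7 - - [11/Jul/2010:21:53:04 +0000] "GET /script?url=http://static.example.org/a.css HTTP/1.1" 200 300
"""

_REQ = re.compile(r'"GET /script\?url=(\S+) HTTP/')


def count_fetch_targets(log_text):
    """Count how often each target host was requested through the endpoint."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        counts[urlsplit(m.group(1)).hostname or "?"] += 1
    return counts


def suspicious_targets(log_text, allowed_hosts=ALLOWED_HOSTS, threshold=3):
    """Hosts off the allowlist that were fetched at least `threshold` times."""
    return sorted(host for host, n in count_fetch_targets(log_text).items()
                  if host not in allowed_hosts and n >= threshold)


if __name__ == "__main__":
    for candidate in ("http://feeds.example.org/rss",
                      "http://another_site/",
                      "http://feeds.example.org@evil.test/",
                      "http://127.0.0.1/"):
        print(candidate, validate_fetch_target(candidate))
    print("repeatedly fetched off-allowlist hosts:", suspicious_targets(SAMPLE_LOG))
```

The allowlist is the part that actually removes the "proxy for anyone" behaviour; the scheme, userinfo and IP-literal checks only close the common ways of slipping a different host past a naive string comparison. The log check is deliberately simple, but the same counter over a real log would show the signature the thread describes: one endpoint, many requests, one third-party target.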
