Comments on Jeremiah Grossman: CSRF DDoS, skeleton in the closet

Anonymous (2008-04-25 10:47 -07:00):
it is very nice text. thanks for it..

Security4all (2008-04-23 15:37 -07:00):
And we have a very good practical example from the recent DDoS on CNN.

I'm going to quote a recent post from Dancho Danchev here:

> What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinated to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com.

http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

ps, adam that paper looks really interesting, thanks!!!

Anonymous (2008-04-22 19:46 -07:00):
CSRF is useful for a lot of different applications depending on all of the variables that need to be taken into account. If POST requests can be done via GET requests instead (most times they can indeed), there are very few checks in place for referring URLs, and a token system is either nonexistent or hardly implemented then you have all the necessary bits for a CSRF worm.

Anonymous (2008-04-22 11:24 -07:00):
Jeremiah,

You might be interested in the Puppetnets (http://s3g-mirror.malware-dmz.org/papers/puppetnets-ccs06.pdf) paper.

Brian Pearson (2008-04-22 09:08 -07:00):
It would be cool if the browsers can add something to the request header if the request is coming from a img, iframe etc., versus the main page being loaded in the browser ... that would give us web developers another potential defense against certain types of CSRF such as the one mentioned here.
Of course this doesn't solve it all, but it would certainly up the ante for the bad guys.

Rob (2008-04-22 05:55 -07:00):
It's funny that you should post about how people underestimate CSRF as a vulnerability. I just posted about a purely CSRF attack that I can use to compromise someone's box a couple days ago. The stuff is dangerous and people need to take it seriously, especially with the proliferation of new products that start up web servers on the local system.

http://r00tin.blogspot.com/2008/04/utorrent-pwn3d.html

Anonymous (2008-04-22 03:38 -07:00):
@Adam

That's why the term CSRF is outdated, because it isn't XSS also. It is unauthorized requests, the mechanism -or distribution layer- used in CSRF as well as XSS to work. Since "cross-site" also can happen locally, in your browser, or in your phone or any other place, I feel that we should drop the term altogether, because it restricts us and limits us. Payload and transportation of it are different mechanisms which should not be confused with each other. The payload like Javascript or HTML cannot fall under the same name as "scripting" because it isn't.

It's payload transported over the mechanism that triggers an unauthorized request on behalf of the person or software that makes it.
But as I said, that can happen in your phone also, so it isn't "cross-site-scripting" nor a "cross-site-request-forgery".

I've written an article on it and my viewpoints on it yesterday:
http://www.0x000000.com/?i=553

Jeremiah Grossman (2008-04-22 00:20 -07:00):
Oh great. Here we go. :)

Anonymous (2008-04-22 00:18 -07:00):
CSDDoS add that one to the list ;)

Jeremiah Grossman (2008-04-22 00:05 -07:00):
I guess that's fair enough, though we probably need to call it something, but I'd prefer we didn't add another esoteric name or acronym to the pool. :)

Anonymous (2008-04-21 23:57 -07:00):
It's not clear to me that DDoS via image tags is a cross-site request forgery attack. It certainly involves cross-site requests, but I'm not sure there is any forgery involved.