Monthly Archives: October 2014

How Attackers View Your Web Site

This post is shamelessly taken from the Akamai blog.

The Boston Application Security Conference (BASC) was this past weekend, and Patrick Laverty from Akamai InfoSec’s CSIRT team gave a talk called “How Hackers View Your Web Site.”

Patrick recorded the talk and posted it on his YouTube channel. Like everything he does, it’s quite good. So I’m sharing it here.

Laverty described his talk this way:

“As defenders, we have to be right 100% of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we’ll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site.”


Presenting at OWASP BASC 2014!

Today was a pretty great day, presenting for the OWASP Boston Application Security Conference held at Microsoft in Cambridge. My talk was “How Hackers View Your Web Site” and I thought it was pretty well received. It had a great audience that seemed to enjoy it. I have a lot of fun with the topic as well. It’s one where most people in infosec are probably already aware of all the pieces, but when you see it all at once, it’s like “Hmm, yeah, there’s that too.”


Vulnerability Assessment vs. Penetration Testing

I was asked by my colleague Bill Brenner to step in and film a whiteboard video for Akamai. The topic was pre-chosen for me, Vulnerability Assessment vs. Penetration Testing (pentesting). We filmed the video a couple weeks ago (those lights are hot!) and the whiteboard video should be out by January. But in the meantime, Bill suggested that my script would make a good blog post. So I said sure, put it up. Here is the blog post from my video script:

(If you’re wondering what whiteboard videos are, here are some examples:


You Spin Me Right Round, Like a Record Baby…

Here’s a fun one I got to play with the other day. It’s not so much a vulnerability but some bad coding that could have presented itself to look like a denial of service attack. It triggered rate controls on the WAF, which will often get my attention. Then I looked and saw it was mostly coming from a single IP address. Right there, you can almost immediately rule out DDoS, because the first D is for “distributed”. A single IP isn’t very well “distributed”.

Looking into the IP address, I noticed that it was coming from a media outlet in Latin America. I haven’t seen too many news orgs that want to DoS a site. Plus, all the requests were going to the same file on a customer’s site, and it was pretty innocuous. It was just a story that was relevant to the news org.

Next, I looked a little more into the file that was being called. I put the URL into a browser and I got a white screen. Nothing. But looking a little more closely, I could see that the page just kept reloading. A “View ->Source” of the page showed nothing. Blankness. Nothing was loading, even though the page was reloading endlessly. What was causing that?

Let’s take a piece out of the transaction. Remove the browser. I opened up a terminal and did a curl of the URL and got a response. Included in the response, in the header, was:

<head><meta http-equiv="refresh" content="0;url=/removed/index.html"> </head>

Well, there we go. For some reason, someone put a meta refresh on the page, set to refresh every 0 seconds, which is basically constantly and forever. This was just a mistake by a developer. Sites will often put in a refresh, either in the meta tag or in the JavaScript, to force reloading, which the skeptical side of me says is to increase advertising views. If you’re going to sit on a page for a while, the server is going to reload that page and reload the ads, possibly showing new ones, or just getting a new impression of the old ones. Except setting the refresh to 0 means the page never loads completely.

So why did the media site link to this page if it never loads? I suspect the link was old and the refresh changed after the page had been linked. Then everyone who clicked on the link on the media site, to this reloading site, probably left it running for at least a few seconds, or possibly just left it running in a browser tab and waited. You get enough of these at the same time and it can look like a DoS. But as we can see, if it looks like a DoS, smells like a DoS and quacks like a DoS, it might still not be a DoS.

Fun stuff.
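The refresh loop above is easy to check for from the same curl output, before assuming a DoS. The following is an added example, not code from the post or from Akamai: it parses the meta refresh out of a response body and flags it only when the delay is 0 and the target resolves back to the page that was requested. The host name and the rule that /dir/index.html is the same resource as /dir/ are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Pull out <meta ...> tags and their quoted attributes, in any attribute order
META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_refresh(content):
    """Split a refresh 'content' value into (delay_seconds, target_url_or_None)."""
    head, _, tail = content.partition(";")
    try:
        delay = float(head.strip())
    except ValueError:
        return None  # malformed value: browsers ignore it, so do we
    target = tail.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return delay, (target or None)


def normalize(url):
    """Compare resources, not strings: drop query/fragment, lowercase host,
    and treat /dir/index.html as /dir/ (assumption: index.html is the directory default)."""
    s = urlsplit(url)
    path = s.path or "/"
    if path.endswith("/index.html"):
        path = path[: -len("index.html")]
    return (s.scheme.lower(), s.netloc.lower(), path)


def find_refresh_loop(page_url, html):
    """Describe the first meta refresh found, or return None if there is none.
    'loop' is True only when it fires immediately AND points back at the same resource;
    a 0-second refresh to a different URL is just a redirect, not a loop by itself."""
    for tag in META_RE.findall(html):
        attrs = {}
        for name, dq, sq in ATTR_RE.findall(tag):
            attrs[name.lower()] = dq if dq else sq
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        parsed = parse_refresh(attrs.get("content", ""))
        if parsed is None:
            continue
        delay, target = parsed
        resolved = urljoin(page_url, target) if target else page_url
        loop = delay == 0 and normalize(resolved) == normalize(page_url)
        return {"delay": delay, "target": resolved, "loop": loop}
    return None


# Constructed sample mirroring the header the post quotes; the real host is not known
PAGE_URL = "http://customer.example/removed/index.html"
LOOPING_HTML = '<head><meta http-equiv="refresh" content="0;url=/removed/index.html"> </head>'
```

Run over a WAF-flagged URL's body, a `loop: True` result explains a single IP hammering one file without any attacker involved.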
