Tuesday, March 30, 2010

From Stored XSS to DDoS, almost

The backbone of science is sharing your failed experiments so here goes.

I was a little frightened when directed to RFC 2397. Basically it says that included objects that you would reference by a URL can be provided inline in one or more forms. It looks like this:

<img src=”data:image/png;base64,alkj2K09…..” />

Try it. It’s kind of neat-o. The idea I had was that maybe you could provide a java applet that way. You can already deliver an applet by reference with XSS but an applet is only supposed to be able to make connections back to the site that it was downloaded from. If you try to connect to anything else, like the target site, it generates a pop message that the user has to click through. If I could get the target site to provide the applet it should be able to connect back to the target site without the user being aware.

The fun idea I had was to write a java applet implementation of the slowloris attack. The really awesome thing if this were possible is that if you find a stored XSS vulnerability in the target site you could get the legitimate users of the site to DDoS it indefinitely. Beyond that, you may be able to make SSH or other authenticated connections back for random password guessing; perhaps the results could be reported back to the attacker via DNS requests. The difficulty (if it worked) is that the target site would have to allow a pretty large stored XSS. If the stored XSS vulnerability is against a TEXT database column you’re fine. If it’s against a VARCHAR(128) and you’re trying to deliver a 1.2KB jar file it’s not going to work.

I could get the applet to work flawlessly at attacking my test web server. It would sometimes even do so without the socket connection sandbox permission dialog from popping up. It wouldn’t work properly with the inline jar file though. Eventually I tried Firefox+Sun JRE on windows and it gave me the error message I needed: unknown protocol: data or something similar.

Maybe this could still work with Flash or some funky contortions with JNLP. I, however, am done working on it.

Monday, March 29, 2010

Ohh...: Does anyone ever talk about what sort of psychological relief Walmart...

Ohh...: Does anyone ever talk about what sort of psychological relief Walmart...

Does anyone ever talk about what sort of psychological relief Walmart brought to the individual in the small town, in terms of alleviating the burden of over-judgmental townies who ran the local Rx, hardware, grocery, etc., by offering purchasing anonymity (I mean socially; not in terms of…

Everything lost is something else gained, and vice versa. Walmart has a lot of detractors and a lot of promoters. I haven’t seen this side of the debate before.

DoSassination Market

From Wikipedia:

An assassination market is a prediction market where any party can place a bet (using anonymous electronic money, and pseudonymous remailers) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise assassination of individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death. Because the payoff is for knowing the date rather than performing the action of the assassin, it is substantially more difficult to assign criminal liability for the assassination.

What if a site existed where there would be various pools for betting on when a given site’s Denial of Service attack would end. The rules would state that the betting pool site would attempt to retrieve a given site’s root page in its entirety. If it succeeded it would make 9 more attempts randomly dispersed over the next five-minute period. If all of those subsequent attempts succeeded the site would be considered “up”. If any of them failed, the test would begin again after a random delay of between 5 and 60 minutes.

To win the betting pool, Bob has to add to the pool and he has to guess when the DoS will end. The best way for him to make that guess is to extend the current DoS attack with his own and then end his on the moment of his prediction, hoping that any other ongoing attacks have also ceased. As more people participate in this flash DoS, the betting pool grows, bringing more interest to the “contest” and more people who will try their own DoS to win the pool.

Sunday, March 14, 2010


Brilliant idea of the day.

I register the domain, “elitehackingcontest.org” or somesuch nonesense. I make sure the website says that the target sites are “realistically simulated Internet sites”. I then just pick random sites on the internet and point target1.elitehackingcontest.org.

I then advertise the crap out of it and let hilarity ensue.

Saturday, March 6, 2010

Alice In Wonderland

Saw “Alice In Wonderland”. Meh. Glad I didn’t pay to see it in sphincter-puckering IMAX 3D. The casting was good, the acting was good… I just felt that it wasn’t engaging.