Full Disclosure mailing list archives
Re: DDoS attacks via other sites execution tool
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 18 Jul 2013 23:55:16 +0300
Hello psy! I'm glad that you liked DOVOSET. And I'm glad that you liked my articles, including those old articles about attacks via redirectors (Redirectors' hell and Hellfire for redirectors). Such attacks can be used together with XSS holes. So it can be useful for your tool. Specially for using with your UFONet - to use XSS holes with looped redirectors to conduct more powerful DDoS attacks - I released advisory about Denial of Service vulnerabilities WordPress at 27.06.2013. Any redirector at any web site or any redirector service can be used with XSS vulnerabilities to conduct DDoS attack via UFONet.
Curiously, I posted a tool written in python the same day. It is called: UFONet
I made my tool already in 2010. That time I made an announcement of the tool, where I described DAVOSET and its effectiveness, but didn't release the tool. I made it private and gave it only to one security researcher, who wanted to look at it. I didn't want to give such kind of attacking tool to script kiddies (to prevent mass attacks, because there were a lot such Abuse of Functionality vulnerabilities in Internet, since 2007 when I start finding them and presented in zombies-lists with my tool). But because for three years people continue to ignore such holes and almost nobody fixed such holes (just few most serious ones, and even Yahoo lamerly ignored for a long time such hole in their Babelfish and in 2012 just lamerly closed it), so I decided to release it publicly in June 2013.
My idea now, is to work the detection of new 'zombies' by crawlering techniques and increase the "strike" capability requests.
Good ideas. But concerning automated searching XSS holes by crawlering. It'll be already XSS scanner, not just attacking tool for using existent vulnerabilities, and it'll give a lot of power to an attacker. No need for him to find XSS holes, your tool will do everything for him ;-). Just enter target site and UFONet will do all the work (find a lot of zombies and attack the target with all of them), so be careful with such functionality.
I have seen that your tool doesn't allows the use of proxies. It may be interesting to add that functionality.
Thanks for suggestion. I've added it to ToDo - in addition to all my ideas (which I have a lot). The reason, why I've not done it earlier and was not planning, is simple - DAVOSET is using other sites as proxies for conducting DoS attacks. So target sites after received DDoS attacks from multiple zombie sites will be seeing in logs only Google, W3C and other sites/IPs. So proxying is part of attack :-). But for paranoids, who worry that admins on zombie-sites will give their logs to admins of victim-sites (or not admins, but special services), then additional proxy will be good solution (and I'll add proxy support in the future).
+ Video: http://vimeo.com/68772290
I've seen your video. And I wrote you feedback about video and some feedback about UFONet last month. And will write more feedback soon.Keep working on your software. Concerning your release of v.0.2. Think about making more detailed changelog (not just mention concerning release of new version, but with detailed description of changes).
Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua----- Original Message ----- From: "psy" <root () lordepsylon net>
To: "MustLive" <mustlive () websecurity com ua> Cc: <full-disclosure () lists grok org uk>; <websecurity () lists webappsec org> Sent: Wednesday, June 19, 2013 10:25 PM Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool
Hi, On 18/06/13 22:50, MustLive wrote:Hello participants of Mailing List. If you haven't read my article (written in 2010 and last week I wrote about it to WASC list) Advantages of attacks on sites with using other sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), feel free to do it. In this article I reminded you about using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), DDoS attacks via other sites execution tool (DAVOSET) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) and wrote about advantages of attacks on sites with using other sites.I have read the articles and they are very interesting, for example, the "hell" redirection. This kind of web abuse can be very powerful. Nice work! ;-)Last week I've published online my DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). It's tool for conducting of DDoS attacks via Abuse of Functionality vulnerabilities on the sites, which I've made in 2010. Description and changelog on English are presented at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.07.2010).Curiously, I posted a tool written in python the same day. It is called: UFONet http://ufonet.sf.net At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS found on third-party, on the direction of DoS attacks. But, I decided that best thing was to create a unique tool, because of the interesting subject. My idea now, is to work the detection of new 'zombies' by crawlering techniques and increase the "strike" capability requests. I have thought for example, that may be is interesting to obtain the images, flash movies, etc., like a benchmarking process on the target, to pass to the 'zombies' the places heavier on the site and do a more effective attack.This is the last version of my DAVOSET. After that I've stopped its development. But now I am planning to continue development of the software and to release new versions (I'll release v.1.0.6 today).I have seen that your tool doesn't allows the use of proxies. It may be interesting to add that functionality.For three years I was holding this tool privately, but now released it for free access. So everyone can test Abuse of Functionality vulnerabilities at multiple web sites - like Google's sites, W3C and many others, which were informed by me many times during many years (I was informing admins of web sites about such vulnerabilities since 2007), but ignored and don't want to fix these holes for a long time, and for example Google continued to create new services with Abuse of Functionality and Insufficient Anti-automation vulnerabilities, which can be used for such DoS and DDoS attacks.I would like to propose that we work together. I'm sure that the community would appreciate our agreement on a single line of development. Thank you very much for publish your research. A greeting.psy
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DDoS attacks via other sites execution tool MustLive (Jul 03)
- <Possible follow-ups>
- Re: DDoS attacks via other sites execution tool MustLive (Jul 18)