Full Disclosure mailing list archives
Re: DDoS attacks via other sites execution tool
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 3 Jul 2013 23:57:12 +0300
Hello Julius!

Looks like you haven't read my articles, which I referenced in my letter. Such as Using of the sites for attacks on other sites - this is my 2010 article based on my 2009 article DoS attacks via Abuse of Functionality vulnerabilities. In the new article I combined different attacks (which can be used for attacks on other sites) and added new example of vulnerable sites to draw attention to this problem.

Yes, it's brilliant. And not only GET requests - since DAVOSET v.1.0.8 the tool also supports POST requests ;-).

My tool is designed to automate such attacks on other sites. If you want to do the attacks manually (using all those vulnerable sites, including those in my lists of zombies), feel free to do it. Like to use them as proxies (to hiddenly visit sites), or to send CSRF requests for different attacks on those sites, or to make DoS attacks. Which are especially effective when there are many sites combined together, i.e. to make DDoS attacks, which are using not clients, but servers as zombies. Servers have larger channels, so they are a more effective weapon for conducting DDoS attacks.

And exactly for automating these things I've created my tool. Yes, it can be used for attacking with only one zombie-server, but it's good at making DDoS attacks with multiple servers (it handles any amount of servers very well). To understand the possibilities of DoS attacks via AoF vulnerabilities, it's necessary to read those 2009-2010 articles of mine.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Julius Kivimäki
To: MustLive
Cc: full-disclosure () lists grok org uk
Sent: Friday, June 21, 2013 7:36 PM
Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool

So you made a perl script to make GET requests on a list of URLs? Brilliant.

2013/6/18 MustLive <mustlive () websecurity com ua>

Hello participants of Mailing List.

If you haven't read my article (written in 2010 and last week I wrote about it to WASC list) Advantages of attacks on sites with using other sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html), feel free to do it. In this article I reminded you about using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html), DDoS attacks via other sites execution tool (DAVOSET) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html), sending spam via sites and creating spam-botnets (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html) and wrote about advantages of attacks on sites with using other sites.

Last week I published online my DDoS attacks via other sites execution tool (http://websecurity.com.ua/davoset/). It's a tool for conducting DDoS attacks via Abuse of Functionality vulnerabilities on the sites, which I made in 2010. Description and changelog in English are presented at my site. Where you can get my DAVOSET v.1.0.5 (made on 18.07.2010).

This is the last version of my DAVOSET. After that I stopped its development. But now I am planning to continue development of the software and to release new versions (I'll release v.1.0.6 today). For three years I was holding this tool privately, but now released it for free access.

So everyone can test Abuse of Functionality vulnerabilities at multiple web sites - like Google's sites, W3C and many others, which were informed by me many times during many years (I was informing admins of web sites about such vulnerabilities since 2007), but ignored and don't want to fix these holes for a long time, and for example Google continued to create new services with Abuse of Functionality and Insufficient Anti-automation vulnerabilities, which can be used for such DoS and DDoS attacks.

It must bring attention to the danger of these vulnerabilities (which I was trying to do in my articles in 2010). Because in most cases owners of web sites and web developers ignore and don't fix them. Which can be used for DoS attacks as on other sites, as on the sites with Abuse of Functionality vulnerabilities themselves, about which I wrote in my article Using of the sites for attacks on other sites.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/