web bots - ctf game

Goals:

- write secure software- kill bad bots-scrape nimbly

Tuesday, June 30, 15

More info on logos in previous slide

• Ubiquiti botnet: https://threatpost.com/default-credentials-lead-to-massive-ddos-for-hire-botnet/112767

• Hola selling users’ bandwidth in botnet: http://www.digitaltrends.com/computing/hola-found-to-be-selling-users-internet-bandwidth-as-botnet/

• “GoodGoogle” exhausting competitor AdSense budgets: http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/

• RecordedFuture https://en.wikipedia.org/wiki/Recorded_Future


https://threatpost.com/default-credentials-lead-to-massive-ddos-for-hire-botnet/112767




http://www.digitaltrends.com/computing/hola-found-to-be-selling-users-internet-bandwidth-as-botnet/




http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/




https://en.wikipedia.org/wiki/Recorded_Future

https://en.wikipedia.org/wiki/Recorded_Future

http://www.cnet.com/news/bots-now-running-the-internet-with-61-percent-of-web-traffic/




Bots & Hacks


xss


More info on logos in previous slide

• LifeLock XSS: http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/

• Facebook doubles bug bounty: https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863

• Apple CelebGate: http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014

• eBay xss password stealing bug https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/

• Google.com XSS vulnerabilities http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml


http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/




https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863




http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014




https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/




http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml




Scrapers


Python

Mechanize


Detection & Prevention


browser fingerprinting

Traffic patterns

captcha, recaptcha

Obfuscation (ajax, headers, etc.)

trap and sleep()


Web Bots CTF


AttackersYou manage to control a script that the defenders

have included on their website

A) Modify this script to steal a cookie or username / password data

B) Automate making it past the captcha

C) Scrape all the content from behind the login

D) Don’t take the server down!


DefendersPretend you missed the XSS vulnerability (or rely

on a compromised script for your website to function)...and secure everything else.

A) Make it a bit harder for bots to login

B) Set some traps, make sure you hide them!

C) Try to differentiate legitimate users from bots

D) Don’t let the server go down!


web bots - ctf game

Documents

xss vulnerabilities

bug https

ebay xss password

xss vulnerability

bots d dont

bad bots

bots hacks

previous slide lifelock