web bots - ctf game
TRANSCRIPT
Goals:
- write secure software
- kill bad bots
- scrape nimbly
Tuesday, June 30, 15
More info on logos in previous slide
• Ubiquiti botnet: https://threatpost.com/default-credentials-lead-to-massive-ddos-for-hire-botnet/112767
• Hola selling users’ bandwidth in botnet: http://www.digitaltrends.com/computing/hola-found-to-be-selling-users-internet-bandwidth-as-botnet/
• “GoodGoogle” exhausting competitor AdSense budgets: http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/
• RecordedFuture: https://en.wikipedia.org/wiki/Recorded_Future
http://www.cnet.com/news/bots-now-running-the-internet-with-61-percent-of-web-traffic/
Bots & Hacks
XSS
More info on logos in previous slide
• LifeLock XSS: http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/
• Facebook doubles bug bounty: https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863
• Apple CelebGate: http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014
• eBay XSS password-stealing bug: https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
• Google.com XSS vulnerabilities: http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml
Scrapers
Python
Mechanize
Detection & Prevention
Browser fingerprinting
Traffic patterns
CAPTCHA, reCAPTCHA
Obfuscation (AJAX, headers, etc.)
Trap and sleep()
Web Bots CTF
Attackers
You manage to control a script that the defenders have included on their website.
A) Modify this script to steal a cookie or username / password data
B) Automate making it past the captcha
C) Scrape all the content from behind the login
D) Don’t take the server down!
Defenders
Pretend you missed the XSS vulnerability (or rely on a compromised script for your website to function)... and secure everything else.
A) Make it a bit harder for bots to login
B) Set some traps, make sure you hide them!
C) Try to differentiate legitimate users from bots
D) Don’t let the server go down!
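An added defender-side example, not part of the slides, written in Python because the deck names Python and Mechanize as the scraping tools. It applies three of the ideas from the Detection & Prevention slide to a constructed request log: a hidden trap URL, per-client request rate (traffic patterns) and a crude header fingerprint, plus the "trap and sleep()" stall. The trap path, thresholds, user agents and sample log are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

TRAP_PATH = "/private-export/"   # hidden trap link, assumed; only a bot would follow it
MAX_REQUESTS, WINDOW_SECONDS = 20, 10.0  # assumed rate threshold per client per window

@dataclass
class Request:
    ts: float             # seconds since log start
    ip: str
    path: str
    user_agent: str
    accept_language: str  # empty string if the header was absent

def is_trap_hit(req):
    return req.path == TRAP_PATH

def fingerprint_suspicious(req):
    # Scripted clients often advertise themselves or omit headers browsers always send.
    ua = req.user_agent.lower()
    return "python" in ua or "mechanize" in ua or req.accept_language == ""

def rate_exceeded(timestamps, now):
    return sum(1 for t in timestamps if now - t <= WINDOW_SECONDS) > MAX_REQUESTS

def classify(requests):
    """Return {ip: set of reasons} for every client that tripped a heuristic."""
    seen, flagged = defaultdict(list), defaultdict(set)
    for req in sorted(requests, key=lambda r: r.ts):
        seen[req.ip].append(req.ts)
        if is_trap_hit(req):
            flagged[req.ip].add("trap")
        if fingerprint_suspicious(req):
            flagged[req.ip].add("fingerprint")
        if rate_exceeded(seen[req.ip], req.ts):
            flagged[req.ip].add("rate")
    return dict(flagged)

def response_delay(reasons):
    """The slide's 'trap and sleep()': seconds to stall a flagged client before answering."""
    return 5.0 if "trap" in reasons else (1.0 if reasons else 0.0)

# Constructed sample log: one browser user, one scraper that follows the trap link.
SAMPLE = [
    Request(0.0, "10.0.0.1", "/", "Mozilla/5.0 (X11; Linux x86_64)", "en-US"),
    Request(3.0, "10.0.0.1", "/login", "Mozilla/5.0 (X11; Linux x86_64)", "en-US"),
    Request(0.0, "10.0.0.2", "/", "Python-urllib/2.7", ""),
    Request(0.1, "10.0.0.2", TRAP_PATH, "Python-urllib/2.7", ""),
] + [Request(0.2 + i * 0.05, "10.0.0.2", f"/page/{i}", "Python-urllib/2.7", "")
     for i in range(25)]
```

Calling `classify(SAMPLE)` flags only 10.0.0.2, with all three reasons; the browser user at 10.0.0.1 is never listed.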