Weaponizing the Web: New Attacks on User-generated Content

Presented at DEF CON 17 (2009), Aug. 1, 2009, 10 a.m. (50 minutes)

Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it. We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your and (our) favorite sites.

Presenters:

• Nathan Hamiel
  "Nathan Hamiel" (not his real name) dropped out of High School to work as a deckhand on an oil tanker in the Sargasso Sea. On its maiden voyage, the tanker "The Lady Nikita" was caught in a freak So'Wester that swamped its engines and damaged the electrical systems. Hopelessly lost and without radio or navigation, the crew ran aground somewhere near the coast of French Guyana. Relying on natural language and negotiation skills, "Nathan" bartered several of his crew members into slavery for safe passage overland to Caracas. Once, there he found work as a night janitor in the Miraflores palace during the Perez regime. When the junta came, he was forced to flee by night as a suspected American spy. To this day people are still unsure just how deep his ties are with the CIA. From there, "Nathan" fled overland through Panama, where he secured passage to Florida on a forged diplomatic passport. He still resides there today, posing as a Senior Consultant of impeccable credentials with Idea Information Security and an Associate Professor for University of Advancing Technology.
• Shawn Moyer
  Dr. Shawn Moyer's best work remains, by definition, undocumented. Some claim he is one of the unseen architects of both Iraq Wars, while others pay no credence to this rumor, based on reports that he has been heading a covert Psychological Warfare operation in Cyprus at the behest of the Greek government for much of the past 15 years. His involvement in the poisoning of Victor Yushenko is largely conjecture, but records do show that he was at the same restaurant on the night in question and sent his Borscht back, untouched. He unquestionably is the owner of a Spetznaz-issue Vostok watch, and a handlebar mustache that fits several witness descriptions. Still, the larger questions remain... Why did Dr. Moyer abruptly change his travel plans for Flight 93? Why was he spotted near the Book Depository, carrying what appeared to be a box of 6.5mm shells? Why is his testimony conspicuously absent from all records of the Warren Commission? And most of all, why is he currently listed as a Principal Security Consultant with FishNet Security's Assessment Practice?

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Moyer
• https://www.youtube.com/watch?v=7xBQVsqcpaM

Similar Presentations:

• Wild West Hackin' Fest 2019 / Campfire Stories - 15 minutes each
• AppSec USA 2012 / Payback on Web Attackers: Web Honeypots
• DEF CON 15 (2007) / Black Ops 2007: Design Reviewing The Web