Web Bots - CTF Game
Uploaded by calvin-froedge
Transcript of Web Bots - CTF Game
![Page 1: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/1.jpg)
Goals:
- write secure software
- kill bad bots
- scrape nimbly
Tuesday, June 30, 15
![Page 2: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/2.jpg)
![Page 3: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/3.jpg)
More info on logos in previous slide
• Ubiquiti botnet: https://threatpost.com/default-credentials-lead-to-massive-ddos-for-hire-botnet/112767
• Hola selling users’ bandwidth in botnet: http://www.digitaltrends.com/computing/hola-found-to-be-selling-users-internet-bandwidth-as-botnet/
• “GoodGoogle” exhausting competitor AdSense budgets: http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/
• Recorded Future: https://en.wikipedia.org/wiki/Recorded_Future
![Page 4: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/4.jpg)
![Page 5: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/5.jpg)
http://www.cnet.com/news/bots-now-running-the-internet-with-61-percent-of-web-traffic/
![Page 6: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/6.jpg)
Bots & Hacks
![Page 7: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/7.jpg)
![Page 8: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/8.jpg)
XSS
![Page 9: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/9.jpg)
![Page 10: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/10.jpg)
More info on logos in previous slide
• LifeLock XSS: http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/
• Facebook doubles bug bounty: https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863
• Apple CelebGate: http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014
• eBay XSS password-stealing bug: https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
• Google.com XSS vulnerabilities: http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml
![Page 11: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/11.jpg)
Scrapers
![Page 12: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/12.jpg)
Python
Mechanize
![Page 13: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/13.jpg)
Detection & Prevention
![Page 14: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/14.jpg)
browser fingerprinting
Traffic patterns
captcha, recaptcha
Obfuscation (ajax, headers, etc.)
trap and sleep()
![Page 15: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/15.jpg)
Web Bots CTF
![Page 16: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/16.jpg)
Attackers
You manage to control a script that the defenders have included on their website.
A) Modify this script to steal a cookie or username / password data
B) Automate making it past the captcha
C) Scrape all the content from behind the login
D) Don’t take the server down!
![Page 17: Web Bots - CTF Game](https://reader031.fdocuments.net/reader031/viewer/2022013115/55d189eebb61eb846f8b456b/html5/thumbnails/17.jpg)
Defenders
Pretend you missed the XSS vulnerability (or rely on a compromised script for your website to function)... and secure everything else.
A) Make it a bit harder for bots to login
B) Set some traps, make sure you hide them!
C) Try to differentiate legitimate users from bots
D) Don’t let the server go down!
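As an added example that is not part of the slide deck or the CTF's own code, the following Python script ties the Detection & Prevention slide (traffic patterns, trap and sleep(), captcha) to defender tasks B and C: it scores each client's request rate over a sliding window and flags any client that requests a hidden trap URL. The log line format, the trap path /internal/listing-archive, the thresholds, the IP addresses and the sample log lines are all constructed for this example; the tarpit delay is returned as a number rather than passed to time.sleep() so the decision logic can be tested.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed (not from the slides): a trap URL linked from every page inside an
# element humans never see and disallowed in robots.txt, so only a scraper
# that follows every link ends up requesting it.
TRAP_PATH = "/internal/listing-archive"
WINDOW_SECONDS = 10           # sliding window used for traffic-pattern scoring
MAX_REQUESTS_PER_WINDOW = 20  # assumed threshold; tune from your own traffic
TARPIT_DELAY = 30             # seconds a flagged client would be made to wait

# Assumed log line shape: ip [unix_ts] "METHOD path" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class ClientState:
    window: list = field(default_factory=list)  # timestamps inside the window
    max_rate: int = 0                           # most requests seen in one window
    hit_trap: bool = False                      # requested the hidden trap URL


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def analyse(lines):
    """Build per-client state from log lines (assumed to be in time order)."""
    clients = defaultdict(ClientState)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than trusting them
        st = clients[rec["ip"]]
        if rec["path"] == TRAP_PATH:
            st.hit_trap = True
        st.window.append(rec["ts"])
        # drop timestamps that fell out of the sliding window
        while rec["ts"] - st.window[0] >= WINDOW_SECONDS:
            st.window.pop(0)
        st.max_rate = max(st.max_rate, len(st.window))
    return clients


def verdict(state):
    """Map a client's state to (label, action, delay_seconds).

    A trap hit is conclusive, so the client is tarpitted: the delay is what
    the front end would pass to sleep() before answering. A high request
    rate alone is only suspicious, so the action is a CAPTCHA challenge.
    """
    if state.hit_trap:
        return ("bot", "tarpit", TARPIT_DELAY)
    if state.max_rate > MAX_REQUESTS_PER_WINDOW:
        return ("suspect", "captcha", 0)
    return ("human", "allow", 0)


def classify(lines):
    """Return {client_ip: (label, action, delay_seconds)} for a log."""
    return {ip: verdict(st) for ip, st in analyse(lines).items()}


# Constructed sample traffic (IPs from documentation ranges, not real clients).
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
SAMPLE_LOG = [
    # a person browsing: a few requests spread over a dozen seconds
    f'10.0.0.5 [1000] "GET /" 200 "{HUMAN_UA}"',
    f'10.0.0.5 [1004] "GET /login" 200 "{HUMAN_UA}"',
    f'10.0.0.5 [1012] "POST /login" 302 "{HUMAN_UA}"',
    f'10.0.0.5 [1013] "GET /dashboard" 200 "{HUMAN_UA}"',
    # a scraper: 25 listing pages in 5 seconds, then it follows the trap link
    *[f'192.0.2.77 [{1000 + i // 5}] "GET /items/{i}" 200 "Python-urllib/2.7"'
      for i in range(25)],
    '192.0.2.77 [1006] "GET /internal/listing-archive" 200 "Python-urllib/2.7"',
    # a slow crawler that still follows every link, trap included
    '198.51.100.9 [1000] "GET /" 200 "fastbot/1.0"',
    '198.51.100.9 [1030] "GET /internal/listing-archive" 404 "fastbot/1.0"',
    # a fast client with a browser UA and no trap hit: challenge, do not block
    *[f'203.0.113.4 [{2000 + i // 8}] "GET /search?q={i}" 200 "{HUMAN_UA}"'
      for i in range(22)],
    "garbage line that does not match the log format",
]


if __name__ == "__main__":
    for ip, (label, action, delay) in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:14} {label:8} {action:8} delay={delay}s")
```

The two signals are deliberately weighted differently: a request for a URL that is only reachable by following hidden links is strong evidence of automation, whereas a burst of requests can also be a person opening many tabs, so the rate signal escalates to a CAPTCHA rather than a tarpit. The sliding window also shows why the slide's "traffic patterns" needs per-client state: the scraper and the slow crawler make the same trap request, but only the scraper's 26 requests in six seconds would have been caught by rate alone.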