Vulnerabilities-Web Application Security-WhiteHat HackerKast

#HackerKast 29: China DDoS Github, IAB endorses SSL use in ads, Cisco praising Adblock, SEA hacks Bluehost and more, Google XSS around the world, PHP file upload vuln

Hey Everybody! Welcome to this week's HackerKast!

The first story we talked about this week was the latest DDoS attack on GitHub, which this time came from China. The DDoS itself wasn't the interesting bit; it was the method that we focused on. It looked an awful lot like Jeremiah's and my Black Hat research on the "Million Browser Botnet". Browsers that requested Baidu's analytics JavaScript had that script replaced in transit (a man-on-the-side attack, as the linked analysis calls it) with code that forced them to request two specific GitHub pages over and over. Delivery through a tampered third-party script is slightly different from delivery through an ad network, but the concept is the same: any page that can be made to run attacker-chosen JavaScript turns its visitors' browsers into a flood. The other scary part is that only about 1% of the Baidu analytics traffic was carrying the injected code; if that had been ramped up significantly, who knows what it would've looked like.

Next, in a related ad-network story, we talked about the IAB blog post ("Adopting Encryption: The Need for HTTPS") announcing that it would encourage all of its members and partners to serve ads over HTTPS. This got a chuckle from us: the advertising industry is advocating security. If it actually happens, HTTPS everywhere gets one step closer to feasible, because today a site that goes all-HTTPS runs into mixed-content blocking as soon as it loads an ad over plain HTTP. It would also have stopped China from tampering with these ads and scripts in transit and injecting anything into them, since that kind of injection only works on content fetched over unencrypted HTTP.
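Both the GitHub story and the IAB story come down to the same thing: a third-party script or ad fetched over plain HTTP can be rewritten on the wire, and nothing on the page notices. Serving it over HTTPS is the first fix; Subresource Integrity (SRI) is the complementary one, letting the page pin the exact bytes it expects. The following is an added example, not code from the HackerKast post, the IAB post or Baidu: it generates the `integrity` value for a pinned script and mirrors the browser's check, so that a copy modified in transit is refused. The vendor URL and the script bodies are constructed stand-ins.

```php
<?php
// Added example (not from the original post): generate and verify SRI values so a
// third-party script altered in transit, as in the GitHub attack, is rejected.
declare(strict_types=1);

const SRI_ALGOS = ['sha256', 'sha384', 'sha512'];   // the only algorithms SRI permits

/** Build the value for a <script integrity="..."> attribute from the script body. */
function sri_value(string $body, string $algo = 'sha384'): string
{
    if (!in_array($algo, SRI_ALGOS, true)) {
        throw new InvalidArgumentException("SRI permits only sha256/sha384/sha512, got $algo");
    }
    return $algo . '-' . base64_encode(hash($algo, $body, true));
}

/**
 * Mirror the browser's check: accept the fetched body only if it matches the pin.
 * This fails closed on a malformed value; a real browser instead treats an
 * unrecognised algorithm as "no integrity attribute" and loads the script, so a
 * typo in the algorithm name silently disables the protection.
 */
function sri_matches(string $body, string $integrity): bool
{
    $parts = explode('-', $integrity, 2);
    if (count($parts) !== 2 || !in_array($parts[0], SRI_ALGOS, true)) {
        return false;
    }
    return hash_equals($parts[1], base64_encode(hash($parts[0], $body, true)));
}

// Constructed stand-in for the vendor's analytics script, fetched once at build
// time over HTTPS directly from the vendor and pinned.
$pinned = "(function(){var i=new Image();i.src='/hit.gif?'+Date.now();})();";

// Constructed stand-in for a copy rewritten on the wire. The exact injected code
// (a reload loop, a beacon to a victim site) is irrelevant: one changed byte is enough.
$tampered = $pinned . "/* injected */";

$integrity = sri_value($pinned);
echo '<script src="https://vendor.example/analytics.js" integrity="', $integrity,
     '" crossorigin="anonymous"></script>', PHP_EOL;

var_dump(sri_matches($pinned, $integrity));    // bool(true)
var_dump(sri_matches($tampered, $integrity));  // bool(false)
```

Two caveats before relying on this. First, SRI only protects the script body; if the HTML page itself is served over HTTP, the attacker simply strips the `integrity` attribute, which is why the page and the script both need HTTPS. Second, cross-origin scripts must be served with CORS headers (hence `crossorigin="anonymous"`) and the pinned bytes must be stable; a vendor that changes its analytics script every few days will break the pin, and the practical answer there is HTTPS plus a vendor you trust, not a hash you have to keep refreshing.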

Also related, Jeremiah touched on a Cisco post recommending ad blockers (Adblock and Ghostery) to combat drive-by malware downloads delivered through malvertising. We all got a laugh out of this, since we've been saying it for years; hearing it from somebody like Cisco is funny. None of us is against advertising entirely, but it is dangerous on the Internet.

Back to the hacking, Robert talked about the Syrian Electronic Army hacking the umbrella company that owns BlueHost, Justhost, Hostgator and more. Through a few VPN compromises, the SEA claims it got access to the administrator panels of all of these shared hosting providers, and in turn to their customers. This was hacktivism: the SEA went after these providers because they host Islamic State websites. We wrapped up the topic with some thoughts on shared hosting security in general; to us it looks like a big single point of failure on the web.

In other hacking news, a creative bounty hunter found some fun XSS recently and demonstrated it in a fun way. The researcher found an XSS bug in Google that worked not only on the .com domain but on *every* Google country TLD around the world, because the same vulnerable code is served on all of them. That led to a YouTube video called "Google XSS World Tour": classical music plays while a browser redirects from one international Google domain to the next, with the XSS firing on each. One bug to rule them all... or something like that.

Last, we talked about a PHP file upload vulnerability disclosed this week (CVE-2015-2348, PHP bug #69207). The core function move_uploaded_file() did not reject a null byte in its destination path, and the underlying C-level write stopped at the first 0x00 byte. So a file submitted under the name shell.php\0.jpg passes a validator that only looks at the trailing .jpg extension, but lands on disk as shell.php; if the upload directory sits under the web root, that is code execution on the web server running PHP. Two conditions apply: the null byte has to arrive as a raw byte in the multipart filename, and the upload script has to build the destination path from the client-supplied name. PHP 5.4.39, 5.5.23 and 5.6.7 fix the function to refuse paths containing null bytes. A quick search on GitHub for move_uploaded_file gives 245,006 results; not every one of those is exploitable, but every one that derives the destination from the user's filename and validates on the extension alone is.
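To make the failure concrete, here is an added example (my own code, not from the HackerKast post, the linked write-up or PHP itself). It shows the naive extension check being fooled by a filename with an embedded null byte, emulates where PHP before the fix actually wrote the file, and then gives an upload handler in which the client's filename never reaches the filesystem at all. The function names and the `uploads/` directory are assumptions for the demo.

```php
<?php
// Added example, not from the original post. Demonstrates why the pre-fix
// move_uploaded_file() behaviour (CVE-2015-2348) defeats an extension check on
// the client-supplied filename, and a handler that does not depend on that name.
declare(strict_types=1);

/** The check many upload scripts perform: look only at the last extension. */
function naive_extension_ok(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));   // "jpg" for "shell.php\0.jpg"
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

/**
 * Emulates (in PHP) where PHP before 5.4.39 / 5.5.23 / 5.6.7 actually wrote the
 * file: the destination was passed to the C library as a NUL-terminated string,
 * so everything from the first "\0" onward was silently dropped.
 */
function legacy_effective_path(string $destination): string
{
    $nul = strpos($destination, "\0");
    return $nul === false ? $destination : substr($destination, 0, $nul);
}

/**
 * Hardened handler for one entry of $_FILES. Returns the stored path or null.
 * Assumes $uploadDir is outside the web root, or has PHP execution disabled.
 */
function hardened_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {     // path must come from this request's upload
        return null;
    }
    // Decide the type from the content, never from the attacker's filename.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Server-generated name: no null bytes, no separators, no double extensions.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed attacker filename: the raw 0x00 byte arrives in the multipart
// Content-Disposition header exactly as sent; PHP does not URL-decode it.
$clientName = "shell.php\0.jpg";

var_dump(naive_extension_ok($clientName));                  // bool(true): the check is fooled
var_dump(legacy_effective_path('uploads/' . $clientName));  // string(17) "uploads/shell.php"
```

On a fixed PHP 5.x the same `move_uploaded_file()` call to `uploads/shell.php\0.jpg` emits a warning and returns false; PHP 8 throws a `ValueError` saying the path must not contain null bytes. That closes this particular bug, but a validator that trusts the client filename is still one `../` or double-extension away from the next one, which is why `hardened_upload()` generates the name itself and classifies the file by content.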


Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


Syrian Electronic Army Hacks BlueHost, Justhost, Hostgator, Fastdomain, Hostmonster to go after Islamic State

Cisco recommends Adblock & Ghostery to combat malvertising

Google XSS World Tour

China’s Man-on-the-Side Attack on GitHub

Adopting Encryption: The Need for HTTPS

Exploiting PHP Upload Forms

Notable stories this week that didn’t make the cut:

Google to drop China’s CNNIC Root Certificate Authority after trust breach

Obama Declares War on Foreign Hackers

AllCrypt Hacked Using Brute Force and Password Reset

The old is new, again. CVE-2011-2461 is back!

Instagram API Bug Could Allow Malicious File Downloads

DEA Charged with Being Mole for Silkroad
