Web Application Harvesting Esteban Ribičić - Individual Member - Speaker kisero at gmail dot com
Content
• Who am I and what is all this about?
• How did we get here?
• Spidering, scraping, “deep web”, harvesting
• Example
• So how does it work?
• How does it relate to security?
• Examples
• All you need, nothing you don’t.
• The right solution for the specific scenario.
• Conclusions
Who am I?
• What I did
  • Application Developer
  • Linux Administrator (ISP and Portals)
  • Network & Security Engineer
  • Solution Architect and PM
  • Lead Web App. Developments
  • Full time boyfriend
• Article Objective
  • “Expose to the web (and security) community that a technique as trivial as harvesting can be lethal for the online business (the one that pays our bills).”
How did we get here?
• Origins: spidering, the search engine boom.
• Scraping: no agreement on what to share.
• Deep Web definition.
• Harvesting comes into play.
How does it work?
• Ingredients:
  • Perform reverse engineering on the target web application.
  • Re-create a normal request with a piece of code.
  • Run it with multiple threads.
  • Fast “clicking”: run them all quickly!
How does it relate to security? Social network example
• Brute force attack
  • Session (cookies)
  • Login portal
• Subject-oriented SPAM
• Privacy disclosure
• DoS attacks
  • Storage exhaustion
  • Request exhaustion
• Etc…
How does it relate to security? Airline example
• The ratio between searches and operations sold will increase.
• Database off-load or mining.
• Harvested: the ratio between processing capacity and requests, and the SLOs, are lost; $ comes into the game.
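The two symptoms on this slide, a rising look-to-book ratio and machine-speed requests, are something a monitoring job can compute from access logs. The following Python is an added example, not code from the talk: it parses a few constructed log lines (the client / ISO timestamp / path layout is assumed, not any real server's format) and flags clients whose searches-per-booking ratio and minimum inter-request delta both look automated. Function names and thresholds are assumptions for the example.

```python
"""Added example (not from the talk): spotting harvesting in access logs.

Two of the talk's signals are computed per client:
  - look-to-book ratio (searches / operations sold), which climbs for a harvester;
  - the smallest delta between two consecutive requests, which a script drives
    far below what a person clicking through a browser produces.
The log lines and their layout (client, ISO timestamp, path) are constructed
for this example and do not correspond to any real server's log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one request per line: "<client> <ISO-8601 timestamp> <path>"
SAMPLE_LOG = """\
203.0.113.5 2024-05-01T10:00:00.100 /search?from=EZE&to=MAD
203.0.113.5 2024-05-01T10:00:00.350 /search?from=EZE&to=LHR
203.0.113.5 2024-05-01T10:00:00.600 /search?from=EZE&to=CDG
203.0.113.5 2024-05-01T10:00:00.900 /search?from=EZE&to=FRA
203.0.113.5 2024-05-01T10:00:01.150 /search?from=EZE&to=AMS
203.0.113.5 2024-05-01T10:00:01.400 /search?from=EZE&to=FCO
198.51.100.7 2024-05-01T10:00:00.000 /search?from=EZE&to=MAD
198.51.100.7 2024-05-01T10:01:30.000 /search?from=EZE&to=MAD
198.51.100.7 2024-05-01T10:03:10.000 /book?flight=XX123
"""


def parse_log(text):
    """Yield (client, timestamp, path) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, path = line.split(" ", 2)
        yield client, datetime.fromisoformat(ts), path


def client_stats(text):
    """Per client: searches, bookings and the smallest gap (seconds)
    between two consecutive requests. Lines are assumed to be in time order."""
    stats = defaultdict(lambda: {"searches": 0, "bookings": 0,
                                 "last": None, "min_delta": None})
    for client, ts, path in parse_log(text):
        s = stats[client]
        if path.startswith("/search"):
            s["searches"] += 1
        elif path.startswith("/book"):
            s["bookings"] += 1
        if s["last"] is not None:
            delta = (ts - s["last"]).total_seconds()
            if s["min_delta"] is None or delta < s["min_delta"]:
                s["min_delta"] = delta
        s["last"] = ts
    return dict(stats)


def look_to_book(s):
    """Searches per operation sold; a client that never books gets +inf."""
    return s["searches"] / s["bookings"] if s["bookings"] else float("inf")


def flag_harvesters(text, max_ratio=20.0, min_human_delta=1.0, min_requests=5):
    """Return clients that both search far more than they buy AND fire
    requests faster than a person plausibly can. Requiring both signals
    keeps a slow, indecisive shopper (high ratio, human pace) off the list."""
    flagged = []
    for client, s in client_stats(text).items():
        if s["searches"] + s["bookings"] < min_requests:
            continue  # too little data to judge
        too_fast = s["min_delta"] is not None and s["min_delta"] < min_human_delta
        if look_to_book(s) > max_ratio and too_fast:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in client_stats(SAMPLE_LOG).items():
        print(client, "look-to-book:", look_to_book(s), "min delta:", s["min_delta"])
    print("flagged:", flag_harvesters(SAMPLE_LOG))
```

The thresholds are deliberately conservative defaults; in practice they come from the site's own historical look-to-book baseline, and the output feeds the event-correlation and monitoring steps rather than blocking on its own.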
Solutions: All you need, nothing you don’t.
• Token session + page session
  • The server sends a token (created from the original inputs, aka credentials, etc.) to the user.
  • It regenerates every X seconds/minutes (tune this to your level of paranoia).
  • The web server creates the links in the HTML not with the classic URL but with the token, and maps the token to the real URLs.
    • http://www.foo.com/page.jsp?acc=1000&type=current
    • http://www.foo.com/page.jsp?token=fjweofji235233
• Delta between clicks
• Event correlation
• Content presentation (images)
• CAPTCHAs
• Web servers: AJAX makes crawling far more complex
• Monitoring
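The token session and the delta-between-clicks ideas on this slide, as an added Python example that is not the talk's code (the slide shows JSP-style URLs): a server-side session object keeps a random-token-to-real-query map that never leaves the server, throws the whole map away every ROTATE_AFTER seconds so tokens regenerate, and refuses a click that lands closer than MIN_CLICK_DELTA to the previous one. The class and constant names, both thresholds and the FakeClock are assumptions made for the example.

```python
"""Added example (not from the talk): token-mapped links with rotation
and a delta-between-clicks check, kept in server-side session state."""
import secrets
import time

ROTATE_AFTER = 60.0     # seconds a token set stays valid; the talk's "X seconds/minutes"
MIN_CLICK_DELTA = 0.5   # seconds; two clicks closer than this look automated


class LinkError(ValueError):
    """Raised when a token is unknown, rotated out, or clicked too fast."""


class FakeClock:
    """Injectable clock so the rotation logic can be exercised without sleeping."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class TokenizedSession:
    """State for one user session (an assumed design, not the talk's implementation).

    Pages are rendered with /page.jsp?token=<random> instead of the real query
    string. Because the token -> query map stays on the server and is rebuilt
    every ROTATE_AFTER seconds, a harvester that reverse-engineers one page
    cannot synthesise requests for others or replay old links.
    """

    def __init__(self, now=time.time):
        self.now = now
        self._links = {}            # token -> real query string
        self._issued_at = now()     # when the current token set was created
        self._last_click = None

    def _rotate_if_stale(self):
        # Drop the whole token set once it is older than ROTATE_AFTER.
        if self.now() - self._issued_at >= ROTATE_AFTER:
            self._links = {}
            self._issued_at = self.now()

    def render_link(self, real_query):
        """Return the URL to put in the HTML instead of the classic one."""
        self._rotate_if_stale()
        token = secrets.token_urlsafe(12)   # unguessable, unlike acc=1000
        self._links[token] = real_query
        return f"/page.jsp?token={token}"

    def resolve(self, token):
        """Map a clicked token back to the real query string.

        Rejects tokens from a rotated-out set and clicks arriving faster
        than a person plausibly produces them (delta between clicks).
        """
        self._rotate_if_stale()
        if token not in self._links:
            raise LinkError("unknown or expired token")
        t = self.now()
        if self._last_click is not None and t - self._last_click < MIN_CLICK_DELTA:
            raise LinkError("click delta too small")
        self._last_click = t
        return self._links[token]


def token_of(url):
    """Pull the token out of a rendered /page.jsp?token=... URL."""
    return url.split("token=", 1)[1]


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    session = TokenizedSession(now=clock)
    link = session.render_link("acc=1000&type=current")
    print("rendered:", link)
    clock.t = 1001.0
    print("resolves to:", session.resolve(token_of(link)))
    clock.t = 1100.0
    try:
        session.resolve(token_of(link))
    except LinkError as e:
        print("after rotation:", e)
```

A page whose token set has rotated simply needs to be rendered again; the cost of that refresh is the knob the slide calls "accommodate this to paranoia", and the click-delta threshold should be tuned the same way so that a fast but human user is not locked out.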