Weaponizing the Web – Shawn Moyer & Nathan Hamiel
Nathan and Shawn were two of my favorite speakers so far. They are both very smart and awesome guys; buy them a beer 🙂
On that note, their talk about weaponizing the web was pretty damn cool to sit in on. For the majority of their talk they reviewed why the social web is such an easily corruptible environment. User-generated content on an increasing number of supremely popular sites is the giant attack surface. User-driven, social, collaborative content, blogs, wikis, and web communities are everywhere you look. Sometimes these things are even being integrated into “old” web media.
Some examples of issues that have popped up in recent times that Nathan and Shawn covered were Moot being voted as Time’s person of the year, post-Michael Jackson celebrity death hoaxes causing “legitimate” news sources to run false stories (RIP Jeff Goldblum), and the New York Times aggregation fail where an article about HTML injection propagated HTML injection.
The emerging socialized web is creating a popular platform for multi-site aggregation, which in the attacker’s eyes equals return on investment: multi-point attack surfaces, APIs, “Digg This!”, etc.
“Malware-like” legitimate functionality is becoming more widely accepted as tolerable, such as silent updates, calling home, and offsite links.
Here is the awesome part: Nathan has released a new tool. He calls it MonkeyFist and it is a PoC dynamic CSRF tool. It includes a small Python web server, builds payloads/patterns based on the referrer, automates per-request “dynamic” CSRF, and constructs hidden POSTs and redirects.
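The flip side of a referrer-driven CSRF tool is the server-side check that stops it. The snippet below is an added example (not MonkeyFist's code, and not from the talk) showing the two controls that defeat hidden cross-site POSTs and redirects: requiring the browser-supplied Origin/Referer to belong to the application, and requiring a per-session anti-CSRF token on every state-changing request. The allowed origin and the dict-based request/session shapes are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example; a real app reads these from its configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session anti-CSRF token and return it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(value: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return ""          # covers a missing header and the literal "null" Origin
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method: str, headers: dict, form: dict, session: dict) -> tuple:
    """Return (allowed, reason) for one request.

    Safe methods pass. A state-changing request must (1) carry an Origin or
    Referer from an allowed origin and (2) echo the session's token. A hidden
    POST launched from a third-party page fails (1), because the browser fills
    Origin/Referer with that page, and fails (2), because the attacker's page
    cannot read the victim's session to learn the token.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    source = headers.get("Origin") or headers.get("Referer") or ""
    origin = _origin_of(source)
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin or 'missing'}"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    return True, "ok"
```

Rejecting requests with a missing Origin/Referer is the strict choice; some legitimate clients strip Referer, so the token check is the control that must never be skipped.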