1 / 9

Web Application Harvesting

Web Application Harvesting. Esteban Ribi čić - Individual Member - Speaker kisero at gmail dot com. Title. Content Who am I and what is all this about? How we got here? Spidering, Scrapping, “depth web”, Harvesting Example So how does it work? How does it relates to security?

Download Presentation

Web Application Harvesting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web Application Harvesting Esteban Ribičić - Individual Member - Speaker kisero at gmail dot com

  2. Title • Content • Who am I and what is all this about? • How we got here? • Spidering, Scrapping, “depth web”, Harvesting • Example • So how does it work? • How does it relates to security? • Examples • All you need, nothing you don’t. • The right solution for the specific scenario. • Conclusions

  3. Who am I? • What I did • Application Developer • Linux Administrator (ISP and Portals) • Network & Security Engineer • Solution Architect and PM • Lead Web App. Developments • Full time boyfriend • Article Objective • “Expose to the web (and security) community, that a trivial technique as harvesting could be lethal for the online business (the one that pays our bills).”

  4. How did we get here? • Origins: Spidering, Search Engines boom. • Scrapping: no agreement on what to share. • Deep Web definition. • Harvesting comes to play.

  5. How does it work? • Ingredients: • Perform reverse engineering on the target Web Application. • Re-create a normal request with a piece of code. • Run it with multiple threads. • Fast “Clicking” run them all quick!

  6. How does it relates to security?Social Network Example • Brute Force attack • Session (cookies) • Login portal • Subject Oriented SPAM • Privacy Disclosure • DoS Attacks • Storage Exhaustion • Request Exhaustion • Etc…

  7. How does it relates to security?Airline Example • Ratio between search / operations sold will increase. • Database off-load or mining. • Harvested: Ratio between processing capacity / request and SLO’s are lost, $ comes in to the game.

  8. Solutions: All you need, nothing you don’t. • Token Session + Page Session • The server sends a token (created based on the original inputs –aka: credentials, etc) to the user. • Regenerates every X seconds/minutes –accommodate this to paranoia- • The web servers creates links on the html not based on classic url but using the token and mapping this to the real urls. • http://www.foo.com/page.jsp?acc=1000&type=current • http://www.foo.com/page.jsp?token=fjweofji235233 • Delta between clicks • Event Correlation • Content Presentation (images) • CAPTCHAS • Web servers, AJAX makes crawling far more complex • Monitoring

  9. Dziekuje!and let’s go for a beer….

More Related