DDOS with CSRF?

Post by hellow533 on Sat Apr 06, 2013 12:11 pm

So let's see if I have the concept correct or not.

I set up a website that automatically sends a partial request to example.com.
example.com has a 60-second timeout before canceling the request, but for those 60 seconds a connection port is sitting there waiting.

I use CSRF to pop the link to my magic website into an image code, which shows up to you as either a broken link, or text. However, you are actually being routed to my website, which is effectively transferring you to example.com with an incomplete request. Because of this incomplete request being due to a transfer, the attack looks like it's actually coming from whoever sees this image (or it may look like it's coming from my website, whatever the case). So if I have 500 people look at the "image" at one time, they are actually partially requesting example.com.

That about correct?
“Teach me how to hack!”
"What, like, with an axe?"


Re: DDOS with CSRF?

Post by 3vilp4wn on Sat Apr 06, 2013 1:40 pm

hellow533 wrote: I set up a website that automatically sends a partial request to example.com

You're doing it wrong already. If someone sends a request to *your* site, only one computer is doing it, thus it's a DoS.

Other than that, it's all good. So, just request the site from the image in the first place. In fact, I did something similar to Google recently. Search for "3vilp4wn", and look at the autosuggest.

Do not mistake understanding for realization, and do not mistake realization for liberation
Evil Ninja Hackers
???
٩(͡๏̯͡๏)۶



Re: DDOS with CSRF?

Post by hellow533 on Sat Apr 06, 2013 2:02 pm

Fair enough, and good point; I'm used to typing directed as a part of it now. Anyway, I have no plans on doing this; I just wanted to know if it could be done, is all.

I don't think I can make a partial request through the image alone when using CSRF; that's why I thought of using channels instead. CSRF to example1.com, example1.com makes a partial request to example2.com.

Otherwise you'd just be giving example2.com full requests, which really won't tie up much. I guess it depends who's hosting example1 (your website).

If you're actually going to host the website on your own server, you'd be better off attacking the other server with your own partial requests instead.
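From the receiving site's side, requests triggered by an image tag embedded on someone else's page arrive from many unrelated client IPs that share one off-site Referer. The sketch below is an added example, not part of the thread: it scans access-log lines for that pattern, and the combined log format, the host names, the addresses and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed combined log format: ip - - [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"'
)

# Constructed sample lines (documentation address ranges, made-up referers).
SAMPLE = [
    '192.0.2.10 - - [06/Apr/2013:12:11:01 +0000] "GET / HTTP/1.1" 200 512 "http://forum.example.net/viewtopic.php?t=1" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Apr/2013:12:11:03 +0000] "GET / HTTP/1.1" 200 512 "http://forum.example.net/viewtopic.php?t=1" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Apr/2013:12:11:09 +0000] "GET / HTTP/1.1" 200 512 "http://forum.example.net/viewtopic.php?t=1" "Mozilla/5.0"',
    '192.0.2.44 - - [06/Apr/2013:12:11:10 +0000] "GET /about HTTP/1.1" 200 900 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.45 - - [06/Apr/2013:12:15:00 +0000] "GET / HTTP/1.1" 200 512 "http://blog.example.org/post" "Mozilla/5.0"',
    '192.0.2.46 - - [06/Apr/2013:12:20:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def cross_site_bursts(lines, own_host, window=timedelta(seconds=60), min_clients=3):
    """Map each off-site Referer host to the largest number of distinct client
    IPs it sent within any one window, keeping hosts that reach min_clients."""
    hits = defaultdict(list)  # referer host -> [(timestamp, client ip)]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        ref_host = urlsplit(m["ref"]).hostname
        if ref_host is None or ref_host == own_host:
            continue  # no Referer ("-") or same-site navigation
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[ref_host].append((ts, m["ip"]))
    flagged = {}
    for ref_host, events in hits.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({ip for _, ip in events[start:end + 1]}))
        if best >= min_clients:
            flagged[ref_host] = best
    return flagged

if __name__ == "__main__":
    print(cross_site_bursts(SAMPLE, "example.com"))
```

Browsers can omit the Referer header (for example under a restrictive Referrer-Policy), so a result like this is a triage signal to combine with per-client rate limits and request timeouts rather than a complete detector.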


