SlideShare a Scribd company logo
1 of 27
Download to read offline
The Patsy Proxy
Getting Others To Do Your Dirty Work
Who we are
 Jen Savage
◦ Software Developer
◦ @savagejen
 Dan Crowley
◦ Managing Consultant at Trustwave
SpiderLabs
◦ @dan_crowley
What is a patsy proxy?
 Patsy (noun): A person who is easily
taken advantage of
 Proxy (noun): A person authorized to
act on the behalf of another
 A patsy proxy is anything that can be
used to unwittingly perform an attack
on the behalf of another.
Advantages of a patsy proxy
 Proxy owner is unaware of proxy
 Target is unaware that victim acts as
proxy
◦ Not publicly listed as a proxy
◦ No traditional proxy service on victim
 Logging unlikely
 IP may be privileged
Disadvantages of a patsy
proxy
 Attack capabilities may be limited
◦ May be blind
◦ May change the traffic
◦ May have a time delay
◦ May pass only certain types of traffic
 What is inside the black box?
◦ May be logged
On patsy limitations
 Patsy only allows GET params
◦ Many applications accept POST params
in GET
 Patsy only makes HEAD requests
◦ Many applications process HEAD/GET
the same
 No data will be returned
 DoS capability severely limited
 Patsy is blind
◦ Many attacks can be launched blind
Malicious uses of a patsy
proxy
Frame Someone
 Post threats, harass people, etc
 Access illegal materials
 Launch attacks
Anonymize an attack
 Attack will trace back to the patsy
◦ Is the patsy logging?
 Traditional attacks
◦ SQLi
◦ RFI
◦ DoS
Bypass IP address filtering
 Evade IP blacklist
◦ IP ban
◦ Sites which disallow proxies
 Exploit IP trust relationships
◦ Business partnerships
◦ Proxies usually disallow internal access
 Not the case with unintentional proxying
Methods to achieve a patsy
proxy
Automated Services
 URL shorteners & un-shorteners
 Web Spiders
 Twitter bots
 “Upload from URL” functionality
 Webpage translation utilities
 Link preview functionality
GOOGLE TRANSLATE
“Translate” a web page
FACEBOOK
Status update preview
Automated Services
 Malware Scanning Utilities
 Mail Gateway Scanners
◦ Thanks to Jcran for his Project Tuna data:
tuna.pentestify.com/emails
 Other
 Good job Google on the Google Safe
Browsing Database!
CLAMAV
In certain configurations, URLs in emails are
checked for malware
GEOCITIES-IZER
Hack like it’s 1996
UNKNOWN MAIL
GATEWAY AV
With ROT13 power
Traditional Vulns
 XSS / HTML Injection
 XML injection (XXE)
 SQLi
 RFI
Social Engineering
 Worth mentioning
 Not worth in-depth explanation
Could it be a vulnerability?
Recursive DoS
 Point the patsy back at itself
 Traffic amplification factor:
◦ MAX_URI / patsy URI length * 2
 Tack a large resource onto the last
iteration
 20 requests resulted in 30 minutes
downtime
◦ Over the LAN!
RECURSIVE DOS
“If it’s stupid but it works, it isn’t stupid.”
patsy.php contained fopen($_GET['site'], 'r');
WAF bypass
 Recurse once
 Double encode attack
Web
Server
WAF
Mal
DDoS through patsies
 I have 2MB up
 I have 30 patsies, each 15MB up
 I have Python
 By your powers combined…
 …I AM CAPTAIN DOWNTIME
Access to Internal Networks
 Modern proxies enforce boundaries
between internal / external
 Unintentional proxies may allow
boundary violation
◦ http://patsy.com/?site=http://10.0.0.1/admi
n.htm
Conclusion
 Attribution is Hard(er)
◦ An IP address is not a person
 IP address filtering is ineffective
 Think before generating traffic for
users
 User education is valuable for users,
too
◦ Don’t Take Candy from Internet Strangers

More Related Content

What's hot

Daniel billing exploring the security testers toolbox
Daniel billing   exploring the security testers toolboxDaniel billing   exploring the security testers toolbox
Daniel billing exploring the security testers toolboxRomania Testing
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchLior Rotkovitch
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8Pavan M
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRFPotato
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
 
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP Frank Victory
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 

What's hot (12)

Daniel billing exploring the security testers toolbox
Daniel billing   exploring the security testers toolboxDaniel billing   exploring the security testers toolbox
Daniel billing exploring the security testers toolbox
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitch
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equal
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
 
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP Phishing Forensics - SnowFROC - Denver Chapter of OWASP
Phishing Forensics - SnowFROC - Denver Chapter of OWASP
 
Is your app secure
Is your app secureIs your app secure
Is your app secure
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web Services
 

Similar to The Patsy Proxy

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
cybersecurity unit 5 basics of cybersecurity
cybersecurity unit 5 basics of cybersecuritycybersecurity unit 5 basics of cybersecurity
cybersecurity unit 5 basics of cybersecurityJayaMishra170943
 
Case Study on Property Portal Data Security
Case Study on Property Portal Data SecurityCase Study on Property Portal Data Security
Case Study on Property Portal Data SecurityProperty Portal Watch
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSideOWASP EEE
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Matt Lacey
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the livingJaredPeck
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityImperva Incapsula
 
Proxy Server: A Comprehensive Guide
Proxy Server: A Comprehensive GuideProxy Server: A Comprehensive Guide
Proxy Server: A Comprehensive GuideHTS Hosting
 
Web api security
Web api securityWeb api security
Web api security9xdot
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 

Similar to The Patsy Proxy (20)

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
Uses of proxies
Uses of proxiesUses of proxies
Uses of proxies
 
cybersecurity unit 5 basics of cybersecurity
cybersecurity unit 5 basics of cybersecuritycybersecurity unit 5 basics of cybersecurity
cybersecurity unit 5 basics of cybersecurity
 
How does proxy works?
How does proxy works?How does proxy works?
How does proxy works?
 
Case Study on Property Portal Data Security
Case Study on Property Portal Data SecurityCase Study on Property Portal Data Security
Case Study on Property Portal Data Security
 
Web Services Security
Web Services SecurityWeb Services Security
Web Services Security
 
[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide[Bucharest] #DontTrustTheDarkSide
[Bucharest] #DontTrustTheDarkSide
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Raising the dead to save the living
Raising the dead to save the livingRaising the dead to save the living
Raising the dead to save the living
 
A DevOps Guide to Web Application Security
A DevOps Guide to Web Application SecurityA DevOps Guide to Web Application Security
A DevOps Guide to Web Application Security
 
Proxy Servers & Firewalls
Proxy Servers & FirewallsProxy Servers & Firewalls
Proxy Servers & Firewalls
 
Proxy Server: A Comprehensive Guide
Proxy Server: A Comprehensive GuideProxy Server: A Comprehensive Guide
Proxy Server: A Comprehensive Guide
 
Web api security
Web api securityWeb api security
Web api security
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 

More from BaronZor

No-Knowledge Crypto Attacks
No-Knowledge Crypto AttacksNo-Knowledge Crypto Attacks
No-Knowledge Crypto AttacksBaronZor
 
Home Invasion 2.0 - DEF CON 21 - 2013
Home Invasion 2.0 - DEF CON 21 - 2013Home Invasion 2.0 - DEF CON 21 - 2013
Home Invasion 2.0 - DEF CON 21 - 2013BaronZor
 
Why UPnP is awesome and terrifying
Why UPnP is awesome and terrifyingWhy UPnP is awesome and terrifying
Why UPnP is awesome and terrifyingBaronZor
 
Advanced SQL Injection with SQLol
Advanced SQL Injection with SQLolAdvanced SQL Injection with SQLol
Advanced SQL Injection with SQLolBaronZor
 
Jack of all Formats
Jack of all FormatsJack of all Formats
Jack of all FormatsBaronZor
 
Daniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesDaniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesBaronZor
 
Windows File Pseudonyms
Windows File PseudonymsWindows File Pseudonyms
Windows File PseudonymsBaronZor
 

More from BaronZor (7)

No-Knowledge Crypto Attacks
No-Knowledge Crypto AttacksNo-Knowledge Crypto Attacks
No-Knowledge Crypto Attacks
 
Home Invasion 2.0 - DEF CON 21 - 2013
Home Invasion 2.0 - DEF CON 21 - 2013Home Invasion 2.0 - DEF CON 21 - 2013
Home Invasion 2.0 - DEF CON 21 - 2013
 
Why UPnP is awesome and terrifying
Why UPnP is awesome and terrifyingWhy UPnP is awesome and terrifying
Why UPnP is awesome and terrifying
 
Advanced SQL Injection with SQLol
Advanced SQL Injection with SQLolAdvanced SQL Injection with SQLol
Advanced SQL Injection with SQLol
 
Jack of all Formats
Jack of all FormatsJack of all Formats
Jack of all Formats
 
Daniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic OraclesDaniel Crowley - Speaking with Cryptographic Oracles
Daniel Crowley - Speaking with Cryptographic Oracles
 
Windows File Pseudonyms
Windows File PseudonymsWindows File Pseudonyms
Windows File Pseudonyms
 

Recently uploaded

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Recently uploaded (20)

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

The Patsy Proxy

  • 1. The Patsy Proxy Getting Others To Do Your Dirty Work
  • 2. Who we are  Jen Savage ◦ Software Developer ◦ @savagejen  Dan Crowley ◦ Managing Consultant at Trustwave SpiderLabs ◦ @dan_crowley
  • 3. What is a patsy proxy?  Patsy (noun): A person who is easily taken advantage of  Proxy (noun): A person authorized to act on the behalf of another  A patsy proxy is anything that can be used to unwittingly perform an attack on the behalf of another.
  • 4. Advantages of a patsy proxy  Proxy owner is unaware of proxy  Target is unaware that victim acts as proxy ◦ Not publicly listed as a proxy ◦ No traditional proxy service on victim  Logging unlikely  IP may be privileged
  • 5. Disadvantages of a patsy proxy  Attack capabilities may be limited ◦ May be blind ◦ May change the traffic ◦ May have a time delay ◦ May pass only certain types of traffic  What is inside the black box? ◦ May be logged
  • 6. On patsy limitations  Patsy only allows GET params ◦ Many applications accept POST params in GET  Patsy only makes HEAD requests ◦ Many applications process HEAD/GET the same  No data will be returned  DoS capability severely limited  Patsy is blind ◦ Many attacks can be launched blind
  • 7. Malicious uses of a patsy proxy
  • 8. Frame Someone  Post threats, harass people, etc  Access illegal materials  Launch attacks
  • 9. Anonymize an attack  Attack will trace back to the patsy ◦ Is the patsy logging?  Traditional attacks ◦ SQLi ◦ RFI ◦ DoS
  • 10. Bypass IP address filtering  Evade IP blacklist ◦ IP ban ◦ Sites which disallow proxies  Exploit IP trust relationships ◦ Business partnerships ◦ Proxies usually disallow internal access  Not the case with unintentional proxying
  • 11. Methods to achieve a patsy proxy
  • 12. Automated Services  URL shorteners & un-shorteners  Web Spiders  Twitter bots  “Upload from URL” functionality  Webpage translation utilities  Link preview functionality
  • 15. Automated Services  Malware Scanning Utilities  Mail Gateway Scanners ◦ Thanks to Jcran for his Project Tuna data: tuna.pentestify.com/emails  Other  Good job Google on the Google Safe Browsing Database!
  • 16. CLAMAV In certain configurations, URLs in emails are checked for malware
  • 19. Traditional Vulns  XSS / HTML Injection  XML injection (XXE)  SQLi  RFI
  • 20. Social Engineering  Worth mentioning  Not worth in-depth explanation
  • 21. Could it be a vulnerability?
  • 22. Recursive DoS  Point the patsy back at itself  Traffic amplification factor: ◦ MAX_URI / patsy URI length * 2  Tack a large resource onto the last iteration  20 requests resulted in 30 minutes downtime ◦ Over the LAN!
  • 23. RECURSIVE DOS “If it’s stupid but it works, it isn’t stupid.” patsy.php contained fopen($_GET['site'], 'r');
  • 24. WAF bypass  Recurse once  Double encode attack Web Server WAF Mal
  • 25. DDoS through patsies  I have 2MB up  I have 30 patsies, each 15MB up  I have Python  By your powers combined…  …I AM CAPTAIN DOWNTIME
  • 26. Access to Internal Networks  Modern proxies enforce boundaries between internal / external  Unintentional proxies may allow boundary violation ◦ http://patsy.com/?site=http://10.0.0.1/admi n.htm
  • 27. Conclusion  Attribution is Hard(er) ◦ An IP address is not a person  IP address filtering is ineffective  Think before generating traffic for users  User education is valuable for users, too ◦ Don’t Take Candy from Internet Strangers

Editor's Notes

  1. Jen, Dan
  2. Dan, Jen
  3. Dan
  4. Jen
  5. Jen
  6. Dan
  7. Jen
  8. Dan
  9. Jen
  10. Jen
  11. Jen
  12. Dan
  13. Jen
  14. Dan