The concept of web-based DDoS is not new. Attacks based on refreshing images and scripts have been around for a good while. The use of HTML5 cross-origin requests to perform these attacks at much higher rates, combined with URL shortening obfuscation, is, afaik, a new concept. That is not to say that others hadn't thought of it, but I certainly haven't seen it implemented anywhere.
But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresight is rare.
Thank you for pointing out the extra http:/// issue, it's been fixed in the live version. Bug leftover from an earlier test version.
The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.
As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.
You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
For all those who can no longer use Scroogle, but are worried about their privacy while using Google's services, the Firefox plugin Google Sharing allows you to maintain anonymity on all of Google's unauthenticated services. Might be worth looking into.
Slashdot Mirror
The concept of web-based DDoS is not new. Attacks based on refreshing images and scripts have been around for a good while. The use of HTML5 cross-origin requests to perform these attacks at much higher rates, combined with URL shortening obfuscation, is, afaik, a new concept. That is not to say that others hadn't thought of it, but I certainly haven't seen it implemented anywhere.
But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresight is rare.
I'm not sure if I should be flattered or worried that my PoC got lumped in with Conficker and IE 0-days...
Thank you for pointing out the extra http:/// issue, it's been fixed in the live version. Bug leftover from an earlier test version.
The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.
As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.
You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
Metasploit module
For all those who can no longer use Scroogle, but are worried about their privacy while using Google's services, the Firefox plugin Google Sharing allows you to maintain anonymity on all of Google's unauthenticated services. Might be worth looking into.
has had this functionality for months now...
http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe
Now, it's entirely possible that he found this on his own. But it's not exactly a new development...
Also, before anyone goes and claims to have found a way to get Java applets to execute arbitrary code as well:
http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_signed_applet.rb