Goals:
- write secure software
- kill bad bots
- scrape nimbly
Tuesday, June 30, 15
More info on logos in previous slide
• Ubiquiti botnet: https://threatpost.com/default-credentials-lead-to-massive-ddos-for-hire-botnet/112767
• Hola selling users' bandwidth in botnet: http://www.digitaltrends.com/computing/hola-found-to-be-selling-users-internet-bandwidth-as-botnet/
• "GoodGoogle" exhausting competitor AdSense budgets: http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/
• RecordedFuture: https://en.wikipedia.org/wiki/Recorded_Future
http://www.cnet.com/news/bots-now-running-the-internet-with-61-percent-of-web-traffic/
Bots & Hacks
XSS
More info on logos in previous slide
• LifeLock XSS: http://techcrunch.com/2015/06/30/vulnerability-in-security-service-lifelock-could-have-exposed-logins-and-passwords/
• Facebook doubles bug bounty: https://threatpost.com/facebook-to-double-bounty-payouts-for-ad-code-bugs/108863
• Apple CelebGate: http://appadvice.com/appnn/2014/09/apple-knew-of-icloud-vulnerabilities-that-led-to-celebgate-since-march-2014
• eBay XSS password-stealing bug: https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
• Google.com XSS vulnerabilities: http://news.softpedia.com/news/Experts-Find-DOM-Based-XSS-Vulnerability-in-Google-com-305585.shtml
Scrapers
Python Mechanize
Detection & Prevention
- Browser fingerprinting
- Traffic patterns
- CAPTCHA, reCAPTCHA
- Obfuscation (AJAX, headers, etc.)
- Trap and sleep()
Web Bots CTF
Attackers
You manage to control a script that the defenders have included on their website.
A) Modify this script to steal a cookie or username / password data
B) Automate making it past the captcha
C) Scrape all the content from behind the login
D) Don’t take the server down!
Defenders
Pretend you missed the XSS vulnerability (or rely on a compromised script for your website to function)... and secure everything else.
A) Make it a bit harder for bots to login
B) Set some traps, make sure you hide them!
C) Try to differentiate legitimate users from bots
D) Don’t let the server go down!
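The "Trap and sleep()" and "Traffic patterns" items on the Detection & Prevention slide, and defender tasks B and C above, amount to the same defensive loop: plant a hidden link that only an automated link-follower requests, watch per-client request rates, and slow flagged clients down rather than blocking them outright. The script below is an added example (not part of the original deck) that runs that triage over constructed access-log lines; the trap path, the 30-requests-per-minute ceiling and the penalty values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

TRAP_PATH = "/internal/keep-out"  # hypothetical hidden link humans never see (assumption)
MAX_REQ_PER_MIN = 30              # assumed ceiling for human browsing speed
PENALTY_SECONDS = {"trap": 10.0, "rate": 2.0}  # sleep() added to each response once flagged

# Apache/nginx "combined" access-log format; only ip, timestamp and path are kept.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "[^"]*"')

# Constructed sample log: one human, one scraper that followed the trap link,
# and one client that bursts 40 requests in 40 seconds.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2015:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2015:10:00:09 +0000] "GET /account HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Jun/2015:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Python-urllib/2.7"',
    '198.51.100.9 - - [30/Jun/2015:10:00:02 +0000] "GET /internal/keep-out HTTP/1.1" 200 10 "-" "Python-urllib/2.7"',
] + [f'192.0.2.5 - - [30/Jun/2015:10:01:{i:02d} +0000] "GET /item/{i} HTTP/1.1" 200 300 "-" "Mozilla/5.0"'
     for i in range(40)]

def parse(line):
    """Parse one log line into a dict with an aware timestamp; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(lines):
    """Return {ip: {"reasons": set, "delay": seconds}} for clients that trip a rule."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        reasons = set()
        recs.sort(key=lambda r: r["ts"])
        if any(r["path"] == TRAP_PATH for r in recs):
            reasons.add("trap")  # only an automated link-follower lands here
        # Traffic pattern: MAX_REQ_PER_MIN + 1 requests falling inside one 60 s window.
        if any((recs[i]["ts"] - recs[i - MAX_REQ_PER_MIN]["ts"]).total_seconds() < 60
               for i in range(MAX_REQ_PER_MIN, len(recs))):
            reasons.add("rate")
        if reasons:
            verdicts[ip] = {"reasons": reasons, "delay": sum(PENALTY_SECONDS[k] for k in reasons)}
    return verdicts
```

The request handler would look up the client's `delay` and `time.sleep()` for that long before responding, which is what makes the trap cheap for the defender and expensive for the scraper.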
Web Bots - CTF Game