30th December 2011
Administrator | Join Date: May 2008 | Location: Budel - the Netherlands | Posts: 4,131
28C3: Denial-of-Service attacks on web applications made easy
From http://h-online.com/-1401863
Quote:
At the 28th Chaos Communication Congress (28C3) in Berlin on Wednesday, security researchers pointed out dangerous vulnerabilities in popular scripting languages and web application platforms such as PHP, ASP.NET, Java and Python. Alexander 'alech' Klink from security firm n.runs and TU Darmstadt researcher Julian Wälde warned that the hashing methods used to find individual objects in large amounts of data are vulnerable to simple attacks which could, in turn, be exploited to launch massive "Denial-of-Service" (DoS) attacks.
[snip]
Klink explained that web programming languages tend to use the DJBX33A or DJBX33X hash functions developed by Daniel Bernstein. He said that identical string segments can be detected, and the described collisions triggered, in DJBX33A; this hash function is used in such languages as PHP5, Ruby 1.8 and Java, as well as in systems based on Java, such as Tomcat and Glassfish. PHP4, ASP.NET, Python and JavaScript use DJBX33X or comparable algorithms and can be compromised via "Meet in the Middle" attacks, added Klink.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
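Added example (mine, not from the post above or from the 28C3 talk): a small Python sketch of what the quote describes for DJBX33A, written from the defender's side. It implements the hash as the standard "times 33 plus" definition, shows why two short strings whose character differences cancel collide under any starting seed (so simply re-seeding this hash does not close the hole, which is why platforms moved to parameter caps and to keyed hashes such as SipHash), measures the chain length a fixed-size chained table ends up with, and applies the countermeasure of capping the number of request parameters before they are hashed. The key pair "Ez"/"FY", the 64-bucket table and the 1000-variable cap are constructed values for the demo, not figures from the talk.

```python
from __future__ import annotations

from collections import defaultdict
from urllib.parse import unquote_plus


def djbx33a(s: str, seed: int = 5381) -> int:
    """DJBX33A ('times 33 plus'): h = h*33 + c per byte, truncated to 32 bits."""
    h = seed
    for byte in s.encode("utf-8"):
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h


def collide_for_any_seed(a: str, b: str,
                         seeds=(5381, 0, 1, 0xDEADBEEF, 2**31 - 1)) -> bool:
    """True if a and b collide under DJBX33A for every seed tried.

    For equal-length strings the hash is seed*33**n plus a seed-independent term,
    so if the per-position differences cancel (33*(c1 - c1') + (c2 - c2') == 0)
    the strings collide whatever the starting value. Adding a random seed to this
    hash alone therefore does not remove the collisions.
    """
    return all(djbx33a(a, s) == djbx33a(b, s) for s in seeds)


def colliding_keys() -> list[str]:
    """Constructed sample: 'Ez' and 'FY' collide (33*(70-69) + (89-122) == 0), and any
    concatenation of colliding blocks collides too, because the hash state after
    each block is identical. This is the 'identical string segments' property."""
    blocks = ("Ez", "FY")
    return [x + y for x in blocks for y in blocks]  # 4 keys, one hash value


def max_chain_length(keys, n_buckets: int, hash_fn=djbx33a) -> int:
    """Insert keys into a chained table of fixed size and return the longest chain.

    The longest chain is the per-lookup cost; when every key collides it grows to
    len(keys), so inserting n such keys costs O(n^2) total work."""
    buckets: dict[int, list[str]] = defaultdict(list)
    for k in keys:
        buckets[hash_fn(k) % n_buckets].append(k)
    return max(len(chain) for chain in buckets.values())


# Constructed default for the demo; the idea is the same as PHP's max_input_vars.
MAX_INPUT_VARS = 1000


def parse_query_limited(query: str, max_vars: int = MAX_INPUT_VARS) -> dict[str, str]:
    """Defensive query-string parser: count parameters *before* inserting anything
    into the hash table, and refuse oversized requests, so a request cannot make
    the table do quadratic work."""
    if not query:
        return {}
    parts = query.split("&")
    if len(parts) > max_vars:
        raise ValueError(f"too many parameters: {len(parts)} > {max_vars}")
    table: dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition("=")
        table[unquote_plus(key)] = unquote_plus(value)
    return table


if __name__ == "__main__":
    keys = colliding_keys()
    print("keys:", keys, "hashes:", [hex(djbx33a(k)) for k in keys])
    print("'Ez'/'FY' collide for every seed tried:", collide_for_any_seed("Ez", "FY"))
    print("max chain, 4 colliding keys into 64 buckets:", max_chain_length(keys, 64))
    print("max chain, 4 distinct keys into 64 buckets:", max_chain_length(list("abcd"), 64))
    try:
        parse_query_limited("&".join(f"{k}={i}" for i, k in enumerate(keys)), max_vars=3)
    except ValueError as exc:
        print("rejected:", exc)
```

The cap is applied to the raw split, before any key is hashed, which is the order that matters: counting after the table has been built is too late. Modern runtimes additionally replaced the hash itself (a keyed hash such as SipHash), since, as `collide_for_any_seed` shows, a random seed on top of a times-33 hash leaves these structural collisions intact.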