[Owasp-leaders] Wiki For Function Injection and Memcached Injection

Matt Tesauro matt.tesauro at owasp.org
Thu Sep 1 17:53:34 UTC 2016


FYI:  Fady - your account just got approved.

Happy wiki editing.

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Thu, Sep 1, 2016 at 11:51 AM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Fady,
>
> While I generally agree with Dave's advice, there's one thing he may not
> know since he's had a wiki account, well, almost forever. ; )
>
> The wiki has been, off and on, flooded with bogus account requests
> starting in early 2016.  At the peak, we were seeing ~700 account requests
> per month with a peak at 966.  Kate has been doing heroic efforts to allow
> only legitimate requests through.  The ones that slip through have been
> SPAM'ing the wiki, in some cases 250+ new or edited pages.  When multiple
> SPAM'ers got through, we had SPAMers editing other SPAMers' pages which
> breaks the built-in wiki cleanup tools.  So much so, that I wrote a custom
> program to clean up really bad SPAM attacks [1].
>
> So, let me know here that you put in a request for a wiki account after
> you confirm your email address per the email sent from the wiki so I can
> get you the access you deserve.
>
> FOR THE REST OF YOU:  At least in the near term, please submit the form
> and confirm your address THEN submit a ticket in the Contact Us form at
> https://www.tfaforms.com/308703 with "IT Support" as your type of help
> and tell us what bit you want to edit/add.  That will help us distinguish
> the real from the bogus.
>
> I have generally not talked much about this primarily to keep the SPAMer
> in the dark in the case they are closely looking at our wiki and mail
> lists.  However, I'd like the community to know why getting a wiki account
> isn't as easy as it once was AND, that we're working on fixing this issue.
> I'll be spending a good chunk of the upcoming US holiday weekend doing
> updates on the wiki for this and other reasons.
>
> ---------
>
> To try to answer potential questions:
>
> (1) Use anti-automation [something] or a CAPTCHA to remove these requests
>
> These are not normal script kiddie blunt automation attacks.  For the
> SPAMer accounts that got through, they submitted a request, verified an
> email address, and submitted a "Contact Us" request asking for their
> account to be approved.  These include getting past a CAPTCHA.  They also
> directly emailed Kate, myself, webmaster at owasp.org, admin at owasp.org at
> various times and for various accounts.
>
> Also, we're asking for a short bio now when you request a wiki account.
> These requests aren't just "asdf" or random text for the bios but decently
> written and legit sounding bios that are unique per request like this
> SPAMer example:
>
> Hi my name is Trilok Sharma. I am a software professional with more than
> 10 years of desktop , web and mobile application development experience. i
> have completed many of the projects. I have expertise in c , c++ , Java ,
> microsoft .net , java script , HTMl , CSS and object reporting technologies
> . i want to create a comutiny for active and well skilled software
> professionals. I have purchased a membership account also. kindly create my
> account. Thanking you.
>
>
> I suspect that the submissions are done by 'wet-ware' aka humans where
> labor costs are low enough to make this effective.  BTW, Trilok Sharma is
> not a paid OWASP member - big surprise. ;)
>
> (2) Why?
>
> I'm not 100% sure on this one.  They have been adding SPAM about
> Quickbooks support services.  Since we average between 7.5 and 8 million
> hits per week on the wiki, I suspect SPAM on our wiki gives them lots of
> Google Foo as far as the search engine is concerned.
>
> (3) Don't they just move to the next target once we stop approving their
> accounts and or start monitoring for SPAM more closely?
>
> It kinda looks like we might be at that point.  The velocity of requests
> is starting to slow down but is still much higher than 'normal'.  There
> have been fewer SPAM cleanups - last one was in early August.  I don't have
> a handle on the value of SPAM'ing our wiki which is a good proxy on how
> much pain we need to add to their interactions with us before they move on.
>
> However, I can say two things about this SPAM'ing effort:
>
> They are patient.  I've seen accounts that got approved stay dormant for
> weeks before 'waking up' and SPAM'ing the wiki.
>
> They are persistent.  I've seen an account sit dormant for a week, wake up
> and start SPAM'ing, then have the SPAM content removed.  After removing the
> SPAM, I noticed HEAD requests for the URL of the SPAM page which 404 after
> removal.  About 2 hours after they start 404'ing, a new SPAM'er account
> wakes up and starts SPAM'ing.
>
> ---------
>
> So, we're working on this and trying to find the right amount of scrutiny
> to place on requests before they get approved.  This may slow you down a
> bit.  We're sorry about that and we're actively working on getting things
> shored up to remove that slow-down.
>
> Cheers!
>
> [1] https://github.com/mtesauro/random-docs/tree/master/scripts/mediawiki/spam-cleanup
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Thu, Sep 1, 2016 at 9:34 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>
>> Fady,
>>
>> That's it. Just request an account on the wiki and it should be approved
>> in short order and then you can create whatever pages you want and edit
>> existing pages as well. 99% of what's on the OWASP wiki is publicly
>> editable by anyone with a wiki account.  And once you have the new pages
>> ready for release, let us all know about them and ask for a quick
>> review/sanity check.
>>
>> Thanks for offering to contribute.
>>
>> -Dave
>>
>>
>> On Thu, Sep 1, 2016 at 9:58 AM, Fady Othman <fady.othman at owasp.org>
>> wrote:
>>
>>> Dears,
>>>
>>> I was discussing "function injection" with a friend of mine who brought
>>> to my attention that a "function injection" page doesn't exist in OWASP
>>> website.
>>>
>>> I also found that there's no "memcached injection" page.
>>>
>>> I can work on both pages if you want but I don't know the steps, should
>>> I simply send a request to sign up for the wiki or is it more complicated
>>> than that?
>>>
>>> Thanks,
>>>
>>> Fady Othman
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>


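The probe-then-wake-up sequence Matt describes (HEAD requests that 404 on a removed SPAM page, then a dormant account activating a couple of hours later) can be turned into a detection rule run over the web server access log and the wiki's account records. The following is an added example, not code from this thread, from Matt's cleanup scripts or from the OWASP wiki tooling. The log lines, page paths, IP addresses, usernames, approval dates and the two thresholds (a 4-hour correlation window and a 7-day dormancy floor) are constructed assumptions.

```python
"""Detect 'probe the deleted page, then wake a dormant account' behaviour.

Everything below is constructed sample data: paths, IPs, account names and
thresholds are assumptions, not values taken from the OWASP wiki.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, enough of it to get method, path, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access log: a normal GET, two HEAD probes of a page that was
# deleted during cleanup, and a HEAD for an unrelated 404 that must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Aug/2016:13:02:11 +0000] "GET /index.php/Main_Page HTTP/1.1" 200 51234
198.51.100.23 - - [25/Aug/2016:13:05:40 +0000] "HEAD /index.php/Quickbooks_Support_Number HTTP/1.1" 404 -
198.51.100.23 - - [25/Aug/2016:13:35:41 +0000] "HEAD /index.php/Quickbooks_Support_Number HTTP/1.1" 404 -
203.0.113.9 - - [25/Aug/2016:13:40:02 +0000] "HEAD /index.php/No_Such_Page HTTP/1.1" 404 -
"""

# Pages removed by the last cleanup (constructed). In practice this list comes
# from the wiki's deletion log, not from hand-maintained constants.
REMOVED_PAGES = {"/index.php/Quickbooks_Support_Number"}

UTC = timezone.utc
# Constructed account records: (username, approved_at, first_edit_at or None).
ACCOUNTS = [
    # approved weeks ago, silent, then first edit ~2h after the probes
    ("late.bloomer", datetime(2016, 8, 1, tzinfo=UTC), datetime(2016, 8, 25, 15, 10, tzinfo=UTC)),
    # approved yesterday and editing today: normal new contributor
    ("regular.contributor", datetime(2016, 8, 24, tzinfo=UTC), datetime(2016, 8, 25, 15, 0, tzinfo=UTC)),
    # approved long ago, never edited
    ("still.dormant", datetime(2016, 7, 15, tzinfo=UTC), None),
]


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def find_probes(log_text, removed_pages):
    """HEAD requests that 404 on a path we deleted: someone checking whether
    the SPAM page is still up. Returns [(timestamp, ip, path), ...]."""
    return [
        (e["ts"], e["ip"], e["path"])
        for e in parse_log(log_text)
        if e["method"] == "HEAD" and e["status"] == 404 and e["path"] in removed_pages
    ]


def find_awakening_accounts(accounts, probes,
                            window=timedelta(hours=4), dormant=timedelta(days=7)):
    """Accounts that sat idle for at least `dormant` after approval and made
    their first edit within `window` after a probe. Returns usernames."""
    flagged = []
    for name, approved_at, first_edit_at in accounts:
        if first_edit_at is None or first_edit_at - approved_at < dormant:
            continue
        if any(timedelta(0) <= first_edit_at - ts <= window for ts, _, _ in probes):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG, REMOVED_PAGES)
    for ts, ip, path in probes:
        print(f"probe {ts.isoformat()} {ip} HEAD {path} -> 404")
    for name in find_awakening_accounts(ACCOUNTS, probes):
        print(f"review account: {name} (first edit shortly after a probe)")
```

The dormancy floor is what keeps a brand-new legitimate contributor such as `regular.contributor` out of the result; the correlation window is what ties the account activity to the probe rather than flagging every late first edit. Both are tuning knobs, and the 2-hour gap Matt observed is the only data point the thread gives for them.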