[Owasp-leaders] Wiki For Function Injection and Memcached Injection

Fady Othman fady.othman at owasp.org
Thu Sep 1 17:55:18 UTC 2016

Thanks Matt,

Cheers! and have a great day.

On Thu, Sep 1, 2016 at 7:53 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> FYI:  Fady - your account just got approved.
> Happy wiki editing.
> Cheers!
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org - Community and Download site
> On Thu, Sep 1, 2016 at 11:51 AM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>> Fady,
>> While I generally agree with Dave's advice, there's one thing he may not
>> know since he's had a wiki account, well, almost forever. ; )
>> The wiki has been, off and on, flooded with bogus account requests
>> starting in early 2016.  At the peak, we were seeing ~700 account requests
>> per month with a peak at 966.  Kate has been doing heroic efforts to allow
>> only legitimate requests through.  The ones that slip through have been
>> SPAM'ing the wiki, in some cases 250+ new or edited pages.  When multiple
>> SPAM'ers got through, we had SPAMers editing other SPAMers' pages which
>> breaks the built-in wiki cleanup tools.  So much so, that I wrote a custom
>> program to clean up really bad SPAM attacks [1].
>> So, let me know here that you put in a request for a wiki account after
>> you confirm your email address per the email sent from the wiki so I can
>> get you the access you deserve.
>> FOR THE REST OF YOU:  At least in the near term, please submit the form
>> and confirm your address THEN submit a ticket in the Contact Us form at
>> https://www.tfaforms.com/308703 with "IT Support" as your type of help
>> and tell us what bit you want to edit/add.  That will help us distinguish
>> the real from the bogus.
>> I have generally not talked much about this primarily to keep the SPAMer
>> in the dark in the case they are closely looking at our wiki and mail
>> lists.  However, I'd like the community to know why getting a wiki account
>> isn't as easy as it once was AND, that we're working on fixing this issue.
>> I'll be spending a good chunk of the upcoming US holiday weekend doing
>> updates on the wiki for this and other reasons.
>> ---------
>> To try to answer potential questions:
>> (1) Use anti-automation [something] or a CAPTCHA to remove these requests
>> These are not normal script kiddie blunt automation attacks.  For the
>> SPAMer accounts that got through, they submitted a request, verified an
>> email address, and submitted a "Contact Us" request asking for their
>> account to be approved.  These include getting past a CAPTCHA.  They also
>> directly emailed Kate, myself, webmaster at owasp.org, admin at owasp.org at
>> various times and for various accounts.
>> Also, we're asking for a short bio now when you request a wiki account.
>> These requests aren't just "asdf" or random text for the bios but decently
>> written and legit sounding bios that are unique per request like this
>> SPAMer example:
>> Hi my name is Trilok Sharma. I am a software professional with more than
>> 10 years of desktop , web and mobile application development experience. i
>> have completed many of the projects. I have expertise in c , c++ , Java ,
>> microsoft .net , java script , HTMl , CSS and object reporting technologies
>> . i want to create a comutiny for active and well skilled software
>> professionals. I have purchased a membership account also. kindly create my
>> account. Thanking you.
>> I suspect that the submissions are done by 'wet-ware' aka humans where
>> labor costs are low enough to make this effective.  BTW, Trilok Sharma is
>> not a paid OWASP member - big surprise. ;)
>> (2) Why?
>> I'm not 100% sure on this one.  They have been adding SPAM about
>> Quickbooks support services.  We average between 7.5 and 8 million
>> hits per week on the wiki, so I suspect SPAM on our wiki gives them lots of
>> Google Foo as far as the search engine is concerned.
>> (3) Don't they just move to the next target once we stop approving their
>> accounts and or start monitoring for SPAM more closely?
>> It kinda looks like we might be at that point.  The velocity of requests
>> is starting to slow down but is still much higher than 'normal'.  There
>> have been fewer SPAM cleanups - last one was in early August.  I don't have
>> a handle on the value of SPAM'ing our wiki, which would be a good proxy for how
>> much pain we need to add to their interactions before they move on.
>> However, I can say two things about this SPAM'ing effort:
>> They are patient.  I've seen accounts that got approved stay dormant for
>> weeks before 'waking up' and SPAM'ing the wiki.
>> They are persistent.  I've seen an account sit dormant for a week, wake up
>> and start SPAM'ing, then have the SPAM content removed.  After removing the
>> SPAM, I noticed HEAD requests for the URL of the SPAM page which 404 after
>> removal.  About 2 hours after they start 404'ing, a new SPAM'er account
>> wakes up and starts SPAM'ing.
>> ---------
>> So, we're working on this and trying to find the right amount of scrutiny
>> to place on requests before they get approved.  This may slow you down a
>> bit.  We're sorry about that and we're actively working on getting things
>> shored up to remove that slow-down.
>> Cheers!
>> [1] https://github.com/mtesauro/random-docs/tree/master/scripts/mediawiki/spam-cleanup
>> On Thu, Sep 1, 2016 at 9:34 AM, Dave Wichers <dave.wichers at owasp.org>
>> wrote:
>>> Fady,
>>> That's it. Just request an account on the wiki and it should be approved
>>> in short order and then you can create whatever pages you want and edit
>>> existing pages as well. 99% of what's on the OWASP wiki is publicly
>>> editable by anyone with a wiki account.  And once you have the new pages
>>> ready for release, let us all know about them and ask for a quick
>>> review/sanity check.
>>> Thanks for offering to contribute.
>>> -Dave
>>> On Thu, Sep 1, 2016 at 9:58 AM, Fady Othman <fady.othman at owasp.org>
>>> wrote:
>>>> Dears,
>>>> I was discussing "function injection" with a friend of mine who brought
>>>> to my attention that a "function injection" page doesn't exist on the OWASP
>>>> website.
>>>> I also found that there's no "memcached injection" page.
>>>> I can work on both pages if you want, but I don't know the steps: should
>>>> I simply send a request to sign up for the wiki, or is it more complicated
>>>> than that?
>>>> Thanks,
>>>> Fady Othman
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders