Explore the potential of browser-based botnets in this 48-minute OWASP Foundation conference talk by Jeremiah Grossman and Matt Johanssen. Discover how online advertising networks can be exploited to distribute malicious JavaScript, creating large-scale browser botnets for pennies. Learn about the real-world implications of this technique, including DDoS attacks, spam campaigns, and password cracking. Examine the power of HTML5 and JavaScript in commandeering browsers without leaving traces. Understand why traditional methods of creating botnets fall short compared to leveraging advertising networks. Gain insights into the economics of browser renting and witness live demonstrations of attacks against well-protected targets. Delve into topics such as Cross-Site Request Forgery, application-level DDoS, and the challenges of web security in this eye-opening presentation.
Million Browser Botnet - Creating a JavaScript-Driven Browser Botnet for DDoS Attacks
Overview
Syllabus
Intro
White Hat Security
Matts Background
How the Web Works
Browser Bots
More Aggressive
Login Detection
Like Button
Internet Hacking
Cross Site Scripting
iframes
Raavan
Application Level Distributed Denial of Service
Browser Scope
Firefox
Conclusion
Traditional Methods
Advertising Ecosystem
Advertising Network
Kobi
Browser Renting
The Economics
The Ad Network
Demo
PhantomJS
Browserminute
Ad Network
Connection Flood
Ass Badge
Traffic
Half a gig
Almost a gig
Total hits
I was still counting up
I had bought 10000
We had tacit permission to Akamai
Deploying the FTP Bypass
Turning it off
Why attack this way
OpenX vulnerability
Web security challenges
Taught by
OWASP Foundation
