Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Stressing a server with iframes
Posted by: Jonas
Date: February 16, 2007 12:58PM

Hi,

My first post here. Be gentle :)

In theory :) I'd like to stress an external website, loading several server-intensive php-scripts in iframes on my website. I have lots of unique ip's.
My problem is changing the referer-variable. This can be done with cgi/php-scripts. But I would then stress my own server.

Can I make these http-request with fake referer-variables any other way?
Any ideas?
Xss/javascript/flash?

Thanks for your time guys!

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: rsnake
Date: February 19, 2007 10:55PM

Flash can create fake headers, and you can get rid of referers entirely with META Refresh. Hope that helps! Good luck DoSing the site. :)

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: Jonas
Date: March 22, 2007 01:23PM

Could you give me some hints as to how I could achieve this? :) Just a few ideas, maybe?

Thanks for your help!

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: rsnake
Date: March 22, 2007 01:48PM

Most of this has been discussed here: http://ha.ckers.org/blog/20060725/forging-http-request-headers-with-flash/

and here: http://ha.ckers.org/blog/20070203/flash-80-fixes-certain-header-spoofing-issues/

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: Jonas
Date: March 22, 2007 02:00PM

rsnake,

Thanks for the links! It seems as if Flash 8 makes faking the referer-variable impossible, right? I guess I just have to use cgi/php if that's the case.

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: rsnake
Date: March 22, 2007 06:16PM

I haven't given up hope that there may be a trick to overwriting them, but I haven't been successful thus far.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: hackathology
Date: March 28, 2007 07:14AM

Nice one..

http://hackathology.blogspot.com

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: Jonas
Date: March 28, 2007 08:55AM

Tell me something...
In regard to the cg-script I'd like to develop...
I say I want to load php-strings in iframes using the visitors ip's...
Problem: won't the cgi-script faking the referer-string overwrite the visitors ip's - so it will be the ip of where the script is loaded that will show up in the logs?

Any way to overcome this problem, besides using proxies?

Thanks!

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: rsnake
Date: March 28, 2007 08:27PM

You can't "fake" IPs other than using proxies or being on the same subnet. However, you can use Location: headers to redirect users. I guess I'm not sure what you are asking when you said "I say I want to load php-strings in iframes using the visitors ip's... " Could you be more clear? It might help me/others come up with ideas on how to do whatever it is you are aiming for.

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: Jonas
Date: March 29, 2007 04:04AM

Okay,

I mean putting an iframe on my website - with the targets php-heavy url inside. Then when a visitor visits my website a cgi-script executes and fakes the referer-string, but still using the visitors ip. This won't work I just found out as it will be the ip of the server where the cgi-script is hosted that will show up in the logs of the target.

Another thing: you wrote that Meta-refresh can strip the 'referer'. Would you share that code?

Thanks!

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: ma1
Date: March 29, 2007 11:05AM

Jonas Wrote:
-------------------------------------------------------
> I mean putting an iframe on my website - with the
> targets php-heavy url inside. Then when a visitor
> visits my website a cgi-script executes and fakes
> the referer-string, but still using the visitors
> ip. This won't work I just found out as it will
> be the ip of the server where the cgi-script is
> hosted that will show up in the logs of the
> target.

In facts, I guess you're stressing your "fake referer" CGI script first, then handling your server's IP to the "victim" (which will be soon after you).

> Another thing: you wrote that Meta-refresh can
> strip the 'referer'. Would you share that code?

Just load this page into your iframe:

<html>
<head>
<meta http-equiv="refresh" content="0;hxxp://yourvictim.com/heavyload.php" />
</head>
</html>

Target web server's log will record your visitor's IP and no referer.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 03/29/2007 02:09PM by ma1.

Options: ReplyQuote
Re: Stressing a server with iframes
Posted by: Jonas
Date: March 29, 2007 11:30AM

Thanks a lot mate!

ma1 Wrote:
-------------------------------------------------------
> Jonas Wrote:
> --------------------------------------------------
> -----
> > I mean putting an iframe on my website - with
> the
> > targets php-heavy url inside. Then when a
> visitor
> > visits my website a cgi-script executes and
> fakes
> > the referer-string, but still using the
> visitors
> > ip. This won't work I just found out as it
> will
> > be the ip of the server where the cgi-script is
> > hosted that will show up in the logs of the
> > target.
>
> In facts, I guess you're stressing your "fake
> referer" CGI script first, then handling your
> server's IP to the "victim" (which will be soon
> after you).
>
> > Another thing: you wrote that Meta-refresh can
> > strip the 'referer'. Would you share that
> code?
>
> Just load this page into your iframe:
>
>
>
>
> http-equiv="refresh"
> content="0;hxxp://yourvictim.com/heavyload.php"
> />
>
>
>
>
> Target web server's log will record your visitor's
> IP and no referer.

Options: ReplyQuote


Sorry, only registered users may post in this forum.