Home page logo

bugtraq logo Bugtraq mailing list archives

Anonymous Web Attacks via Dedicated Mobile Services
From: Petko Petkov <ppetkov () gnucitizen org>
Date: Wed, 20 Jul 2005 10:21:28 +0100

Hash: SHA1
Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Data: 2005 July 16

Security Researcher: Petko Petkov
Contact Information: ppetkov () gnucitizen org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

- ---------

Various Mobile Services provide malicious users with an intermediate
point to anonymously browse Web Resources and execute attacks against

Affected Applications
- ----------------------

 * Google's WMLProxy

- ------------

WAP stands for Wireless Application Protocol, a communication standard
primarily designed for Information Exchange on various Wireless
Terminals such as mobile telephones. WAP devices work with WML
(Wireless Markup Language), a markup language similar to HTML but more
strict because of its XML nature. WML and HTML are totally different
in semantics. As such, there are applications located on The Internet
that are able to transcode from HTML/XHTML to WML.

- ------------

An attacker can take advantage of the Google's WMLProxy Service by
sending a HTTP GET request with carefully modified URL of a malicious
nature. Such request hides the attacker's IP address and may slow down
future investigations on a successful breakin since Google's Services
are often over-trusted.

The following URL should reveal the current IP address:

However, a similar request proxied through WMLProxy:
results to: which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it
is primarily designed for PDAs and Smart Phones. Still, IYHY can be
used as an intermediate point for launching anonymous attacks. For
example the following URL reveals IYHY IP address:

Attackers are able to chain Google's WMLProxy and IYHY in order to
obscure their IP address further. For example, the following URL goes
through WMLProxy and IYHY before getting to http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com () 2f9g65o

- -------

Misuse of Services like Google's WMLProxy and IYHY must be considered
as a hight risk in situations where they are over-trusted. Google's
entries are often filtered out from the logs making all possible
attacks undetectable. Moreover, attackers can make use of mobile
devices to request dangerous URLs in order to compromise vulnerable
Web Applications. If such requests are not monitored by the particular
mobile network, there is no way to detect where the attack is launched

- -------------

Mobile Services can offer cleaver parameter filtering features to
prevent the execution of dangerous requests. However, it is important
to understand that simple input validation technique can be easily
circumvented. The tinyurl service can be used to obscure the dangerous
URLs, bypassing the input validation checks that an application may have.
It is also worth to mention that modifying the requests, in order to
stop certain XSS and SQL Injection attacks, may completely brake the
logic of the proxided Web Site leaving the users with unsatisfactory
Version: GnuPG v1.4.1 (MingW32)

  By Date           By Thread  

Current thread:
  • Anonymous Web Attacks via Dedicated Mobile Services Petko Petkov (Jul 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]