SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, April 16, 2010

Vulnerable Sites Database: More Intrusion as a Service

Posted on 1:01 PM by Unknown
Last year I blogged about Shodan, and today thanks to Team Cymru I learned of the latest evolution of Intrusion as a Service. It's called the Vulnerable Sites Database.

According to the site, to be listed as a vulnerable site a submitter must provide "1. site name 2. vulnerability or JPG proof." This reminds me of a Web defacement archive where the submitter demonstrates having defaced a Web site, but with www.vs-db.info we get details like "local file inclusion" or "SQL injection."

All we need now is to pair the search capability of a site like Shodan with the vulnerability data for an entire site as provided by the Vulnerable Sites Database. How about a cross-reference against sites currently whitelisted by Web proxy providers and others who use reputation to permit access? Something like:

Select sites where the reputation is GOOD, that are hosted in the US, and are vulnerable to SQL injection?

Next, exploit vulnerable sites and use them for hosting malware, acting as command and control servers, and so on.

While neat, I thought Shodan was dangerous enough to attract LE attention and be shut down. I wonder how long www.vs-db.info will last. A site like I just described would probably really cross the line. I hope.

Update: Thanks to @jeremiahg for pointing me towards www.xssed.com.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Review of Intelligence, 4th Ed Posted
    Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthall . From the review : I was a...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • Review of Robust Control System Networks Posted
    Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner . From the review : I am not an industrial ...
  • Bejtlich Teaching at Black Hat West Coast Trainings
    I'm pleased to announce that I will be teaching at  Black Hat West Coast Trainings  9-10 December 2013 in Seattle, Washington. This is a...
  • Bejtlich's Thoughts on "Why Our Best Officers Are Leaving"
    Twenty-two years ago today I flew to Colorado Springs, CO and reported for Basic Cadet Training with the class of 1994 at the United States ...
  • Risk Modeling, not "Threat Modeling"
    Thanks to the great new book Metasploit (review pending), I learned of the Penetration Testing Execution Standard . According to the site,...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Tort Law on Negligence
    If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service , some comments claim ...
  • Bejtlich Teaching at Black Hat DC 2011
    Over the holiday break I've been putting the finishing touches on TCP/IP Weapons School 3.0 , to be presented first at Black Hat DC 2011...
  • Happy 7th Birthday TaoSecurity Blog
    Today, 8 January 2010, is the 7th birthday of TaoSecurity Blog . I wrote my first post on 8 January 2003 while working as an incident resp...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ▼  April (15)
      • Blame the Bullets, not PowerPoint
      • Review of The Rootkit Arsenal Posted
      • Snort Near Real Time Detection Project
      • Thoughts on New OMB FISMA Memo
      • Still Looking for Infrastructure Administrator for...
      • Review of Handbook of Digital Forensics and Invest...
      • Review of The Victorian Internet Posted
      • Measurement Over Models
      • Vulnerable Sites Database: More Intrusion as a Ser...
      • "Cyber insecurity is the paramount national securi...
      • Response to Dan Geer Article on APT
      • Last Chance for TCP/IP Weapons School 2.0 in Las V...
      • Bejtlich on Visible Risk Podcast
      • Defense Security Service Publishes 2009 Report on ...
      • BeyondTrust Report on Removing Administrator: Corr...
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile