We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byEliza Divine
Modified over 4 years ago
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me
© 2008 Security Compass inc. Tom Aratyn –Software Developer at Security Compass –Developed the Exploit Me tools Who are we? 2
© 2008 Security Compass inc. Jamie –Security Consultant for Security Compass –Background in security research, penetration testing, and software development Who are we? 3
© 2008 Security Compass inc. Cross-site scripting, really a danger? State of web application security XSS-Me SQL Inject-Me Access Me Agenda 4
© 2008 Security Compass inc. We know XSS can be dangerous, but can we use it to rob a bank? –AJAX + CSRF + XSS = Major problem XSS – Really a Danger? 5
© 2008 Security Compass inc. Reflected –Spit back as soon as it goes in –XSS-Me helps here Stored –Saving it for someone else –XSS-Me future version Two Exciting Flavours 6
© 2008 Security Compass inc. AJAX is adding a new element into these attacks –AJAX was used in the IBDBank attack Attacker can play with data as if the victim is doing it –Send –Receive –Parse Someone Changed my App 8
© 2008 Security Compass inc. State of Web App Insecurity 9 Web app exploits outnumber buffer overflows in CVE Large portion of web apps suffer from XSS or SQL Injection
© 2008 Security Compass inc. Various tools exist –OWASP tools, commercial, Open Source Work very well –For what they were built to do Testing Tools 10
© 2008 Security Compass inc. Most tools not for developers or QA Developers and QA must be checking for security vulnerabilities Need lightweight tools The Missing Piece 11
© 2008 Security Compass inc. Firefox extension to test for cross-site scripting XSS-Me 0.4 to the Rescue 12
© 2008 Security Compass inc. Pick forms & fields to test Firefox 3 Import/export/add/remove XSS strings Test & Surf Heuristics to limit tests XSS-Me Features 13
© 2008 Security Compass inc. Checking all attacks against all fields is slow. –No, trust me, it’s slow Heuristic tests limit the fields we have to check by determining if we can inject them –Passes set of characters and checks if they’re returned (;\/<>=‘”) Heuristics? 14
© 2008 Security Compass inc. Attempts to set document.vulnerable=true into the DOM If property set, attack worked Also checks for plain text string, a potential vulnerability –OnMouseOver injection Behind the Magic 15
© 2008 Security Compass inc. Everyone says use Struts to protect yourself –Sure, just don’t follow the supplied examples Thank $deity for Struts 16
© 2008 Security Compass inc. Being Bobby 17 sql = “SELECT * FROM users WHERE username = ‘” & Request(“username”) & “’ AND password = '" & Request(“password”) & "'" User Input: username = jimmy password = blah’ OR ‘1’=‘1 SELECT * FROM users WHERE username = ‘jimmy’ AND password = ‘blah’ OR ‘1’=‘1’ Since “WHERE 1=1” is true for all records the entire table is returned! Courtesy XKCD.com
© 2008 Security Compass inc. Defence is well known and faster than what you’re doing now –Prepared Statements –Stored Procedure Ok, if you use exec in your procedure this is also vulnerable, but, you’re not doing that right? No Excuse 18
© 2008 Security Compass inc. Firefox extension to check for SQL injection SQL Inject-Me 0.4 19
© 2008 Security Compass inc. Pick what you test Configure attack and success strings Large default string set Firefox 3 Test & Surf SQL Inject-Me Features 20
© 2008 Security Compass inc. Web/application servers maybe vulnerable to HTTP Verb Tampering attacks Bypasses common authorization configurations What’s your method 21
© 2008 Security Compass inc. Access Me 0.2 22 Firefox extension to check for authentication issues
© 2008 Security Compass inc. Checks for unauthenticated access vulnerabilities Checks for HTTP verb vulnerabilities Regular expression based parameter detection Automatic test as you surf Access Me Features 23
© 2008 Security Compass inc. Detecting Access Vulnerabilities 24 Failed if response status is 200 and response too similar Warning if response status is 200 or response too similar
© 2008 Security Compass inc. Available off of our website –www.securitycompass.comwww.securitycompass.com Extra XSS-Me attack strings also available from site Open sourced under GPL v3 Where can you get ‘em 25
© 2008 Security Compass inc. May include –Spidering Stored attacks The Future... 26
© 2008 Security Compass inc. Lets have ‘em –firstname.lastname@example.org@securitycompass.com –email@example.com@securitycompass.comQuestions 27
© 2002 D & D Enterprises 1 Linking Images For Navigation & Clickable Image Maps.
Advanced Piloting Cruise Plot.
A framework to 0wn the Web Copyright 2008 CYBSEC. All rights reserved. Andrés Riancho OWASP Poland
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
Nick Feamster CS 6262 Spring 2009
SecuBat: An Automated Web Vulnerability Detection Framework
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Tutorial 9 – Creating On-Screen Forms Using Advanced Table Techniques
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Introduction to HTML, XHTML, and CSS
Child Health Reporting System (CHRS) How to Submit VHSS Data
My Alphabet Book abcdefghijklm nopqrstuvwxyz.
1 NatQuery 3/05 An End-User Perspective On Using NatQuery To Extract Data From ADABAS Presented by Treehouse Software, Inc.
Cross-site Request Forgery (CSRF) Attacks
© 2018 SlidePlayer.com Inc. All rights reserved.