Description of Project in Authors Terms,

This project is an attempt to create a well maintained, informative and categorized cheat sheet to highlight HTML5 as well as other client side and related security issues and ways to avoid them. The project is meant to target web developers as well as security researchers and especially browser vendors since many of the problems we found are based on faulty or quirky implementations. Focus is on completeness, comprehensibility and timeliness as well as continuity – benefits many other related cheat sheets don’t exactly provide.

Time to this site if are a developer or security analyst.

HTML5 CheatSheet

HTML5 CheatSheet Info
App Name	HTML5 CheatSheet
License	free
Type	online
App URL
More Info	link

WebSecurify is available in major OS platforms – Windows, Mac and Linux. Its even available as a Chrome extension.

Post Updated:

• Target site that requires authentication
• Info on Chrome Plugin

Running the Scanner

Initiating a scan with Websecurify is simple and is achieved in 2-3 steps.

1. Select ‘Start new automated test’, Enter Workspace Name and the Target application URL.

2. If application requires login, select ‘login or initialize target’. This opens the browser and asks you to enter the credentials. Close the browser window after login. (This step is optional).

You should new be authenticated to the application. After post login pages are displayed, close websecurify browser window.

3. Click on ‘Ok’ to start the scan

Once the Scan is Complete

Once the scan is complete, scan results are displayed, sorted based on the severity of the vulnerabilities discovered. Clicking on each of the category will further display the instances found and the technical details of analysis.

Scan results can be rendered in a report format by clicking on the Report Tab and can be exported in CSV, HTM, XML and JSON formats.

Comments/Observations

1. A scan was initiated for an average sized application during evaluation of websecurify and following were identified
2. Memory consumption was increasing with time but its far better than many other free/commercial scanners
3. Progress of scan was normal till it reached almost 97% (in around 2 hrs), then it stayed in 97-98 and back to 97 for a loooong time. So I had it running and checked it the next day.
4. This tool doesn’t provide the statistics of the scan, like pages crawled, time consumed, etc.
5. This tool has the simplest interface of all the other tools available in the market.

Chrome Extension

WebSecurify has a chrome extension too. Once installed, we can initiate the scan from within Chrome.

Test Report can be displayed on a new page once the scan is complete.

https://chrome.google.com/webstore/detail/emclbdbpcnhmopfkidjhlinikkohlkpn#

Websecurify Info
App Name	Websecurify
License	free
Type
App URL
More Info	link

You can also select one or more cookie files, and then copy them to the clipboard, save them to text/html/xml file or delete them.

Flash Cookie Viewer

System Requirements

This utility works on any version of Windows, starting from Windows 2000 and up to Windows 7. Also, FlashCookiesView can work with any Web browser, because the Flash component always save flash cookies in the same place and in the same format, regardless the Web browser that you use.

Using FlashCookiesView

FlashCookiesView doesn’t require any installation process or additional DLL files. In order to start using it, simply copy the files to any folder you like, and run the executable file – FlashCookiesView.exe 
The main window of FlashCookiesView contains 2 panes: The upper pane displays the list of all cookies files found in your flash cookies folder. When you select a cookies file in the upper pane, the lower pane displays the content of the cookie. By default, FlashCookiesView parse the cookie file and display it in name/value format, but you can also view the content of the cookie file as Hex Dump, by choosing ‘Hex Dump’ view from Options->Display Mode (or simply by pressing F3).

You can also select one or more cookie files in the upper pane, and then use ‘Save Selected Items’ option to export the cookies list to text/html/xml/csv file, or ‘Delete Selected Cookies Files’ to delete unneeded flash cookies.

If you want to view the Flash cookies of another computer/operating system/user profile, simply press F9 and select the right base cookies folder.

Download FlashCookieViewer:

As per their FAQ it takes around half an hour to scan normal sized websites, but as soon as I initiated scan for my website, I got a notification mail saying that it takes around 72 hours to complete the scan but I got the results emailed in about 5 hours.

Start the Scan

1. Create a text file with the name ‘zerodayscan.txt’ which contains the unique random key generated at zerodayscan.com site.
2. Submit the  Site URL and Email Id to which the scan results are to be mailed.
3. Start the scan. (Scan results will be emailed once its complete)

Scan Results

Output of the scan result is a pdf document which will be emailed to the user and contains the following information

1. Summary of the Scan (check the above pic)
2. Details of the Critical, High, Medium and Low Vulnerabilities
3. Whois information of the website.

Sample Summary Table in the Report

ZeroDay Scan Summary Table

The results gives us an approximate idea on the vulnerabilities of the target though it obviously does not have as much capabilities as a commercial webapp scanner.

Features

• No installation is required. It is an online service
• Detects Cross Site Scripting attacks (XSS)
• Detects Hidden Directories and Backup Files
• Looks for Known Security Vulnerabilities
• Searches for SQL Injection Vulnerabilities
• Automatically detects zero day bugs
• Performs Website Fingerprinting
• Generates free reports

Features

There are a number of features which CAT has to enable a wide variety of testing to be conducted:

• Request Repeater – Used for repeating a single request
• Proxy – Classic Inline proxy
• Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
• Log – View a list of requests to sort, search repeat etc. Allows for a sequence of requests to be repeated and modified.
• Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
• SSL Checker – Request a specific page with various SSL ciphers and versions.
• Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
• Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer’s rendering engine.

Reasons to use CAT

There are a number of differences between CAT and currently available web proxies. Some key differences are:

• Uses Internet Explorer’s rendering engine for accurate HTML representation
• Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
• Integrated SQL Injection and XSS Detection
• Synchronised Proxies for Authentication and Authorisation checking
• Faster due to HTTP connection caching
• SSL Version and Cipher checker using OpenSSL
• Greater flexibility for importing/exporting logs and saving projects
• Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
• The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
• Free!

Proxy & Authentication Checker

I generally use multiple browsers during web app assessments. This helps me to analyze the difference in the responses received from the server for same requests sent with different login credentials. This can also help me during the tests performed for horizontal/vertical privilege escalations. CAT listens to multiple ports at the same time, which means that you can use 2 browsers (or browser profiles) and direct the traffic to one proxy – CAT. CAT displays the traffic from different sources in different tabs.

Multiple Browsers Via Proxies

CAT Listening Via Multiple Proxies

While doing the authentication testing, we can login with the user having higher privilege in browser 1 and user with lower privilege in browser 2. Access various pages in browser 1 and identical requests are sent using the cookies stored in browser 2. CAT leaves us the response pairs behind for manual analysis.

Auth Checker

SSL Strength Check

Why use SSLDigger/Open SSL if your proxy has built-in SSL strength checking feature.

SSL Strength Checker

Download:   (More Info here )

HTML Comparison Chart

Quick Install

1
2
3
4
5
6

<?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
 
    $purifier = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
?>

View Before-After XSS Filtering

View Demo: HTML Purifier

Download HTML Purfier : (More Info at: http://htmlpurifier.org/)

SecFox is collection of addons which can be used to customize any firefox to a security assessment tool. At the time of writing this collection has 40+ addons which can help the web app sec testers during their assessments.

An ‘addon collector‘ addon is to be installed to get the SecFox updates. So if any new addon added to SecFox collection gives an alert to the subscriber.

Check the video below which explains how.

Download Secfox Collection :

WebApp Sec Checklist

This checklist is completely based on OWASP Testing Guide v 3. The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application and web service security issues.

The main intention of creating this checklist is to minimize our effort we would have put if we had to go through the 350 page OWASP Testing guide everytime during our testing.

I’ve added 66 test cases falling under different categories and you can add your own test by inserting a row in the Checklist and then changing the Overall status formulas.

Quick Completion Status

This section gives the details on the total checks completed, vulnerabilities noticed so far, and overall status in percentage.

Overall Status

Risk Metric Chart

Displays the number of High, Medium, Low and Info risk items. This can help us to give a quick glance on the ratio of High risk items.

Risk Metric Chart

Note: The Security Tester has to decide upon the rating of risk for each vulnerability. Check the OWASP Guide for more details

Alerts Displayed

Alerts are displayed whenever there is some inconsistency with the task completion marked and the risk value updated.

Alerts Displayed

Alert symbol (!!) is displayed when.

• Status is marked as ‘Done’ but Risk rating is not updated
• Risk is marked but Status still shows ‘Not Done’

Features

• Quick Status on completion of the tasks
• Reference Sheet which contains short info on each test case
• Risk Metric Chart displays the distribution of vulnerabilities based on the risk rating
• Tiny alerts displayed if task is marked complete, but risk level is not mentioned (and vice versa)
• List of tools to be used for various test cases (not completely updated)

Download Web AppSec Checklist Excel Sheet: Mirror :

“CrossSite Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.” – OWASP

Understanding XSS or to make one understand it ain’t easy. Too much of theory will confuse the person rather than helping him out. The best way of explaining it!; through flash animations and that is how virtualforge guys have done. This animation is intended for both a layman and a security analyst.

They have published two set of flash applications which demonstrates XSS. Here cookie theft and file access are demonstrated.

Screenshot

Check the following links

Example 1 : Car Auction

http://www.virtualforge.de/vmovie/xss_lesson_1/xss_selling_platform_v1.0.swf

Example 2 : Online Application

http://www.virtualforge.de/vmovie/xss_lesson_2/xss_selling_platform_v2.0.swf

Read More about XSS at Wiki and OWASP

See CrossSiteRequestForgery (XSRF) in action, here.

1. Manipulate integer values:

Click on Load URL and then Split URL. Now select the Integer under interest and click on the INT +1 or INT -1 as required. This will automatically load the page with the new modified param value. This can help us while checking for ‘forceful browsing’ or ‘revealing hidden pages’ kind of tests.

Change Integer Value

2. Calculate MD5 of selected string

Some of the sites amateur developers might do poor encoding for the sensitive data which is communicated between server and the client. But with Hackbar the values can be easily decoded with a single click.

Hash Selected Value

3. Calculate MySQL Char code of selected string.

MySQL CHAR() button can help us in calculating the charcode of the selected string. This can help in injecting the char code value during some tests which usually are not stripped of while performing server side validation.

Calculate Char Code

Features

• Increment/Decrement the numeric value of the params (e.g. change pageid to reveal hidden page, session ids etc)
• Above operation on HEX values
• SQL and XSS vectors string construction
• Built-In string encryption options (MD5, SHA-1, SHA-256)
• Encode and Decode URL (Base 64, URL Encoding)
• Strings for performing BoF attacks.

Download Hackbar :