Notscripts – Noscript Alternative in Chrome

Posted by rajivvishwa On November - 2 - 2010

NotScripts gives you a high degree of “NoScript”-like control over which JavaScript, iframes, and plugins run in your browser, to increase security and lower CPU usage. Its default-deny policy blocks third-party content before it even runs, which helps mitigate some attacks, such as certain cross-site scripting (XSS) vulnerabilities and drive-by downloads.

Notscripts Window

You can whitelist the sites you want through an easy to use url bar icon and drop down menu.

NotScripts uses a unique and novel method to provide this “NoScript”-like functionality in Google Chrome, something that was not previously possible. It introduces a breakthrough technique of intelligent HTML5 storage caching to overcome the limitations in Google Chrome that prevented an extension like this from being made before. NotScripts blocks third-party content before it loads, and it does this while also maintaining a whitelist. This is one of the key extensions that many people have been waiting for since Google Chrome came out.


Gruyere is a deliberately vulnerable application which can be used to learn and understand web vulnerabilities. Detailed documentation is provided on the types of vulnerabilities present in the application and the ways to exploit them.

Update: Jarlsberg is now Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

  • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

Documentation Here

Jarlsberg - Hosted Vulnerable App


Disclosure of XSS Vulnerability in SharePoint 2007

Posted by rajivvishwa On May - 7 - 2010

An XSS vulnerability has been discovered and publicly disclosed in SharePoint Server 2007 and Microsoft Windows SharePoint Services 3.0. The vulnerability could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment.

This vulnerability was discovered by High-Tech Bridge SA and reported to Microsoft on 12 April 2010. At the time of writing this post, the vulnerability remains unfixed.

Read HTBridge advisory here

Vulnerable URL :

http://TARGETSITE/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X

Screenshot

SharePoint 2007 XSS Vulnerability

Read more at Microsoft Security Advisory (983438)

Google's Skipfish – Web App Security Scanner

Posted by rajivvishwa On April - 5 - 2010

Skipfish prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in a terminal window to install and run Skipfish. Replace OUTPUT_FOLDER with the directory the report should be written to and TARGETSITE with the target's domain name. Also change the wget URL to that of the latest Skipfish release available.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.29b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

Installed Skipfish and ran it on the target site; specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 Mbps

Skipfish Verbose

Skipfish displays the scan statistics continuously during the run. Once the scan is complete, we get to see the scan summary (shown in the screenshot below).

Skipfish Running

Skipfish Console

Websecurify – Free Web Application Vulnerability Scanner

Posted by rajivvishwa On April - 2 - 2010

Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. This tool automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.

Websecurify is available on all major OS platforms – Windows, Mac and Linux. It's even available as a Chrome extension.

Post Updated:

  • Target site that requires authentication
  • Info on Chrome Plugin

Websecurify Scan in Progress


ZeroDay Scanner Scans Web App Vulnerabilities Online For Free

Posted by rajivvishwa On March - 29 - 2010

ZeroDayScan is an online web application scanner which crawls through the app and discovers vulnerabilities in it. It attempts to find the common web vulnerabilities like XSS and SQL injection, all the way down to web app fingerprinting.

As per their FAQ, it takes around half an hour to scan a normal-sized website, but as soon as I initiated the scan for my website, I got a notification mail saying that it takes around 72 hours to complete the scan; however, I got the results emailed in about 5 hours.


Free Web Vulnerability Assessment Tool – CAT

Posted by rajivvishwa On January - 27 - 2010

It's very rare to find a good and effective web application security assessment tool, and almost impossible if you want it for free. After a long hunt, I found one: CAT – Context App Tool. Although it's free, it offers a good GUI and powerful features along with the basic ones that come with every proxy available.

Features

There are a number of features which CAT has to enable a wide variety of testing to be conducted:

  • Request Repeater – Used for repeating a single request
  • Proxy – Classic Inline proxy
  • Fuzzer – Allows for batch of tests to be sent to a server for brute forcing, parameter fuzzing, forced browsing etc.
  • Log – View a list of requests to sort, search, repeat, etc. Allows a sequence of requests to be repeated and modified.
  • Authentication Checker – Two synchronised proxies which can be used to check authentication and authorisation controls.
  • SSL Checker – Request a specific page with various SSL ciphers and versions.
  • Notepad – A text/RTF editor which can be used as a scratch pad for conversions etc.
  • Web Browser – An integrated web browser with proxy pre-configured based on the Internet Explorer’s rendering engine.

Reasons to use CAT

There are a number of differences between CAT and currently available web proxies. Some key differences are:

  • Uses Internet Explorer’s rendering engine for accurate HTML representation
  • Supports many different types of text conversions including: URL, Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
  • Integrated SQL Injection and XSS Detection
  • Synchronised Proxies for Authentication and Authorisation checking
  • Faster due to HTTP connection caching
  • SSL Version and Cipher checker using OpenSSL
  • Greater flexibility for importing/exporting logs and saving projects
  • Tabbed Interface allowing for multiple tools at once e.g. multiple repeaters and different logs
  • The ability to repeat and modify a sequence of requests (particularly useful in SSO testing)
  • Free!


HTML Purifier – Malicious Input Filtering (XSS Protection)

Posted by rajivvishwa On January - 27 - 2010

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will remove all malicious code (efficient filtering of XSS scripts) with a thoroughly audited, secure yet permissive whitelist.

HTML Comparison Chart


Quick Install

<?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
 
    $purifier = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
?>
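The quick-install snippet above uses HTML Purifier's defaults. The following is an added example (not from the original post or the HTML Purifier project) that configures an explicit element/attribute whitelist and runs a constructed sample of "dirty" HTML through it; the library path is assumed and must be adjusted to your install.

```php
<?php
// Added example: whitelist configuration for HTML Purifier.
// Assumed library path; change it to where HTMLPurifier.auto.php lives.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

// Constructed sample input of the kind a comment form might receive:
// an inline event handler, a script element, a javascript: link and
// an image with an onerror handler, mixed with legitimate markup.
$dirty_html = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
            . '<script>alert("xss")</script>'
            . '<a href="javascript:alert(1)">bad link</a>'
            . '<img src="/img/ok.png" alt="ok" onerror="alert(1)">'
            . '<a href="http://example.com/">good link</a>';

// Allow only a small set of tags and attributes; anything not listed
// is dropped. Restricting URI schemes to http/https means a
// javascript: href cannot survive even though a[href] is allowed.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
// Disable the on-disk definition cache so the demo needs no writable dir.
$config->set('Cache.DefinitionImpl', null);

$purifier   = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

// Expected effect: the script element (with its contents), the
// onmouseover and onerror handlers and the javascript: href are removed;
// the paragraph, bold text, image and the http link are kept.
echo $clean_html, PHP_EOL;
```

For production use, leave the definition cache enabled and point it at a directory writable by the web server, since rebuilding definitions on every request is slow.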

View Before-After XSS Filtering

View Demo: HTML Purifier

Download HTML Purifier : Download (More Info at: http://htmlpurifier.org/)


SecFox – XSSMe, Automated XSS Detection in Firefox

Posted by rajivvishwa On September - 3 - 2009
This entry is part 2 of 5 in the series Secfox

In this part of the SecFox series, detection of XSS vulnerabilities with Firefox is explained. Here, we talk about the XSSMe add-on, which can be used to automate the tests for XSS, thereby saving our precious time.

XSSMe Running

“The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system” – Security Compass


Disabling default XSS filtering in IE8 – For Security Testers

Posted by rajivvishwa On April - 16 - 2009

If you are a security tester and are forced to use IE for testing, make sure that you know about IE8's built-in security features before you upgrade your current IE. Some of these security features will stop us from revealing vulnerabilities in a website. This post talks about the XSS Filter in IE8, which is enabled by default, and how to disable it for security testing.

NOTE: This post is intended only for the security testers/analysts and not for a normal internet user. Please do not mess up the default security settings in IE8, unless you know what you are doing.

XSS Filtering

XSS Filter Enabled

