Forum latest

ExploitMe: Free Firefox Plug-Ins Test Web Apps
Written by Daniel   
Thursday, 25 October 2007 11:01
Tools run directly on the browser and target pervasive XSS, SQL injection vulnerabilities in Web apps
OCTOBER 24, 2007 | 5:40 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading

Canadian researchers have built a set of free exploit tools for Web applications that run as Firefox browser plug-ins; the so-called ExploitMe suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities found on Websites.

Nishchal Bhalla, founder of Security Compass, and his fellow researchers at the firm will demonstrate and release the new exploit tools -- aimed at facilitating penetration testing of Web applications -- at next month's SecTor security conference in Toronto. The tools let researchers, Web app developers, and quality assurance staffers "fuzz" their Web apps for vulnerabilities to XSS and SQL injection attacks.

"We actually plugged it [the tools] right into the browser logic so it sees things the way the browser does," says Oliver Lavery, principal consultant with Security Compass and one of the developers of the ExploitMe tools.

And having the exploit, or penetration testing, tool inside the browser is especially helpful when it comes to detecting bugs, such as XSS, which actually gets exploited via the browser. "Because cross-site scripting exists within the browser, it's harder to detect" with other tools that run outside the browser, Lavery says.

There are other handy Web app hacking tools available for free today, such as Paros Proxy, Burp Suite, and WebScarab, but unlike ExploitMe, they are basically proxy tools that emulate the browser. "They intercept requests, and tend to do XSS on the basis of the data they collect," SecurityCompass' Bhalla says. "They emulate a browser, which is where problems happen with detection. Ours is tied into the browser." (See Weaponizing All Browsers.)

Renowned researcher HD Moore, creator of the popular Metasploit pen-testing tool, says the browser-based exploit approach indeed makes it easier for security researchers to detect bugs in sites that are "heavy on client-side scripting," such as XSS.... Much More   Comment in the Forums

See also

None found.

Hardware | Windows | Linux | Security | Mobile Devices | Gaming
Tech Business | Editorial | General News | folding@home

Forum | Download Files

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

Links monetized by VigLink

Don't Click Here Don't Click Here Either