2007-12-09

Visio's Built in Web Spider

There is a really great feature in Visio 2003 that is excellent for website spidering and mapping. I rarely find a need for a Microsoft product, but this one is actually very useful. If you have installed the web diagram options for Visio, you can start a web site map. As soon as you select this link you are prompted for a URL. After entering the URL, Visio will spider the entire site and create a nice map of most areas of the site. It even shows you broken links. The only problem is that currently I don't see a way to log in to protected sites automatically, but you can click on a node in the generated Visio diagram and start interactive mode. This starts a browser inside Visio that lets you log in and navigate the site, and records your movements on the Visio diagram.

This could be very useful for both black box and white box testing. It may even uncover parts of the site you missed during your initial investigation of your audit target. I just started looking into it so I don't know how much it will assist me but

2007-12-08

WebScarab Scripting and Fuzzing.

I have been really busy and have therefore not posted in a while. Work has really consumed me, and I was studying to take the CEH (Certified Ethical Hacker) exam on Dec. 1st. I am very proud to say that I am now a Certified Ethical Hacker! Well, I have spent a lot of time working on fuzzers and ways to make my penetration testing more efficient. I recently discovered the scripting options in WebScarab (written by Rogan Dawes) and have been trying to make some use of this feature. What I wrote was a simple script that, once an XSS exploit has been found, writes a screen scrape of that page to the file system. This way you can quickly identify which attacks worked and which ones did not when using the Fuzzer plugin within WebScarab. Here is the script:

import org.owasp.webscarab.model.ConversationID;
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileReader;
import java.io.FileWriter;
import javax.swing.JOptionPane;

// Load XSS strings, one per line (the same file used as a Fuzzer source)
String xssFile = "/home/ascetik/xss.txt";
// Output file named by date and time; HH (24-hour) avoids AM/PM name collisions
DateFormat df = new SimpleDateFormat("yyyyMMdd-HHmmss");
String date = df.format(new java.util.Date());
String outFile = "/home/ascetik/screenScrapes/ss-" + date + ".html";

Response response = conversation.getResponse();   // conversation Response (conversation is supplied by WebScarab)
Request request = conversation.getRequest();      // conversation Request
byte[] hexResp = response.getContent();           // get the screen scrape (raw response body)
String raw = new String(hexResp);                 // convert it to a String so we can search it

// Test the response to see if one of our strings is echoed back
BufferedReader xssStrings = new BufferedReader(new FileReader(xssFile));
String xss;
try {
    while ((xss = xssStrings.readLine()) != null) {
        // skip blank lines: use length(), not != "", which compares references
        if (xss.length() > 0 && raw.indexOf(xss) != -1) {
            // only create the file when a match is found
            BufferedWriter bfOut = new BufferedWriter(new FileWriter(outFile));
            bfOut.write(raw);
            bfOut.close();
            //JOptionPane.showMessageDialog(null, "Possible XSS Found");
            break; // one scrape per response; do not reopen a closed writer on a second match
        }
    }
} finally {
    xssStrings.close();
}

Now let me explain. This script is run after the response is received from the server. I have a file called xss.txt that contains XSS exploits, which I also use as the input source for the Fuzzer plugin (I'll explain more later), but I also use it in this script to search for the strings in the server response. If the string is found in the response, there is a fairly good chance the exploit was successful.
When one of the XSS strings is found, I write an HTML file that is a screen scrape of the response. The file name looks like “ss-20071201-041504.html”, which is ss plus the date and time down to the second.

To use this script you need to load it into the WebScarab framework via Tools->Script Manager at the top of the WebScarab application.
There is a tree view that displays Framework->AddConversation.
Click Add at the top.
Now every time a conversation is added to the Summary of WebScarab this script will run, as long as the checkbox next to the script in the Script Manager is selected.

Using the Fuzzer
Once you have the above script loaded in the Script Manager, go to the Summary tab and find a conversation that you want to fuzz. You can look at the parameters column to find a fuzzable request. Now right click and select Use as fuzz template. Select the Fuzzer tab and you will see your request added there with all the parameters broken out.
Click Source in the middle of the Fuzzer plugin and add the same xss.txt file that you listed in the above script. Once this is done you can use this file to fuzz the parameters in the fuzz template.
Select the fuzz source for each parameter from a drop-down box.

Now click Start. If any of your fuzzing executed an XSS you will see files appearing in the folder you assigned in the script loaded via the Script Manager.

As you can see, this can be used for several different things. You could list SQL injection strings in the fuzzer sources and then put partial SQL error messages in the file you use as input to the script you added to the Script Manager. Once you know your way around WebScarab and which hooks are available, you are only limited by your imagination.


More on Webscarab and Scripting.
In the Script Manager you will see descriptions of the hooks available to you. I just explained the conversation options, but there are Proxy options as well. You can have special scripts run on both the request and the response for the proxy. I used the conversation hook because I could not query the responses from the Fuzzer plugin via the proxy scripts. Some ideas I have thought about implementing are alerts that pop up when patterns in the responses, like hidden error messages, IP address strings, etc., are found.
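As an added example covering the two ideas above (SQL error messages from the fuzzer sources, and pattern alerts on leaked error text or IP addresses), here is a stand-alone Java version of the matching logic that the AddConversation hook could call; it is not WebScarab's own code, and the class name ResponseScanner, the signature lists and the sample response body are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of WebScarab: classifies a response body by
// literal reflection of fuzz strings and by regex signatures for leaked errors.
public class ResponseScanner {
    // Constructed signatures; a real run would load these from a file such as
    // xss.txt, exactly as the script above does.
    static final List<String> FUZZ_STRINGS = Arrays.asList(
        "<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>");
    static final List<Pattern> LEAK_PATTERNS = Arrays.asList(
        Pattern.compile("You have an error in your SQL syntax", Pattern.CASE_INSENSITIVE),
        Pattern.compile("ORA-\\d{5}"),                          // Oracle error code
        Pattern.compile("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b"));   // IPv4 address literal

    // Returns one finding per hit so the caller can decide to pop up an alert
    // (JOptionPane) or write the screen scrape to disk.
    static List<String> scan(byte[] content) {
        String body = new String(content, StandardCharsets.UTF_8);
        List<String> findings = new ArrayList<>();
        // Reflection check: the exact fuzz string is echoed back unencoded
        for (String s : FUZZ_STRINGS) {
            if (!s.isEmpty() && body.contains(s)) {
                findings.add("reflected: " + s);
            }
        }
        // Signature check: error messages or internal addresses in the response
        for (Pattern p : LEAK_PATTERNS) {
            Matcher m = p.matcher(body);
            if (m.find()) {
                findings.add("leak: " + m.group());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample response: one reflected fuzz string, one leaked
        // backend address and one database error message.
        String sample = "<html><body>Results for: <script>alert(1)</script>"
            + "<!-- backend 10.0.0.12 --> You have an error in your SQL syntax</body></html>";
        for (String f : scan(sample.getBytes(StandardCharsets.UTF_8))) {
            System.out.println(f);
        }
    }
}
```

Inside a WebScarab hook the same scan method would be fed conversation.getResponse().getContent() instead of the constructed sample.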