SlideShare uma empresa Scribd logo

ImmuniWeb® Self-Fuzzer Firefox Extension

High-Tech Bridge SA (HTBridge)
High-Tech Bridge SA (HTBridge)

ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to detect Cross-Site Scripting and SQL Injection vulnerabilities in web applications. It demonstrates how rapidly and easily these two most common types of web vulnerabilities can be found even by a person who is not familiar with web security. It is a sort of decision-making tool or Proof-of-Concept for SMBs and private persons who hesitate whether to order ImmuniWeb® Security Assessment or not. Addon page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/ Original publication: https://www.htbridge.com/publications/immuniweb_self_fuzzer_firefox_extension.html

Tecnologia
1 de 23
Baixar para ler offline
©2013 High-Tech Bridge SA – www.htbridge.com Web Application Security and ImmuniWeb® Self-Fuzzer Firefox Extension September 10, 2013 Xavier ROUSSEL Security Auditor at High-Tech Bridge
©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Introduction  Web applications are the most widespread applications on the internet. Almost all companies in the world have a web site.  Web applications quite often host sensitive data like customer database containing personal information, passwords, credit cards numbers, etc.  Even web applications that do not host sensitive data are targeted by hackers. Once compromised, they are used as proxies by hackers to attack bigger resources, to spread malware among website visitors turning their PCs into zombies, or simply to perform phishing campaigns.  Web applications vulnerabilities are usually much easier to exploit than “low level” vulnerabilities, such as buffer overflows in binaries for example.
©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Introduction  The amount of sensitive information that web applications contain today and simplicity of web attack vectors drastically expose web applications to both massive and targeted attacks.  Depending on the complexity and the size of a website, security assessment services, such as penetration test or security audit, can be quite expensive and long.  As a consequence, many SMBs simply do not perform any kind of web security assessments at all, leaving their website an easy entry point to their local networks and other corporate IT assets for hackers.  More information about web applications security can be found in Frost & Sullivan White Paper written in collaboration with MITRE, OTA and High- Tech Bridge experts: “The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security” and in its video version.
©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Common web applications vulnerabilities According to Net-Security, the following graph represents distribution of the most common web vulnerabilities : 26% 16% 16% 13% 8% 6% 5% 5% 3% 2% Web Applications Vulnerabilities Distribution XSS Info leakage Session Management Authentification & Authroization CSRF SQL injection Web Server Version Remote Code Execution Web Server Configuration Unauthorized Directory Access
©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Cross-Site Scripting  Cross-Site Scripting [CWE-79], also known as XSS, is the most widespread vulnerability affecting web applications.  Basically, if a user-controlled variable is outputted in the source code of HTML page without being properly filtered, it is possible to execute arbitrary JavaScript code on the client side, and steal sensitive information, such as cookies, authentication sessions or even browsing history.  The vulnerability is present on the server side (in web application) but affects the client (website visitor) as malicious code is executed in client’s browser. Example : Normal request : Your name is <b>Peter</b> Not filtered, vulnerable: Your name is <b><script>alert(‘xss’)</script></b> Filtered, not vulnerable: Your name is <b>&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</b>
©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security SQL Injection  SQL Injection [CWE-89] is another well-known web application vulnerability, permitting attacker to alter SQL queries sent by vulnerable web application to a database and get almost any information, such as user’s logins and passwords, from the database.  Basically, SQL injection occurs when user-controlled variable is not filtered correctly (e.g. to escape characters such as double quote or single quote) and passed directly to SQL query. Example : Normal request : SELECT * FROM users WHERE username=“peter” Result : “peterpasswd” Not filtered, injection : SELECT * FROM users WHERE username=“peter” or username=“admin” Result : “adminpasswd” Filtered : SELECT * FROM users WHERE username=“peter” or username=“admin” Result : null
©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
©2013 High-Tech Bridge SA – www.htbridge.com II. ImmuniWeb® SaaS About ImmuniWeb®  ImmuniWeb® is a next-generation web application security assessment solution with Software-as-a-Service (SaaS) delivery model, entirely developed and supported by High- Tech Bridge.  ImmuniWeb® is a hybrid of advanced automated web vulnerability scanning and accurate manual web application penetration testing performed in parallel.  ImmuniWeb® SaaS consists of three main parts: ImmuniWeb® Portal, ImmuniWeb® Security Scanner and ImmuniWeb® Auditors.  ImmuniWeb® enables people to assess their websites security in a simple, fast, accurate and cost-affordable manner.
©2013 High-Tech Bridge SA – www.htbridge.com II. ImmuniWeb® SaaS ImmuniWeb® Security Assessment  ImmuniWeb® Security Assessment detects the following types of web application vulnerabilities:  To get more information about ImmuniWeb® SaaS please visit our website: http://www.htbridge.com/immuniweb/ or read Frost & Sullivan Movers & Shakers publication: «High-Tech Bridge Moves Ethical Hacking to the Cloud with ImmuniWeb® SaaS»
©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Presentation  ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to detect Cross-Site Scripting and SQL Injection vulnerabilities in web applications.  ImmuniWeb® Self-Fuzzer is not a web application security scanner or crawler, but a real-time web fuzzer. Once being activated by user in his browser, it carefully follows user’s HTTP requests and fuzzes them in real time, carefully checking all HTTP parameters passed within the requests. Results of fuzzing are also displayed in real-time, notifying user immediately upon vulnerability detection.  It demonstrates how rapidly and easily these two most common types of web vulnerabilities can be found even by a person who is not familiar with web security. It is a sort of decision-making tool or Proof-of-Concept for SMBs and private persons who hesitate whether to order ImmuniWeb® Security Assessment or not.
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Key advantages  The main advantage of ImmuniWeb® Self-Fuzzer is that it allows user to control the process of fuzzing in real-time, providing user with flexible configuration of the process.  Quite often security scanners cannot follow human logic implemented in web application, or complex web 2.0 application structure, and simply do not arrive to certain “far away” zones of web applications. ImmuniWeb® Self- Fuzzer carefully follows the user and fuzzes all the HTTP requests user performs, efficiently replacing a crawler.  Just carefully following the user in real-time, ImmuniWeb® Self-Fuzzer will not fuzz any potentially dangerous zones where arbitrary or non-standard HTTP requests may destroy the entire database behind the web application (of course if user won’t do it himself).  ImmuniWeb® Self-Fuzzer can be safely used even in production environment, because it does not send any potentially dangerous requests that may damage database (it uses only “AND” operator checking for blind SQL injections, to prevent altering data in UPDATE, DELETE or INSERT SQL statements).
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Key features  The extension is user-friendly and does not require any technical skills from the user. Fuzzing process may be started and stopped by just one click.  Being a Firefox extension it does not require any additional configuration of Firefox browser, which user have to do for proxy-based web security testing tools for example.  The extension quickly searches Cross-Site Scripting and SQL Injection vulnerabilities in pages that user visit.  It locks the fuzzing on one target domain to avoid accidental fuzzing of others websites, which user may not intend to scan.
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection techniques  To detect vulnerabilities ImmuniWeb® Self-Fuzzer fuzzes various input vectors: POST and GET HTTP requests, COOKIE field and even the URL itself if HTTP parameters are encapsulated into the URL by mod-rewrite for example.  User can manually select which input vectors to use. The vectors can be selected in the configuration panel of the extension.  Once configured, the extension will automatically identify and fuzz all the variables passed via selected input vectors.  As, already mentioned ImmuniWeb® Self-Fuzzer does not use “dangerous” injection patterns for blind SQL injection detection.
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection – fuzzing variables  Fuzzing technique varies depending on vulnerability type that we are trying to detect.  For SQL injection detection ImmuniWeb® Self-Fuzzer will fuzz the variables using special SQL characters (to trigger errors), like :  XSS detection is performed by injecting HTML special characters (to check if they are filtered before being displayed), like :  Example : http://www.site.com/page.php?var=1 Vector : GET Variable : var ; Value : 1 Fuzzed Variable Value : 1’”’” Char NUL BS TAB LF CR SUB " % ' _ Hex 0x00 0x08 0x09 0x0a 0x0d 0x1a 0x22 0x25 0x27 0x5c 0x5f Char & < > " ' / Hex 0x26 0x3C 0x3E 0x22 0x27 0x2F
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection – identification  Vulnerabilities are detected by parsing the content returned by web server, depending on the HTTP request previously sent.  For example to identify SQL injection vulnerability, ImmuniWeb® Self- Fuzzer searches for SQL database error messages.  XSS vulnerabilities are identified by searching for non-filtered HTML special characters in page source code previously sent to the script.
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage - installation  Download and install the extension from Firefox add-ons page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/  Restart Firefox, and a little icon will appear next to the navigation bar:  Go to the website you want to fuzz and click on the icon, the toolbar will appear with the name of the website. The number at the right displays the number of detected vulnerabilities:
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – control panel  Move the mouse cursor over the bar to display the control panel:  There are 5 buttons on this panel : Start/stop the fuzzing process (it queues captured packets) Display results Reset the counter of detected vulnerabilities Enable/disable packets capture Display configuration panel
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – control panel  Two progress bars show the fuzzing status for each fuzzer (SQL injection and XSS), and the third one indicates the global progress of fuzzing (at the very bottom of the panel).  Click the configuration button to choose which fuzzing vector(s) to use:
©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – fuzzing & results  After you have configured the extension, just browse the website you want, every variable used in the selected input vector will be automatically fuzzed while you are surfing:  Results can be displayed by clicking the second button:
©2013 High-Tech Bridge SA – www.htbridge.com References ImmuniWeb® Self-Fuzzer home page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/ ImmuniWeb® Self-Fuzzer video: http://www.youtube.com/watch?v=2USAnmzuRB8 CWE vulnerabilities glossary: https://www.htbridge.com/vulnerability/ ImmuniWeb® SaaS home page: https://www.htbridge.com/immuniweb/ Help Net Security web vulnerabilities statistics by Cenzic: http://www.net-security.org/secworld.php?id=14556 OWASP project: https://www.owasp.org/
©2013 High-Tech Bridge SA – www.htbridge.com Thank you for reading! Your questions are always welcome: xavier.roussel [at] htbridge.com

Recomendados

Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitHigh-Tech Bridge SA (HTBridge)
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0High-Tech Bridge SA (HTBridge)
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 

Recomendados

Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitHigh-Tech Bridge SA (HTBridge)
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0High-Tech Bridge SA (HTBridge)
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild WebHigh-Tech Bridge SA (HTBridge)
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Edgar allan poe
Edgar allan poeEdgar allan poe
Edgar allan poeteresamarraja
 
一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼Wan Jen Huang
 
Question 7
Question 7 Question 7
Question 7 nctcmedia12
 
Research Into Target Audience
Research Into Target AudienceResearch Into Target Audience
Research Into Target Audiencenctcmedia12
 
Hzz ve ra birlikleri defans
Hzz ve ra birlikleri defansHzz ve ra birlikleri defans
Hzz ve ra birlikleri defanshaseleonore
 
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...Erwin Chiquete, MD, PhD
 
ç
çç
çSantiago Alvarez
 
The Internet is Broken
The Internet is BrokenThe Internet is Broken
The Internet is BrokenJohn Coulter MBA
 
Moyano mónica the wine marking process
Moyano mónica the wine marking processMoyano mónica the wine marking process
Moyano mónica the wine marking processMonica Moyano
 
Consulta digite direccion
Consulta digite direccionConsulta digite direccion
Consulta digite direccionkode99
 
Vizitka navros v_n
Vizitka navros v_nVizitka navros v_n
Vizitka navros v_nAntonina Navros
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Mais conteúdo relacionado

Destaque

Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼Wan Jen Huang
 
Research Into Target Audience
Research Into Target AudienceResearch Into Target Audience
Research Into Target Audiencenctcmedia12
 
Hzz ve ra birlikleri defans
Hzz ve ra birlikleri defansHzz ve ra birlikleri defans
Hzz ve ra birlikleri defanshaseleonore
 
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...Erwin Chiquete, MD, PhD
 
Moyano mónica the wine marking process
Moyano mónica the wine marking processMoyano mónica the wine marking process
Moyano mónica the wine marking processMonica Moyano
 
Consulta digite direccion
Consulta digite direccionConsulta digite direccion
Consulta digite direccionkode99
 

Destaque (17)

Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild Web
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Edgar allan poe
Edgar allan poeEdgar allan poe
Edgar allan poe
 
一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼一個使用者體驗部門都在做什麼
一個使用者體驗部門都在做什麼
 
Question 7
Question 7 Question 7
Question 7
 
Research Into Target Audience
Research Into Target AudienceResearch Into Target Audience
Research Into Target Audience
 
Hzz ve ra birlikleri defans
Hzz ve ra birlikleri defansHzz ve ra birlikleri defans
Hzz ve ra birlikleri defans
 
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
Cerebral Venous Thrombosis in a Mexican Multicenter Registry of Acute Cerebro...
 
ç
çç
ç
 
The Internet is Broken
The Internet is BrokenThe Internet is Broken
The Internet is Broken
 
Moyano mónica the wine marking process
Moyano mónica the wine marking processMoyano mónica the wine marking process
Moyano mónica the wine marking process
 
Consulta digite direccion
Consulta digite direccionConsulta digite direccion
Consulta digite direccion
 
Vizitka navros v_n
Vizitka navros v_nVizitka navros v_n
Vizitka navros v_n
 

Último

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

ImmuniWeb® Self-Fuzzer Firefox Extension

  • 1. ©2013 High-Tech Bridge SA – www.htbridge.com Web Application Security and ImmuniWeb® Self-Fuzzer Firefox Extension September 10, 2013 Xavier ROUSSEL Security Auditor at High-Tech Bridge
  • 2. ©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
  • 3. ©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Introduction  Web applications are the most widespread applications on the internet. Almost all companies in the world have a web site.  Web applications quite often host sensitive data like customer database containing personal information, passwords, credit cards numbers, etc.  Even web applications that do not host sensitive data are targeted by hackers. Once compromised, they are used as proxies by hackers to attack bigger resources, to spread malware among website visitors turning their PCs into zombies, or simply to perform phishing campaigns.  Web applications vulnerabilities are usually much easier to exploit than “low level” vulnerabilities, such as buffer overflows in binaries for example.
  • 4. ©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Introduction  The amount of sensitive information that web applications contain today and simplicity of web attack vectors drastically expose web applications to both massive and targeted attacks.  Depending on the complexity and the size of a website, security assessment services, such as penetration test or security audit, can be quite expensive and long.  As a consequence, many SMBs simply do not perform any kind of web security assessments at all, leaving their website an easy entry point to their local networks and other corporate IT assets for hackers.  More information about web applications security can be found in Frost & Sullivan White Paper written in collaboration with MITRE, OTA and High- Tech Bridge experts: “The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security” and in its video version.
  • 5. ©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Common web applications vulnerabilities According to Net-Security, the following graph represents distribution of the most common web vulnerabilities : 26% 16% 16% 13% 8% 6% 5% 5% 3% 2% Web Applications Vulnerabilities Distribution XSS Info leakage Session Management Authentification & Authroization CSRF SQL injection Web Server Version Remote Code Execution Web Server Configuration Unauthorized Directory Access
  • 6. ©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security Cross-Site Scripting  Cross-Site Scripting [CWE-79], also known as XSS, is the most widespread vulnerability affecting web applications.  Basically, if a user-controlled variable is outputted in the source code of HTML page without being properly filtered, it is possible to execute arbitrary JavaScript code on the client side, and steal sensitive information, such as cookies, authentication sessions or even browsing history.  The vulnerability is present on the server side (in web application) but affects the client (website visitor) as malicious code is executed in client’s browser. Example : Normal request : Your name is <b>Peter</b> Not filtered, vulnerable: Your name is <b><script>alert(‘xss’)</script></b> Filtered, not vulnerable: Your name is <b>&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</b>
  • 7. ©2013 High-Tech Bridge SA – www.htbridge.com I. Web applications security SQL Injection  SQL Injection [CWE-89] is another well-known web application vulnerability, permitting attacker to alter SQL queries sent by vulnerable web application to a database and get almost any information, such as user’s logins and passwords, from the database.  Basically, SQL injection occurs when user-controlled variable is not filtered correctly (e.g. to escape characters such as double quote or single quote) and passed directly to SQL query. Example : Normal request : SELECT * FROM users WHERE username=“peter” Result : “peterpasswd” Not filtered, injection : SELECT * FROM users WHERE username=“peter” or username=“admin” Result : “adminpasswd” Filtered : SELECT * FROM users WHERE username=“peter” or username=“admin” Result : null
  • 8. ©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
  • 9. ©2013 High-Tech Bridge SA – www.htbridge.com II. ImmuniWeb® SaaS About ImmuniWeb®  ImmuniWeb® is a next-generation web application security assessment solution with Software-as-a-Service (SaaS) delivery model, entirely developed and supported by High- Tech Bridge.  ImmuniWeb® is a hybrid of advanced automated web vulnerability scanning and accurate manual web application penetration testing performed in parallel.  ImmuniWeb® SaaS consists of three main parts: ImmuniWeb® Portal, ImmuniWeb® Security Scanner and ImmuniWeb® Auditors.  ImmuniWeb® enables people to assess their websites security in a simple, fast, accurate and cost-affordable manner.
  • 10. ©2013 High-Tech Bridge SA – www.htbridge.com II. ImmuniWeb® SaaS ImmuniWeb® Security Assessment  ImmuniWeb® Security Assessment detects the following types of web application vulnerabilities:  To get more information about ImmuniWeb® SaaS please visit our website: http://www.htbridge.com/immuniweb/ or read Frost & Sullivan Movers & Shakers publication: «High-Tech Bridge Moves Ethical Hacking to the Cloud with ImmuniWeb® SaaS»
  • 11. ©2013 High-Tech Bridge SA – www.htbridge.com SUMMARY I. Web Application Security in Brief II. ImmuniWeb® SaaS in Brief III. ImmuniWeb® Self-Fuzzer Firefox Extension
  • 12. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Presentation  ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to detect Cross-Site Scripting and SQL Injection vulnerabilities in web applications.  ImmuniWeb® Self-Fuzzer is not a web application security scanner or crawler, but a real-time web fuzzer. Once being activated by user in his browser, it carefully follows user’s HTTP requests and fuzzes them in real time, carefully checking all HTTP parameters passed within the requests. Results of fuzzing are also displayed in real-time, notifying user immediately upon vulnerability detection.  It demonstrates how rapidly and easily these two most common types of web vulnerabilities can be found even by a person who is not familiar with web security. It is a sort of decision-making tool or Proof-of-Concept for SMBs and private persons who hesitate whether to order ImmuniWeb® Security Assessment or not.
  • 13. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Key advantages  The main advantage of ImmuniWeb® Self-Fuzzer is that it allows user to control the process of fuzzing in real-time, providing user with flexible configuration of the process.  Quite often security scanners cannot follow human logic implemented in web application, or complex web 2.0 application structure, and simply do not arrive to certain “far away” zones of web applications. ImmuniWeb® Self- Fuzzer carefully follows the user and fuzzes all the HTTP requests user performs, efficiently replacing a crawler.  Just carefully following the user in real-time, ImmuniWeb® Self-Fuzzer will not fuzz any potentially dangerous zones where arbitrary or non-standard HTTP requests may destroy the entire database behind the web application (of course if user won’t do it himself).  ImmuniWeb® Self-Fuzzer can be safely used even in production environment, because it does not send any potentially dangerous requests that may damage database (it uses only “AND” operator checking for blind SQL injections, to prevent altering data in UPDATE, DELETE or INSERT SQL statements).
  • 14. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Key features  The extension is user-friendly and does not require any technical skills from the user. Fuzzing process may be started and stopped by just one click.  Being a Firefox extension it does not require any additional configuration of Firefox browser, which user have to do for proxy-based web security testing tools for example.  The extension quickly searches Cross-Site Scripting and SQL Injection vulnerabilities in pages that user visit.  It locks the fuzzing on one target domain to avoid accidental fuzzing of others websites, which user may not intend to scan.
  • 15. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection techniques  To detect vulnerabilities ImmuniWeb® Self-Fuzzer fuzzes various input vectors: POST and GET HTTP requests, COOKIE field and even the URL itself if HTTP parameters are encapsulated into the URL by mod-rewrite for example.  User can manually select which input vectors to use. The vectors can be selected in the configuration panel of the extension.  Once configured, the extension will automatically identify and fuzz all the variables passed via selected input vectors.  As, already mentioned ImmuniWeb® Self-Fuzzer does not use “dangerous” injection patterns for blind SQL injection detection.
  • 16. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection – fuzzing variables  Fuzzing technique varies depending on vulnerability type that we are trying to detect.  For SQL injection detection ImmuniWeb® Self-Fuzzer will fuzz the variables using special SQL characters (to trigger errors), like :  XSS detection is performed by injecting HTML special characters (to check if they are filtered before being displayed), like :  Example : http://www.site.com/page.php?var=1 Vector : GET Variable : var ; Value : 1 Fuzzed Variable Value : 1’”’” Char NUL BS TAB LF CR SUB " % ' _ Hex 0x00 0x08 0x09 0x0a 0x0d 0x1a 0x22 0x25 0x27 0x5c 0x5f Char & < > " ' / Hex 0x26 0x3C 0x3E 0x22 0x27 0x2F
  • 17. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Vulnerability detection – identification  Vulnerabilities are detected by parsing the content returned by web server, depending on the HTTP request previously sent.  For example to identify SQL injection vulnerability, ImmuniWeb® Self- Fuzzer searches for SQL database error messages.  XSS vulnerabilities are identified by searching for non-filtered HTML special characters in page source code previously sent to the script.
  • 18. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage - installation  Download and install the extension from Firefox add-ons page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/  Restart Firefox, and a little icon will appear next to the navigation bar:  Go to the website you want to fuzz and click on the icon, the toolbar will appear with the name of the website. The number at the right displays the number of detected vulnerabilities:
  • 19. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – control panel  Move the mouse cursor over the bar to display the control panel:  There are 5 buttons on this panel : Start/stop the fuzzing process (it queues captured packets) Display results Reset the counter of detected vulnerabilities Enable/disable packets capture Display configuration panel
  • 20. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – control panel  Two progress bars show the fuzzing status for each fuzzer (SQL injection and XSS), and the third one indicates the global progress of fuzzing (at the very bottom of the panel).  Click the configuration button to choose which fuzzing vector(s) to use:
  • 21. ©2013 High-Tech Bridge SA – www.htbridge.com III. ImmuniWeb® Self-Fuzzer Firefox Extension Usage – fuzzing & results  After you have configured the extension, just browse the website you want, every variable used in the selected input vector will be automatically fuzzed while you are surfing:  Results can be displayed by clicking the second button:
  • 22. ©2013 High-Tech Bridge SA – www.htbridge.com References ImmuniWeb® Self-Fuzzer home page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/ ImmuniWeb® Self-Fuzzer video: http://www.youtube.com/watch?v=2USAnmzuRB8 CWE vulnerabilities glossary: https://www.htbridge.com/vulnerability/ ImmuniWeb® SaaS home page: https://www.htbridge.com/immuniweb/ Help Net Security web vulnerabilities statistics by Cenzic: http://www.net-security.org/secworld.php?id=14556 OWASP project: https://www.owasp.org/
  • 23. ©2013 High-Tech Bridge SA – www.htbridge.com Thank you for reading! Your questions are always welcome: xavier.roussel [at] htbridge.com