#LNUG Suite - Next Generation of Web Application Security Tools

Transcript

1. SUITE Next Generation of Web Application Security Tools #LNUG Tuesday,

   29 January 2013

2. @pdp Tuesday, 29 January 2013

3. THE THING Tuesday, 29 January 2013

4. dis·or·gan·ized /disˈôrgəˌnīzd/ Tuesday, 29 January 2013

5. JAVASCRIPT + SECURITY Tuesday, 29 January 2013

6. ...inspiration for this work... Tuesday, 29 January 2013

7. JIKTO Tuesday, 29 January 2013

8. ATTACKAPI Tuesday, 29 January 2013

9. MYSPACEWORM Tuesday, 29 January 2013

10. 3 Evil Plans Tuesday, 29 January 2013

11. EVIL PLAN 01 WEB VICTIM VICTIM ATTACKER TARGET TARGET User

    the victim’s browser to attack other web targets. Tuesday, 29 January 2013

12. Evil Plan 01 JIKTO Tuesday, 29 January 2013

13. EVIL PLAN 02 NETWORK VICTIM RESOURCE RESOURCE ATTACKER User the

    victim’s browser to compromise the local network. Tuesday, 29 January 2013

14. Evil Plan 02 ★ JavaScript Port Scanner ★ JavaScript Authorisation

    Brutforcer ★ Attacking UPnP ★ CSRF and Authentication Bypass in home routers ★ Attacking Linksys cameras ★ Attacking other embedded network devices Tuesday, 29 January 2013

15. EVIL PLAN 03 SOCIAL NETWORK VICTIM VICTIM VICTIM ATTACKER User

    the victim’s browser to attack other people’s profiles. Tuesday, 29 January 2013

16. Evil Plan 03 ALL OF ‘EM Tuesday, 29 January 2013

17. ...but there is also this... Tuesday, 29 January 2013

18. BONUS EVIL PLAN OS TORJY VIRI VIRI TROJY User the

    victim’s browser to compromise the system. Tuesday, 29 January 2013

19. Bonus Evil Plan ★ Attacking Browsers and Browser Chrome ★

    Abuse Browser Extension System ★ Weaken Browser Security Controls ★ Use other system tools like JScript, etc. 2005, 2006, 2007, 2008 Tuesday, 29 January 2013

20. TOOLS Tuesday, 29 January 2013

21. && JUST ...but also... SET, XSSF, XSSER, WebSploit Client-Side Exploitation

    Tuesday, 29 January 2013

22. ...how about using the browser for security testing.... Tuesday, 29

    January 2013

23. THE WEB IN A BOX Tuesday, 29 January 2013

24. 2009, 2010, 2011, 2012 Tuesday, 29 January 2013

25. JS Port Scanner AttackAPI Websecurify Suite Weaponry Tuesday, 29 January

    2013

26. Weapony ... Tuesday, 29 January 2013

27. ★ Create a Client-side Security Scanner ★ Create Client-side Security

    Tools Tuesday, 29 January 2013

28. BUT JAVASCRIPT ****S Tuesday, 29 January 2013

29. ARCHITECTURE TARGET COMPILER OBJECTIVE-C CODE JAVASCRIPT OTHER Tuesday, 29 January

    2013

30. ARCHITECTURE BROWSER PLUGIN ENGINE BROWSER Tuesday, 29 January 2013

31. I BELIEVE IN THIS Tuesday, 29 January 2013

32. DEMO Playing with the Suite Tuesday, 29 January 2013

33. WITH NODEJS Tuesday, 29 January 2013

34. ★ First security scanner created April 2011 ★ Based on

    the pure JavaScript testing engine. ★ Fairly unstable. Nodejs Experiments I Tuesday, 29 January 2013

35. LOGIN SCREEN... Tuesday, 29 January 2013

36. TARGET SCREEN... Tuesday, 29 January 2013

37. PROCESS SCREEN... Tuesday, 29 January 2013

38. ★ Multiprocess architecture is better. ★ Statically compiled vs dynamic.

    Nodejs Lessons Tuesday, 29 January 2013

39. DEMO Nodejs Experiment Tuesday, 29 January 2013

40. ★ The scanner is fairly stable and well performant. ★

    We scanned the Internet for low- hanging-fruit - under 10 minutes. ★ Some interesting issues were identified. ★ Some bug-bounties won. Nodejs Experiments II Tuesday, 29 January 2013

41. ★ XMLHttpRequest hacked and monkey patched. ★ Sqlite3 has concurrency

    problems. ★ Request send vs Socket timeout is important. Nodejs Lessons Tuesday, 29 January 2013

42. DEMO The Internet Enumerator Experiment Tuesday, 29 January 2013

43. ★ Invest into a server application on Nodejs. ★ Combined

    client-side and server-side testing capabilities. ★ When it is ready will show it at #LNUG. Nodejs Experiments III Tuesday, 29 January 2013

44. THE END This Was Difficult Tuesday, 29 January 2013

45. SLIDE 45 Tuesday, 29 January 2013