Beruflich Dokumente
Kultur Dokumente
'%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}$&
N%_)$*()$*R"_)][%](%[x])%a][$*"$-
9]_%'
'%64_[^!_%65/%aa?F%64_D)_(F%64)_%36
([)({}%33){()}$&N%55_)$*()$*R"_)][%55]
(%66[x])%ba
][$*"$-9]_%54' bypasses modsecurity
_*r/a)__(r/b)__(rd)_
%n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n
]!%
%_[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaa[! -z]@$!_%
Wrong Attempts
Valid Username enumeration - Login Page,
New User Reg Page, Password Reset Page
if you have received a response (or a
lack of) that makes you believe
that the overflow has occurred,
attempt to make another request to
the server and see if it still responds.
Submit large inputs and check how the
server responds
If the
application does not pose an upper limit to
the number of items that can be in any
given moment inside the user electronic
cart, you can write an automated script
that keeps adding items to the user cart
until the cart object fills the server
memory.
if the user can directly or indirectly assign a
value that will be
used as a counter in a loop function, this
can cause performance problems on the
server.
1. The tester submits an extremely long
value to the server in the request, and the
application logs the value directly
without having validated that it conforms
to what was expected.
2. The application may have data validation
to verify the submitted value being well
formed and of proper length, but
then still log the failed value (for auditing or
error tracking purposes) into an application
log.
Anapplicationlocksafileforwriting,and
then an exception occurs but does not
explicitly close and unlock the file
Memoryleakinginlanguageswherethe
developer is responsible for memory
management such as C & C++. In the
case where an error causes normal logic
flow to be circumvented, the allocated
memory may not be removed and
may be left in such a state that the garbage
collector does not know it should be
reclaimed
UseofDBconnectionobjectswherethe
objects are not being freed if an exception
is thrown. A number of such
repeated requests can cause the application
to consume all the DB connections, as the
code will still hold the open
DB object, never releasing the resource.
The developer may have chosen
to cache the records in the session instead
of returning to the database for the next
block of data. If this is suspected,
create a script to automate the creation of
many new sessions with the server and run
the request that is suspected of
caching the data within the session for each
one. Let the script run for a while, and then
observe the responsiveness of the
application for new sessions. It may be
possible that a Virtual Machine (VM) or
even the server itself will begin to run out of
memory because of this attack.
curl --request POST --header
Contenttype:text/xml
--data @my_request.xml
http://api.google.com/search/beta2
* inurl:wsdl site:example.com
* Web Services Discovery DISCO, UDDI
* http://seekda.com
* http://www.wsindex.org
* http://www.soapclient.com
* A web service utilizing DOM-based
parsing can be "upset" by including a very
large payload in the XML message, which
the
parser would be obliged to parse
* Binary attachments - Large BLOB
* WSDigger contains sample attack plug-ins
for SQL injection, XSS, XPATH injection
attacks
1) SQL Injection or XPath injection
2) Buffer Overflow and
3) Command Injection.
https://www.ws.com/accountinfo?account
number=12039475' exec
master..xp_cmdshell 'net user Vxr
pass /Add &userId=asi9485jfuhe92
Attach a test virus attachment using a non-
destructive virus like EICAR, to a SOAP
message and post to the target Web
Service.
Capture the Traffic with sniffers/proxy and
replay the request
* XMLHttpRequest Vulnerabilitie, SQL
Injectio, XSS, DOM based XSS,
JSON/XML/XSLT Injection
* AJAX Bridging - Cross website requests
are sent through this method
* Cross Site Request Forgery (CSRF)
* DOS - Multiple XMLHttpRequests
Parse the HTML and JavaScript files and
using a proxy to observe traffic.
Tools
HTTrack,Wikto/Nikto
Goolag scanner, Google Hacking
db (Johny), Goolge, Kartoo
Paros, Webscarab, Tamper IE,
Tamper Data
HTTP Print, NetCraft
nMap,telnet, nessus,
host,NetcraftSearchDNSservice,
DNS Stuff Reverse IP Lookup,
nslookup, wikto
Software Proxies, Wikto
nMap, Nessus, OpenSSL, SSLDigger
Integrigy lsnrcheck, LSNRCTL, TNS
Listener
Curl, wget, web mirroring tool,
Nessus, Nikto
HTTrack,Wikto/Nikto, Goolag,
Spike Proxy
Webscarab,
Netcat, TamperIE, Webscarab etc
Wireshark, Proxy
Webscarab
Brutus, THC Hydra, Burp Intruder,
Cain & Abel
Brutus, THC Hydra, Burp Intruder,
Cain & Abel, John the Ripper,
OPHCRACK, Rainbow Tables
Webscarab
Webscarab, Add N Edit Cookies
CAPTCHA Decoders -PWNtcha,The
Captcha Breaker, Captcha
Decoder, Online Captcha Decoder.
Webscarab,BurpProxy, FoundStone
Cookie Digger
Webscarab,BurpProxy,Paros,
TamperIE/Data
Webscarab
Grep, Nikto, Burp Suite, Paros,
Webscarab
Proxy Tools
Automated tools fails
CAL9000, Rsnake XSSdb, XSSMe
firefox addon, XSS proxy,
WebScarab, Rat proxy, Burp Proxy
CAL9000, Hackvertor, XSSProxy,
BeEF, WebScarab
Automated tools fails
SWFIntruder, Flare, Flasm
OWASP SQLiX
SQL Power Injector
sqlbftools
sqlmap
SqlDumper
sqlninja
Softerra LDAP Browser
Burp Suit, WebScarab, Paros
Webscarab
OllyDbg, Spike, Brute Force Binary
Tester (BFB), Metasploit. RATS,
Flawfinder and ITS4 are available
for analyzing C-style languages
XSS-proxy, Paros, Burp, Metasploit
Net Square wsPawn,
SOAPClient4XG, CURL, Perl -
SOAPlite, OWASP WebScarab: Web
Services plugin, WSDigger
WebScarab, WSDigger
WebScarab, WSDigger
WebScarab, MetaSploit
WebScarab, Ethreal, WireShark,
TCPReplay
Proxy tools, Firebug
OWASP Sprajax
Tools Category OS
Wikto Windows
Nikto Linux
Paros Web App Proxy Windows
TamperIE Data Tampering
Nessus
Vulnerability
Scanner
Nmap
Web Server
Assessment Tool
Wget Web Mirroring
SamSpade Web Spidering
Spike Proxy Web Crawler
Xenu
Curl Secure FTP
OpenSSL Encryption tools
BURP Proxy
Web Vulnerability
Scanners
SSLDigger Encryption tools
HTTrack
HTTPrint
Webserver
Fingerprinting
tool
Webscarab
Web Vulnerability
Analysis
Foundstone Cookie Digger
Comments
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing
HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a
web traffic recorder, web spider, hash calculator, and a scanner for testing common web
application attacks such as SQL injection and cross-site scripting.
Enables HTML-form tampering for penetration testing of web apps
The Nessus vulnerability scanner, is the world-leader in active scanners, featuring high speed
discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability
analysis of your security posture. Nessus scanners can be distributed throughout an entire
enterprise, inside DMZs, and across physically separate networks.
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or
security auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network,
what services (application name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of
other characteristics.
curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP,
HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. curl supports SSL certificates, HTTP
POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy
tunneling and a busload of other useful tricks.
Assess the strength of SSL servers by testing the ciphers
Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It
operates as a man-in-the-middle between the end browser and the target web server, and
allows the user to intercept, inspect and modify the raw traffic passing in both directions.
Burp Proxy allows you to find and exploit application vulnerabilities by monitoring and
manipulating critical parameters and other data transmitted by the application. By modifying
browser requests in various malicious ways, Burp Proxy can be used to perform attacks such as
SQL injection, cookie subversion, privilege escalation, session hijacking, directory traversal and
buffer overflows.
SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported.
Some of these ciphers are known to be insecure.
httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately
identify web servers, despite the fact that they may have been obfuscated by changing the
server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be
used to detect web enabled devices which do not have a server banner string, such as wireless
access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is
very easy to add signatures to the signature database
WebScarab is a framework for analysing applications that communicate using the HTTP and
HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has
several modes of operation, implemented by a number of plugins. In its most common usage,
WebScarab operates as an intercepting proxy, allowing the operator to review and modify
requests created by the browser before they are sent to the server, and to review and modify
responses returned from the server before they are received by the browser. WebScarab is able
to intercept both HTTP and HTTPS communication.
Link
http://www.sensepos
t.com/research/wikto
/
http://www.nessus.or
g
http://curl.haxx.se/