RE: Proof of Concept Tool on Web Application Security

From: Einecker, Leah (Leah_EineckerIntuit.com)
Date: Thu Apr 10 2003 - 16:56:43 CDT


David Endler and Michael Sutton did a presentation on bruteforcing session
IDs at DEFCON last year. Links to the presentation, the "iDefense Session
Auditor tool", and a video of the talk are all available at:
http://www.defcon.org/html/links/defcon-media-archives.html

Cheers,
-L

>-----Original Message-----
>From: Indian Tiger [mailto:indiantigermailandnews.com]
>Sent: Tuesday, April 15, 2003 11:06 AM
>To: pen test
>Subject: Proof of Concept Tool on Web Application Security
>
>
>Hi all,
>
>I have tried a lot to find any Proof of Concept Tool on Web Application
>Security but still I am not able to find a single one. Let me give some
>specific details.
>
>Session ID
>Generally the session ID is big enough and acts as an authentication token.
>Most of the time only the last few digits change, let's say only three
>digits from the end. Even when it does only this, it is very tough to guess
>these last three digits. I have made a testing site and tried, but was not
>able to do that. I knew the session ID is not the only authentication
>parameter. It can contain cookies, session tokens etc. as well. I have tried
>Achilles, Web Sleuth, Web Inspect, Spike Proxy etc. I think at least they
>don't do such brute force.
>Is there any tool which does brute force on this and gives the session ID?
>
>Cookie Manipulation
>Several articles talk about cookie manipulation. How to get the cookies of
>others, even in a LAN, seems very tough or not possible as per my study on
>the Web. If an attacker is able to redirect another person's traffic to any
>proxy like Achilles or Web Sleuth, then he can perform attacks. Now nobody
>allows his proxy setting to be changed and his output to be sent through
>the attacker (proxy).
>Is there any tool which can give access to/manipulate the cookie remotely?
>
>This manipulation can also be achieved if an attacker can put his proxy
>(Web Sleuth) on an intermediate router/proxy. One example: I am accessing
>Hotmail, and on my ISP's router/proxy an attacker installs a tool like Web
>Sleuth. But again the question comes: a router works on OSI layer 3, so the
>attacker can't put a tool like Web Sleuth there. If the intermediate hop is
>a proxy, which is on the application level, there should be some tool which
>can be placed here.
>
>XSS
>Cross Site Scripting has to use client-side scripting only. What could be
>the maximum impact of this? Can an attacker format a machine or steal data
>by this? If yes, how?
>
>Please also tell me of any other Proof of Concept Tool on Web Application
>Security. I read the OWASP guides, WebGoat and some more to understand these
>three things deeply and develop a Proof of Concept Tool, but no success
>except hidden field manipulation. Please recommend some good guides on this.
>
>Any help on this would be highly appreciated.
>
>Thanking You.
>Sincerely,
>
>Indian Tiger, CISSP
>
>
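
An added example, not part of the original thread or of the tool it links to: a defender-side check on session IDs collected from your own test application, reporting which character positions actually change between sessions and an upper bound on the effective keyspace. The sample IDs, the function names and the 64-bit threshold are constructed assumptions.

```python
import math

# Constructed sample: IDs as a test application might issue them, where only
# the last three digits change between sessions (the pattern in the post).
SAMPLE_IDS = [
    "A7F3C29E51B84D0066120417",
    "A7F3C29E51B84D0066120583",
    "A7F3C29E51B84D0066120932",
    "A7F3C29E51B84D0066120268",
    "A7F3C29E51B84D0066120705",
]

def alphabet_size(chars):
    """Assume every character class seen at a position is fully usable."""
    size = 0
    if any(c.isdigit() for c in chars):
        size += 10
    if any(c.islower() for c in chars):
        size += 26
    if any(c.isupper() for c in chars):
        size += 26
    if any(not c.isalnum() for c in chars):
        size += 32
    return size

def audit(ids, min_bits=64):
    """Return (varying positions, keyspace upper bound in bits, weak?).

    The bound is optimistic: it treats every varying position as uniformly
    random. Sequential or time-derived values give far less in practice.
    min_bits is an assumed policy threshold, not a value from the thread.
    """
    if len(ids) < 2 or len({len(i) for i in ids}) != 1:
        raise ValueError("need at least two IDs of equal length")
    varying, bits = [], 0.0
    for pos, column in enumerate(zip(*ids)):
        if len(set(column)) > 1:  # this position changes between sessions
            varying.append(pos)
            bits += math.log2(alphabet_size(column))
    return varying, bits, bits < min_bits

if __name__ == "__main__":
    positions, bits, weak = audit(SAMPLE_IDS)
    print(f"varying positions: {positions}")
    print(f"keyspace upper bound: {bits:.2f} bits, weak: {weak}")
```

A long ID whose fixed prefix never changes contributes nothing here: only the positions that vary count toward the keyspace.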