0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for September 2008

Framing via Facebook ==> FaceFraming?


So, I was posting on the wall of a friend in facebook today, alluding to how we should steal my car back from the fascist towing company who took it. I realize it’s probably a bad idea to even hint at this, but what the hell. I can account for my time, and I truly have no intentions of stealing it.

Regardless, it occurred to me that it’s getting easier & easier to damage a reputation online, or to frame someone for a crime they didn’t do.

Imagine if I wanted someone knocked off. If I wanted to create a convincing argument for another person, I could simply log into the framed person’s account, and post a menacing statement like: “I hate everybody today. I think I’m gonna snap soon. @#$# _______” Cheesy? Sure. But convincing enough for a jury? We will see. It’s now a matter of public record (how much so depends on your privacy concerns / settings), and can be used against you.

I think we’re going to see a lot more of this type of evidence in the future. Here are a couple examples of it being used in court (drunk driving cases):

Written by jcran

September 30, 2008 at 3:02 AM

Posted in attack, web2.0


The future will be 0day.


Browsing through my collection of papers & presentations and ran across these:

The IPO of 0day by Justine Aitel and 0day – How hacking really works by Dave Aitel

They’re both quite old (the latter is 3 years old), but relevant.

Reading them brings the interesting observation that the product space simply can’t address the 0day threat. You really need to hire a hacker or hire a pentesting team if you’re concerned about addressing the possibility. Did your last pentest address the threat??

Justine brings up the fact that there are 3 types of pentesters (and if you hire the lower tier, you might as well do the work yourself, heh):

  • Top tier: Can find / exploit 0day.
  • Middle tier: Can utilize tools that exploit 0day.
  • Bottom tier: Run a scanner.

Many companies I’ve worked with don’t even consider 0day as a threat. (In fact, I’m trying to think of a single one…) Maybe it’s viewed as too remote a possibility, maybe it’s not considered relevant for the typical organization, or maybe it’s just too damn difficult to protect against.

Should you? I’m not convinced that every company needs to. But who does? Surely financial organizations, banks, insurance companies, government institutions. Who else? Anyone running financial transactions over custom (probably old / lightly maintained) software…

Is it valid to consider as a real threat? How much time / money should be invested to mitigate the risk?

Written by jcran

September 26, 2008 at 6:41 AM

Posted in attack


McCain vs Obama on the Internet


Interesting & enlightening article on Slate. Details the difference between the Obama & McCain camp on Internet policy. Essentially, boils down to:

McCain: Internet is a Product, and should be commoditized & sold. Market will take care of itself, and no regulation is necessary. Anti Net-Neutrality.

Obama: Internet is a platform, and should be protected as an open economy. Prescriptive regulation is likely necessary. Pro Net-Neutrality.

Strongly with Obama on this, but draw your own conclusions.

Written by jcran

September 24, 2008 at 8:15 PM

Posted in Uncategorized

Firefox Extensions Dump


This is a dump of my current set of Firefox extensions. Some of these are absolutely critical for pentesting: HackBar, TamperData, FireBug and ModifyHeaders. Some are not so critical, but helpful: Shazou (Geolocation), FormFox (See where forms submit to), PDF Download (yeah.), etc.

Aardvark – aardvark.xpi
Powerful and user-friendly selector utility for selecting elements and doing various actions on them. It can be used for cleaning up a page prior to printing it (by removing and isolating elements), for making the page more readable, and (most appreciated by web developers), for analyzing the structure of a page.

Add N Edit Cookies – add_n_edit_cookies-
Cookie Editor that allows you add and edit “session” and saved cookies.

AS Number – asnumber-1.0beta9-fx.xpi
The AS Number Extension displays interesting information about the Internet Service Provider of every website visited. Along with it come some additional statistics for those who want to know what happens behind the Web’s shiny surface.

Book Burro – bookburro.xpi
An extension for FireFox & Flock web browsers to save you time and money when browsing books.

Cert Viewer Plus – cert_viewer_plus-1.4-fx+tb+sm.xpi
Certificate viewer enhancements: PEM format view, file export

Cookie Monster – cookie_monster-0.94-fx.xpi
Cookie Monster features: – Temporary Permission for sites to leave cookies (permission removed and cookies deleted for site with temporary permission upon restart of Firefox) – New option to set general Firefox setting to block all cookies – Updated menu structure – Menu options to view cookies for current site or all sites – A panel indicating the current status of cookies for the current site and domain appears while hovering over the cookie status indicating icon in the status bar In a nutshell, Cookie Monster allows for easier managing of what sites a user allows to set cookies and what sites cannot. It works best for users who do NOT accept cookies by default, although this is not necessary.

Cookie Safe – cookiesafe-3.0.3-fx+tb+sm.xpi
This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies. You can also view or clear the cookies and exceptions by…

Cookie Watcher – cookie_watcher-0.7-fx.xpi
It is a simple extension. It helps testing web applications – it quickly can wipe ‘session’ cookie or it helps to identify cluster node in clustered environments using cookie value.

Delicious Bookmarks – delicious_bookmarks-2.0.104-fx.xpi
Delicious Bookmarks is the official Firefox add-on for Delicious, the world’s leading social bookmarking service (formerly del.icio.us). It integrates your bookmarks and tags with Firefox and keeps them in sync for easy, convenient access.

Download Statusbar – download_statusbar-
View and manage downloads from a tidy statusbar – without the download window getting in the way of your web browsing.

Edit Cookies – EditCookies.xpi
Edit your cookies right in Firefox!

Extended Cookie Manager – extended_cookie_manager-0.9-fx.xpi
Easier cookie management for Firefox

FasterFox – Fasterfox{2.0.0}.xpi
Performance and network tweaks for Firefox

FireBug – firebug-1.2.1-fx.xpi
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

FireCookie – firecookie-0.6-fx.xpi
Firecookie is an extension for Firebug that makes it possible to view and manage cookies in your browser

FlagFox – flagfox-3.3.1-fx.xpi
Displays a country flag depicting the location of the current website’s server and provides quick access to detailed location and webserver information.

FormFox – formfox-1.6.2-fx.xpi
Do you know where your form information is going? This extension displays the form action (the site to which the information you’ve entered is being sent.)

FoxyProxy – foxyproxy-2.8.5-fx.xpi
FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, TorButton, etc.

GreaseMonkey – greasemonkey-0.8.20080609.0-fx.xpi
Allows you to customize the way a webpage displays using small bits of JavaScript. Hundreds of scripts, for a wide variety of popular sites, are already available at http://userscripts.org. You can write your own scripts, too. Check out http://wiki.greasespot.net/ to get started.

HackBar – hackbar-1.3.2-fx.xpi
Simple security audit / Penetration test tool.

HeaderSpy – HeaderSpy{1.2.2}.xpi
Shows HTTP headers on statusbar.

Hide Navigation Bar – hide_navigation_bar-1.2-fx.xpi
This extension enables you to hide the navigation bar through a toggle button. Currently the toggle button is the F2 key. You can change the key in the extensions options, as well as configure whether you want the Navigation Bar to be displayed on an initial Firefox launch. Also allows you to enable an Auto-Hide mode if you wish to use that instead.

HttpFox – httpfox-0.8.2-fx.xpi
An HTTP analyzer addon for Firefox

IETab – ietab-1.5.20080618-addons
This is a great tool for web developers, since you can easily see how your web page displayed in IE with just one click and then switch back to Firefox.

IMacros For Firefox – imacros_for_firefox-
Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every day, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***

JSView – jsview-2.0.5-fx+sm.xpi
All browsers include a “View Source” option, but none of them offer the ability to view the source code of external files. Most websites store their javascripts and style sheets in external files and then link to them within a web page’s source code. Previously if you wanted to view the source code of an external javascript/stylesheet you would have to manually look through the source code to find the url and then type that into your browser. Well now there’s a much easier way.

Live HTTP Headers – live_http_headers-0.14-fx+sm.xpi
View HTTP headers of a page and while browsing.

Live IP Address – live_ip_address-1.82-fx.xpi
Retrieves your Live IP Address and displays it on Firefox’s status bar… Additional features: i) Easy copy of IP address to the clipboard, ii) Set update interval, iii) Force update option

LocationBar – Locationbar{0.9.1}.xpi
Puts emphasis on the domain to reduce spoofing risk. Linkifies URL segments (press Ctrl, Meta, Shift or Alt). More URL formatting options configurable.

Modify Headers – modify_headers-0.6.4-fx+mz+sm.xpi
Add, modify and filter http request headers. You can modify the user agent string, add headers to spoof a mobile request (e.g. x-up-calling-line-id) and much more.

NoScript – noscript-
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS attacks.

PDF Download – pdf_download-
Use PDF Download to do whatever you like with PDF files on the Web. Regain control of them and eliminate browser problems, view PDFs directly in Firefox as HTML, and use the all-new Web-to-PDF toolbar to save and share Web pages as high-quality PDF files.

Poster – poster-1.7.1-fx.xpi
A developer tool for interacting with web services and other web resources that lets you make HTTP requests, set the entity body, and content type. This allows you to interact with web services and inspect the results…

RefControl – refcontrol-0.8.11-fx.xpi
Control what gets sent as the HTTP Referer on a per-site basis.

ReloadEvery – reloadevery-2.0-fx.xpi
Reloads web pages every so many seconds or minutes. The function is accessible via the context menu (menu you get when you right click on a web page) or via a drop down menu on the reload button

Shazou – shazou-2.1-fx.xpi
Finally mapping is integrated with the Firefox browser. The product called Shazou (pronounced Shazoo it is Japanese for mapping) enables the user with one-click to map and geo-locate any website they are currently viewing.

ShowIP – showip-0.8.08r14b0251-fx+mz.xpi
Show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right mouse button) and hostname (left mouse button), like whois, netcraft. Additionally you can copy the IP address to the clipboard.

SQL Inject Me – sqlime-0.2.xpi [Doesn’t Work with FF3]
SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

Tab Mix Plus – tab_mix_plus-dev-build.xpi
Tab Mix Plus enhances Firefox’s tab browsing capabilities. It includes such features as duplicating tabs, controlling tab focus, tab clicking options, undo closed tabs and windows, plus much more. It also includes a full-featured session manager.

TamperData – tamper_data-10.1.0-fx.xpi
Use tamperdata to view and modify HTTP/HTTPS headers and post parameters. Trace and time http response/requests. Security test web applications by modifying POST parameters.

TrashMail.net – trashmail.net-1.0.12-fx.xpi
Create free disposable email addresses and paste them directly in forms. This helps to protect you from spam mails and could be useful when subscribing to forums or newsletters

TwitterFox – twitterfox-1.7-fx.xpi
TwitterFox is a Firefox extension that notifies you of your friends’ statuses of Twitter.

User Agent Switcher – user_agent_switcher-0.6.11-fx+sm.xpi
Adds a menu and a toolbar button to switch the user agent of the browser.

Web Developer Toolbar – web_developer-1.1.6-fx.xpi
Adds a menu and a toolbar with various web developer tools.

XSS Inject Me – xssme-0.2.1.xpi [Doesn’t Work with FF3]
Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS.

You can download them all as one big zip here.

Written by jcran

September 23, 2008 at 7:16 PM

Posted in attack


The One


If you want a glimpse into the future of the web, you NEED to watch this video. Kevin Kelly of WIRED raps on the semantic web, the coming connection of everything, and why the web is really ONE machine.


Written by jcran

September 13, 2008 at 9:43 PM

Posted in Uncategorized


Google Calendar Search for Fun & Profit


In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google Calendar Search by simply typing ‘private’ in the search box. You’ll be surprised by how many results you get (960 at time of writing).

With such nuggets as:

Presentation in Bern [work]
Mon Sep 1 12pm – Mon Sep 1 4pm
Created By
It’s certainly not a great deal of work to trace other public details, and find out exactly who this might be.  Interestingly, he’s also praying at 1AM today, and rowing at 2PM. He looks to be a bit worried about his skills.

This post ties closely to an observation made by stan over at n0where.org. What if a bank were able to access your calendar while you were planning to make a week-long trip to vegas? Do you think they’d still be eager to give you that home-loan? Food for thought, no?

UPDATE 09/02/08:
Google: John Gomez! Are you really sure you want to share this with the world?
John Gomez: *clicks yes*
Google: Are you sure??
John Gomez: just do it, it’s handy!
Google: Okay, but don’t say I didn–
John Gomez: DO IT!
Google: fine. idiot.
[Except this doesn’t happen, and people have NO IDEA they’re sharing this info most likely]

Delta Air Lines #616, 01:15 PM PDT
When: Fri, Sep 26, 4:15pm – 10:01pm
Where: SFO – JFK (map)
Description: Record Locator: MXNYGI Flight: Delta Air Lines #616 Confirmation: CYT0L0 Departure Location: San Francisco International Airport (SFO) Departure Time: Friday, September 26 at 01:15 PM PDT Departure Terminal: 1 Arrival Location: John F. Kennedy International Airport (JFK) Arrival Time: Friday, September 26 at 10:01 PM EDT Arrival Terminal: 3

UPDATE (09/02/08) (2):
Looks like our boy John is in good company at least… 680 results for the term ‘Record Locator.’ Ouch.

So how do you take advantage of this?
– Impersonate them
– Break into their house / steal their car while they’re away
– Frame them for a crime happening in their vicinity
– Call the airport, impersonate an authority (you’ve got all the details, right?.. right.)

Out of curiosity, is anyone doing a taxonomy of real-world attacks? The final attack listed above is analogous to a DOS attack, but these are all straightforward. I’d love to see a taxonomy of possible ways to exploit a piece of information (vulnerability).

Written by jcran

September 2, 2008 at 4:24 AM

webFileScanner.pl – simple file & directory brute-force utility


Here’s a simple utility I coded up using perl + LWP to blindly request files from a webserver and print the status code that’s returned. Functionally, it’s similar to the excellent ‘Dirbuster,’ but without the overhead of Java.


jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl
Usage: ./webFileScanner.pl [ip or hostname] [file with urls] [https?])]


jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl http://0x0e.com ../../wordlist/directory-list-1.0.txt


url: http://0x0e.com/healthyliving - status: 404
url: http://0x0e.com/healthy_living - status: 404
url: http://0x0e.com/pl0p - status: 200
url: http://0x0e.com/relationships - status: 404
url: http://0x0e.com/his - status: 404
url: http://0x0e.com/history - status: 404
url: http://0x0e.com/ancient - status: 404
url: http://0x0e.com/family - status: 404

The output is grep-able & LWP makes it quite simple to add additional features as needed. For instance, you could quickly instruct LWP to save ‘status: 200’ pages to disk.
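The flip side of a wordlist walk like the one above is what it looks like in the target’s access log: a burst of 404s from one client in a few seconds. The following is an added Python example, not code from this post or from webFileScanner.pl, that parses combined-format access-log lines and flags any client that produces a threshold of misses inside a sliding time window. The log lines are constructed for the example (they mirror the run shown above), and the IP addresses, threshold and window size are assumptions. LWP’s default User-Agent really is “libwww-perl/<version>”, which is why it appears in the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx "combined" format). The first
# client replays the kind of wordlist walk the post's output shows; the second is
# an ordinary visitor with a single missing favicon. An unmodified LWP script sends
# "libwww-perl/<version>" as its User-Agent, so that is what the first client shows.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2008:16:30:01 +0000] "GET /healthyliving HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:01 +0000] "GET /healthy_living HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:02 +0000] "GET /pl0p HTTP/1.1" 200 1523 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:02 +0000] "GET /relationships HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:02 +0000] "GET /his HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:03 +0000] "GET /history HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:03 +0000] "GET /ancient HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
203.0.113.7 - - [01/Sep/2008:16:30:04 +0000] "GET /family HTTP/1.1" 404 209 "-" "libwww-perl/5.810"
198.51.100.20 - - [01/Sep/2008:16:30:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Sep/2008:16:30:06 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Flag clients that produce `threshold` or more 404s inside any `window_seconds` span.

    Lines are assumed to be in time order, as a live log is. Returns a dict keyed by
    client IP holding the miss count at the moment the threshold was crossed, the
    window bounds, the User-Agent, and the missing paths seen up to that point.
    """
    misses = defaultdict(deque)   # ip -> timestamps of 404s still inside the window
    paths = defaultdict(list)     # ip -> every path that produced a 404
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = misses[ip]
        window.append(ts)
        paths[ip].append(rec["path"])
        # Slide the window: drop misses older than window_seconds relative to this one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = {
                "misses": len(window),
                "first_seen": window[0],
                "flagged_at": ts,
                "user_agent": rec["ua"],
                "paths": list(paths[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['misses']} misses by {info['flagged_at']:%H:%M:%S} ({info['user_agent']})")
        print("  probed:", ", ".join(info["paths"]))
```

Counting only 404s keeps a busy but legitimate client (lots of 200s) from tripping the rule, and the sliding window means a slow scanner that spreads its requests out simply needs a longer window or a lower threshold to catch, which is the usual tuning knob for this kind of alert.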

You can download the file here.

Written by jcran

September 1, 2008 at 4:30 PM

Posted in attack


HTTP Response Splitting Explained


j0e of LearnSecurityOnline.com recently mentioned that he was actively looking for examples of ‘HTTP Response Splitting.’ I was aware of the vulnerability, but always considered it somewhat theoretical, and didn’t fully understand the concepts. OWASP has a good blurb on it, and this is how I had initially become aware of it.

After examining it closer, I discovered that the vulnerability is nothing more than a more powerful version of XSS. In this case, you’re allowed to inject to the response HEADERS as opposed to (simply) the BODY with XSS. Response Splitting is a more dangerous vulnerability because of this. It will allow you to take full control of the body, and depending on the injection point, set arbitrary values in the HTTP Response header.

How does the vulnerability work? Fundamentally, it’s just an untrusted input and un-encoded output problem (though you can be vulnerable to certain payloads even if you encode output). When unverified input is used to set a value in the HTTP Response Headers, the vulnerability can be used.

For instance, suppose there are 2 pages: http://www.0x0e.org/page1.php and http://www.0x0e.org/page2.php.

  • First, a form value (let’s call it ‘x’) from page1.php is passed to page2.php and accessed via $_POST['x'], $_REQUEST['x'], $HTTP_POST_VARS['x'], or $x (if register_globals is on). If this value is used without verification, we have a problem.
  • To make an HTTP Response Splitting vulnerability, x must be used to set a value in the HTTP Response. This can be done in PHP using the header("Arbitrary-Header-Example: $x") call.

Now, an attacker can use this to his advantage by placing input in the form variable x on page1.php which is passed to page2.php. This input might look something like:

Value of Arbitrary Header%0d%0A
<html><body> 0wned. </body></html>%0d%0A

which would be placed before the original (correct) response, be parsed by the victim’s browser, and displayed on their screen. The full HTTP response would look something like:

GET /page2.php HTTP/1.1
Host    http://www.0x0e.org
User-Agent    "SparkyBrowse 2.0"
Accept    */*
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset    ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive    300
Connection    keep-alive
Referer    http://www.0x0e.org
If-Modified-Since    Thu, 21 Aug 2008 00:10:17 GMT
Cache-Control    max-age=0
Arbitrary-Header-Example: Value of Arbitrary Header
<html><body> 0wned. </body></html>
[original page2.php body -- not processed by the browser]
<head> Page2.php </head>
<body> This is the original Page2.php </body></html>

Notice how the %0d%0A disappeared in the full response? It’s being URL-decoded by the webserver before PHP writes the header, and depending on the OS, the attacker must tailor the input (just LF on *nix, CRLF on win*).

The most important thing to take away from this: HTTP Response Splitting is a stronger form of XSS. Nothing More.
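The page1.php/page2.php scenario above, as an added Python example (not code from the post): a header setter that concatenates the decoded parameter exactly as the unchecked header() call does, the same setter with the one check a hardened version needs, and a minimal browser-style parser showing which body the client ends up rendering. The function names, the stand-in page2.php body and the payload are assumptions; the payload follows the post’s input but adds the blank line (%0d%0A%0d%0A) that terminates the header block, since a browser only starts the body after the first blank line, not directly after the injected header.

```python
import re
from urllib.parse import unquote

# Constructed attacker input for form field x, URL-encoded as it arrives in the POST
# body. It follows the post's payload but adds the blank line (%0d%0A%0d%0A) that
# terminates the header block, since a browser only starts the body after that.
TAINTED_X = ("Value of Arbitrary Header%0d%0A%0d%0A"
             "<html><body> 0wned. </body></html>%0d%0A")

# Stand-in for what page2.php normally emits (assumption, not the post's page).
ORIGINAL_BODY = ("<html><head> Page2.php </head>"
                 "<body> This is the original Page2.php </body></html>")


def is_safe_header_value(value):
    """A header value may never contain CR or LF: either one ends the header line."""
    return re.search(r"[\r\n]", value) is None


def vulnerable_response(x):
    """Mirrors header("Arbitrary-Header-Example: $x") with no validation at all."""
    value = unquote(x)  # the web stack URL-decodes the parameter before PHP sees it
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            f"Arbitrary-Header-Example: {value}\r\n"
            "\r\n" + ORIGINAL_BODY)


def hardened_response(x):
    """Same header, but the decoded value is rejected if it could split the response."""
    value = unquote(x)
    if not is_safe_header_value(value):
        raise ValueError("refusing header value containing CR/LF")
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            f"Arbitrary-Header-Example: {value}\r\n"
            "\r\n" + ORIGINAL_BODY)


def parse_as_browser(raw):
    """Split a raw response the way a client does: headers run up to the first blank
    line (CRLF CRLF, or bare LF LF, which browsers also accept); everything after it
    is body. Returns (headers dict, body)."""
    m = re.search(r"\r?\n\r?\n", raw)
    head, body = raw[:m.start()], raw[m.end():]
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:   # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers, body


if __name__ == "__main__":
    headers, body = parse_as_browser(vulnerable_response(TAINTED_X))
    print("injected header :", headers["Arbitrary-Header-Example"])
    # The attacker's markup is what the browser renders first; without an injected
    # Content-Length the original page2.php body simply trails behind it.
    print("rendered body   :", body.split("\r\n")[0])
    try:
        hardened_response(TAINTED_X)
    except ValueError as e:
        print("hardened version:", e)
```

The check in is_safe_header_value is the whole fix: a header value that can never carry CR or LF cannot end the header it sits in, let alone the header block, so the attacker is left with only the encoded-output problem the post compares this to. Current PHP releases apply the same rule inside header() itself, refusing values that contain a newline, which is why this finding is much rarer in PHP today than in the code the post describes.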

Written by jcran

September 1, 2008 at 6:58 AM

Google Code Search for Fun & Profit


While toying around with Google code search to look for HTTP Response Splitting vulnerabilities, I discovered that code search is a treasure trove of vulnerabilities. For instance, simply try searching for “vulnerability”.

Looks like I’m about 2 years behind on this:

UPDATE (09/01/2008):

Regular expression search rocks. Why can’t you do this with regular search?

Written by jcran

September 1, 2008 at 4:37 AM