XssSniper Google Chrome extension: Automatically Detect DOM-XSS Vulnerabilities – Penetration Testing

Introduction to the XssSniper extension

DOM-XSS vulnerabilities with implicit output have been hard for traditional scanning tools to find. XssSniper is a Chrome browser extension that finds DOM-XSS quickly and accurately by analysing the page dynamically.

Besides XSS with implicit output, the extension also reports explicit-output DOM-XSS and reflected XSS, automatically finds XSS via JSONP endpoints, and detects SOME (Same Origin Method Execution) vulnerabilities.

Principle

XSS detection principle

This extension uses two methods to detect DOM-XSS.

The first method: fuzzing

This method has a very low false-positive rate: everything it reports is a real vulnerability. The cost is a relatively high false-negative rate. Specifically, the extension creates a hidden iframe in the current page and, inside that iframe, fuzzes each URL parameter and the location.hash of the current page with payloads built from different combinations of context-breaking characters. If a payload executes, the vulnerability definitely exists.

The second method: monitoring JavaScript errors

If the XSS is relatively subtle, or needs a very complex combination of characters to break out of its context, the payload will not execute normally. Even so, the payload may cause a JavaScript syntax error, and the extension only needs to detect these exceptions. It then shows the user the error's location, content and line number, so the user can check for XSS manually. This approach misses less, but the price is a higher false-positive rate.

The two detection methods complement each other, each covering the other's weakness.

Download

Usage

Open the control panel

Add your target website in the “Target List” box and click “Save Target”

Optional: you can add more XSS payloads in the “Payload List” box and click “Save payload”

Click “Switch to Open” button

Go to the target website. As you browse these sites, XSS detection starts automatically; once fuzzing is switched on, you only need to browse the target sites normally.

Demo

Source: 0kee

The post XssSniper google chrome extensions: Automatically Detect DOM-XSS Vulnerabilities appeared first on Penetration Testing. http://ift.tt/2rg585x http://ift.tt/2aM8QhC


XSS-Radar: detects parameters and fuzzes for finding XSS vulnerability – Penetration Testing

XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
It’s also the first tool developed by the Bug Bounty Forum community!

How do I install it?

At present, we’re only supporting the widely used Google Chrome. We hope to support Firefox in the future.

First, git clone http://ift.tt/2rgbmlP
Visit chrome://extensions/
Enable Developer Mode via the checkbox
Select “Load Unpacked Extension”
Finally, locate and select the extension folder

How do I use it?

Visit a target page, open the extension and select Fuzz!

Demo

Source: Github

The post XSS-Radar: detects parameters and fuzzes for finding XSS vulnerability appeared first on Penetration Testing. http://ift.tt/2sz82WY http://ift.tt/2aM8QhC

Grow Your Own Tin Crystals

[The Plutonium Bunny] saw homegrown tin crystals on YouTube and reckoned he could do better—those crystals were flimsy and couldn’t stand up outside of the solution in which they were grown. Having previously tackled copper crystals, he applied the same procedure to tin.

He began with a 140 ml baby food jar filled with a solution of tin II chloride, 90 grams per liter, with a small amount of HCl as the electrolyte. A wire at the bottom of the jar was connected to a blob of tin and served as the anode, while the cathode, a loop of tin, stuck down from above. An LM317-based adjustable voltage regulator circuit was used to manage the power running through the solution. Because [The Plutonium Bunny]’s technique involves days or even weeks of very low current, he used six diodes to drop the circuit’s voltage from 1.5 V to 0.25 V, giving him around 13 mA.

His first attempt seemed to go well and he got some nice shiny crystal faces, but he couldn’t get the current below 10 mA without it dropping to the point where no tin was depositing. Rather than reset the experiment he made some changes to the project: he changed the solution by removing 30 ml of the electrolyte and topping it off with water. He also made a gentle agitator out of a DC motor and a flattened plastic tube from a pen, powering it with another low-voltage LM317 circuit so he could get the lowest RPM possible.

With this new setup [The Plutonium Bunny] began to get much better results, proving his hypothesis that low current with a lower concentration of Sn2+ was the ticket for large crystal growth. We featured his copper crystal experiments last year and he’s clearly making good progress! Video after the break.

Filed under: chemistry hacks http://ift.tt/2rfLeb2 http://ift.tt/2aM8QhC


Android Arsenal – Static Analysis Tools – Penetration Testing

Amandroid
Amandroid is a static analysis framework for Android apps. The Android platform is immensely popular. However, malicious or vulnerable applications have been reported to cause several security problems. Currently there is no effective method that a market operator can use to vet apps entering a market (e.g., Google Play).

Prior work using static analysis to address Android app security problems has mostly focused on specific problems and built specialized tools for them. We observe that a large portion of those security issues can be resolved by addressing one underlying core problem: capturing semantic behaviors of the app such as object points-to and control-/data-flow information. Thus, we designed a new approach to conducting static analysis for vetting Android apps, and built a generic framework, called Amandroid, which does flow- and context-sensitive data flow analysis in an inter-component way.

Our approach shows that a comprehensive (tracking all objects) static analysis method on Android apps is feasible in terms of computation resources, and the Amandroid framework is flexible and easy to extend for many types of specialized security analyses.

Since Amandroid directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid analysis is sound in that it can provide assurance of the absence of the specified security problems in an app under well-specified and reasonable assumptions about the Android runtime and its library.

On top of Amandroid we performed certain specific security analyses, for instance, a) user password flow tracking, b) intent injection detection, and c) crypto API misuse checking. We apply those analyses on hundreds of apps collected from Google Play’s popular apps and a third-party security company, and the results show that it is capable of finding real security issues and efficient enough in terms of analysis time.

Androwarn
Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with the static analysis of the application’s Dalvik bytecode, represented as Smali.

This analysis leads to the generation of a report, at a level of technical detail chosen by the user.

APKInspector
A powerful GUI tool for analysts to analyze Android applications.

Droid-hunter
Android application vulnerability analysis and Android pentest tool
A. Support
> App info check
> Baksmaling Android app
> Decompile Android app
> Extract class file
> Extract Java code
> Pattern-based information leakage

Error-Prone
Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.

FindBugs + FindSecurityBugs
FindSecurityBugs is an extension of FindBugs that adds Java application security rules. It finds cryptography problems and Android-specific issues.

FlowDroid
FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. Unlike many other static-analysis approaches for Android we aim for an analysis with very high recall and precision. To achieve this goal we had to accomplish two main challenges: To increase precision we needed to build an analysis that is context-, flow-, field- and object-sensitive; to increase recall we had to create a complete model of Android’s app lifecycle.

Lint
Android Studio provides a code scanning tool called lint that can help you to identify and correct problems with the structural quality of your code without your having to execute the app or write test cases. Each problem detected by the tool is reported with a description message and a severity level, so that you can quickly prioritize the critical improvements that need to be made. Also, you can lower the severity level of a problem to ignore issues that are not relevant to your project, or raise the severity level to highlight specific problems.

The lint tool checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization. When using Android Studio, configured lint and IDE inspections run whenever you build your app. However, you can manually run inspections or run lint from the command line.

Smali CFGs
Smali Control Flow Graphs

SPARTA
The SPARTA project (Static Program Analysis for Reliable Trusted Apps) is building a toolset to verify the security of mobile phone applications.

SPARTA is a research project funded by the DARPA Automated Program Analysis for Cybersecurity (APAC) program. SPARTA aims to detect certain types of malware in Android applications, or to verify that the app contains no such malware. SPARTA’s verification approach is type-checking: the developer states a security property, annotates the source code with type qualifiers that express that security property, then runs a pluggable type-checker to verify that the type qualifiers are right (and thus that the program satisfies the security property).

In addition to type-checking, SPARTA also provides tools to aid in manual identification of malware in source code. These tools include a tool to show what permissions are needed for each API call used and a tool to report the use of suspicious APIs.

Thresher
Thresher is a static analysis tool that specializes in checking heap reachability properties. Its secret sauce is using a coarse up-front points-to analysis to focus a precise symbolic analysis on the alarms reported by the points-to analysis. See our PLDI ’13 paper for more details.

VectorAttackScanner
This is a tool to analyze Android, Linux and Windows binaries and detect points of attack such as intents, receivers, services, processes and libraries.

The tool uses static analysis methods; the attack vectors it finds can then be fuzzed to discover vulnerabilities.

With this tool it is easier for security researchers, bug hunters, exploit writers and malware developers to find problems such as insecure compilation flags and exposed methods/functions; the tool searches for them automatically.

It is well known in IT security that countermeasures and memory protections such as RELRO, PaX, ASLR, PIE, NX, SSP (stack canaries) and others have been created to make exploit writing harder and to prevent programs from executing arbitrary code; this tool checks binaries for these flags.

The post Android Arsenal – Static Analysis Tools appeared first on Penetration Testing. http://ift.tt/2rYY8ge http://ift.tt/2aM8QhC

File upload XSS – Vulnerabilities, XSS via file upload, Unrestricted File Upload

A file upload point is an excellent opportunity for XSS. Many sites let users upload personal data such as profile pictures, so there are plenty of chances to find related bugs. If what you find happens to be a self-XSS, see this article.

First, we find an upload entry point like the one below; this is usually not difficult.

File name method
The file name itself may be reflected in the page, so a file whose name contains an XSS payload can trigger it.

Metadata
With ExifTool you can change the EXIF metadata, which sometimes gets reflected:

$ exiftool -FIELD=XSS FILE

Example:

$ exiftool -Artist='">' brute.jpeg

SVG format
If the application allows uploading files in SVG format (actually an image type), then files with the following content can be used to trigger XSS:

GIF image
Create a GIF image that carries a JavaScript payload and can be used as the source of a script. This is useful for bypassing a CSP (Content Security Policy) of “script-src 'self'” (which blocks the inline XSS of the example), but only if we can inject a script reference in the same domain. To create such an image, use the following as both its content and its name, with the .gif extension:

GIF89a/**/=alert(document.domain)//;

The GIF header, GIF89a, serves as a variable to which the alert function call is assigned. Between them there is a comment marker that stops the file from being treated as a text/HTML MIME type, so simply requesting this file as a script will execute the payload.

As shown below, the UNIX file command and PHP's exif_imagetype() and getimagesize() functions recognize it as a GIF file. So if an application only uses these methods to verify that a file is an image, the file will upload successfully (though it may be removed afterwards).
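As an added example (not code from the original post), the following Python shows why a signature-only check like exif_imagetype() accepts the GIF89a polyglot above, while a validator that walks the GIF block structure rejects it, and how to discard the client-supplied file name so it can never be reflected. The sample bytes, the minimal 1x1 GIF and all function names are constructed here for the demonstration.

```python
import re
import secrets

# Constructed sample: the GIF/JavaScript polyglot from the post above.
XSS_GIF = b"GIF89a/**/=alert(document.domain)//;"

# Constructed sample: a minimal, structurally valid 1x1 GIF89a
# (header, logical screen descriptor, 2-entry colour table,
# image descriptor, one LZW data sub-block, trailer).
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + b"\x00\x00\x00\x00" + b"\x01\x00\x01\x00" + b"\x00"
    + b"\x02" + b"\x02\x44\x01" + b"\x00"
    + b"\x3b"
)

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}  # no svg: it can carry scripts


def magic_bytes_say_gif(data: bytes) -> bool:
    """Signature-only check, the level of checking exif_imagetype() and file do."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def _skip_sub_blocks(data: bytes, pos: int):
    """Advance over a chain of length-prefixed sub-blocks; None if truncated."""
    while True:
        if pos >= len(data):
            return None
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_is_structurally_valid(data: bytes):
    """Walk the GIF block grammar; return (ok, reason).

    The polyglot fails because the bytes after its logical screen
    descriptor are JavaScript, not a GIF block introducer."""
    if not magic_bytes_say_gif(data) or len(data) < 13:
        return False, "no GIF signature or too short"
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    saw_image = False
    while True:
        if pos >= len(data):
            return False, "truncated before trailer"
        block = data[pos]
        if block == 0x3B:  # trailer
            return (True, "ok") if saw_image else (False, "no image data")
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:  # image descriptor
            if pos + 10 > len(data):
                return False, "truncated image descriptor"
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:  # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW min code size
            saw_image = True
        else:
            return False, f"unexpected byte 0x{block:02x} at offset {pos}"
        if pos is None:
            return False, "truncated sub-blocks"


def safe_stored_name(client_name: str, token=None):
    """Discard the client-supplied name (it may be reflected into a page);
    keep only a whitelisted extension on a random server-side name."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if not re.fullmatch(r"[a-z0-9]+", ext) or ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{token or secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for label, blob in (("polyglot", XSS_GIF), ("real gif", MINIMAL_GIF)):
        print(label, "magic:", magic_bytes_say_gif(blob),
              "structure:", gif_is_structurally_valid(blob))
    print(safe_stored_name("<svg onload=alert(1)>.gif"))
```

Serving uploads from a separate origin with X-Content-Type-Options: nosniff removes the remaining script-src 'self' angle even if a malformed file slips through.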

The post File upload XSS – Vulnerabilities appeared first on Penetration Testing. http://ift.tt/2rYY6F8 http://ift.tt/2aM8QhC

Android Malware Analysis Tools, Android malware analysis sandbox

TOOLS

» AFLogical – Android forensics tool developed by viaForensics
» Amandroid – Is a static analysis framework for Android apps
» Android backup extractor – Android backup extractor
» Android Loadable Kernel Modules
» Android SDK
» Android4me – J2ME port of Google’s Android
» Android-forensics – Open source Android Forensics app and framework
» Android-random – Collection of extended examples for Android developers
» Androwarn – Is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application
» ApkAnalyser – Static, virtual analysis tool
» Apk-extractor – Android Application (.apk) file extractor and Parser for Android Binary XML
» Apkinspector – Powerful GUI tool for analysts to analyze the Android applications
» Apk-recovery – Recover main resources from your .apk file
» Audit tools
» bunq fuzzer – Program for testing a mobile app by sending it semi-random inputs
» Canhazaxs – A tool for enumerating the access to entries in the file system of an Android device
» ConDroid – Symbolic/concolic execution of Android apps
» DDMS – Dalvik Debug Monitor Server
» Decaf-platform – DECAF Binary Analysis Platform
» Device Monitor – Graphical user interface for several Android application debugging and analysis tools
» Dexinfo – A very rudimentary Android DEX file parser
» Dexter – Static android application analysis tool
» Dexterity – Dex manipulation library
» Dextools – Miscellaneous DEX (Dalvik Executable) tools
» DidFail – Uses static analysis to detect potential leaks of sensitive information within a set of Android apps
» Drozer – Comprehensive security audit and attack framework for Android
» FindBugs – Find Bugs in Java Programs
» Find Security Bugs – The FindBugs plugin for security audits of Java web applications.
» FlowDroid – Is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications
» Heimdall – Cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung mobile devices
» Hidex – Demo application where a method named thisishidden() in class MrHyde is hidden from disassemblers but not called by the app
» Hooker – Automated Dynamic Analysis of Android Applications
» Maldrolyzer – Simple framework to extract “actionable” data from Android malware (C&Cs, phone numbers etc.)
» mbfuzzer (Mobile Application Fuzzer via SSL MITM) – Mobile Application Fuzzer via SSL MITM
» PScout – Analyzing the Android Permission Specification
» Scalpel – A surgical debugging tool to uncover the layers under your app
» SPARTA – Is building a toolset to verify the security of mobile phone applications
» Apk Sign – Sign.jar automatically signs an apk with the Android test certificate.
» SIIS Tools – This page contains a list of software tools created by the SIIS lab
» Smali – An assembler/disassembler for Android’s dex format
» Smali-CFGs – Smali Control Flow Graphs
» SmaliEx – A wrapper to get dex from oat
» SmaliSCA – Static Code Analysis for Smali files
» Soot – Java Optimization Framework
» STAMP – STatic Analysis of Mobile Programs
» Systrace – Analyze the performance capturing and displaying execution times of your applications and other Android system processes
» TaintDroid – Tracking how apps use sensitive information required
» Traceview – Graphical viewer for execution logs saved by your application
» Undx – Bytecode translator
» XML-apk-parser – Print AndroidManifest.xml directly from apk file

VULNERABILITIES

» AndroBugs Framework – Is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
» Devknox – Autocorrect security issues as you write code
» JAADAS – Joint Advanced Defect assEsment for android applications
» QARK – Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
» Quixxi – Free automated vulnerability test.
» SUPER Android Analyzer – Secure, Unified, Powerful and Extensible Rust Android Analyzer

FUZZING

» IntentFuzzer – is a tool that can be used on any device using the Google Android operating system (OS)
» Radamsa Fuzzer – An Android port of radamsa fuzzer
» Honggfuzz – Security oriented fuzzer with powerful analysis options
» Melkor – An Android port of the melkor ELF fuzzer
» MFFA – Media Fuzzing Framework for Android
» AndroFuzz – A fuzzing utility for Android that focuses on reporting and delivery portions of the fuzzing process

UNPACKERS / DEOBFUSCATORS

» Android Unpacker – Android Unpacker presented at Defcon 22 – Android Hacker Protection Level 0
» Dehoser – Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header
» Kisskiss – Unpacker for various Android packers/protectors
» Simplify – Generic Android Deobfuscator
» ClassNameDeobfuscator – Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.

PACKERS / OBFUSCATORS

» Allatori
» APKfuscator – A generic DEX file obfuscator and munger
» APKProtect
» Bangcle
» DexGuard – Optimizer and obfuscator for Android
» HoseDex2Jar – Adds some instructions to the classes.dex file that Dex2Jar can not process
» ProGuard – Shrinks, optimizes, and obfuscates the code by removing unused code and renaming classes, fields, and methods with semantically obscure names

RE

» AndBug – A Scriptable Android Debugger
» AndroChef – Java Decompiler apk, dex, jar and java class-files
» Androguard – powerful, integrates well with other tools
» Android Framework for Exploitation
» APK Studio – Android Reverse Engineering Tool By Vaibhav Pandey a.k.a VPZ
» Apktool – really useful for compilation/decompilation (uses smali)
» ART – GUI for all your decompiling and recompiling needs
» Bypass signature and permission checks for IPCs
» Android OpenDebug – make any application on device debuggable (using cydia substrate)
» Dare – .dex to .class converter
» Dava – Decompiler for arbitrary Java bytecode
» DecoJer – Java Decompiler
» Dex2Jar – dex to jar converter
» Dex-decomplier – Dex decompiler
» Enjarify – dex to jar converter from Google
» Dedexer – is a disassembler tool for DEX files
» Fino – Android small footprint inspection tool
» Frida – inject javascript to explore applications and a GUI tool for it
» Indroid – thread injection kit
» IntentSniffer – is a tool that can be used on any device using the Google Android operating system (OS)
» Introspy – Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues
» JAD – Java decompiler
» JADX – Dex to Java decompiler
» JD-GUI – Java decompiler
» JEB Decompiler – The Interactive Android Decompiler
» CFR – Java decompiler
» Krakatau – Java decompiler
» Luyten – Java Decompiler Gui for Procyon
» Procyon – Java decompiler
» FernFlower – Java decompiler
» Redexer – apk manipulation
» Smali viewer
» Simplify Android deobfuscator – Generic Android Deobfuscator
» Bytecode viewer – A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
» Radare2 – Unix-like reverse engineering framework and commandline tools
» Reverse Android – Reverse-engineering tools for Android applications
» Xenotix-APK-Decompiler – APK decompiler powered by dex2jar and JAD
» ZjDroid – Android app dynamic reverse tool based on Xposed framework

NETWORK

» Android tcpdump
» Canape
» Nogotofail
» ProxyDroid
» Wireshark

TOOLKITS

» Android Malware Analysis Toolkit
» Android Tamer
» Androl4b
» APK Resource Toolkit
» Appie – Android Pentesting Portable Integrated Environment
» AppUse
» AuditdAndroid
» CobraDroid
» CuckooDroid
» MARA_Framework
» Mem
» MobiSec
» Open Source Android Forensics Toolkit
» ProbeDroid
» Santoku
» Vezir-Project
» viaLab Community Edition

FRAMEWORKS

» MobSF – Mobile Security Framework
» Needle

SANDBOXES

» Android Sandbox
» AndroTotal
» Anubis
» APK Analyzer
» APP-RAY
» AppCritique
» Appknox
» AVCaesar
» AVC UnDroid
» CopperDroid
» Droidbox
» Eacus – MobiSec Lab
» HackApp
» Mobile Malware Analysis
» Mobile Sandbox
» NVISO ApkScan
» SandDroid
» Tracedroid
» VisualThreat

The post Android Malware Analysis Tools appeared first on Penetration Testing. http://ift.tt/2rtICp7 http://ift.tt/2aM8QhC