Portcullis Labs » FM https://labs.portcullis.co.uk Research and Development en-US hourly 1 http://wordpress.org/?v=3.8.5 XSS Tunnelling https://labs.portcullis.co.uk/whitepapers/xss-tunnelling/ https://labs.portcullis.co.uk/whitepapers/xss-tunnelling/#comments Fri, 26 Apr 2013 17:42:49 +0000 http://wordpress.65535.com/blogtest/?p=97 XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies. This paper explains the idea and the real world implementation.

The post XSS Tunnelling appeared first on Portcullis Labs.

]]>
XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies. This paper explains the idea and the real world implementation.

XSS-Tunnelling
XSS-Tunnelling.pdf
April 26, 2013
257.4 KiB
MD5 hash: 6fc8c1b79fd57a8e351b1b1c8ecdbdb5
Details

The post XSS Tunnelling appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/whitepapers/xss-tunnelling/feed/ 0
Insecure Trends in Web 2.0 Applications https://labs.portcullis.co.uk/presentations/insecure-trends-in-web-2-0-applications/ https://labs.portcullis.co.uk/presentations/insecure-trends-in-web-2-0-applications/#comments Fri, 26 Apr 2013 18:02:53 +0000 http://wordpress.65535.com/blogtest/?p=148 Non technical talk about insecure trends in Web 2.0 applications. Explains what’s wrong with today’s Web 2.0 applications and why new comers keep repeating these.

The post Insecure Trends in Web 2.0 Applications appeared first on Portcullis Labs.

]]>
Non technical talk about insecure trends in Web 2.0 applications. Explains what’s wrong with today’s Web 2.0 applications and why new comers keep repeating these.

Insecure-Web-20-Trends
555.5 KiB
MD5 hash: 742863b8a96fb362c15a9bedd7f7f3ff
Details

The post Insecure Trends in Web 2.0 Applications appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/presentations/insecure-trends-in-web-2-0-applications/feed/ 0
Flash Security https://labs.portcullis.co.uk/presentations/flash-security/ https://labs.portcullis.co.uk/presentations/flash-security/#comments Fri, 26 Apr 2013 18:06:17 +0000 http://wordpress.65535.com/blogtest/?p=154 This presentation given at RIATalks, it’s about fundamental flash security issues, attack surface of Flash and secure development. During the presentation there was stealing data through vulnerable Crossdomain.xml files, you can download source code of this file – FlashSecurityCrossdomain.zip.

The post Flash Security appeared first on Portcullis Labs.

]]>
This presentation given at RIATalks, it’s about fundamental flash security issues, attack surface of Flash and secure development.

During the presentation there was stealing data through vulnerable Crossdomain.xml files, you can download source code of this file – FlashSecurityCrossdomain.zip.

Flash-Security
Flash-Security.pps
April 26, 2013
543.0 KiB
MD5 hash: f16c66d291117326a1e879330e573ee1
Details
FlashSecurityCrossdomain
34.5 KiB
MD5 hash: 9cf7e4e2c40c2db545281acc80add5c2
Details

The post Flash Security appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/presentations/flash-security/feed/ 0
Deep Blind SQL Injection https://labs.portcullis.co.uk/whitepapers/deep-blind-sql-injection/ https://labs.portcullis.co.uk/whitepapers/deep-blind-sql-injection/#comments Fri, 26 Apr 2013 17:57:02 +0000 http://wordpress.65535.com/blogtest/?p=122 Deep Blind SQL Injection is a new way to exploit Blind SQL Injections with a 66% reduction in the number of requests. This document describes how it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six […]

The post Deep Blind SQL Injection appeared first on Portcullis Labs.

]]>
Deep Blind SQL Injection is a new way to exploit Blind SQL Injections with a 66% reduction in the number of requests.

This document describes how it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.

Deep Blind SQL Injection
362.5 KiB
MD5 hash: 139cca843ee5c8f014350a551133af6d
Details

The post Deep Blind SQL Injection appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/whitepapers/deep-blind-sql-injection/feed/ 0
DoS Attacks Using SQL Wildcards https://labs.portcullis.co.uk/whitepapers/dos-attacks-using-sql-wildcards/ https://labs.portcullis.co.uk/whitepapers/dos-attacks-using-sql-wildcards/#comments Fri, 26 Apr 2013 17:55:35 +0000 http://wordpress.65535.com/blogtest/?p=112 This document discusses abusing Microsoft SQL Query wildcards to consume CPU in database servers. This can be achieved using only the search field present in most common web applications. If an application has the following properties then it is highly possibly vulnerable to wildcard attacks: An SQL Server Backend More than 300 records in the […]

The post DoS Attacks Using SQL Wildcards appeared first on Portcullis Labs.

]]>
This document discusses abusing Microsoft SQL Query wildcards to consume CPU in database servers. This can be achieved using only the search field present in most common web applications. If an application has the following properties then it is highly possibly vulnerable to wildcard attacks:

  1. An SQL Server Backend
  2. More than 300 records in the database and around 500 bytes of data per row
  3. An application level search feature

As you might notice I have just described 90% of Microsoft SQL Server based CMSs, blogs, CRMs and e-commerce web applications. Other databases could be vulnerable depending on how the applications implement search functionalities although common implementation of the search functionality in SQL Server back-end applications is vulnerable.

DoS Attacks Using SQL Wildcards
567.2 KiB
MD5 hash: 51a158a1e160f74d3c8e54ce364c873b
Details

The post DoS Attacks Using SQL Wildcards appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/whitepapers/dos-attacks-using-sql-wildcards/feed/ 0
How to Detect and Exploit 99% of XSS Vulnerabilities https://labs.portcullis.co.uk/presentations/how-to-detect-and-exploit-99-of-xss-vulnerabilities/ https://labs.portcullis.co.uk/presentations/how-to-detect-and-exploit-99-of-xss-vulnerabilities/#comments Fri, 26 Apr 2013 18:04:03 +0000 http://wordpress.65535.com/blogtest/?p=150 This presentation has given in Intercon 2007 (Portcullis’s internal conference), Talks about exploiting and identifying most common XSS vulnerabilities in real world. Examples include following types, Classic XSS Vulnerabilities In HTML Attributes In Comments In Javascript Blocks DOM Based XSS Flash Based XSS Direct Linking Presentation was heavily based on demonstration, so you need to […]

The post How to Detect and Exploit 99% of XSS Vulnerabilities appeared first on Portcullis Labs.

]]>
This presentation has given in Intercon 2007 (Portcullis’s internal conference), Talks about exploiting and identifying most common XSS vulnerabilities in real world.

Examples include following types,

  • Classic XSS Vulnerabilities
  • In HTML Attributes
  • In Comments
  • In Javascript Blocks
  • DOM Based XSS
  • Flash Based XSS
  • Direct Linking

Presentation was heavily based on demonstration, so you need to fill in the blanks.

How-to-Detect-XSS
How-to-Detect-XSS.ppt
April 26, 2013
290.5 KiB
MD5 hash: 554710551ab8a74c7c2d480c795f4273
Details
How-to-Detect-XSS
How-to-Detect-XSS.pdf
April 26, 2013
244.2 KiB
MD5 hash: 9831f023911aa3c9ce7f860453aa2c9b
Details
How-to-Detect-XSS
How-to-Detect-XSS.odp
April 26, 2013
279.6 KiB
MD5 hash: de57eb2e787bb9bf1bf8439c8ab97d56
Details

The post How to Detect and Exploit 99% of XSS Vulnerabilities appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/presentations/how-to-detect-and-exploit-99-of-xss-vulnerabilities/feed/ 0
XSS Tunnel https://labs.portcullis.co.uk/tools/xss-tunnel/ https://labs.portcullis.co.uk/tools/xss-tunnel/#comments Fri, 26 Apr 2013 18:11:27 +0000 http://wordpress.65535.com/blogtest/?p=162 XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. What Is XSS Tunnelling? XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application […]

The post XSS Tunnel appeared first on Portcullis Labs.

]]>
XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server.

What Is XSS Tunnelling?

XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.

What Is XSS Tunnel?

XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. The XSS Tunnel converts the request and responds transparently to validate the HTTP responses and XSS Shell requests.

Refer to XSS Tunnelling paper to read details.

Demonstration Video

Video shows how to use XSS Tunnel to bypass NTLM by exploiting an example permanent XSS.

Download

Download package includes following files:

  • Binary Release of XSS Tunnel v1.0.8
  • .NET Solution + Source Code for XSS Tunnel v1.0.8
  • XSS Tunnelling White Paper
  • XSS Shell v0.6.2 Release (ASP files, database and documentation)
Xsstunnelling-video
xsstunnelling-video.zip
February 5, 2014
6.7 MiB
MD5 hash: 68906b3ec511b2308e2342812330131d
Details
XSS-Tunnelling
XSS-Tunnelling.pdf
April 26, 2013
257.4 KiB
MD5 hash: 6fc8c1b79fd57a8e351b1b1c8ecdbdb5
Details

The post XSS Tunnel appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/tools/xss-tunnel/feed/ 0
XSS Shell https://labs.portcullis.co.uk/tools/xss-shell/ https://labs.portcullis.co.uk/tools/xss-shell/#comments Fri, 26 Apr 2013 18:13:08 +0000 http://wordpress.65535.com/blogtest/?p=164 NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version visit https://github.com/portcullislabs/xssshell-xsstunnell XSS Shell is a powerful XSS backdoor, in XSS Shell one can interactively send requests and get responses from victim and it allows you to keep the control of […]

The post XSS Shell appeared first on Portcullis Labs.

]]>
NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version visit https://github.com/portcullislabs/xssshell-xsstunnell

XSS Shell is a powerful XSS backdoor, in XSS Shell one can interactively send requests and get responses from victim and it allows you to keep the control of session.

NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version visit https://github.com/portcullislabs/xssshell-xsstunnell

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by “XSS-Proxy – http://xss-proxy.sourceforge.net/”. Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

Key features

XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

  • Regenerating Pages
    • This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keep user in virtual environment. Thus even user click any links in the infected page he or she will be still under control! (within cross-domain restrictions) In normal XSS attacks when user leaves the page you can’t do anything
    • Secondly this feature keeps the session open so even victim follow an outside link from infected page session is not going to timeout and you will be still in charge.
  • Keylogger
  • Mouse Logger (click points + current DOM)
  • Built-in Commands;
    • Get Keylogger Data
    • Get Current Page (Current rendered DOM / like screenshot)
    • Get Cookie
    • Execute supplied javaScript (eval)
    • Get Clipboard (IE only)
    • Get internal IP address (Firefox + JVM only)
    • Check victim’s visited URL history

Installation

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.

Install Admin Interface

  1. Copy “xssshell” folder into your web server
  2. Copy “db” to a secure place (below root)
  3. Configure “database path” from “xssshell/db.asp”
  4. Modify hard coded password in db.asp [default password is : w00t]
  5. Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication:

  1. Open xssshell.asp
  2. 2. Set “SERVER” variable to where your XSSShell folder is located. i.e: “http://[YOURHOST]/xssshell/”;
  3. 3. Be sure to check “ME”, “CONNECTOR”, “COMMANDS_URL” variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,

To test it, just modify “sample_victim/default.asp” source code and replace “http://attacker:81/release/xssshell.js” URL with your own XSS Shell URL. Open “sample_victim” folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into “parameters” textarea and click “alert()”. You should see an alert message in victim’s browser.

Security notes

  • As a hunter be careful about possible “Backfire” in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
  • Checkout “showdata.asp” and implement your own “filter()” function to make it safer for you.
  • Put “On error resume next” to db.asp, better modify your web server to not show any error.

How to extend

First implement new feature to xssshell.asp:

  1. Add new enum for your control
    • Set a name and unique number like “CMD_GETCOOKIE”
    • var CMD_SAMPLE = 78;
    • Set datatype for your response (generally TEXT),
    • dataTypes[CMD_SAMPLE] = TEXT;
  2. Write your function and add it to page
    • function cmdSample(){return “yeah working !”}
  3. Call it
    • Go inside to “function processGivenCommand(cmd)”
    • Add a new case like “case CMD_SAMPLE:”
  4. Report it back
    • Inside the case call log;
      “log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, “waitAndRun()”);”

Secondly implement it to admin interface:

  • In db.asp just add a new element to “Commands” array (command name, command unique number, description).i.e. “cmdSample()”,78,”Command sample ! Just returns a message”

There are parameters and lots of helper in the code. Check out other commands for reference.

Enable debug feature to debug your new commands easily.

External libraries

  • moo.ajax – moofx.mad4milk.net
  • script.aculo.us – (http://script.aculo.us, http://mir.aculo.us)

The post XSS Shell appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/tools/xss-shell/feed/ 0
BSQL Hacker https://labs.portcullis.co.uk/tools/bsql-hacker/ https://labs.portcullis.co.uk/tools/bsql-hacker/#comments Wed, 16 Jan 2008 14:45:35 +0000 http://wordpress.65535.com/blogtest/?p=254 NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version please visit https://github.com/portcullislabs/bsql-hacker BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database. NOTE : This download is […]

The post BSQL Hacker appeared first on Portcullis Labs.

]]>
NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version please visit https://github.com/portcullislabs/bsql-hacker

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

NOTE : This download is no longer available on our web site. Portcullis no longer maintain the tool, if you would like the latest version please visit https://github.com/portcullislabs/bsql-hacker

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Key features

  • Easy Mode
    • SQL Injection Wizard
    • Automated Attack Support (database dump)
      • ORACLE
      • MSSQL
      • MySQL (experimental)
  • General
    • Fast and Multithreaded
    • 4 Different SQL Injection Support
      • Blind SQL Injection
      • Time Based Blind SQL Injection
      • Deep Blind (based on advanced time delays) SQL Injection
      • Error Based SQL Injection
    • Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
    • RegEx Signature support
    • Console and GUI Support
    • Load / Save Support
    • Token / Nonce / ViewState etc. Support
    • Session Sharing Support
    • Advanced Configuration Support
    • Automated Attack mode, Automatically extract all database schema and data mode
  • Update / Exploit Repository Features
    • Metasploit alike but exploit repository support
    • Allows to save and share SQL Injection exploits
    • Supports auto-update
    • Custom GUI support for exploits (cookie input, URL input etc.)
  • GUI Features
    • Load and Save
    • Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
    • Visually view true and false responses as well as full HTML response, including time and stats
  • Connection Related
    • Proxy Support (Authenticated Proxy Support)
    • NTLM, Basic Auth Support, use default credentials of current user/application
    • SSL (also invalid certificates) Support
    • Custom Header Support
  • Injection Points (only one of them or combination)
    • Query String
    • Post
    • HTTP Headers
    • Cookies
  • Other
    • Post Injection data can be stored in a separated file
    • XML Output (not stable)
    • CSRF protection support

One time session tokens or asp.net viewstate or similar can be used for separated login sessions, bypassing proxy pages etc.

It’s still beta and there are known issues :

  • Automated Attack for MySQL is experimental, might not work properly

The post BSQL Hacker appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/tools/bsql-hacker/feed/ 0