XSS Attacks - Exploits and Defense


Chapter 7 • Exploit Frameworks

Introduction

In a relatively short time, client-side security has become one of the most researched and discussed topics in the information security world. After being a low priority for a number of years, security and software vendors have only just started to realize the real potential of this long-forgotten hacking discipline. Web-based malicious software (malware), Asynchronous JavaScript and XML (AJAX) worms, history brute forcing, login detection, zombie control, network port scanning, and browser hijacking are just a few of the techniques that have recently emerged from the underground laboratories of security researchers, and with great impact.

As at other times when a security discipline emerges and becomes a mainstream exploitation mechanism, vendors and individuals have started to release frameworks and automated tools to handle the attack and testing process. While vendors are primarily concentrated on providing tools for auditing AJAX applications, security researchers are more interested in stretching the boundaries of the system in the quest for the ultimate truth. Many different techniques have been discovered, and all of them have their quirks, problems, and advantages.

Browsers have always been a battlefield and the worst nightmare for every developer. Given the wide range of possible attack vectors, it is no surprise that developers and researchers have created several JavaScript attack/testing frameworks to enhance the testing of Web applications. Just as Metasploit, CANVAS, and CORE IMPACT have helped to isolate and illuminate the threats and risks of the server-side world, the Web application security community has created several frameworks that detect, exploit, and provide insight into the problems facing the Web development community.

In this chapter we are going to learn about a number of client-side security exploitation frameworks and tools that we believe are worth looking at. We are going to learn how to use them, so be prepared to get your hands dirty with some agile coding.

AttackAPI

AttackAPI is a Web-based attack construction library built with Hypertext Preprocessor (PHP), JavaScript, and other client-side and server-side technologies. It consists of many modules with dozens of different functions that can be used from the browser as well as from a standalone JavaScript interpreter (e.g., Mozilla Rhino). The goal of the library is to provide an easy and concise interface for implementing exploits for testing and demonstration purposes.

Before we start delving into AttackAPI subroutines, we need to do some preparation. First, download a copy of the library and prepare a testing environment in which you can develop most of the examples. For the purpose of this exercise you need to install and run the applications listed here:

■ HTTP Server with support for PHP 4.x or later (Apache + PHP or WAMP)

www.syngress.com

