Posts

Showing posts with the label web application testing

Microsoft .NET MVC ReDoS (Denial of Service) Vulnerability - CVE-2015-2526 (MS15-101)

Microsoft released a security bulletin (MS15-101) describing a .NET MVC Denial of Service vulnerability (CVE-2015-2526) that I reported back in April. This blog post analyses the vulnerability in detail, starting from the theory and then providing a PoC exploit against an MVC web application developed with Visual Studio 2013. For those of you who want to see the bug, you can skip directly to the last part of this post or watch the video... ;-)

A bit of theory

The .NET framework (version 4.5 tested) uses a backtracking regular expression matcher when performing a match against an expression. Backtracking is based on the NFA (non-deterministic finite automaton) engine, which is designed to validate all input states. By providing an "evil" regular expression, one for which the engine can be forced to calculate an exponential number of states, it is possible to force the engine to do exactly that, leading to a condition defined su

BurpCSJ - Dealing with authentication

I have received many questions on how to properly handle authentication when using BurpCSJ, so here is a short tutorial on how to manage it. If you are looking for how to use this Burp extension, there is a basic tutorial as well. In this post, we are going to use BurpCSJ against the Altoro bank (a deliberately vulnerable web application), which is available online here: http://demo.testfire.net/

First, start clean (the reasons will be clear at the end of this tutorial):
- Start Burp;
- Start the browser and configure its proxy settings to work with Burp;
- Browse to the target site: http://demo.testfire.net/
- Perform login: user: jsmith - password: Demo1234
- Check the Burp cookie jar (under Options/Sessions); this should be populated with some cookies:
- Configure BurpCSJ (Crawljax tab) and make sure that "Use Manual Proxy" is ticked and pointing to Burp, and that the "Use cookie jar" option is ticked as well:
- Start/Launch Bur

BurpCSJ extension release

As part of my research and talk titled "Augmented Reality in your web proxy", presented during the HackPra AllStars program / OWASP AppSec EU 2013 security conference in Hamburg, I decided to release a new Burp Pro extension which integrates Crawljax, Selenium and JUnit. I took this approach to increase application spidering coverage (especially for Ajax web apps), speed up complex test cases and take advantage of the Burp Extender API.

Downloads
BurpCSJ extension JAR - download (all dependencies included)
BurpCSJ source code - github
"Augmented Reality in your web proxy" - presentation (slideshare)

Getting started
Download BurpCSJ;
Load the BurpCSJ extension jar via the Extender tab;
Choose the URL item from any Burp tab (e.g. target, proxy history, repeater);
Right-click on the URL item;
Choose the menu item "Send URL to Crawljax";
Crawljax will automatically start crawling the URL that you chose.

Tutorials

BurpCSJ Tutorial - Using Crawljax

This is a simple tutorial to get you started with BurpCSJ and Crawljax. Installation is easy: just download BurpCSJ and import it into Burp via the Extender tab, as shown below: Extender -> Add -> Choose File. Once the extension is loaded, two new tabs will appear on the right side.

Start crawling
To start crawling, grab a URL item from any Burp tab (e.g. proxy history), right-click on the item and choose "Send URL to Crawljax", as shown below. After this, a Crawljax session will start based on the settings configured via the Crawljax tab. It is always recommended to choose a web root URL item for Crawljax, e.g. http://yoursite.xxx/ instead of a specific page or folder. This is typically the URL that you have configured under Target/Scope in Burp.

Crawling with a different browser
Under the Crawljax tab, it is possible to configure the path to the browser drivers, proxy settings and other options for Crawljax. If you need to use a d