Saturday, June 13, 2015

OWASP Testing Guide v4 - Report Generator

Updated our web security lab with OWASP Testing Guide v4 - Report Generator


Soon, we will release hybrid report generator, a collection of known test cases so far from  PortSwigger and OWASP. 


Thursday, December 25, 2014

SSL Breacher Update

2014-12-25
===========
- SSL LABs scan support; its PDF report will be saved [required WKHTMLTOPDF http://wkhtmltopdf.org/downloads.html]
- Updated Firefox root cert
- All dependencies (Java,Python,WKHTMLPDF) are bundled together in Windows platform and can be activated via breacher64.cmd
- Result outputs are now moved to /output/{host} folder
- Added bash scripts for scanning hosts in file (breacher_filelist.sh, breacher64_filelist.cmd)

2014-12-22
===========
Medium-strength ciphers check for high-security required sites


2014-11-30
===========
Improved check for FS cipher and GCM/CCM mode ciphers by reporting exception if not in server's preferred ciphers


2014-10-18
===========
Added POODLE vulnerability check
Fixed bug in HTTP elements embedded in SSL page
Introduced breacher.config to select all  (default) or desired SSL checks

2014-10-05
===========
Added warning for SHA1 hashing algorithm in certificate check - https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
Fixed bug in hostname validation
Fixed bug in scanning problems in certain hosts due to limited ciphers enabled

2014-10-01
===========
Fix bug in caching control header check

2014-09-29
=============
Fix in raising exception when scanning sites such as mlm.dnswl.org

2014-09-19
===============
Fix in HSTS incorrect parsing error
Added more error check in dependencies requirements

Wednesday, December 24, 2014

SSL Breacher - Yet Another SSL Test Tool

This is our version of SSL test tool mainly meant for your Internal assessment which you can't use famous online SSL labs scanner. We don't re-invent the wheel but combine all the best tools together with our own checks that we think other tools are missing. Running several tools each time has made us sick. With this Breacher tool, you will get all what you need.

Version: 20141019

Download:
http://yehg.net/lab/pr0js/tools/breacher-optimized.zip


Price:
Donationware

Supported Checks

Main SSL Checks
------------------------
1. HeartBleed
2. ChangeCipherSpecs Injection
3. POODLE (due to SSLv3 support)
4. BEAST
5. BREACH
6. Lucky13
7. CRIME & TIME (If CRIME is detected, TIME will also be reported)
8. RC4 support
9. Forward Secrecy support
10. SSLv2 support
11. Weak ciphers check (LOW,ANON,NULL,EXPORT)
12. Insecure Renegotiation


Certificate Validation Check
----------------------------------
1. Certificate expiration
2. Insufficient public key-length
3. Host-name mismatch
4. Null Prefix in certificate
5. Weak & Insecure Hashing Algorithm (MD2, MD4, MD5, SH1)
6. Report the need to use Extended Validation Certificate by checking "bank/pay" in host names


Application/Server-side Configuration Related Check
--------------------------------------------------------------
1. HSTS
       1.1 Check for implementation of HSTS header
       1.2 Reasonable duration of MAX-AGE
       1.3 Check for SubDomains support
2. Surf Jacking (due to Session Cookie missing secure flag)
3. Non-SSL elements/contents embedded in SSL page
4. Missing Cache-Control
5. HTTPS Stripping (HTTP support on port 80,443)
6. Medium-strength ciphers check for high-security required sites

Misc
------------
1. SSL Labs scan support if the host is externally accessible (report will be saved as PDF)


System Requirements

  • ORACLE JDK/JRE 1.8 and above  (NOTE: OPENJDK is not supported due to limited set of built-in cipher suites)
  • Python 2.7
  • WKHTMLPDF



Usage:

Windows:

c:\> breacher.cmd https://yoursite.com
c:\> breacher.cmd https://yoursite.com/login/
c:\> breacher.cmd yoursite.com
c:\> breacher.cmd yoursite.com 10000

Windows (Bundled dependencies)

c:\> breacher64.cmd https://yoursite.com
c:\> breacher64.cmd https://yoursite.com/login/
c:\> breacher64.cmd yoursite.com
c:\> breacher64.cmd yoursite.com 10000
c:\> breacher64_filelist.cmd hosts.txt

Kali-Linux:

$ chmod u+x breacher.sh
$ breacher.sh https://yoursite.com
$ breacher.sh https://yoursite.com/login/
$ breacher.sh yoursite.com
$ breacher.sh yoursite.com 443
$ breacher_filelist.sh hosts.txt

______________________________________________

Sample Log



 


Host Info:
==============
Host : localhost
Port : 443
Path : /login.php

Certificate Info:
==================
Type: Domain Validation Certificate (i.e. NON-Extended Validation Certificate)
Expiration Date: Sat Nov 09 07:48:47 SGT 2019
Signature Hash Algorithm: SHA1withRSA
Public key: Sun RSA public key, 1024 bits
  modulus: 135632964843555009910164098161004086259135236815846778903941582882908611097021488277565732851712895057227849656364886898196239901879569635659861770850920241178222686670162318147175328086853962427921575656093414000691131757099663322369656756090030190369923050306668778534926124693591013220754558036175189121517
  public exponent: 65537
Signed for: CN=localhost
Signed by: CN=localhost
Total certificate chain: 1
(Use -Djavax.net.debug=ssl:handshake:verbose for debugged output.)
=====================================
Certificate Validation:
===============================
[!] Signed using Insufficient public key length 1024 bits
    (Refer to http://www.keylength.com/ for details)
[!] Certificate Signer: Self-signed/Untrusted CA  - verified with Firefox & Java ROOT CAs.
=====================================
Loading module: Hut3 Cardiac Arrest ...
Checking localhost:443 for Heartbleed bug (CVE-2014-0160) ...
[-] Connecting to 127.0.0.1:443 using SSLv3
[-] Sending ClientHello
[-] ServerHello received
[-] Sending Heartbeat
[Vulnerable] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:443 is vulnerable over SSLv3
[-] Displaying response (lines consisting entirely of null bytes are removed):
  0000: 02 FF FF 08 03 00 53 48 73 F0 7C CA C1 D9 02 04  ......SHs.|.....
  0010: F2 1D 2D 49 F5 12 BF 40 1B 94 D9 93 E4 C4 F4 F0  ..-I...@........
  0020: D0 42 CD 44 A2 59 00 02 96 00 00 00 01 00 02 00  .B.D.Y..........
  0060: 1B 00 1C 00 1D 00 1E 00 1F 00 20 00 21 00 22 00  .......... .!.".
  0070: 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2A 00  #.$.%.&.'.(.).*.
  0080: 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 31 00 32 00  +.,.-.../.0.1.2.
  0090: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00  3.4.5.6.7.8.9.:.
  00a0: 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 42 00  ;.<.=.>.?.@.A.B.
  00b0: 43 00 44 00 45 00 46 00 60 00 61 00 62 00 63 00  C.D.E.F.`.a.b.c.
  00c0: 64 00 65 00 66 00 67 00 68 00 69 00 6A 00 6B 00  d.e.f.g.h.i.j.k.
  00d0: 6C 00 6D 00 80 00 81 00 82 00 83 00 84 00 85 00  l.m.............
  01a0: 20 C0 21 C0 22 C0 23 C0 24 C0 25 C0 26 C0 27 C0   .!.".#.$.%.&.'.
  01b0: 28 C0 29 C0 2A C0 2B C0 2C C0 2D C0 2E C0 2F C0  (.).*.+.,.-.../.
  01c0: 30 C0 31 C0 32 C0 33 C0 34 C0 35 C0 36 C0 37 C0  0.1.2.3.4.5.6.7.
  01d0: 38 C0 39 C0 3A C0 3B C0 3C C0 3D C0 3E C0 3F C0  8.9.:.;.<.=.>.?.
  01e0: 40 C0 41 C0 42 C0 43 C0 44 C0 45 C0 46 C0 47 C0  @.A.B.C.D.E.F.G.
  01f0: 48 C0 49 C0 4A C0 4B C0 4C C0 4D C0 4E C0 4F C0  H.I.J.K.L.M.N.O.
  0200: 50 C0 51 C0 52 C0 53 C0 54 C0 55 C0 56 C0 57 C0  P.Q.R.S.T.U.V.W.
  0210: 58 C0 59 C0 5A C0 5B C0 5C C0 5D C0 5E C0 5F C0  X.Y.Z.[.\.].^._.
  0220: 60 C0 61 C0 62 C0 63 C0 64 C0 65 C0 66 C0 67 C0  `.a.b.c.d.e.f.g.
  0230: 68 C0 69 C0 6A C0 6B C0 6C C0 6D C0 6E C0 6F C0  h.i.j.k.l.m.n.o.
  0240: 70 C0 71 C0 72 C0 73 C0 74 C0 75 C0 76 C0 77 C0  p.q.r.s.t.u.v.w.
  0250: 78 C0 79 C0 7A C0 7B C0 7C C0 7D C0 7E C0 7F C0  x.y.z.{.|.}.~...
  02c0: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  02d0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  0300: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
  0bd0: 00 00 00 00 00 00 00 00 00 12 7D 01 00 10 00 02  ..........}.....
[-] Closing connection
[-] Connecting to 127.0.0.1:443 using TLSv1.0
[-] Sending ClientHello
[-] ServerHello received
[-] Sending Heartbeat
[Vulnerable] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:443 is vulnerable over TLSv1.0
[-] Displaying response (lines consisting entirely of null bytes are removed):
  0000: 02 FF FF 08 03 01 53 48 73 F0 7C CA C1 D9 02 04  ......SHs.|.....
  0010: F2 1D 2D 49 F5 12 BF 40 1B 94 D9 93 E4 C4 F4 F0  ..-I...@........
  0020: D0 42 CD 44 A2 59 00 02 96 00 00 00 01 00 02 00  .B.D.Y..........
  0060: 1B 00 1C 00 1D 00 1E 00 1F 00 20 00 21 00 22 00  .......... .!.".
  0070: 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2A 00  #.$.%.&.'.(.).*.
  0080: 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 31 00 32 00  +.,.-.../.0.1.2.
  0090: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00  3.4.5.6.7.8.9.:.
  00a0: 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 42 00  ;.<.=.>.?.@.A.B.
  00b0: 43 00 44 00 45 00 46 00 60 00 61 00 62 00 63 00  C.D.E.F.`.a.b.c.
  00c0: 64 00 65 00 66 00 67 00 68 00 69 00 6A 00 6B 00  d.e.f.g.h.i.j.k.
  00d0: 6C 00 6D 00 80 00 81 00 82 00 83 00 84 00 85 00  l.m.............
  01a0: 20 C0 21 C0 22 C0 23 C0 24 C0 25 C0 26 C0 27 C0   .!.".#.$.%.&.'.
  01b0: 28 C0 29 C0 2A C0 2B C0 2C C0 2D C0 2E C0 2F C0  (.).*.+.,.-.../.
  01c0: 30 C0 31 C0 32 C0 33 C0 34 C0 35 C0 36 C0 37 C0  0.1.2.3.4.5.6.7.
  01d0: 38 C0 39 C0 3A C0 3B C0 3C C0 3D C0 3E C0 3F C0  8.9.:.;.<.=.>.?.
  01e0: 40 C0 41 C0 42 C0 43 C0 44 C0 45 C0 46 C0 47 C0  @.A.B.C.D.E.F.G.
  01f0: 48 C0 49 C0 4A C0 4B C0 4C C0 4D C0 4E C0 4F C0  H.I.J.K.L.M.N.O.
  0200: 50 C0 51 C0 52 C0 53 C0 54 C0 55 C0 56 C0 57 C0  P.Q.R.S.T.U.V.W.
  0210: 58 C0 59 C0 5A C0 5B C0 5C C0 5D C0 5E C0 5F C0  X.Y.Z.[.\.].^._.
  0220: 60 C0 61 C0 62 C0 63 C0 64 C0 65 C0 66 C0 67 C0  `.a.b.c.d.e.f.g.
  0230: 68 C0 69 C0 6A C0 6B C0 6C C0 6D C0 6E C0 6F C0  h.i.j.k.l.m.n.o.
  0240: 70 C0 71 C0 72 C0 73 C0 74 C0 75 C0 76 C0 77 C0  p.q.r.s.t.u.v.w.
  0250: 78 C0 79 C0 7A C0 7B C0 7C C0 7D C0 7E C0 7F C0  x.y.z.{.|.}.~...
  02c0: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  02d0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  0300: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
  0bd0: 00 00 00 00 00 00 00 00 00 12 7D 01 00 10 00 02  ..........}.....
[-] Closing connection
[-] Connecting to 127.0.0.1:443 using TLSv1.1
[-] Sending ClientHello
[-] ServerHello received
[-] Sending Heartbeat
[Vulnerable] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:443 is vulnerable over TLSv1.1
[-] Displaying response (lines consisting entirely of null bytes are removed):
  0000: 02 FF FF 08 03 02 53 48 73 F0 7C CA C1 D9 02 04  ......SHs.|.....
  0010: F2 1D 2D 49 F5 12 BF 40 1B 94 D9 93 E4 C4 F4 F0  ..-I...@........
  0020: D0 42 CD 44 A2 59 00 02 96 00 00 00 01 00 02 00  .B.D.Y..........
  0060: 1B 00 1C 00 1D 00 1E 00 1F 00 20 00 21 00 22 00  .......... .!.".
  0070: 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2A 00  #.$.%.&.'.(.).*.
  0080: 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 31 00 32 00  +.,.-.../.0.1.2.
  0090: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00  3.4.5.6.7.8.9.:.
  00a0: 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 42 00  ;.<.=.>.?.@.A.B.
  00b0: 43 00 44 00 45 00 46 00 60 00 61 00 62 00 63 00  C.D.E.F.`.a.b.c.
  00c0: 64 00 65 00 66 00 67 00 68 00 69 00 6A 00 6B 00  d.e.f.g.h.i.j.k.
  00d0: 6C 00 6D 00 80 00 81 00 82 00 83 00 84 00 85 00  l.m.............
  01a0: 20 C0 21 C0 22 C0 23 C0 24 C0 25 C0 26 C0 27 C0   .!.".#.$.%.&.'.
  01b0: 28 C0 29 C0 2A C0 2B C0 2C C0 2D C0 2E C0 2F C0  (.).*.+.,.-.../.
  01c0: 30 C0 31 C0 32 C0 33 C0 34 C0 35 C0 36 C0 37 C0  0.1.2.3.4.5.6.7.
  01d0: 38 C0 39 C0 3A C0 3B C0 3C C0 3D C0 3E C0 3F C0  8.9.:.;.<.=.>.?.
  01e0: 40 C0 41 C0 42 C0 43 C0 44 C0 45 C0 46 C0 47 C0  @.A.B.C.D.E.F.G.
  01f0: 48 C0 49 C0 4A C0 4B C0 4C C0 4D C0 4E C0 4F C0  H.I.J.K.L.M.N.O.
  0200: 50 C0 51 C0 52 C0 53 C0 54 C0 55 C0 56 C0 57 C0  P.Q.R.S.T.U.V.W.
  0210: 58 C0 59 C0 5A C0 5B C0 5C C0 5D C0 5E C0 5F C0  X.Y.Z.[.\.].^._.
  0220: 60 C0 61 C0 62 C0 63 C0 64 C0 65 C0 66 C0 67 C0  `.a.b.c.d.e.f.g.
  0230: 68 C0 69 C0 6A C0 6B C0 6C C0 6D C0 6E C0 6F C0  h.i.j.k.l.m.n.o.
  0240: 70 C0 71 C0 72 C0 73 C0 74 C0 75 C0 76 C0 77 C0  p.q.r.s.t.u.v.w.
  0250: 78 C0 79 C0 7A C0 7B C0 7C C0 7D C0 7E C0 7F C0  x.y.z.{.|.}.~...
  02c0: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  02d0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  0300: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
  0bd0: 00 00 00 00 00 00 00 00 00 12 7D 01 00 10 00 02  ..........}.....
[-] Closing connection
[-] Connecting to 127.0.0.1:443 using TLSv1.2
[-] Sending ClientHello
[-] ServerHello received
[-] Sending Heartbeat
[Vulnerable] Heartbeat response was 16384 bytes instead of 3! 127.0.0.1:443 is vulnerable over TLSv1.2
[-] Displaying response (lines consisting entirely of null bytes are removed):
  0000: 02 FF FF 08 03 03 53 48 73 F0 7C CA C1 D9 02 04  ......SHs.|.....
  0010: F2 1D 2D 49 F5 12 BF 40 1B 94 D9 93 E4 C4 F4 F0  ..-I...@........
  0020: D0 42 CD 44 A2 59 00 02 96 00 00 00 01 00 02 00  .B.D.Y..........
  0060: 1B 00 1C 00 1D 00 1E 00 1F 00 20 00 21 00 22 00  .......... .!.".
  0070: 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2A 00  #.$.%.&.'.(.).*.
  0080: 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 31 00 32 00  +.,.-.../.0.1.2.
  0090: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3A 00  3.4.5.6.7.8.9.:.
  00a0: 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 42 00  ;.<.=.>.?.@.A.B.
  00b0: 43 00 44 00 45 00 46 00 60 00 61 00 62 00 63 00  C.D.E.F.`.a.b.c.
  00c0: 64 00 65 00 66 00 67 00 68 00 69 00 6A 00 6B 00  d.e.f.g.h.i.j.k.
  00d0: 6C 00 6D 00 80 00 81 00 82 00 83 00 84 00 85 00  l.m.............
  01a0: 20 C0 21 C0 22 C0 23 C0 24 C0 25 C0 26 C0 27 C0   .!.".#.$.%.&.'.
  01b0: 28 C0 29 C0 2A C0 2B C0 2C C0 2D C0 2E C0 2F C0  (.).*.+.,.-.../.
  01c0: 30 C0 31 C0 32 C0 33 C0 34 C0 35 C0 36 C0 37 C0  0.1.2.3.4.5.6.7.
  01d0: 38 C0 39 C0 3A C0 3B C0 3C C0 3D C0 3E C0 3F C0  8.9.:.;.<.=.>.?.
  01e0: 40 C0 41 C0 42 C0 43 C0 44 C0 45 C0 46 C0 47 C0  @.A.B.C.D.E.F.G.
  01f0: 48 C0 49 C0 4A C0 4B C0 4C C0 4D C0 4E C0 4F C0  H.I.J.K.L.M.N.O.
  0200: 50 C0 51 C0 52 C0 53 C0 54 C0 55 C0 56 C0 57 C0  P.Q.R.S.T.U.V.W.
  0210: 58 C0 59 C0 5A C0 5B C0 5C C0 5D C0 5E C0 5F C0  X.Y.Z.[.\.].^._.
  0220: 60 C0 61 C0 62 C0 63 C0 64 C0 65 C0 66 C0 67 C0  `.a.b.c.d.e.f.g.
  0230: 68 C0 69 C0 6A C0 6B C0 6C C0 6D C0 6E C0 6F C0  h.i.j.k.l.m.n.o.
  0240: 70 C0 71 C0 72 C0 73 C0 74 C0 75 C0 76 C0 77 C0  p.q.r.s.t.u.v.w.
  0250: 78 C0 79 C0 7A C0 7B C0 7C C0 7D C0 7E C0 7F C0  x.y.z.{.|.}.~...
  02c0: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  02d0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  0300: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
  0bd0: 00 00 00 00 00 00 00 00 00 12 7D 01 00 10 00 02  ..........}.....
[-] Closing connection

[!] Vulnerable to Heartbleed bug (CVE-2014-0160) mentioned in http://heartbleed.com/
[!] Vulnerability Status: VULNERABLE

=====================================
Loading module: CCS Injection script by TripWire VERT ...
Checking localhost:443 for OpenSSL ChangeCipherSpec (CCS) Injection bug (CVE-2014-0224) ...
[!] The target may allow early CCS on TLSv1.2
[!] The target may allow early CCS on TLSv1.1
[!] The target may allow early CCS on TLSv1
[!] The target may allow early CCS on SSLv3

[-] This is an experimental detection script and does not definitively determine vulnerable server status.
[!] Potentially vulnerable to OpenSSL ChangeCipherSpec (CCS) Injection vulnerability (CVE-2014-0224) mentioned in http://ccsinjection.lepidum.co.jp/
[!] Vulnerability Status: Possible

=====================================
Checking localhost:443 for HTTP Compression support against BREACH vulnerability (CVE-2013-3587) ...
[*] HTTP Compression: DISABLED
[*] Immune from BREACH attack mentioned in https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-WP.pdf
[*] Vulnerability Status: No

--------------- RAW HTTP RESPONSE ---------------
HTTP/1.1 200 OK
Date: Wed, 23 Jul 2014 13:48:07 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Set-Cookie: SessionID=xxx; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/; secure
Set-Cookie: SessionChallenge=yyy; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/
Content-Length: 193
Connection: close
Content-Type: text/html
<html>
<head>
<title>Login page </title>
</head>
<body>
<script src="http://othersite/test.js"></script>
<link rel="stylesheet" type="text/css" href="http://somesite/test.css">

=====================================
Checking localhost:443 for correct use of Strict Transport Security (STS) response header (RFC6797) ...
[!] STS response header: NOT PRESENT
[!] Vulnerable to MITM threats mentioned in https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Threats
[!] Vulnerability Status: VULNERABLE

--------------- RAW HTTP RESPONSE ---------------
HTTP/1.1 200 OK
Date: Wed, 23 Jul 2014 13:48:07 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Set-Cookie: SessionID=xxx; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/; secure
Set-Cookie: SessionChallenge=yyy; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/
Content-Length: 193
Connection: close
Content-Type: text/html
<html>
<head>
<title>Login page </title>
</head>
<body>
<script src="http://othersite/test.js"></script>
<link rel="stylesheet" type="text/css" href="http://somesite/test.css">

=====================================
Checking localhost for HTTP support against HTTPS Stripping attack ...
[!] HTTP Support on port [80] : SUPPORTED
[!] Vulnerable to HTTPS Stripping attack mentioned in https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
[!] Vulnerability Status: VULNERABLE

=====================================
Checking localhost:443 for HTTP elements embedded in SSL page ...
[!] HTTP elements embedded in SSL page: PRESENT
[!] Vulnerable to MITM malicious content injection attack
[!] Vulnerability Status: VULNERABLE

--------------- HTTP RESOURCES EMBEDDED ---------------
 - http://othersite/test.js
 - http://somesite/test.css
=====================================
Checking localhost:443 for ROBUST use of anti-caching mechanism ...
[!] Cache Control Directives: NOT PRESENT
[!] Browsers, Proxies and other Intermediaries will cache SSL page and sensitive information will be leaked.
[!] Vulnerability Status: VULNERABLE

-------------------------------------------------
Robust Solution:
    - Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
    - Ref: https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OWASP-AT-007)
           http://msdn.microsoft.com/en-us/library/ms533020(v=vs.85).aspx
=====================================
Checking localhost:443 for Surf Jacking vulnerability (due to Session Cookie missing secure flag) ...
[!] Secure Flag in Set-Cookie:  PRESENT BUT NOT IN ALL COOKIES
[!] Vulnerable to Surf Jacking attack mentioned in https://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
[!] Vulnerability Status: VULNERABLE
--------------- RAW HTTP RESPONSE ---------------
HTTP/1.1 200 OK
Date: Wed, 23 Jul 2014 13:48:07 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Set-Cookie: SessionID=xxx; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/; secure
Set-Cookie: SessionChallenge=yyy; expires=Wed, 23-Jul-2014 12:48:07 GMT; path=/
Content-Length: 193
Connection: close
Content-Type: text/html
=====================================
Checking localhost:443 for ECDHE/DHE ciphers against FORWARD SECRECY support ...
[*] Forward Secrecy: SUPPORTED
[*] Connected using cipher - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on protocol - TLSv1
[*] Attackers will NOT be able to decrypt sniffed SSL packets even if they have compromised private keys.
[*] Vulnerability Status: No
=====================================
Checking localhost:443 for RC4 support (CVE-2013-2566) ...
[!] RC4: SUPPORTED
[!] Vulnerable to MITM attack described in http://www.isg.rhul.ac.uk/tls/
[!] Vulnerability Status: VULNERABLE

=====================================
Checking localhost:443 for TLS 1.1 support ...
Checking localhost:443 for TLS 1.2 support ...
[*] TLS 1.1, TLS 1.2: SUPPORTED
[*] Immune from BEAST attack mentioned in http://www.infoworld.com/t/security/red-alert-https-has-been-hacked-174025
[*] Vulnerability Status: No

=====================================
Loading module: sslyze by iSecPartners ...
Checking localhost:443 for Session Renegotiation support (CVE-2009-3555,CVE-2011-1473,CVE-2011-5094) ...
[*] Secure Client-Initiated Renegotiation : NOT SUPPORTED
[*] Mitigated from DOS attack (CVE-2011-1473,CVE-2011-5094) mentioned in https://www.thc.org/thc-ssl-dos/
[*] Vulnerability Status: No

[*] INSECURE Client-Initiated Renegotiation : NOT SUPPORTED
[*] Immune from TLS Plain-text Injection attack (CVE-2009-3555) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555  
[*] Vulnerability Status: No

=====================================
Loading module: TestSSLServer by Thomas Pornin ...
Checking localhost:443 for SSL version 2 support ...
[*] SSL version 2 : NOT SUPPORTED
[*] Immune from SSLv2-based MITM attack  
[*] Vulnerability Status: No

=====================================
Checking localhost:443 for LANE (LOW,ANON,NULL,EXPORT) weak ciphers support ...
Supported LANE cipher suites:
  SSLv3
     RSA_EXPORT_WITH_RC4_40_MD5
     RSA_EXPORT_WITH_RC2_CBC_40_MD5
     RSA_EXPORT_WITH_DES40_CBC_SHA
     RSA_WITH_DES_CBC_SHA
     DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
     DHE_RSA_WITH_DES_CBC_SHA
     TLS_ECDH_anon_WITH_RC4_128_SHA
     TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
     TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  (TLSv1.0: same as above)
  (TLSv1.1: same as above)
  (TLSv1.2: same as above)

[!] LANE ciphers : SUPPORTED
[!] Attackers may be ABLE to recover encrypted packets.
[!] Vulnerability Status: VULNERABLE

=====================================
Checking localhost:443 for GCM/CCM ciphers support against Lucky13 attack (CVE-2013-0169) ...
Supported GCM cipher suites against Lucky13 attack:
  TLSv1.2
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_RSA_WITH_AES_256_GCM_SHA384
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

[*] GCM/CCM ciphers : SUPPORTED
[*] Immune from Lucky13 attack mentioned in http://www.isg.rhul.ac.uk/tls/Lucky13.html
[*] Vulnerability Status: No

=====================================
Checking localhost:443 for TLS Compression support against CRIME (CVE-2012-4929) & TIME attack  ...
[*] TLS Compression : DISABLED
[*] Immune from CRIME & TIME attack mentioned in https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
[*] Vulnerability Status: No

=====================================
[+] Breacher finished scanning in 12 seconds.
[+] Get your latest copy at http://yehg.net/

Sunday, December 8, 2013

[Tool] DLL Hijack Helper Updated with killcmd support

DLL Hijack Helper - Update
++++++++++++++++++++++++++++++

1. Run ProcMon
2. Set filter rule with result "NAME NOT FOUND"
3. Run your target application
4. Save ProcMon output as Logfile.CSV
5. Exit ProcMon
6. Edit dll-hijack-helper.py
7. Search and Replace "target.exe" with your test application name.
5. Run dll-hijack-helper.py

Typical output looks like this:
------------------------------------------


Running DLL Hijack Helper - by Myo Soe , http://yehg.net


hijacker_dll_m5: e6744ebb969ce6373d3702d1e7f70487
hijacker_exe_m5: a56a094461f79a3be7c672d10fc413c3

----------------------------------


Created DLL -> D:\tmp\TestApp 32bit\msi.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_y

Created DLL -> D:\tmp\TestApp 32bit\sfc_os.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_y

Created DLL -> D:\tmp\TestApp 32bit\WINTRUST.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_y

Created DLL -> D:\tmp\TestApp 32bit\CRYPT32.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_y

Created DLL -> D:\tmp\TestApp 32bit\MSASN1.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\MsiMsg.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\rsaenh.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\MSISIP.DLL


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\xpsp2res.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\netapi32.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\cryptnet.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\PSAPI.DLL


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\SensApi.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\WINHTTP.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\CLBCATQ.DLL


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\COMRes.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\UxTheme.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created DLL -> D:\tmp\TestApp 32bit\SHFolder.dll


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_n

Created EXE -> D:\tmp\TestApp 32bit\MSIEXEC.EXE


[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue
_y

------------------------------
Vulnerable DLL/EXEs:

 - D:\tmp\TestApp 32bit\msi.dll
 - D:\tmp\TestApp 32bit\sfc_os.dll
 - D:\tmp\TestApp 32bit\WINTRUST.dll
 - D:\tmp\TestApp 32bit\CRYPT32.dll
 - D:\tmp\TestApp 32bit\MSIEXEC.EXE

Saturday, September 21, 2013

Testing CAPTCHA strength with GSA CAPTCHA Breaker

With sophisticated OCR technologies, today's CAPTCHA defense in web applications has become weaker and weaker partially due to a requirement to maintain usability. In this demo, we used GSA Breaker tool to test the effectiveness of sample CAPTCHA images. 
 [View Online | Download ]