Tag Archives: web penetration testing

An Introduction to Javascript for XSS Payloads

I recently got the opportunity to speak at B-Sides Charleston on cross-site scripting (XSS) payload development. For me, this was a really enjoyable opportunity because of my background. I was a software developer specializing in web apps for about 10 years. I did web development as a hobby for more than 10 years before that. I’ve had full stack responsibilities for most of my career. I switched between server-side platforms, and have had some exposure to most of them, but the javascript was a constant. I don’t like classifying developers by their language: a java developer, python developer, etc. I feel that it leads to a lot of incorrect assertions about how to judge the quality of a developer. That said, if I was going to label myself by a language, that language would be javascript. It’s the language that I find does the best job staying out of my way so that I can focus on the problem at hand. Its lack of constraints, compared to many other languages, serves me well.

The original VMs I used during my talk are available at https://github.com/mgillam/weaponizejs, and these demonstrate a lot of the same techniques shown here. There may be some rough edges, reach out if you have any issues making them work.

So from that perspective, a XSS opportunity is one of my favorite findings on a pen test. If you allow me to run my javascript in your web application, it’s really my web application. I determine what it looks like and I determine how it behaves, and any user input also belongs to me.

In this post, I would like to share some of the techniques I presented in my talk. These shouldn’t be thought of as standalone exploits, but rather a set of tricks you can use to achieve common goals. I’m going to skip over getting script execution in the first place. Getting script execution, and the challenges that go with it such as filter evasion, is specific to each individual site, if not the individual vulnerability. There’s no concrete set of answers, so that would just be a distraction. Let’s instead move on to what we can do once we have it.

Continue Reading

Introducing Burp Correlator!

This one is for you web penetration testers!  This new Burp extension is designed to help with efficiency when you are testing a complex application full of parameters or a series of applications and just do not have enough time to thoroughly analyze each one.  It analyzes all the parameters in your in-scope traffic and… Continue Reading

SamuraiWTF 3.2 RELEASED!

We are really excited to announce that SamuraiWTF 3.2 is now available publicly.  This release is available at http://sourceforge.net/projects/samurai/ immediately and we hope you enjoy it. In this release we have updated a number of tools, addressed bug issues, and improved the target environments to better suit a training environment. We have also updated the… Continue Reading

And Now… Introducing: Burp BS!

Burp BS… where the “BS” stands for BeanShell.  “What on earth is BeanShell?” you may ask?  BeanShell is a very old Java library that was designed to build scripts in Java (full details on www.beanshell.org).  It never really caught on for general use because the Java language is designed from the ground up to be… Continue Reading

Web Penetration Testing with Burp and CO2

Start 2015 right with a free web session to learn all about the Burp CO2 plugin!  This training is scheduled for Thursday, January 8th, 2015 at 2pm EST. Portswigger’s Burp Suite is a very popular and flexible intercepting proxy tool among web application penetration testers. During this training session I will provide an overview of… Continue Reading

SamuraiWTF 3.0 and into the future!

We are really excited to announce that SamuraiWTF 3.0 is now available publicly.  (We did a previous release but found some issues and so that was pulled back.)  This release is available at http://sourceforge.net/projects/samurai/ immediately and we hope you enjoy it. In this release we have updated the base operating system to Ubuntu 14.04 (hence the… Continue Reading

CORS Global Policy

I recently noticed an uptake on Cross-Origin Resource Sharing (CORS) findings showing up in automated scanning tools, which would not have been a significant concern except for the fact that the tools were rating this as a relatively “high” severity and very few people I asked about it seemed to have any idea what it… Continue Reading

Professionally Evil Web Penetration Testing Class

Ever thought about being able to test the security of your web applications? Wanted to know how the Professionally Evil hack web services and applications?  Interested in upgrading your skills around attacking modern web applications? Well now you have your chance! Secure Ideas is excited to announce the latest in our course offerings.  We will be… Continue Reading

Professionally Evil Training: Advanced Tactical Burp Webinar

Secure Ideas is excited to announce its latest upcoming online training.  We will be offering a two-hour session exploring advanced topics related to Burp Suite and its use in a web application penetration test.  Kevin Johnson and James Jardine will explore the various features of Burp Suite, focusing on how we use the system during our penetration… Continue Reading