Exploit-Me Firefox XSS and SQL scanning addon

posted Jun 14th 2008 2:40am by Eliot Phillips
filed under: cons, firefox hacks

One of the best tools we saw at LayerOne was the Exploit-Me series presented by [Dan Sinclair]. Security Compass created these tools to help developers easily identify cross site scripting (XSS) and SQL injection vulnerabilities.

XSS-Me is a Firefox add-on that loads in the sidebar. It identifies all the input fields on a page and iterates through a user provided list of XSS strings: opening new tabs and checking the results. When this process completes you get a report of what attacks got through, what didn’t, and what might have. The upcoming 0.3 version will use heuristics to determine what characters can be used and automatically skip attack strings that won’t get through.

The SQL Inject-Me works almost exactly the same way. It does require a little planning though: you need to tell it what you expect the results page to look like when an attack gets through.

The newest tool, Access-Me, surfs along with you while you’re authenticated to a website and checks whether you can see the same page unauthenticated.

Read

Comments [5]

tagged: addon, crosssitescripting, dansinclair, extension, firefox, layerone, layerone2008, security, securitycompass, sql, sqlinjection, xss

Reader Comments

are these safe,
i mean no malicious activity in the background…

Posted at 6:54 am on Jun 14th, 2008 by ~SB

I saw Dan present this at CarolinaCOn this past year along with a friend of his named Sahba (I hope I spelled that right). It was a really interesting concept and led to some great questions from the audience.

Posted at 8:45 am on Jun 14th, 2008 by Nick Fury

@SB: Well you can download the source

Posted at 10:09 am on Jun 14th, 2008 by John Berube

Beware, when I clicked the link to download this firefox plug-in, it dumped a file called “xm86zte5.exe” on my desktop. I purged the file immediately. Not sure what it does but that was unexpected behaviour. This may be a malicious site.

Posted at 6:59 pm on Jun 14th, 2008 by Hali

@sb: All of the tools are open sourced so if you’re concerned with malicious activity you’re free to audit the tools as you want. We’ve been careful to remove anything that might be thought to track people. That’s why we don’t have any of the XSS attacks that reference external .js files included by default.

@hali: Out of curiosity, where did you download the .xpi file from? Are you trying to say that running the xpi added a file to your desktop or it somehow downloaded a secondary file?

The Exploit-Me files are .xpi files. They aren’t exe’s. They only run within Firefox.

Posted at 9:49 am on Jun 16th, 2008 by dan sinclair

Exploit-Me Firefox XSS and SQL scanning addon

Recent Posts

Reader Comments

Leave a Reply

hacks

resources

rss newsfeeds

Most Commented On (30 days)

Recent Comments