ExploitMe: Free Firefox Plug-Ins Test Web Apps

Tools run directly on the browser and target pervasive XSS, SQL injection vulnerabilities in Web apps

Canadian researchers have built a set of free exploit tools for Web applications that run as Firefox browser plug-ins; the so-called ExploitMe suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities found on Websites.

Nishchal Bhalla, founder of Security Compass, and his fellow researchers at the firm will demonstrate and release the new exploit tools -- aimed at facilitating penetration testing of Web applications -- at next month's SecTor security conference in Toronto. The tools let researchers, Web app developers, and quality assurance staffers "fuzz" their Web apps for vulnerabilities to XSS and SQL injection attacks.

"We actually plugged it [the tools] right into the browser logic so it sees things the way the browser does," says Oliver Lavery, principal consultant with Security Compass and one of the developers of the ExploitMe tools.

And having the exploit, or penetration testing, tool inside the browser is especially helpful when it comes to detecting bugs such as XSS, which is actually exploited via the browser. "Because cross-site scripting exists within the browser, it's harder to detect" with other tools that run outside the browser, Lavery says.

There are other handy Web app hacking tools available for free today, such as Paros Proxy, Burp Suite, and WebScarab, but unlike ExploitMe, they are basically proxy tools that emulate the browser. "They intercept requests, and tend to do XSS on the basis of the data they collect," Security Compass' Bhalla says. "They emulate a browser, which is where problems happen with detection. Ours is tied into the browser." (See Weaponizing All Browsers.)

Renowned researcher HD Moore, creator of the popular Metasploit pen-testing tool, says the browser-based exploit approach indeed makes it easier for security researchers to detect bugs, such as XSS, in sites that are "heavy on client-side scripting."

The tool also reaps the home-field advantage of running in the browser: "The browser already does the hard work of processing JavaScript, negotiating SSL, loading Flash, and handling authentication. All the plug-in needs to do is leverage the existing data," says Moore, director of security research for BreakingPoint Systems. "Stand-alone Web assessment tools have to re-invent the wheel when it comes to processing Web pages and acting like a 'real' user. This is a hard job, and because of it, many of the stand-alone tools do a poor job when the site in question is heavy on client-side scripting."

But there are risks, too, in embedding an exploit tool into the browser, Moore says. "It becomes really easy for a malicious operator to subvert your tool for their own use. Any hacking-specific extensions should be kept disabled, it's just too easy to make a mistake," he says.

Moore says other tradeoffs include limitations in how the tool interacts with other services, such as a central database. "Additionally, automation is difficult when the entire toolkit lives within a browser. A single, unhandled JavaScript alert could stall the tool indefinitely," he says.

The ExploitMe tools -- which are currently in beta form -- include SQL Inject-Me, which lets you right-click on an HTML field in your Firefox browser and inject it with SQL injection payloads, and XSS-Me, which works the same way, but with XSS. The tools' developers also plan to release Web services exploit tools. They chose Firefox mainly due to its interface for writing plug-ins, Bhalla says. "It lets you write plug-ins to it more easily."

Security Compass' Lavery says unlike full-blown commercial penetration testing tools, ExploitMe is Web application-specific. And ExploitMe is all about making life easier for the security testers and developers, he says. "We were scratching our own itch when we developed this."

"This looks to me to be more of a convenience tool... That's what these types of tools should be designed for -- saving pen-testers time," says Jeremiah Grossman, CTO and founder of WhiteHat Security.
