Canadian researchers have built a set of free exploit tools for Web applications that run as Firefox browser plug-ins; the so-called ExploitMe suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities found on Websites.
Nishchal Bhalla, founder of Security Compass, and his fellow researchers at the firm will demonstrate and release the new exploit tools -- aimed at facilitating penetration testing of Web applications -- at next month's SecTor security conference in Toronto. The tools let researchers, Web app developers, and quality assurance staffers "fuzz" their Web apps for vulnerabilities to XSS and SQL injection attacks.
"We actually plugged it [the tools] right into the browser logic so it sees things the way the browser does," says Oliver Lavery, principal consultant with Security Compass and one of the developers of the ExploitMe tools.
And having the exploit, or penetration testing, tool inside the browser is especially helpful when it comes to detecting bugs, such as XSS, which actually gets exploited via the browser. "Because cross-site scripting exists within the browser, it's harder to detect" with other tools that run outside the browser, Lavery says.
There are other handy Web app hacking tools available for free today, such as Paros Proxy, Burp Suite, and WebScarab, but unlike ExploitMe, they are basically proxy tools that emulate the browser. "They intercept requests, and tend to do XSS on the basis of the data they collect," Security Compass' Bhalla says. "They emulate a browser, which is where problems happen with detection. Ours is tied into the browser." (See Weaponizing All Browsers.)
Renowned researcher HD Moore, creator of the popular Metasploit pen-testing tool, says the browser-based exploit approach indeed makes it easier for security researchers to detect bugs in sites that are "heavy on client-side scripting," such as XSS.
But there are risks, too, in embedding an exploit tool into the browser, Moore says. "It becomes really easy for a malicious operator to subvert your tool for their own use. Any hacking-specific extensions should be kept disabled, it's just too easy to make a mistake," he says.
The ExploitMe tools -- which are currently in beta form -- include SQL Inject-Me, which lets you right-click on an HTML field in your Firefox browser and inject it with SQL injection payloads, and XSS-Me, which works the same way, but with XSS payloads. The tools' developers also plan to release Web services exploit tools. They chose Firefox mainly due to its interface for writing plug-ins, Bhalla says. "It lets you write plug-ins to it more easily."
Security Compass' Lavery says unlike full-blown commercial penetration testing tools, ExploitMe is Web application-specific. And ExploitMe is all about making life easier for the security testers and developers, he says. "We were scratching our own itch when we developed this."
"This looks to me to be more of a convenience tool... That's what these types of tools should be designed for -- saving pen-testers time," says Jeremiah Grossman, CTO and founder of WhiteHat Security.