Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: December 29, 2006 12:39PM

Hi!

After another day of development instead of free time - where was my head ;) - I have managed to create a version of the before mentioned security bookmarklet that i am quite happy with.

It now looks pretty crispy under Firefox, has an info panel, explanatory balloon help etc. and is still pretty slim. If you combine it with the almighty xss assistant you have a pretty powerful toolkit I guess.

You might wanna try it out under:
http://mario.heideri.ch/downloads/lfhighlighter.html

Here you can see a preview image of the actual release state - dev state is being put online in weekly intervals or so - i will announce that here if you like.
http://mario.heideri.ch/downloads/lfhighlighter.png

Please give me feedback if you like / could need it and what should be optimized, featured or left away.

Greetings, and thx in advance
.mario

Re: LFHighlighter - Security Bookmarklet
Posted by: rsnake
Date: December 29, 2006 01:19PM

Yah, I have one piece of feedback... can you make it so that instead of just alerting cookies you can actually edit them? Mmmm... I'm loving this.

- RSnake
Gotta love it. http://ha.ckers.org

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: December 29, 2006 03:43PM

Nice idea - thanks! I just implemented the feature... you can give it a try if you want.

Re: LFHighlighter - Security Bookmarklet
Posted by: WhiteAcid
Date: December 29, 2006 04:08PM

Wow. I love it.
If you could close the window (as opposed to minimising it) and reset all the colours, that'd be nice.
Also... If you could move the cookie editor around, that'd be neat too.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: December 29, 2006 05:28PM

Thanks for the feedback, WhiteAcid. I implemented both features.

It's really time to sleep now - good n8...



Edited 1 time(s). Last edit at 12/29/2006 05:32PM by .mario.

Re: LFHighlighter - Security Bookmarklet
Posted by: WhiteAcid
Date: December 29, 2006 05:39PM

Good night :)

For when you wake up, could you give the cookie editor page a higher z-index value than the main panel? Or even better, onfocus() you could swap the z-indexes so the one you're using would always be on top. Other than that, top notch!

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: LFHighlighter - Security Bookmarklet
Posted by: kuza55
Date: December 29, 2006 06:38PM

That's awesome .mario, I think I'll definitely start using that. Just another request though, would you be able to make the cookie editor draggable only if you click on the border, because otherwise I can't easily scroll the textbox horizontally (I have to use the little arrows) or highlight things easily (I have to get a cursor in the textbox, then use the shift and arrow keys), or even edit them easily (to edit them I have to right click on the textbox, then left-click on it).

But all in all, that's pretty cool, :D

Re: LFHighlighter - Security Bookmarklet
Posted by: Kyran
Date: December 29, 2006 08:45PM

Sweet. I love this thing.
But, since the last version it no longer works in Opera. ;_;

- Kyran

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: December 30, 2006 09:59AM

Hi!

Thanks for your feedback! I guess I have implemented all requests - please give it a try. The only problem still existing is the compatibility with Opera. I figured out that the problem is related to the compressor - the uncompressed source works fine.

I also tried out a bunch of compressors like the mentioned Dojo ShrinkSafe, Dean Edwards' packer and some other tools but none of them created a valid source. Otherwise it could be that I forgot one semicolon or sth like that on some line I haven't noticed yet. But I will keep on searching...

To reduce confusion - the drag&drop feature is now being activated and deactivated onclick - this was the only solution for kuza55's problem without using IFRAMES... ;)

Thx again - greetings,
.mario

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: December 30, 2006 11:10AM

Addon:

I have changed the url of the bookmarklet and its resources. You can now find the stuff under the following URL:

http://lfh.heideri.ch/

I also implemented an update checker - so anytime you use the bookmarklet ( > version .62 ) it will check if a new version is available and pop up a choice box where you can choose if you want to use the old version or go to the install page. Next step will be the beautifying of the lfh-homepage and the creation of a logo.

Greetings,
.mario

Re: LFHighlighter - Security Bookmarklet
Posted by: rsnake
Date: December 31, 2006 08:17PM

Very very cool, Mario! Nice job!

- RSnake
Gotta love it. http://ha.ckers.org

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: January 07, 2007 04:17PM

First of all thanks for all the feedback!

I have spent some more hours with LFHighlighter and now it has a basic XSS scanner to scan forms, generated images and links on the currently loaded page. Though I am (not yet) using a not very sophisticated vector for scanning I got great results on my test site.

When a security issue is found the link/form/image is tagged with a new alt-text/title and surrounded with a big red border.

I also did many improvements to the sources and LFHighlighter runs on Opera again. Please give it a try and I am always thirsty for feedback ;)

There are still tons of bugs I guess and I hope I will find more time to improve the tool next weekend. Especially the performance issues on very large sites have to be fixed.

URL is still the same: http://lfh.heideri.ch/

Greetings and good n8!
.mario

Re: LFHighlighter - Security Bookmarklet
Posted by: _sniff
Date: January 12, 2007 08:39AM

when i try to use this on an aspx page.. it alwayz shows Viewstate err...
could someone pls tell me.. is it a bug or i did something wrong.

- sn|ff

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: January 15, 2007 03:42PM

Hmmm, please send me the URL you tried it with.

btw: I completely reprogrammed the little thing and yesterday I released version 0.0.90 - sounds pretty early but the optics were enhanced and the XSS scanner works pretty stable - just did a scan with about 80 links and it went good.

Unfortunately I changed the wrapper script so the new version must be installed - the update checker doesn't work anymore.

Please give it a try - feedback still always welcome ;)

URL still the same (see above)

greetings!
.mario

Re: LFHighlighter - Security Bookmarklet
Posted by: rsnake
Date: January 15, 2007 04:48PM

Hmmm... I installed it and ran it, but it was unable to find any vulnerabilities on a site that I know there are vulnerabilities on (on the very same page I was on as a Query string for instance).

- RSnake
Gotta love it. http://ha.ckers.org

Re: LFHighlighter - Security Bookmarklet
Posted by: _sniff
Date: January 15, 2007 10:42PM

@.mario
itz an intranet site, so u cant access it from outside...
but one thing is for sure, it is giving me err on aspx page, same Invalid Viewstate,
I m checking it out, wat the hek is causing this err..
but really appreciate if you could give me some hints.

these are the steps i performed:
1) open Login page (aspx) (viewstate is generated)
2) run LFHighlighter
3) when LFhighlighter is running, submit that request
4) Result : Viewstate Err

.....
if close LFHighlighter and then submit
No err.!!

so final result.. i m confused!

- sn|ff

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: January 16, 2007 01:45AM

@_sniff

Ah now i got it - it's because the hidden form fields are filled with "name : value" and made visible - will change that in a later version.

@rsnake:

Yep - the scanner is still pretty beta but i will work on this issue the next days.

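[Added example, not part of the thread and not LFHighlighter's own code: the Viewstate error explained above, reproduced on a constructed form, next to one way of revealing hidden fields without changing what gets submitted. All function names and the sample values are hypothetical.]

```javascript
// Constructed sample: an ASP.NET-style login form as plain objects so the
// block runs in Node; in a browser pass Array.from(form.elements) instead.
function sampleForm() {
  return [
    { type: 'hidden', name: '__VIEWSTATE', value: '/wEPDwUKconstructed==' },
    { type: 'text', name: 'user', value: 'alice' },
    { type: 'hidden', name: 'returnUrl', value: '/home' },
  ];
}

// Behaviour described in the thread: hidden fields are made visible and
// their value is replaced with "name : value", which is then submitted.
function revealByOverwrite(fields) {
  for (const f of fields) {
    if (f.type !== 'hidden') continue;
    f.value = f.name + ' : ' + f.value;
    f.type = 'text';
  }
}

// Record the original type and value of every hidden field up front.
function snapshotHidden(fields) {
  return fields
    .filter((f) => f.type === 'hidden')
    .map((f) => ({ field: f, type: f.type, value: f.value }));
}

// Put the originals back (e.g. from a submit handler) and return the names
// of the fields that had been altered in the meantime.
function restoreHidden(snapshot) {
  const altered = [];
  for (const s of snapshot) {
    if (s.field.value !== s.value || s.field.type !== s.type) {
      altered.push(s.field.name);
    }
    s.field.value = s.value;
    s.field.type = s.type;
  }
  return altered;
}

// The urlencoded body a form post would carry for these fields.
function submittedBody(fields) {
  return fields
    .map((f) => encodeURIComponent(f.name) + '=' + encodeURIComponent(f.value))
    .join('&');
}
```

[Restoring from the snapshot also discards any deliberate edit made to a revealed hidden field, so a tool that wants to allow such edits would restore only the fields the user did not touch.]
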
Re: LFHighlighter - Security Bookmarklet
Posted by: rsnake
Date: January 16, 2007 04:31PM

The vuln was "><script>alert("XSS")</script> in case your scanner doesn't have that built into it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: LFHighlighter - Security Bookmarklet
Posted by: Anonymous User
Date: January 17, 2007 03:40AM

At the moment the scanner has 5 vectors in its payload array - those are:

arrPayload = [ '<script>alert(\'xss\');</script>',
'\';alert(\'xss\');//\\\';alert(\'xss\');//";alert(\'xss\');//\";alert(\'xss\');//--></SCRIPT>">\'><SCRIPT>alert(\'xss\');</SCRIPT>',
'\'\';!--"<script>alert(\'xss\');</script>=&{()}',
'");alert(\'xss\');//',
'c%00""<script>alert(\'xss\');</script>'
]

The alert is replaced by some other logic to track the vulnerable element. See sources for details.

Yesterday evening i fixed some issues and the scanner now really finds vulnerabilities - but has still problems highlighting the vulnerable elements after the scan. I am working on that.

There are still dozens of other small bugs and i want to enhance the logic for the formscans but i think i won't be able to do that before next weekend.

I also want to implement a way to use own vectors - on the other hand if you guys have any other sophisticated attack strings you are missing in the payload array don't hesitate to send them in - the more good vectors the scanner uses the better the scanner will work in future versions ;)

Greetings and thanx for the fb,
.mario
