Web Cache Vulnerability Scanner (WCVS)
Web caches are widely used to reduce latency and decrease the load on web servers. However, incorrect configurations or insufficient customization for the specific website can lead to major security risks. Web caches can open new attack vectors or amplify the impact of existing vulnerabilities. One of these new attack vectors — Web Cache Poisoning — is explained in this blog post.
To test web applications for Web Cache Poisoning easily and efficiently, the Web Cache Vulnerability Scanner (WCVS) was developed. The scanner can be used out-of-the-box in its default configuration and additionally offers a wide range of customization options. It can test a large number of web pages, and it can test them recursively, e.g. by using the integrated crawler. The results can be saved as a report in JSON format. A detailed introduction to WCVS can be found in this blog post.
WS-Attacker
XML-based SOAP Web Services are a widely used technology that allows users to execute remote operations and transport arbitrary data. It is currently adopted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, and military services. The wide adoption of this technology has resulted in the emergence of numerous, mostly complex, extension specifications. Naturally, this has been followed by a rise in the number of Web Services-specific attacks. When implementing common web applications, developers evaluate the security of their systems by applying different penetration testing tools. However, in comparison to well-known attacks such as SQL injection or Cross-Site Scripting, there are no penetration testing tools for Web Services-specific attacks. With WS-Attacker we intend to close this gap and provide developers and penetration testers with automatic methods for detecting Web Services-specific attacks. The tool currently supports the following attacks:
- SOAPAction Spoofing
- WS-Addressing Spoofing
- Various XML Denial of Service variants
- XML Signature Wrapping
TLS-Attacker
TLS-Attacker is a Java-based framework for analyzing TLS libraries. It is able to send arbitrary protocol messages in an arbitrary order to the TLS peer and to define their modifications using a provided interface. This gives developers an opportunity to easily define a custom TLS protocol flow and test it against their TLS library.
In addition, TLS-Attacker supports various known cryptographic attacks and their evaluation. This means you can simply check whether your server is vulnerable to padding oracle, invalid curve, or Bleichenbacher attacks. It has already allowed us to find vulnerabilities in major TLS libraries, including OpenSSL, Botan, and MatrixSSL.
EsPReSSO (Single Sign-On Extension for Burp Suite)
The Burp Suite Extension EsPReSSO helps in the detection of various Single Sign-On protocols. It supports SAML, OpenID, OAuth, BrowserId, OpenID Connect, Facebook Connect and Microsoft Account. EsPReSSO passively analyzes the HTTP traffic and automatically highlights Single Sign-On messages in the Burp Suite proxy.
In addition, EsPReSSO provides editors for SAML and JSON Web Tokens that allow them to be edited easily. XML Signature Wrapping attack vectors can also be created for SAML using the built-in WS-Attacker library.
Metadata-Attacker
This tool covers Cross-Site Scripting (XSS) security issues with media files containing metadata. Such data is usually created by trusted devices like cameras. There is therefore a chance that providers handling this metadata also trust it and thus use insufficient or no filter mechanisms.
We have developed an open source penetration testing tool called Metadata-Attacker. It consists of a suite of self-developed tools that allow the creation of malicious proof-of-concept image (.jpg), audio (.mp3), and video (.mp4) files.