October 19, 2009

Samurai Web Testing Framework (WTF) Firefox Add-ons Collection

In June 2009 Mozilla released the add-ons collections feature on their add-ons web site. As a member of and contributor to the SamuraiWTF project, I would like to announce the release of the SamuraiWTF Firefox add-ons collection!

The Samurai Web Testing Framework (WTF) is a LiveCD focused on web application testing. It contains a pre-installed collection of the top web application penetration testing tools, becoming the perfect environment for testing applications.

The goal of this Firefox collection is to include the best add-ons for web application penetration testing and offensive security analysis, turning your browser into the ultimate pen-testing tool. It is aligned with the Samurai Web Testing Framework (WTF) LiveCD distribution. I plan to keep the collection updated with new web-app pen-testing add-ons, but I would like to carefully evaluate new additions (or replacements) so that the list doesn't grow to the point where it becomes unmanageable. It includes 19 add-ons at this time.

As of today, it seems it is not possible to install all add-ons from a collection with a single click. The current SamuraiWTF add-ons collection can be installed on the latest Firefox version, v3.5, with the exception of the "Add N Edit Cookies" add-on. Although this add-on works in Firefox 3.5.*, it cannot be directly installed, because its install manifest declares a maximum compatible version of 3.0.*. There is a quick hack you can apply to install it on Firefox 3.5 until the official version is updated by its developer:
  • Go to the "Add N Edit Cookies" add-on webpage with a compatible old Firefox version, or with a different browser like Internet Explorer, and download the add-on (XPI file).
  • Rename the file's XPI extension to ZIP (an XPI is just a ZIP archive).
  • Extract the "install.rdf" file from the ZIP archive.
  • Edit the "install.rdf" file and replace the following line (maximum version; note that RDF element names are case-sensitive):
          <em:maxVersion>3.0.*</em:maxVersion>
    by:
          <em:maxVersion>3.5.*</em:maxVersion>
  • Put (drag & drop) the new "install.rdf" file back into the ZIP archive, and it will automatically replace the old version of the file.
  • Rename the file's ZIP extension back to XPI.
  • At this point, you can install the recently modified XPI add-on in Firefox 3.5.
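The manual unzip/edit/re-zip steps above, carried out as a script. This is an added example, not part of the original post or of the SamuraiWTF project; the install.rdf it operates on is a constructed minimal manifest, and the add-on id and chrome.manifest content are invented placeholders.

```python
import io
import re
import zipfile

# Constructed minimal install.rdf for the demo (a real one ships inside the XPI).
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-cookie-editor@example.invalid</em:id>
    <em:targetApplication><Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>2.0</em:minVersion>
      <em:maxVersion>3.0.*</em:maxVersion>
    </Description></em:targetApplication>
  </Description>
</RDF>
"""
# Case-insensitive so it also matches manifests written as <em:maxversion>.
MAXVERSION_RE = re.compile(r"(<em:maxVersion>)([^<]*)(</em:maxVersion>)", re.IGNORECASE)

def build_sample_xpi() -> bytes:
    """Create an in-memory XPI (an XPI is a plain ZIP) holding the sample manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", SAMPLE_INSTALL_RDF)
        zf.writestr("chrome.manifest", "content sample chrome/content/\n")  # placeholder
    return buf.getvalue()

def read_max_version(xpi_bytes: bytes) -> str:
    """Return the em:maxVersion declared in the XPI's install.rdf ('' if absent)."""
    rdf = zipfile.ZipFile(io.BytesIO(xpi_bytes)).read("install.rdf").decode("utf-8")
    m = MAXVERSION_RE.search(rdf)
    return m.group(2) if m else ""

def patch_max_version(xpi_bytes: bytes, new_max: str) -> bytes:
    """Rewrite em:maxVersion to new_max, copying every other ZIP member unchanged."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    if "install.rdf" not in src.namelist():
        raise ValueError("install.rdf not found in XPI")
    patched, count = MAXVERSION_RE.subn(
        lambda m: m.group(1) + new_max + m.group(3), src.read("install.rdf").decode("utf-8"))
    if count == 0:
        raise ValueError("no em:maxVersion element in install.rdf")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info, patched.encode() if info.filename == "install.rdf" else src.read(info))
    return out.getvalue()
```

Run it on a downloaded XPI by reading the file into `patch_max_version(data, "3.5.*")` and writing the returned bytes to a new .xpi; the check for a missing manifest or element keeps the script from silently producing an unchanged archive.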
Once you install all the add-ons within the SamuraiWTF collection, one by one, the look and feel of your Firefox browser will notably change. I recommend hiding the add-on toolbars that are visible by default. You can individually enable them at any time, such as when you are going to use a specific add-on:
  • Go to the "View" menu and select "Toolbars".
  • Deselect "Access Me Toolbar", "Web Developer Toolbar", and (especially) "HackBar".
Finally, the "DOM Inspector" add-on has been added to the collection as it is a requirement to enable all the capabilities of the "Web Developer" add-on.

Please, take a look at the collection, feel free to share your thoughts/comments (send me an e-mail), vote for this collection if you find it useful, and enjoy it!


October 12, 2009

Prison Break - Breaking, Entering & Decoding - Challenge Answers & Winners

The answers and winners for the EH-net "Prison Break (Breaking, Entering & Decoding)" challenge (August 2009) have been published today.

The answers for this challenge were released as a scoop to The Informer subscribers a few days ago. In Johnny Long's words, "The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security. For $54 per year, subscribers get early, exclusive access to all sorts of goodies donated by the top names in the INFOSEC world. The industry's most recognized names will post blog entries here before they even post them to their own sites." The EH-Net contribution will be the answers to the Skillz H@ck1ng Challenges a few days before they are revealed on EH-Net.

It is an honor for me to drive this initiative, with the support of Don Donzal (EH-Net) and Ed Skoudis (Challenge Master), and start posting the official answers of this challenge on The Informer.

The “Prison Break – Breaking, Entering & Decoding” challenge winners have been announced on EH-net, and the answers are contained in a single PDF file (27 pages) plus three associated screencasts:
Thanks to everybody for participating in the challenge, and to Ed and Don for the opportunity. I hope you enjoyed working on it as much as I enjoyed designing and writing it!


October 09, 2009

Sqlninja & Metasploit Demo

Last week I ran the "Web App Pen-Testing" SANS webcast to provide a sneak preview of the SEC542 "Web Penetration Testing and Ethical Hacking" course I will be teaching in London later this year. At the end of the webcast I ran a Sqlninja & Metasploit demo against the Hacme Bank vulnerable site using the recently released sqlninja patch.

This post includes a screencast of that demo (15:40 minutes):

You can access the archived version of the full SEC542 webcast from the SANS portal. Hope to see some of you, RaDaJo readers, in London!