Tuesday, February 23, 2010

Web "Hacking" Gets (even) Easier

Just when you thought "hacking" web apps could not get any easier ...

First, there was RSnake's "XSS Cheat Sheet" which set the bar at giving you endless possibilities of XSS attack right there so you didn't have to think about it, and now a new tool has been released that makes the whole process even more brainless.  This tool even saves you the time and clicks of copy/paste!

I'm talking about "NoMore AND 1=1".  This tool comes in 2 flavors, stand-alone and attached to the OWASP WebScarab web proxy tool... and it sets the bar even lower for those wishing to poke and prod at web sites without actually being good at hacking.

The stand-alone version can be found here, while the WebScarab attached version is here.  I highly recommend you install the Java JRE 1.6+ ...

OK, so what's so cool about NoMore AND 1=1?

Aside from the fact that it's a cheat-sheet which auto-copies to your clipboard, it has a cornucopia of attack vectors for everything from  databases [ MS SQL, Oracle, MySQL, DB2, to Sybase, to Postgre-SQL] to LDAP, to XSS, to X-Path, CSRF, and on and on and on... all you have to do is select an attack vector, click it and it's copied to your clipboard.  Then just paste it into an input field and voila! You're a hacker!  (not really...)

Adding to the cool factor is the way that Dani does updates to this tool.  Rather than including the signatures inside the code somewhere, they're maintained in a separate .csv file which can be regularly (or when genius strikes) downloaded and updated.

The WebScarab version is even more awesome.  Once you've got the intercept proxy working OK, you just wait for a request, and then highlight the parameter you want to tamper with, right-click, select "NO MORE AND 1=1" and pick an attack vector and BANG! You're haX0ring... (again, sort of).

Now, being the ever-curious person I am, I tested this out (just to see how simple it was!) against a site that I spend a lot of time on, Digitally Imported.  I really love my Trance music so I'm on that site a lot, and needed to make sure for myself, since I already had a tool fired up and handy that they were taking my web security at least semi-seriously.  I was, pleasantly surprised when the response to a rather complicated XSS attack was this:
"incorrect fields, stop messing around. you've been logged (IP_ADDR)"
Nice job, DI.FM coders :)

Anyway, NoMore AND 1=1 is a really neat little toy you can add to your arsenal of simple web application hacking tools, and I highly recommend it if you're ever in need of a "quick and simple way" to test the basic web app security of where-ever your browser takes you.

Good hacking!


Information Amplifier said...

Very fun looking. Based on the EvilRegex article I ran across on OWASP's site, I added a new "DoS" menu item, sub-items "EvilRex-Username" and "EvilRex-Password". This was done simply by entering these at the tail-end of the CSV file. I am using the standalone version of NoMore_AND_1=1.

eslimasec said...

Hi, thanks for your review of the tool i think it is the largest I've seen! hehehe I am also fun of di.fm so don't hack it please! ;)

gotcha in my feeds