
[SecTor Review] Exploit-Me Series

November 22nd, 2007

SecTor Day #1
Speakers: Rohit Sethi and Nish Bhalla
Presentation (pdf)
Audio (wmv)
Tool Website

Full Title: Exploit-Me Series -- Free Firefox Application Penetration Testing Suite Launch

I was really curious to see this one, although I heard the other talks were interesting. My main reason was that I wanted to see how this plugin differed from others, such as my favourite tool, Tamper Data. In the end, the tool is much more like WhiteAcid's XSS Assistant.

The tool, which will be available on Nov 26 from SecurityCompass.com, lets you pin static values on certain form fields and then inject XSS test strings into the rest of them, testing for a variety of types of XSS and allowing you to insert your own payloads. They showed video demonstrations of the tool, which will be released under the GPL; I can't wait to get my hands on it and play with it.

The first half of the talk, leading up to the tool release, looked at problems with current testing tools, which are primarily proxy-based (such as Tamper Data). It also explained CSRF, XSS and SQL Injection. The second half was demos of both tools, XSS-Me and SQL Inject Me, as well as a brief discussion of limitations, future improvements and other planned tools.
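To make the "pin some fields, inject the rest" mechanism behind both XSS-Me and SQL Inject Me concrete, here is an added example of my own (not code from the Exploit-Me plugins or from SecurityCompass). It builds the per-field injection matrix, runs each submission against a constructed stand-in for a vulnerable server, and applies a cheap browser-side check: for XSS, whether the payload came back unencoded; for SQL injection, whether the response carries a database error string. Field names, baseline values, payload lists and the fake responder are all assumptions made up for the illustration.

```javascript
// Added illustration of how a form-fuzzing plugin drives a form; not XSS-Me or
// SQL Inject Me code. All names, payloads and the responder are constructed.

// Small payload sets. The real tools ship their own lists and let you add more.
const XSS_PAYLOADS = [
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
  "'><svg onload=alert(1)>",
];
const SQLI_PAYLOADS = ["'", "' OR '1'='1", "1; --"];

// Constructed baseline form: the login fields are pinned so every probe is
// submitted as a valid user, while name and comment get the payloads.
const BASELINE = { username: 'alice', password: 'hunter2', name: 'Alice', comment: 'hi' };
const PINNED = { username: 'alice', password: 'hunter2' };

// One submission per (free field, payload): pinned fields keep their fixed
// value, exactly one free field carries the payload, the other free fields
// keep their baseline value. This is the matrix the plugin has to walk.
function buildSubmissions(baseline, pinned, payloads) {
  const targets = Object.keys(baseline).filter((f) => !(f in pinned));
  const out = [];
  for (const field of targets) {
    for (const payload of payloads) {
      const form = { ...baseline, ...pinned, [field]: payload };
      out.push({ field, payload, form });
    }
  }
  return out;
}

// XSS check: payload reflected verbatim (not HTML-encoded). A first signal
// only; a real tool still has to confirm the script actually executed.
function isReflectedUnencoded(body, payload) {
  return body.includes(payload);
}

// SQLi check: well-known error fragments from MySQL, Oracle and SQL Server.
function hasSqlError(body) {
  return /error in your SQL syntax|ORA-\d{5}|unclosed quotation mark/i.test(body);
}

// Minimal HTML escaping for the "fixed" field of the fake responder.
function esc(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed stand-in for a vulnerable server: escapes `name`, echoes
// `comment` raw, and leaks a MySQL-style error when `comment` breaks a quote.
function fakeResponder(form) {
  if (form.comment.includes("'")) {
    return 'You have an error in your SQL syntax near ' + form.comment;
  }
  return `<p>Hello ${esc(form.name)}</p><div>${form.comment}</div>`;
}

// Walk the matrix, submit each form, and collect (field, payload) pairs that
// the supplied check flags.
function runScan(baseline, pinned, payloads, responder, check) {
  const hits = [];
  for (const sub of buildSubmissions(baseline, pinned, payloads)) {
    const body = responder(sub.form);
    if (check(body, sub.payload)) hits.push({ field: sub.field, payload: sub.payload });
  }
  return hits;
}

console.log('XSS:', runScan(BASELINE, PINNED, XSS_PAYLOADS, fakeResponder, isReflectedUnencoded));
console.log('SQLi:', runScan(BASELINE, PINNED, SQLI_PAYLOADS, fakeResponder, (b) => hasSqlError(b)));
```

With the constructed responder, only `comment` is flagged: every XSS payload is reflected raw there, while `name` is escaped; for SQL injection the two quote-based payloads trigger the error string and `1; --` does not, which is the kind of per-payload difference the real tools surface in their results table.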

I'm very excited to see what happens to these tools, especially once they hit the hands of web app geeks everywhere. I was also genuinely impressed by the mention that SecurityCompass (the company at which both Nish and Rohit work) will be staffing someone to develop the Exploit-Me series of plugins.
