explo - Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool to describe web security issues in a human and machine readable format. By defining a request/condition workflow, explo is able to exploit security issues without the need of writing a script. This allows to share complex vulnerabilities in a simple readable and executable format.

Example for extracting a csrf token and using this in a form:

name: get_csrf
description: extract csrf token
module: http
parameter:
    url: http://example.com/contact
    method: GET
    header:
        user-agent: Mozilla/5.0
    extract:
        csrf: [CSS, "#csrf"]
---
name: exploit
description: exploits sql injection vulnerability with valid csrf token
module: http
parameter:
    url: http://example.com/contact
    method: POST
    body:
        csrf: "{{get_csrf.extracted.csrf}}"
        username: "' SQL INJECTION"
    find: You have an error in your SQL syntax

In this example definition file the security issue is tested by executing two steps which are run from top to bottom. The last step returns a success or failure, depending on the string 'You have an error in your SQL syntax' to be found.

Installation

Install via PyPI

pip install explo

Install via source

git clone https://github.com/dtag-dev-sec/explo
cd explo
python setup.py install

Usage

explo [--verbose|-v] testcase.yaml
explo [--verbose|-v] examples/*.yaml

There are a few example testcases in the examples/ folder.

$ explo examples/SQLI_simple_testphp.vulnweb.com.yaml

You can also include explo as a python lib:

from explo.core import from_content as explo_from_content
from explo.core import ExploException, ProxyException

def save_log(msg):
    print(msg)

try:
    result = explo_from_content(explo_yaml_file, save_log)
except ExploException as err:
    print(err)

Modules
Modules can be added to improve functionality and classes of security issues.

http (basic)
The http modules allows to make a http request, extract content and search/verify content.
The following data is made available for following steps:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies
• extracted content: response.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body. If this fails, this module returns a failure and thus stopping the executing of the current workflow (and all steps).
When extracting by regular expressions, use the match group extract to mark the value to extract (view below for an example).
For referencing cookies, reference the name of the previous step where cookies should be taken from (cookies: the_other_step.response.cookies).
Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    cookies: stepname.response.cookies
    body:
        key: value
    find: search for string
    find_regex: search for (reg|ular)expression
    find_in_headers: searchstring in headers
    extract:
        variable1: [CSS, '#csrf']
        variable2: [REGEX, '<input(.*?)value="(?P<extract>.*?)"']

http_header
The http header module allows to check if a response misses a specified set of headers (and values). All other parameters are identical to the http module.
The following data is made available for other modules:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    body:
        key: value
    headers_required:
        X-XSS-Protection: 1
        Server: .               # all values are valid

sqli_blind
The sqli_blind module is able to identify time based blind sql injections.
The following data is made available for other modules:

• the http response body: stepname.response.content
• the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
    method: GET
    delay_seconds: 5

If the threshold of 5 seconds (delay_seconds) is exceeded, the check returns true (and thus resulting in a success).

Download explo

Read More

Evilginx - MITM Attack Framework [Advanced Phishing With Two-factor Authentication Bypass]

Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

You can learn how it works and how to install everything yourself on:

Evilginx - Advanced Phishing With Two-factor Authentication Bypass

Usage

usage: evilginx_parser.py [-h] -i INPUT -o OUTDIR -c CREDS [-x]

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        Input log file to parse.
  -o OUTDIR, --outdir OUTDIR
                        Directory where output files will be saved.
  -c CREDS, --creds CREDS
                        Credentials configuration file.
  -x, --truncate        Truncate log file after parsing.

Example:

python evilginx_parser.py -i /var/log/evilginx-google.log -o ./logs -c google.creds

Video

Download evilginx

Read More

morty - Privacy aware web content sanitizer proxy as a service

Web content sanitizer proxy as a service.

Morty rewrites web pages to exclude malicious HTML tags and attributes. It also replaces external resource references to prevent third party information leaks.
The main goal of morty is to provide a result proxy for searx , but it can be used as a standalone sanitizer service too.

Features:

• HTML sanitization
• Rewrites HTML/CSS external references to locals
• JavaScript blocking
• No Cookies forwarded
• No Referrers
• No Caching/Etag
• Supports GET/POST forms and IFrames
• Optional HMAC URL verifier key to prevent service abuse

Installation and setup

$ go get github.com/asciimoo/morty
$ "$GOPATH/bin/morty" --help

Test

$ cd "$GOPATH/src/github.com/asciimoo/morty"
$ go test

Benchmark

$ cd "$GOPATH/src/github.com/asciimoo/morty"
$ go test -benchmem -bench .

Download morty

Read More

wafpass - WAF Security Benchmark

                        ██╗    ██╗ █████╗ ███████╗██████╗  █████╗ ███████╗███████╗
                        ██║    ██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝
                        ██║ █╗ ██║███████║█████╗  ██████╔╝███████║███████╗███████╗
                        ██║███╗██║██╔══██║██╔══╝  ██╔═══╝ ██╔══██║╚════██║╚════██║
                        ╚███╔███╔╝██║  ██║██║     ██║     ██║  ██║███████║███████║
                         ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝     ╚═╝  ╚═╝╚══════╝╚══════╝

                            WAFPASS - Copyright (c) 2017 Hamed Izadi (@hezd). 

WAFPASS Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF.
Today a great number of website owners around the globe use “Web Application Firewalls” to improve their security. However, these security applications suffer from many deficits such as poor performance, lack of updates, and so forth. Thus, they are hindered from working effectively against everyday attacks that are equipped with cutting edge technological innovations. This vulnerability can cause various issues and even lead to security failures.
WAFPASS’s ultimate goal is to present a solution for promoting security systems like WAF in addition to providing a general overview of the security solutions.
WAFPASS supports HTTP,HTTPS connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. Also, an intercepting proxy can be set up.

Requirements:
Python version 3.4.x is required for running this program.

Disclaimer:
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!

Installation:
Download WAFPASS by cloning the Git repository:

  $ git clone https://github.com/wafpassproject/wafpass.git

Supported Platforms:

• Linux
• Mac OS X
• Windows

Usage:
To get a list of all options and switches use:

  $ python3 wapfass.py -h

You can add your payloads in /payloads/payloads.csv like this:

  payload@description

Support:
WAFPASS is the project of many hours of work and total personal dedication.
Please help us to improve this project.

Download wafpass

Read More

WebCookiesSniffer - Capture Web site cookies

WebCookiesSniffer is a packet sniffer tool that captures all Web site cookies sent between the Web browser and the Web server and displays them in a simple cookies table. The upper pane of WebCookiesSniffer displays the cookie string and the Web site/host name that sent or received this cookie. When selecting a cookie string in the upper pane, WebCookiesSniffer parses the cookie string and displays the cookies as name-value format in the lower pane.

Download WebCookiesSniffer

Read More