I have been using a few new tools recently to help automate my XSS and SQL injection testing and I thought I would share them with you.
My normal approach involved manual work along with the Burp Suite (using the intruder function) with a list of inputs loaded in. I came across the Exploit-me tools from Security Compass and I thought I would tell you guys about them.
I won't talk too much about how to use the tools; I think installing them and having a play will tell you all you need to know. The link above to the Security Compass website does have some FAQs/usage guides along with a presentation given at the SecTor conference. XSS-Me comes pre-loaded with RSnake's XSS cheat sheet inputs; these can be expanded with strings from your own brain or from many web sources. SQL Inject-Me is similar in that it comes pre-loaded with some strings; again, this list can be extended. Lastly, the Access-Me tool aims to exploit access control flaws within an application.
Have a play with the tools and let me know what you think.
Dave
2 comments:
Do you think this prorat will escape the AV?
Hi there,
First of all I would advise against using this in a malicious manner if that is your aim.
I used the free version of prorat; I believe you have to purchase the professional version to disable AV etc.
I purposely chose to use a trojan which wouldn't be really malicious to use (in the free version). The aim of this blog is to educate people on the potential security threats we all face and not to educate people how to hack other people.
Dave