Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Jan 15, 2011
Speakers: Kevin Johnson Senior Security Analyst, InGuardians Justin Searle Senior Security Analyst, InGuardians Frank DiMaggio Security Researcher
Injectable exploits focus on the exploitation of major web flaws during penetration tests. Two new tools will be released that expand the foothold penetration testers can obtain through SQL injection and XSS flaws. These tools provide greater insight into the network hosting the web application and the networks in which the users are located. We will also discuss the live CD environment that includes both tools.
Yokoso! is an infrastructure fingerprinting system delivered via XSS attack. This project contains two different parts; the fingerprints and modules for the various browser exploit frameworks. The fingerprints identify web applications deployed in the user's network, applications such as web administration interfaces to different IT manage systems. The modules portion contains code to perform two basic attacks. The first is history browsing which determines if the user has visited the sites of interest. This reveals if the user is an administrator or power user. The second attack module within Yokoso! Initiates requests to map the infrastructure of the user's network.
Laudanum is a collection of injectable files that are prebuilt to perform various attacks within a network. These files are injected via SQL injection attacks. The individual files are placed into scheduled jobs or the web root of database servers.
This is accomplished by exploiting SQL injection flaws within the web application. Laudanum includes various attacks such as shells, proxy capabilities and data collection tools.