Proficient in the JavaScript attack framework: AttackAPI (I)

For years, client-side security did not attract enough attention, but the situation has changed dramatically: client-side security has become one of the focal points of the information security field. Web malware, AJAX worms, browser history brute-forcing, login detection, browser zombie control, network port scanning, browser hijacking, and similar techniques are only a part of what has come out of security researchers' underground laboratories, but they have already had a huge impact.

When a class of vulnerability becomes a mainstream exploitation vector, vendors and individuals begin to release frameworks and automated tools to streamline the tooling and the testing process. Vendors initially concentrated on AJAX auditing tools, whereas security researchers were more interested in exploring the boundaries of the system to find out what is really possible.

Because of the many possible attack vectors, the web application security community has built several frameworks for detecting and exploiting security vulnerabilities, in order to expose the problems the web development community faces. This article describes in detail how to use one of them, AttackAPI.

1. AttackAPI Overview

AttackAPI is a web-based attack construction library that can be combined with PHP, JavaScript, and other client- and server-side technologies. It consists of dozens of modules with different functions, which can be used either in a browser or in a standalone JavaScript interpreter such as Mozilla Rhino. It aims to provide a simple, easy-to-use interface for exploiting vulnerabilities and is mainly intended for testing and verification.

Before studying the AttackAPI subroutines, let's make some preparations. First, download the library and set up a test environment; most of the sample programs in this article are developed in it. To do this, we need to install and run the following applications:

An HTTP server with PHP 4.x or newer (Apache + PHP, or the AppServ bundle)
www.apache.org/
www.php.net/
www.appservnetwork.com/

The latest AttackAPI release from GNUCITIZEN
www.gnucitizen.org/projects/attackapi

Mozilla's Firefox web browser
www.getfirefox.com

The Firebug extension for Firefox
www.getfirebug.com/

Start the Apache HTTP server and make sure it is running properly. There is plenty of documentation on the Internet for this kind of task, so I will not repeat it here. Download the AttackAPI package from GNUCITIZEN and extract it into the web server's document root. For example, if you are using AppServ, you can put the files in C:\AppServ\www\attackapi.

Make sure that Firefox is running with Firebug installed. The reason we take the trouble to prepare all this is that it saves a lot of effort later: working in Firebug's interactive console is much easier than saving and opening a series of temporary files. Although we use Firefox here, the examples also work in other browsers with slight modifications.

After completing these initial settings, open Firefox and navigate from localhost to the AttackAPI folder, that is, http://localhost/attackapi. The content shown in Figure 1 is displayed.


From the AttackAPI file structure, navigate to build/tests/firetest-interactive.htm; this file contains some of the elements we will use below. Because we will not change the HTML of the opened page, open Firebug and expand the console to fill the whole screen.
Make sure you are on the Console tab and enter the command dir(AttackAPI). If everything works properly, you will see the AttackAPI Document Object Model (DOM) structure shown in Figure 2.


In the rest of this article we will use the $A object instead of AttackAPI to access and call the library's objects and methods. $A is a standalone instance of AttackAPI that contains shortcuts to the most frequently used AttackAPI methods. AttackAPI is a highly structured library: it is divided into AttackAPI.core, AttackAPI.dom (cross-browser methods), and AttackAPI.utils (cross-interpreter methods). Using the shortcut convention, AttackAPI's base64 encoding function is reached simply as $A.encodeBase64 instead of by its full path. Concise, isn't it? It saves effort when typing code, and laziness is, after all, one of the main driving forces of human progress.

Because we will be entering a fair amount of code, we recommend using the larger command line. Select the "Larger Command Line" option from the "Options" drop-down menu, as shown in the figure.


The command line then appears on the right side of the window, as shown in the figure:


Because we will type a lot of code, typing mistakes are inevitable; with the larger command line open, correcting them is quicker and easier.
Note that we can also use the Load AttackAPI bookmarklet to load AttackAPI into the currently selected page. This is especially useful when we need to develop exploits for a site but do not want to use Firebug to modify the page's source or insert script tags. The bookmarklet can be downloaded from www.gnucitizen.org/projects/load-attackapi-bookmarklet. Now let's look at AttackAPI's client reconnaissance functions.

2. Client reconnaissance

Once attackers control a victim's browser, the first thing they want to find out is what client and platform they have captured. To do this, they only need to enter the following commands in the Firebug command line:

console.log($A.getAgent());
console.log($A.getPlatform());

Pressing the "Run" button under the command line window shows the results of the two functions, as shown in the figure:


As you can see, the browser type and operating system version are right in front of us. It's that easy!
Attackers can do more than that, however. Enter the following two lines in the Firebug command line:

console.dir($A.getCookies());
console.dir($A.getPlugins());

Pressing the "Run" button under the command line window shows the results of the two functions, as shown in the figure:


The getCookies function retrieves all cookies available to the page. Note that getCookies returns them as an easy-to-use JavaScript object, so we do not need to parse the document.cookie string by hand. Similarly, the getPlugins function lists all installed browser plug-ins; it works in most browsers, with the exception of Internet Explorer (IE).
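To make concrete what getCookies spares us, here is an added example (my own code, not part of AttackAPI or the original article) that parses a document.cookie string into a plain object and picks out the names an attacker would want first. In a browser you would pass document.cookie; the SAMPLE string, the cookie names in it, and the session-name pattern are constructed for this example so that it runs offline.

```javascript
// Added example, not AttackAPI code: parse a document.cookie string into a
// plain object, which is what $A.getCookies() does for us in the browser.
// In a browser you would call parseCookies(document.cookie); the SAMPLE
// string below is constructed so the example also runs offline under Node.

function parseCookies(cookieString) {
  const cookies = {};
  if (!cookieString) return cookies;             // page has no cookies at all
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    if (!pair) continue;                         // tolerate "a=1;; b=2"
    // Split on the FIRST '=' only: a cookie may have no '=' at all
    // (name-only cookie), and its value may itself contain '=' (base64 padding).
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    let value = raw;
    try {
      value = decodeURIComponent(raw);           // undo %xx escaping if present
    } catch (e) {
      // malformed %-sequence: keep the raw value rather than drop the cookie
    }
    // When the same name appears twice (cookies set for different paths),
    // browsers list the more specific path first, so keep the first one.
    // hasOwnProperty avoids being fooled by names like "constructor".
    if (!Object.prototype.hasOwnProperty.call(cookies, name)) cookies[name] = value;
  }
  return cookies;
}

// Names that look like session identifiers: the cookies an attacker running
// this in a victim's browser would try to exfiltrate first. The pattern is
// an assumption for this example. Cookies flagged HttpOnly never appear in
// document.cookie, so neither this code nor $A.getCookies() can see them;
// that is exactly why the flag exists.
function likelySessionCookies(cookies) {
  const re = /sess|sid|token|auth/i;
  return Object.keys(cookies).filter(n => re.test(n)).sort();
}

// Constructed sample, standing in for document.cookie.
const SAMPLE = 'PHPSESSID=k3f9a2; theme=dark; token=YWJj%3D%3D; flag;; debug=a=b';

console.log(parseCookies(SAMPLE));
console.log(likelySessionCookies(parseCookies(SAMPLE)));
```

The parser deliberately keeps name-only cookies and values containing "=", both of which a naive split on "=" would mangle; the HttpOnly note is the practical limit of any cookie harvesting done from script.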

Note that if the client runs IE, AttackAPI can also reach the data stored in the clipboard: AttackAPI.dom.getClipboard reads the clipboard and AttackAPI.dom.setClipboard sets it. The clipboard often holds content of interest to an attacker; users sometimes copy and paste their passwords, for example. Using these functions, an attacker can easily steal clipboard data and use it to take over the user's account.

We know that attackers can attack devices in the LAN, so they need a good understanding of the internal network's layout, ideally a detailed picture of the internal address ranges. They can start from assumptions: home users are usually in the 192.168.0.0/24 or 192.168.1.0/24 range with the router at 192.168.0.1 or 192.168.1.1, while enterprise users are usually in the 10.0.0.0/8 range, because it accommodates far more hosts. Beyond guessing, the following three AttackAPI functions let attackers obtain internal network information directly:

console.log($A.getInternalIP());
console.log($A.getInternalHostname());
console.dir($A.getInternalNetworkInfo());

Pressing the "Run" button under the command line window shows the results of the three functions, as shown in the figure:


From the internal IP, attackers can easily deduce the router address with a command such as:

console.log(new String($A.getInternalIP()).replace(/\.\d+$/, '.1'));

With this knowledge, attackers can launch a range of attacks against the router to determine its type and version, and finally exploit a cross-site scripting (XSS) vulnerability or some other weakness to take control of it. Although sophisticated attackers can make a reasonable guess, a guess is only a guess and will not always be right. Later in this series we will use AttackAPI for more network operations; for now we concentrate on client reconnaissance.
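The one-liner above replaces the last octet blindly, so it happily turns a public address or a non-address string into a ".1" guess. As an added example (my own code, not AttackAPI's), here is the same heuristic with the checks a practitioner would want: the input is validated as IPv4, classified against the RFC 1918 private ranges the text alludes to, and a gateway is only guessed for a private address. The sample addresses used in the calls are constructed.

```javascript
// Added example, not AttackAPI code: turn an internal IP address, such as the
// one $A.getInternalIP() returns, into the router guess described in the
// article, and report which RFC 1918 range it falls in. The article's
// one-liner, for comparison:  new String(ip).replace(/\.\d+$/, '.1')

// Parse a dotted-quad IPv4 string; returns [a, b, c, d] or null if malformed.
function parseIPv4(addr) {
  const octets = String(addr).split('.');
  if (octets.length !== 4) return null;
  const nums = octets.map(o => (/^\d{1,3}$/.test(o) ? Number(o) : NaN));
  if (nums.some(n => Number.isNaN(n) || n > 255)) return null;
  return nums;
}

// RFC 1918 private ranges; returns the matching CIDR block or null.
function privateRange(addr) {
  const o = parseIPv4(addr);
  if (!o) return null;
  if (o[0] === 10) return '10.0.0.0/8';                              // enterprise
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return '172.16.0.0/12';
  if (o[0] === 192 && o[1] === 168) return '192.168.0.0/16';         // home
  return null;
}

// The article's heuristic: the router is usually the .1 host of the client's
// own /24. Refuses to guess (returns null) for anything that is not a
// private IPv4 address, since the heuristic is meaningless there.
function guessGateway(addr) {
  const o = parseIPv4(addr);
  if (!o || !privateRange(addr)) return null;
  return `${o[0]}.${o[1]}.${o[2]}.1`;
}

// Constructed sample inputs.
for (const ip of ['192.168.1.37', '10.20.30.40', '172.20.5.9', '8.8.8.8', 'not-an-ip']) {
  console.log(ip, '->', privateRange(ip), guessGateway(ip));
}
```

As the text says, the result is still only a guess: a router at .254 or a non-/24 subnet defeats it, which is why the next step is to probe the candidate rather than trust it.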

Retrieving the user agent, platform, cookies, plug-ins, and internal network information is not what makes AttackAPI exciting; the more exciting features are still to come. As long
