Darknet 2018-03-03 11:49:31

XSStrike – Advanced XSS Fuzzer & Exploitation Suite

XSStrike is an advanced XSS detection suite, which contains a powerful XSS fuzzer and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads.

It is also built in an intelligent enough manner to detect and break out of various contexts.

Features of XSStrike XSS Fuzzer & Hacking Tool

XSStrike has:

  • Powerful fuzzing engine
  • Context breaking technology
  • Intelligent payload generation
  • GET & POST method support
  • Cookie Support
  • WAF Fingerprinting
  • Handcrafted payloads for filter and WAF evasion
  • Hidden parameter discovery
  • Accurate results via levenshtein distance algorithm

There are various other XSS security related tools you can check out like:

– XSSYA v2.0 Released – XSS Vulnerability Confirmation Tool
– xssless – An Automated XSS Payload Generator Written In Python
– XSSer v1.0 – Cross Site Scripter Framework

You can download XSStrike here:

XSStrike-master.zip

Or read more here.

Read the rest of XSStrike – Advanced XSS Fuzzer & Exploitation Suite now! Only available at Darknet.

PunkSPIDER – A Web Vulnerability Search Engine

PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly. In simple terms, that means the authors have created a security scanner and the required...

Read the full post at darknet.org.uk

Bug in Magento puts millions of e-commerce sites at risk of takeover

Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend," a Sucuri advisory explained. "Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

Read 1 remaining paragraphs | Comments

Serious Imgur bug exploited to execute worm-like attack on 8chan users

(credit: John Lodder)

A recently discovered attack on visitors of the 8chan image website went well beyond the venue's usual script-kiddie fare by combining two weaknesses on that property with a potentially catastrophic vulnerability on the wildly popular photo-sharing site Imgur.com.

The result: the browsers of people who viewed certain Imgur-hosted images linked on one or more Reddit sections automatically executed code of the attacker's choice. That malicious JavaScript code in turn reached out to 8chan and exploited two additional but completely separate vulnerabilities on that site. From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests, although some researchers aren't convinced a denial-of-service on 8chan was the objective of the hack.

Worm-like properties

The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic, and millions and millions of new infections. It never got to that point, because Imgur fixed the Web-application bug on its site Tuesday morning, while 8chan temporarily blocked the execution of files based on Adobe's Flash media player. With the immediate threat averted, the question security researchers' asked was why a vulnerability so potentially powerful as the one exploited against Imgur squandered on such a limited number of people?

Read 5 remaining paragraphs | Comments