How To (Link): Hacking Web 2.0 Applications with Firefox (Downloads)

23 10 2006

Hacking Web 2.0 Applications with Firefox [via] securityfocus.com

Here it is in a nutshell:

This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this article are to understand the:

* web 2.0 application architecture and its security concerns.
* hacking challenges such as discovering hidden calls, crawling issues, and Ajax side logic discovery.
* discovery of XHR calls with the Firebug tool.
* simulation of browser event automation with the Chickenfoot plugin.
* debugging of applications from a security standpoint, using the Firebug debugger.
* methodical approach to vulnerability detection.

Basically you need are these tools (all download links):

  1. FireFox – Its a browser.
  2. FireBug – FireBug lets you explore the far corners of the DOM by keyboard or mouse. All of the tools you need to poke, prod, and monitor your JavaScript, CSS, HTML and Ajax are brought together into one seamless experience, including a debugger, an error console, command line, and a variety of fun inspectors.
  3. Chickenfoot – Chickenfoot is a Firefox extension that puts a programming environment in the browser’s sidebar so you can write scripts to manipulate web pages and automate web browsing. In Chickenfoot, scripts are written in a superset of Javascript that includes special functions specific to web tasks.

Here’s the hack/hacks in their most basic form. I am just trying to make it simple for use dumb people that want hacks fast and easy.

To start you will need to go to a site that is “web 2.0”, aka run on ajax (Hint: the most exploitable sites will be the ones that anounce themselves as “web 2.0:).

1. Find Exploitable URL’s – Use the FireBug plugin to show all the XMLHttpRequest’s that the site makes when it loads.  This will show you all the AJAX XHR calls that the site makes and enable you to see the specific code (JavaScript).  In the calls you might (remember hacking is patience) find vulnerable URL’s.  URL’s that are known to have weakpoints for SQL injection etc etc.  Just keep at it.  It shouldn’t take long to find a poorly crafted site.

2. Webcrawling with Chickenfoot – Many websites have links that really just run a javascript function.  So a normal webcrawler would miss the actual link that is hidden within that javascript.  Use Chickenfoot to simulate “onclick” events so you can catch the XHR calls to the .js files that contain the URL’s you wanna hack.

3. Find Form Passwords With Firebug – securityfocus.com has the best explanation on this one. CLICKY CLICKY

Mad props to Shreeraj Shah and securityfocus.com for the kickass tutorial.  All credit goes to them.  Please pardon my attempt to dumb this down a little for myself and … well myself. Again Thanks Mucho Mucho.

I HIGHLY encourage everyone to read the original article in its entirety.  These peeps is way l33t.

Hack on fellow bored people!!


Actions

Information

One response

15 06 2012
Ronaldinho

Hello, Neat post. There is an issue together with your website in internet explorer, might test thisˇK IE nonetheless is the market leader and a large component to folks will pass over your great writing due to this problem.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: