Saturday, September 6, 2014

Web Server Cookie Disclouser Vulnerability Scanner

Hello Guys,
           I have write a Python code for checking Web Application Vulnerability

HTTP Only cookie is only accessed from the server side, no client script can access that cookie, when a webserver get a big cookie like same 10000 of characters for example A is char, it cannot process so it get us back error 400 [bad request], in that error has a vulnerability, its disclose cookies on a webserver.
Most of all dont know about the how to check a HTTPOnly vulnerability and web server Cookie Disclouser Vulnerability, some People runs a Tools like Acunetix and burp scan or netsparker there are most of time you will see a HTTPOnly flag is not set or cookies not protected, they just saw it and patched it through .htaccess file or including scripts in php headers file to protect a web server. But Most of dnt know how to check it, So i made it a script for checking specially for cookie disclouser vulnerability on web server
[+] I Have Made a Python Script for Checking HTTPOnly and Web server Cookie Disclouser Vulnerability.
[+] Test it Manually for checking vulnerability of HttpOnly on Web Applications, this is very common vulnerabilty on nowadays [+] Impact of this Vulnerability is Low as well as Medium depending upon the Attacker :D
[+] Using of this python file on windows is very Simple
[+] Download a python for windows from here:
[+] Run a python File [+] C:\python27>python.exe and file path
Here is some Screenshots:
[+] If Target is Vulnerable

[+] If Target is Not Vulnerable

[+] Proof of Exploiting Vulnerability using Browser, Need an Cookie Manager

Download the Python Code from here:

Direct Link: 

Friday, April 18, 2014

Heartbleed Testing Tools [OpenSSL |CVE-2014-0160]

HeartBleed Response with Vulnerable System:-

 Here's a nice collection of heart bleed tools to help you along with this exploit:-
'ONLINE' OpenSSL Heartbleed Vulnerability Scanner: 
This is for those of you in this thread that are having trouble with the Python scripts below

A Checker:  (site and tool) for CVE-2014-0160:
-- Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford
-- (modified version) Added URL crawler and auto-detection function, reducing the trouble to manually enter the URL. You can also use a proxy server, so you can choose your own search engine in the code, and change their keywords. Feel free to edit/modify to suit your needs.
-- (modified version #2) This version is updated for handling different version of SSL/TLS
-- Pacemaker Attempts to abuse OpenSSL clients that are vulnerable to Heartbleed (CVE-2014-0160). Compatible with Python 2 and 3.

SSL Server Test:

Metasploit Module:

Nmap NSE script: Detects whether a server is vulnerable to the OpenSSL Heartbleed:

Nmap NSE script: Quick'n'Dirty OpenVAS nasl wrapper for ssl_heartbleed based on ssl_cert_expiry.nas

Heartbleeder: Tests your servers for OpenSSL:

Heartbleed Attack POC and Mass Scanner:

Heartbleed Honeypot Script:

Bleed Out Heartbleed Command Line Tool v.
Bleed Out is a command line tool written in C# for targeting instances of OpenSSL made vulnerable by the prolific "Heartbleed" bug. The tool aggressively exploits the OpenSSL vulnerability, dumping both ASCII and binary data to files. It also checks the uniqueness of each chunk before persisting it, to ensure that duplicate chunks are not saved.

Windows CMD example:
C:\Users\frank3nstien\Desktop\BleedOut1.0.0.10-1\Bin>BleedOut -h

Enjoy and Thanks for viewing my Blog

*Greetz to m0bi13_xT and My PC