Viewstate Hidden Event Enumerator!
VEHICLE (formerly known as ria-scip) is a pentest platform with advanced testing features for modern web application frameworks (MWAF) and rich internet applications (RIA).
It enables testers to affect various server control properties and enumerate & execute dormant events of invisible, visible, disabled and commented server web controls
(currently supported for ASP.net and Mono).
These features are implemented by abusing application mis-configurations and framework-specific programming flaws, and by manipulating proprietary input formats.
The project is implemented as an extension to the OWASP Zed Attack Proxy (ZAP) project.
Developed by Hacktics ASC
- VEHICLE requires Java 1.7.x, and was tested with ZAP v.2.x.
- Verify that ZAP proxy is executed using Java 1.7.x, prior to running the installer.
VEHICLE also provides a manual interface for performing additional RIA/ASP.net targeted attacks such as reusing hijacked viewstate/eventvalidation fields, reconstructing viewstate fields after content alteration/parameter tampering, etc.
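On the ASP.net side, the mis-configurations that make hijacked or rebuilt ViewState fields and dormant events of invisible, disabled or commented controls reachable are largely the ViewState and event-validation settings. The following web.config fragment is an added illustration, not part of VEHICLE or its documentation: each hardened value is shown with the weak value it replaces, and the key material is a placeholder.

```xml
<!-- Constructed example: hardened <system.web> settings for an ASP.NET application.
     The weak value noted beside each attribute is what leaves the page open to
     the ViewState reuse and dormant-event execution described above. -->
<configuration>
  <system.web>
    <!-- enableViewStateMac="false" would let a tampered or replayed __VIEWSTATE
         be accepted; the MAC binds the field to this application's keys -->
    <!-- enableEventValidation="false" would let __EVENTTARGET name a control that
         was never rendered as visible/enabled, so its server handler still fires -->
    <!-- viewStateEncryptionMode="Never" would leave control state readable -->
    <pages enableViewStateMac="true"
           enableEventValidation="true"
           viewStateEncryptionMode="Always" />
    <!-- Explicit per-application keys; with AutoGenerate keys a farm may share
         state inconsistently, and a captured ViewState should never validate
         against another application. Values below are placeholders. -->
    <machineKey validationKey="REPLACE_WITH_RANDOM_HEX_KEY"
                decryptionKey="REPLACE_WITH_RANDOM_HEX_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

When reviewing a deployment, also check individual .aspx files: a `<%@ Page EnableViewStateMac="false" %>` or `EnableEventValidation="false"` directive overrides web.config for that page. Setting Page.ViewStateUserKey in code additionally ties a ViewState to the user who received it, which counters reuse of a captured field.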
VEHICLE in action - Image
VEHICLE (a.k.a. ria-scip) in action - Demo Video
VEHICLE can currently be used by right-clicking on any ASP.net page in ZAP's treeview.
Currently supports ASP.net, while the next release will support Mono and additional technologies.
VEHICLE is developed and maintained by Alex Mor, Shay Chen and Niv Sela.
The development team also includes Michal Goldstein and Alon Friedman.
Event Execution Features
Additional Features
Technology Support
Integration Support
VEHICLE - An advanced toolset for testing modern web application frameworks and rich internet applications.
Copyright (C) 2013, Hacktics ASC, Ernst & Young.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses.