web-scip

Web Server Control Invisibility Purge!

An advanced toolset for testing modern web application frameworks and rich internet applications.

web-scip is a pentest platform with advanced testing features for modern web application frameworks (MWAF) and rich internet applications (RIA).

It enables testers to affect various server control properties and enumerate & execute dormant events of invisible, visible, disabled and commented server web controls (currently supported for ASP.net and Mono).

These features are implemeted by abusing application mis-configurations and framework-specific programming flaws, and by manipulating proprietary input formats.

The project is implemented as an extension to the OWASP Zed Attack Proxy (ZAP) project.

---

Developed by Hacktics ASC

Requirements:

• SCIP requires Java 1.7.x, and was tested with ZAP v.2.x.
• Verify that ZAP proxy is executed using Java 1.7.x, prior to running the installer.

How Does it Work?

SCIP can locate insecure ASP.net configuration, as well as locate traces of invisible, disabled and commented controls and events. It can then be used to enumerate invisible controls, and execute dormant events of server controls by forging a valid postback call (invisible controls without event validation or disabled & commented controls in any scenario), or by reconstructing the viewstate and eventvalidation fields of invisible controls (in case the eventvalidation is on but the MAC is off).

SCIP also provides a manual interface for performing additional RIA/ASP.net targeted attacks such as reusing hijacked viewstate/eventvalidation fields, reconstructing viewstate fields after content alteration/parameter tampering, etc.

---

Quickstart

SCIP can currently be used by right-clicking on any ASP.net page in ZAP's treeview.
Currently supports ASP.net, while the next release will support mono and additional technologies.

Developers

web-scip is developed and maintained by Alex Mor, Shay Chen and Niv Sela.

Features

Event Execution Features

Event Execution of Disabled / Commented Controls Event Execution of Invisible Controls (When the Event Validation is OFF) Event Execution of Invisible Controls (When the Viewstate MAC is OFF) Manual Event Execution of Optional Events (MAC/Validation is OFF)

Additional Features

Error-Based Control Name Enumeration Viewstate/EventValidation Reconstruction (Assist in Control Value Manipulation)

Technology Support

ASP.net postbacks / Viewstate 2 Upcoming: Support for Mono / Callbacks / Viewstate 1

Integration Support

Integration With ZAP's 'Resend Request' Feature Upcoming: Integration With Diviner's Diff Method to support Blind Event Enumeration

Copyright

WEB-SCIP - An advanced toolset for testing modern web application frameworks and rich internet applications.

Copyright (C) 2013, Hacktics ASC, Ernst & Young.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses.