Comments on: AttackAPI

By: 2007 Security Testing tools in review | tssci security

2007 Security Testing tools in review | tssci security — Sat, 24 Nov 2007 17:43:43 +0000

[...] (and these could be open-sourced like the SQL Hooker tool). For now, the Metasploit, GNUCITIZEN AttackAPI, and the BeEF framework appear to be the dominant exploit tools for web applications. The W3AF [...]

By: pdp

pdp — Wed, 27 Jun 2007 13:31:36 +0000

rootkid, I’ve created AttackAPI Google group. Feel free to post your stuff there. I would like to build community around the library too since V3 looks very promising in terms of new features. I am not sure whether I discussed this thing somewhere else, but AttackAPIv3 has features to export the most basic set of requirements for each attack payload.

By: rootkid

rootkid — Wed, 27 Jun 2007 13:16:51 +0000

pdp, I really like your library so far, helped me a _LOT_ developing my own stuff. At the moment I am pretty much stuck here with a problem regarding execution of an AttackApi script in an IE 6 environment. Is there anything like a chat or forum which can be used for problems like this (I’d rather do it this way than posting it to code.google.com, as I am not sure if this really is an issue or simply stupidity of me). I’d really like to see a AttackAPI community out there..:)

By: Web App Security: Comparing and contrasting Black Box, White Box, Fault Injection, and SCA - QuietMove

Thu, 14 Jun 2007 00:57:55 +0000

[...] At the same time, the population of attackers has vastly increased. The maxim goes that a security system is only as strong as its weakest link, so that’s what attackers look for. Attacks have moved both up and down the stack. By this I mean, up to the application and even client level, and down to the system internals and driver level. Blue Pill, a virtual machine malware platform, is one such example that takes advantage of hardware features at the bottom level, while at the top level you have the world of web application attacks, where web applications are used as proxies to attack the integrity of the application as well as its architectural dependencies, and Javascript attacks, which are used to attack the softest target of all – the end user. At the Javascript / client attack level, state of the art is represented by PDP’s AttackAPI. [...]

By: The Security Catalyst » Blog Archive » Web App Security: Comparing and contrasting Black Box, White Box, Fault Injection, and SCA

Mon, 04 Jun 2007 11:38:56 +0000

By: f0rg3

f0rg3 — Tue, 22 May 2007 02:09:21 +0000

I’m really banking alot of the future of web application security on XSS, As in i’m staking my career on it. Sure BUffer overflows are still gonna exist and teh skillz are requisite but xss is the future and any hacker worth his salt should know about this. thanks Mr pdp, you are an invaluable resource/person. Big Up.

By: pdp

pdp — Sat, 17 Mar 2007 16:57:55 +0000

sure, give it a go. If you find any problems with it please post them here. Thanks.

By: Jan Novak

Jan Novak — Sat, 17 Mar 2007 16:11:03 +0000

i’d like to test this api

By: AttackAPI 2.0 Alpha - JavaScript Hacking Suite »

AttackAPI 2.0 Alpha - JavaScript Hacking Suite » — Wed, 10 Jan 2007 05:04:26 +0000

[...] http://www.gnucitizen.org/projects/attackapi/ [...]

By: Operation n » Hacking with Images 1

Operation n » Hacking with Images 1 — Sat, 30 Dec 2006 01:08:59 +0000

[...] Note: This is the port scanning technique jssWebImage uses, which was originally taken from AttackAPI [...]

By: Depressive Developer » Backframe und AttackAPI installieren und nutzen

Depressive Developer » Backframe und AttackAPI installieren und nutzen — Sun, 26 Nov 2006 12:25:40 +0000

[...] Dieser Beitrag liefert ein Step-By-Setp-Tutorial, wie man die Kombination aus Backframe und der AttackAPI auf einem lokalen Server installieren und nutzen kann. Backframe ist ein Hacking-Framework aus der Feder von Petko Petkov - ebenfalls Autor der AttackAPI. Backframe bietet eine GUI, mit der sich Channels verwalten lassen, über die beliebiger JavaScript-Code in Webseiten eingeschlust werden kann. Die AttackAPI hingegen ist eine JavaScript-Library, das die gebräuchlichsten Methoden bereithält, mit denen Angreifer Webseiten testen und Informationen vom Client, der die Webseite besucht, ermiteln können. [...]

By: AttackAPI 0.8 JavaScript Hacking Suite Available »

AttackAPI 0.8 JavaScript Hacking Suite Available » — Tue, 21 Nov 2006 16:09:18 +0000

[...] http://www.gnucitizen.org/proj.....tackAPI.js [...]

By: Operation n » Blog Archive » JSScanner

Operation n » Blog Archive » JSScanner — Mon, 23 Oct 2006 22:53:39 +0000

[...] Credits: pdp (http://gnucitizen.org) I hope to incorporate this project into pdp’s AttackAPI at some point. It currently uses AttackAPI’s IP Calculator script. [...]

By: Talk at 0sec at Disenchant’s Blog

Talk at 0sec at Disenchant’s Blog — Tue, 17 Oct 2006 19:57:39 +0000

[...] I’ll also release my XSS-Toolkit in a few days (I hope ) which I used to show some demos during the talk but first I’ll have a look on the newest version of pdp’s Attack API because the I can include also some stuff he did or replace some stuff of mine. [...]

By: GNUCITIZEN » AttackAPI 0.8 is OUT

GNUCITIZEN » AttackAPI 0.8 is OUT — Mon, 16 Oct 2006 04:39:21 +0000

[...] I would recommend AttackAPI 0.8 to everyone who is interested in high-end hacking not because I wrote it but because it provides a good demonstration of what is possible today. That, I hope will take our awareness even further. [...]

By: Johannes Gumbel [Pentestare] : XSS blir ett allvarligt hot

Johannes Gumbel [Pentestare] : XSS blir ett allvarligt hot — Tue, 03 Oct 2006 14:54:02 +0000

[...] XSS blir ett allvarligt hot Cross Site Scripting (XSS), SQL-injektion, Kommando-injektion, etc. Alla popul�ra brister i webbapplikationer. Till f�r inte s� l�nge sedan har XSS ofta ansetts som ganska harml�st, inte alls lika allvarligt som SQL/LDAP/Kommando-injektion. Inte ens efter att de f�rsta XSS maskarna/virus blev alla �vertygade om att det verkligen var ett problem.F�r er som redan �r �vertygade och bara vill f� ta del av den magiska v�rlden av browser-hacking, och f�r er som inte alls �r �vertygade och beh�ver f� mera information, f�resl�r jag att ni kollar in http://www.gnucitizen.org/projects/attackapi/. Denna site inkluderar �ven l�nkar/artiklar om hur ni kan trojanisera b�de mp3 och pdf (har inte hunnit l�sa sj�lv �n, tyv�rr) osv.Gnucitizen (l�nken ovan) har �ven en intressant artikel om hur man kan bygga en slave/master relation mellan en browser som k�rt v�rat javascript och en av oss kontrollerad webbserver. Ganska sweet och skr�mmande (p� samma g�ng) i mina �ron.Jag t�nkte jag skulle ge er en till l�nk, en presentation fr�n blackhat d�r det demonstreras hur javascript kan anv�ndas f�r att angripa interna resurser, mycket inressant. http://www.blackhat.com/presen.....outside%22 Published den 3 oktober 2006 16:41 by Johannes Gumbel [...]

By: Depressive Developer » F?hr! Mich! Aus!

Depressive Developer » F?hr! Mich! Aus! — Sun, 24 Sep 2006 16:06:19 +0000

[...] Nein, nun muss auch Argwohn walten, wenn man einen Link auf ein Video, auf ein MP3 oder ein PDF bekommt - was sich alles in den Files verbergen kann, verdeutlicht ein Blick auf Gnucitizen’s Attack API und die Annahme, dass der Virenscanner bei XSS-Attacken anschlagen w?rde muss ich hier leider als naive Illusion brandmarken. Trotzdem kein grund, in Panik auszubrechen - von echten Angriffen ?ber versechte Videos oder ?hnliches habe ich bislang noch nichts geh?rt und es geh?rt schon einiges an krimineller Eneregie dazu, Quicktime Videos entsprechend zu pr?parieren. [...]