Bring Back the Attack to the API

Mon, 24 Nov 2008 11:56:23 GMT
by pdp

A couple of years ago I started a project called AttackAPI. It kind of became a hit at the time because there was no other project that was doing the same thing. Btw, the situation remains the same.

Today the project is kind of dead because I am not actively developing it anymore. Most of my development time go to projects of greater importance such as Netsecurify, Websecurify, Blogsecurify and several others. However, this situation let me have a much clearer view of the main concept/idea/goal of AttackAPI.

Initially, AttackAPI was nothing more but a collection of JavaScript functions to simplify the development of XSS payloads. Than, I thought that it might be a good idea to expand and add more functionalities such as the ability to run within Flash and also the ability to construct XPCOM payloads for hacking via Firefox privilege escalation exploits. After the release of the Renaissance framework, I barely had the time to work on AttackAPI.

So what is the idea of AttackAPI now?

The way I see AttackAPI is the following. AttackAPI should become a framework which exclusively runs within host environments. Let me explain. The browser SOP is a host for AttackAPI as well as Adobe Reader, XPCOM, Flex, Air, WScript (JScript), HTA, Java (Rhino), and pretty much everything else that can run JavaScript. Unlike Metasploit, AttackAPI does not have a common executable environment, i.e. ruby and all of its external libraries for example. Instead, AttackAPI takes advantage of the host's functionalities.

This model has several advantages and disadvantages. A key disadvantage is that AttackAPI can never use other features but the ones that the host provides unless it hacks and patches the host while running, which btw is the main purpose of the projects. A key advantage is that AttackAPI is compact and also cross-platformed. This means that payloads can execute without any external dependencies, which is pretty cool.

The project files are still hosted as a Google Code project. If you are interested, you are welcome to join and add your spin to the project. Just let me know.

Archived Comments

I started a project named "Anehta" on Google Code. Which is a xss attack platform.It contains a javascript file called "anehta.js" which had implemented most of the attackAPI's feature. I call my project a "platform" but not "framework" because I use PHP to implement some server-side features.So it's more than what attackAPI is. You can visit my project here: The version under developing is 0.6.0 and have a better UI. I wrote some documents on my blog: and some demo videos here: but I didn't have enough time to translate docs into English , so all the docs are in Chinese at the moment. This work may be done later. In my plan, I will write some flash AS, java applet or something else to implement more powerful features. If you have some advise, feel free to write to me.
10x for sharing. I will check it out when I have time.
why did you remove a lot of the "classic" functions. like scanHistory and scanStates from version 3?
And what about Technika API. Is there any chance, that it would be associable with Firefox 3.x platform?
I want to work further in attackapi can you just send me the link or a mail on the same. I am seeing anetha platform too right now. I want to develop management tools for my LAN in our school. I require your help in this regards.
Hi Axis, How do i run anetha after I unzip there is only a .dat file. Let me know. Thanks.