Introducing Technika Security Framework

Thu, 02 Aug 2007 09:10:58 GMT

Technika is a Firefox plugin that myself and pdp was toying with some months back. The original idea behind this project was to provide independent self-contained security tools based on JavaScript which can be loaded and executed from the browser. TS Framework v1.0 is almost ready for release.

The advantages here over traditional security tools is that we utilize the existing browser functionality instead of re-inventing the wheel. In other words, Technika doesn't have to worry about network sockets, SSL libraries, whether its OS independent and so on. Basically, anything the browser can do, we can.

The TS Framework is designed to aid security analysts when testing web applications by providing a degree of automation.

Core Features:

  • tech.dspider - DOM link spider; because we utilize the DOM, the results are instant.
  • tech.forms - GET/POST form parser.
  • tech.mutate - By specifying a payload and regex, we can mutate our target arrays and build tests.
  • tech.scan - tech.scan is our actual engine that will handle our GET and POST requests.
  • tech.mNikto - Mini-Nikto was named after the popular web application tool Nikto if you haven't already guessed. We called it mini-nikto as it currently only contains a very small database.
  • tech.g - This is one of my favorite tools in the TS framework. It uses the Google AJAX API (JSON) to fetch links and perform other Google hacking queries outside of our current DOM. This is really useful even when it is not security related.
  • tech.store - Utilizes the Firefox sessionStorage to allow us to persistently store arrays.

There are a lot more features which we'll keep as a surprise for the first release. Bellow you can find some screenshots of TSF in action. We will drastically improve the core functionalities in the following weeks.

FYI, there have been some awesome projects going on at GC. .mario and pdp have done a lot of work around XSSDB and PHPIDS integration. If you haven't already checked it out, I strongly recommend that you do. You wont be disappointed. We launched BlogSecurity a few months back to provide security exclusively for blogs, and we have had some great feedback there as well. SecURLS was also launched as a security portal to keep up to date with whats going on.

This is from me for now. Stay tuned.

.mario.mario
Hi David! Looking awesome - are you planning on releasing basic documentation or a hands-on tutorial? Greetings, .mario
pdppdp
I am currently working on the sandbox for Technika which was removed in version 0.1 due to the overhead in the code structure. The new sandbox will allow us to write cross-browser bookmarklets which do no interfere with the underlaying DOM. We can use this feature to include additional functionalities for the scripts such as support for command line options :). It will be cool to have something like unix shell that works straight from the browser, something that Technika is aiming to achieve.
David KierznowskiDavid Kierznowski
mario, the delay in releasing this post was my attempts at being a movie director. I would still like to have a movie demonstrating the features, but yes when we launch v1.0 we'll have some basic documentation. pdp, this option would definately rock! we also may want to put t_httprequest for cross-domain requests back in, I think we took it out.
Gareth HeyesGareth Heyes
Cool work! I can't until it's finished
pdppdp
yep, I took it out because I don't want people to abuse it too much. I think that we don't really need it. I cannot think of a situation where we really need this feature. After all, if we need data from external site we can simply call via JSON.
David KierznowskiDavid Kierznowski
pdp, yes JSON is cool, we do this with Google queries, but I can think of a few ideas where it may be useful to allow cross-domain: we can chat offline about it and weigh up if we really want to put it back in. Gareth, me too, its becoming expensive keeping my miss happy while developing it the last 2 weeks :-)
incinc
Well well, what can I say can't wait to give this a spin. Looks to be very promising and useful.
David KierznowskiDavid Kierznowski
inc, well we hope so. I have tried developing the toolkit while doing actual web application security testing, so it supports alot of funky little features like, tech.keepalive, which allows you to keep your session alive while checking e-mail, or if you pop off somewhere.
Gareth HeyesGareth Heyes
David I know what you mean :) My LAN scanner caused a bit of problems with my missus
reznrezn
Is there any hope for something that will work in IE? Many web applications will not work at all in firefox. I understand that FireBug is an excellent tool, but a bookmarklet-injectable cross browser version of TSF would be very useful. For some ideas, check this out: http://extjs.com/deploy/ext/examples/debug/debug-console.html Also, vaporware is so Web 1.0. Release something already.
pdppdp
rezn, I don't see why it should be possible. We are working on the framework building system at the moment. So we can features to export the bookmarklets for whatever browser version we want to. Give us some time and we will come up with good enough solution. Cheers.
David KierznowskiDavid Kierznowski
Thats the awesome idea of TSF, not only is it possible to port alot of tools for IE, but it also has potential for testing other applications outside the browser, as JavaScript is supported by a number of other frameworks.
mr.r.birtlesmr.r.birtles
When can we expect to see a working version where exploits can be ported/implamented in Technika. As well as haveing the functions such as techStore, techDspider, techMutate etc? Thanks