Hackmanit develops a number of unique open source tools for security analysis in various areas. The Hackmanit team emphasizes a high level of integration: The tools can be integrated directly into your company test scenarios and thereby (semi-)automatically detect new threats. For example, WS-Attacker can be used to continuously scan your web services for vulnerabilities. More tools for the analysis of TLS, Single Sign-On, and Web applications are currently under development.
Cheat Sheets
Cheat sheets serve as a collection on a specific topic, such as a vulnerability or category of vulnerabilities. In addition, they can provide a collection of information on attack techniques, countermeasures, or how to use tools.
When conducting penetration tests, cheat sheets serve as a useful reference containing frequently used commands and payloads. They are often used by penetration testers to work efficiently and thoroughly at the same time.
Hackmanit currently provides cheatsheets on the following topics:
Overview of cheat sheets: cheatsheet.hackmanit.de
Template Injection Analyzer (TInjA)
Template engines are used in web applications to dynamically generate an output format, such as HTML, from static templates at runtime. There are countless template engines for different programming languages. If used insecurely, there is a risk of template injection vulnerabilities. You can find an introduction to template injection in this blog post.
The Template Injection Analyzer (TInjA) allows automated detection of template injection possibilities and subsequent identification of the template engine used by the application under investigation. TInjA uses so-called polyglots in order to work as efficiently as possible. The tool offers the option of scanning individual URLs as well as using the output of a crawler to scan an entire web application. In addition to server-side template injection (SSTI), scanning for client-side template injection (CSTI) is also supported. TInjA also allows you to define headers, cookies, or body parameters that are added to the requests and to use a proxy during the test.
One way to familiarize yourself with template injection vulnerabilities and automated testing with TInjA is the Template Injection Playground. Here, 46 template engines can be examined for vulnerabilities.
Web Cache Vulnerability Scanner (WCVS)
Web caches are widely used to reduce latency and decrease the load on web servers. However, incorrect configurations or insufficient customization for the specific website can lead to major security risks. Web caches can open new attack vectors or amplify the impact of existing vulnerabilities. One of these new attack vectors — Web Cache Poisoning — is explained in this blog post.
To easily and efficiently test web applications for their vulnerability to Web Cache Poisoning, the Web Cache Vulnerability Scanner (WCVS) was developed. The scanner can be used out-of-the-box in its default configuration and additionally offers a wide range of customization options. Both testing a large number of web pages and recursively testing them, e.g. by using the integrated crawler, is possible. The results can be saved as a report in JSON format. A detailed introduction of WCVS can be found in this blog post.
WS-Attacker
XML-based SOAP Web Services are a widely used technology, which allows the users to execute remote operations and transport arbitrary data. It is currently adapted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, or millitary services. The wide adoption of this technology has resulted in an emergence of numerous - mostly complex - extension specifications. Naturally, this has been followed by a rise in large number of Web Services attacks. By implementing common web applications, the developers evaluate the security of their systems by applying different penetration testing tools. However, in comparison to the well-known attacks as SQL injection or Cross Site Scripting, there exist no penetration testing tools for Web Services specific attacks. With WS-Attacker we intend to close this gap and provide developers and penetration testers automatic methods for detecting Web Services specific attacks. The tool currently supports the following attacks:
- SOAPAction Spoofing
- WS-Addressing Spoofing
- Various XML Denial of Service variants
- XML Signature Wrapping
TLS-Attacker
TLS-Attacker is a Java-based framework for analyzing TLS libraries. It is able to send arbitrary protocol messages in an arbitrary order to the TLS peer, and define their modifications using a provided interface. This gives the developer an opportunity to easily define a custom TLS protocol flow and test it against his TLS library.
In addition, TLS-Attacker supports various known cryptographic attacks and their evaluations. This means you can simple check whether your server is vulnerable to padding oracle, invalid curve, or Bleichenbacher attacks. It has already allowed us to find vulnerabilities in major TLS libraries, including OpenSSL, Botan, or MatrixSSL.
EsPReSSO (Single Sign-On Extension for Burp Suite)
The Burp Suite Extension EsPReSSO helps in the detection of various Single Sign-On protocols. It supports SAML, OpenID, OAuth, BrowserId, OpenID Connect, Facebook Connect and Microsoft Account. EsPReSSO passively analyzes the HTTP traffic and automatically highlights Single Sign-On messages in the Burp Suite proxy.
In addition, EsPReSSO provides editors for SAML and JSON Web tokens allowing to edit them easily. In addition, XML Signature Wrapping attack vectors can be created for SAML using the built-in WS-Attacker library.
Metadata-Attacker
This tools covers Cross-Site Scripting (XSS) security issues with media-files containing metadata. Such data is usually created by trusted devices like cameras. Therefore, there is the chance that providers handling this metadata, also trust them and that they thus use insuffcient or no filter mechanisms.
We have developed an open source pentetration testing tool called Metadata-Attacker. It consists of a suite of self-developed tools that allow to create malicious proof-of-concept image (.jpg), audio (.mp3), and video (.mp4) files.