EC2 Security Group Notes
ABOUT HACKTAB: -------------- HackTab is a web vulnerability testing application in your browser. When enabled for a targeted domain It watches all communication between your browser and the site you are testing and it identifies each parameter and data type for each parameter. This allows HackTab to re-create any communication between your browser and the target domain and test all HTTP parameter inputs to the application. Hacktab only tracks requests to domains you target and includes watermarks on pages it is tracking. HackTab currently tests for Reflected Cross Site Scripting, Persistent XSS, SQL Injection, Local File Includes and Cross Site Request Forgery. It is blazingly fast and can handle most web forms including forms with CSRF protection. KNOWN BUGS: ------------ * please report! INTRODUCTION VIDEO: ------------------- https://www.youtube.com/watch?v=gnHfXWGg4Aw CURRENT TESTS: -------------- Cross Site Request Forgery Reflected XSS MySQL Injection - sleep() MS SQL Injection - wait for() Generic SQL Injection - and 1=2 Local File Inclusion COMMON QUESTIONS: ----------------- Q: Does HackTab monitor all of my web traffic? A: No. HackTab ONLY monitors traffic to domains you target in it's configuration and ONLY when enabled Q: Does HackTab scan the site when I target it? A: No. HackTab only sends tests for the parameters you target and only sends the tests that you have selected when you scan that single parameter. All tests are manually triggered. Q: Where are the tests run from? A: The tests are run directly from your web browser. Q: What permissions does HackTab require? A: HackTab requires permission to send HTTP requests to targeted domains and also read the responses from those targeted domains. Q: Does HackTab store any information about vulnerabilities? A: No. All site data is stored in your local Chrome extension. HackTab uses Google Analytics to store usage data. This includes number of tests run and which features users are using. No site information or identifying information is used or stored anywhere outside of your web browser. Change Log: ---------- 2.1.1: added support for Persistent XSS ! fixed a bug when counting vulnerabilities on parameters fixed a bug displaying different urls with same parameter names improved error handling and logging various other bug fixes 2.1.0: added testing for CSRF vulnerability added flag for server state added success and failure strings bug fix when testing single parameter bug fix when deleting a url replaced watermark logo for tracked pages removed verbose logging removed dead code decreased footprint of content scripts 2.0.4: Fully redesigned UI Ability to save scans Ability to load scans Test entire hosts Test entire URLS Improvements in testing CORS headers Prerequisites for CSRF plugin Various bug fixes Added watchdog timer to handle stuck plugins Improved support for filtered requests, firewalled hosts and timeouts 1.10.2: Fixes for CORS requests. Now updates Origin HTTP header and sets the Origin to the HTTP Host header value. Added several new fields including number of requests set per test, test time and a sample test URL Several bug fixes around analytics logging. Included new feedback form in popup so users can leave feedback about new features 1.0.9: reduced analytics overhead test probes are now sent from web workers greatly improving performance and responsiveness! reduced debug logging several small bug fixes 1.0.7: fix for auto detecting CSRF token regular expressions 1.0.6: fixed edge case that could cause probe requests to be logged when scanning many parameters at once 1.0.5: fixed crash logging updated API DNS 1.0.3: Fully redesigned interface. Single threaded to prevent requests from interfering with each other New "current domain" target button allows for easily selecting the current domain Improved internal storage lowers memory footprint Many bug fixes More consistent output 0.9.17: * support for sending cookies with test data. * Fix spinner when testing MySQL and MSSQL. * Rename MS and My SQL vulnerability types for better clarity.