Friday, March 15, 2013

SCIP – Indentify, Enumerate and Execute Invisible Controls

SCIP is an OWASP ZAP extension designed to assess the security of and Mono applications, while abusing platform specific behaviors and misconfigurations. 

The extension currently supports the following features: 

Identify the existence of invisible, commented and disabled server side web controls in – passively (!). Identify which security configuration is active in each page (EventValidation, MAC), and in which cases the invisible controls are exploitable – passively (!) 

Enumerate the names of invisible controls using built-in customizable dictionaries with naming conventions.
Rebuild the event validation whenever possible (MAC=off)

Execute invisible controls when either one of the security features is turned OFF, or when there is a server-side callback implementation flaw.
Execute disabled controls and commented out controls regardless of security
Support additional manual techniques for executing controls despite the security features.

The extension can be obtained from the project's website or from ZAP's built-in marketplace feature:

No comments: