Bug Magnet - The best tool a tester can have
What if I told you there's a super-simple tool that is easy to use and requires little to no effort to learn!
And what if I told you, no special downloads, CLI commands, or Kali Linux extensions were necessary!
Look no further .. BUG MAGNET .. is the answer!!
So What Is Bug Magnet?
Bug Magnet is a chrome extension you can use to test form submission and input sanitization. Easily the first step in any manual security testing effort. It features an expansive array of positive and negative test cases for a wide variety of options. Being that this is a security-minded blog post, with a sprinkling of QA, we'll consider a few exploits.
For the purposes of this demo, we are using the practice form here.
Exploit #1 - Buffer Overflow | Goal: Test that form inputs limit character entries to prevent data corruption, crashing the program, or cause the execution of malicious code
What is a buffer overflow? The short-version, a buffer overflow happens when copious amounts of form data is submitted that is more than the allocated memory space (buffer) can handle. For more details, visit OWASP | Buffer_Overflow Vulnerability. How to test:
- Visit the form and pick one of any inputs shown
- Right-Click into the input to open the context menu - look for bug magnet
- Select Text Size and either with spaces or without
- Once the text has been entered into the input submit the form
- Repeat with another input, or all of them
Exploit #2 - SQL Injection | Goal: Form submissions block excution of queries
What is a SQL Injection? As the name implies, this exploit causes the site to execute a query on submission of the form. For more details, visit OWASP | SQL Injection. How to test:
- Visit the form and pick one of any inputs shown
- Right-Click into the input to open the context menu - look for bug magnet
- Select Format Exploits this opens a tertiary context menu
- Select SQL Injection - the first entry in this new context menu
- Notice there is a script populating the form - Robert'); DROP TABLE Students;-- this can be modded to reflect a known table in your project codebase
- Submit the form, note the outcome - in a perfect situation, nothing should be observed (ie, no harm done!)
- Repeat with another input
Exploit #3 - Javascript Injection | Goal: Form submissions block excution of code by escaping special characters as text
What is a Javascript Injection? A javascript injection allows malicious code to execute within a form post-submission. It can be anything from an annoying pop-up alert to a remote-code executable. For more details, visit Portswigger | Javascript Injection. How to test:
- Visit the form and pick one of any inputs shown
- Right-Click into the input to open the context menu - look for bug magnet
- Select Format Exploits this opens a tertiary context menu
- Select Javascript Injection - the second entry in this new context menu
- Notice there is a script populating the form - alert('Executing JS') --
- Submit the form, note the outcome - in a perfect situation, nothing should be observed (ie, no harm done!)
- Repeat with another input
Exploit #4 - XSS Injection | Goal: Form submissions block excution of code
What is a Cross-site Script Injection? Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. For more details, visit OWASP | XSS Injection. How to test:
- Visit the form and pick one of any inputs shown
- Right-Click into the input to open the context menu - look for bug magnet
- Select Format Exploits this opens a tertiary context menu
- Select JS String (XSS) Injection - Single Quote - the third entry in this new context menu
- Notice there is a script populating the form
- Submit the form, note the outcome -- nothing should be observed (ie, no harm done!)
- Repeat with another input
- Repeat this above test scenario with JS String (XSS) Injection - Double Quote
Exploit #5 - Broken HTML | Goal: Form escapes any special characters on submission
Broken html and HTML parsing are the lesser of the format exploits provided by Bug Magnet. What these options do is essentially inject simple html characters into an input that is not expected to allow such characters (ex: phone number or email input).
- Visit the form and pick one of any inputs shown
- Right-Click into the input to open the context menu - look for bug magnet
- Select Format Exploits this opens a tertiary context menu
- Select HTML Parsing - the fourth entry in this new context menu
- Notice there some mild html entered into the form
- Submit the form
- Repeat with another input
- Repeat this above test scenario with Broken HTML option
No comments:
Post a Comment