General
- What is Exploit-Me?
- What is Access-Me?
- I'm trying to use Firefox 3 and the install fails
- How does Access-Me work?
- How much does Access-Me cost / Is it open source / What license is it under?
- Does Access-Me perform source code or network analysis?
- What is the target audience of Access-Me?
- Will Access-Me detect all access vulnerabilities?
- I have some ideas for improvements, how do I let you know?
- Who makes Access-Me?
- Will Security Compass or any other third party have access to my results?
Installation and Configuration
- What are the system requirements?
- How do I run Access-Me?
- What are the options for Access-Me?
- Are the options case sensitive?
- What is a good range for the String Similarity setting?
- Wait time in between requests, is it in milliseconds, seconds or minutes?
Results
- How do I interpret the Access-Me results?
- What are the various options after the URL being tested?
- What does the SECCOM method mean? Can I change it to something else?
- What other methods does the tool test?
- What is the difference between a failure, warning and pass?
Troubleshooting
- I'm getting an error, what should I do?
What is Exploit-Me?
A suite of Firefox web application security testing tools. Exploit-Me tools are designed to be lightweight and easy to use. Instead of using proxy tools like many web application testing tools, Exploit-Me integrates directly with Firefox.
What is Access-Me?
The current version of Access-Me is an Exploit-Me tool used to test some access vulnerabilities related to web applications.
I'm trying to use Firefox 3 and the install fails
The current versions of the Exploit-Me tools do not work under Firefox 3 due to installation, API and security changes. We are working to rectify this issue and should hopefully have Firefox 3 capable versions soon.
How does Access-Me work?
The tool works by sending several versions of the last page request. A request with the session removed will be sent. A request using the HTTP HEAD verb and a request using a made up SECCOM verb will be sent. A combination of session and HEAD/SECCOM will also be sent.
These tests are designed to exploit a vulnerability discussed by Aspect Security in their paper at http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf and http://www.aspectsecurity.com/documents/Aspect_VBAAC_Bypass.swf.
You can think of the work done by the tool as the same as the QA testers for the site manually attempting to access each page without a valid session, and with manipulated HTTP requests.
How much does Access-Me cost / Is it open source / What license is it under?
Exploit-Me tools are free of charge. They are all open source, under the GNU General Public License (GPL) v3.
Does Access-Me perform source code or network analysis?
No, it is only used for run-time application security testing.
What is the target audience of Access-Me?
Access-Me is aimed at developers, testers / QA staff, and security auditors.
Will Access-Me detect all access vulnerabilities?
No. While Access-Me attempts to detect pages which can be accessed unauthenticated, it does not check for privilege escalation or other types of access vulnerability.
I have some ideas for improvements, how do I let you know?
Please submit any feature requests or improvement ideas to tools at securitycompass.com.
Who makes Access-Me?
Exploit-Me is a set of open source tools. The first release was created by Security Compass. A full list of contributors will be maintained.
Will Security Compass or any other third party have access to my results?
Absolutely not. Neither Security Compass, nor any third party, maintains data on testing results.
What are the system requirements?
Firefox 2.0.0.9+
Note, the Exploit-Me extensions do not currently work with Firefox 3. This will be corrected in a future release.
How do I run Access-Me?
Download the XPI package and install it through Firefox. Once the tool is installed, restart Firefox. Access-Me will appear as a toolbar in your browser.
The current page can be tested by pressing the Test This Page button on the toolbar. This will cause a results page to appear with the relevant information for the current page's tests.
What are the options for Access-Me?
There are currently four options in Access-Me that you can access through the top-level menu Tools->Access-Me->Options.
1. Number of simultaneous requests
   The number of attacks that should be tested at the same time.
2. Wait time between requests
   The amount of time to wait before sending new requests.
3. String Similarity (%)
   The percent of similarity between two pages for them to be considered the same page.
4. Params to Test
   The regular expressions to use when identifying the session tokens.
Are the options case sensitive?
The regular expressions used to match session tokens are case-insensitive.
What is a good range for the String Similarity setting?
The actual setting for this will depend on the characteristics of your site. In our testing we've found that a setting between 80 and 95% works well. The results page lists the similarity between pages which can then be used to tune the string similarity setting.
Wait time in between requests, is it in milliseconds, seconds or minutes?
The wait time is given in milliseconds.
How do I interpret the Access-Me results?
The results page will give information similar to:
Attack Details:
* Input Parameter: ASP.NET_SessionId
* HTTP Method: SECCOMP
Got access to a resource that should be protected. Server response code:200 OK.
The attacked page is not very similar to the original page. It is 41.5% similar.
The Input Parameter tells you the name of the session parameter that was dropped from the request, while the HTTP Method is the name of the HTTP method that was sent with the request.
From the paragraph at the end we can see that we were able to access the protected page, with the server returning a 200 OK status code. We can also see that the returned page had low (41.5%) similarity to the original page we requested from.
What are the various options after the URL being tested?
There are three variations of options presented after the URL in the results page:
- URL :: COOKIE/GET/POST
- URL :: FORCED HTTP METHOD
- URL :: COOKIE + FORCED HTTP METHOD
COOKIE/GET/POST means the session ID that was in the cookie, GET or POST was dropped before the request was submitted.
FORCED HTTP METHOD means the HTTP verb was changed to the given value.
The third result is the combination of the two attacks above: a changed HTTP verb sent with the session ID dropped.
What does the SECCOM method mean? Can I change it to something else?
SECCOM is a made up HTTP verb. It does not exist in the HTTP RFC and should not be valid as far as web servers are concerned. Often these types of verbs are treated as HTTP GET requests but can slip through misconfigured application authentication rules that only list the standard verbs.
You cannot change the fake HTTP verb from SECCOM in this release.
What other methods does the tool test?
The tool will currently test the extra HTTP verbs of HEAD and SECCOM.
What is the difference between a failure, warning and pass?
A simple algorithm is used to calculate the request results. For each of the following situations, +1 is added to the score:
- Request returns 200 OK
- Page similarity is greater than the configured String Similarity
Then, using these numbers we determine the request results as:
- 0 - page is set to pass
- 1 - page is set to warning
- 2 - page is set to failure
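The request variations described under "How does Access-Me work?" and the pass/warning/failure scoring above, as an added illustration that is not code from the Exploit-Me project. The default session-token patterns, the use of difflib's ratio as the similarity metric, the 90% threshold and the sample pages are all assumptions made here.

```python
import difflib
import re

# Assumed defaults for the "Params to Test" option; the FAQ does not list the shipped patterns.
PARAMS_TO_TEST = [r"sessionid", r"jsessionid", r"phpsessid", r"ASP\.NET_SessionId"]
VERDICTS = {0: "pass", 1: "warning", 2: "failure"}

def is_session_param(name, patterns=PARAMS_TO_TEST):
    # Session-token matching is case-insensitive, as the FAQ states.
    return any(re.search(p, name, re.IGNORECASE) for p in patterns)

def build_variants(method, params):
    """(label, method, params) for the variations the results page lists after the URL."""
    kept = {k: v for k, v in params.items() if not is_session_param(k)}
    out = [("COOKIE/GET/POST", method, kept)]
    for verb in ("HEAD", "SECCOM"):
        out.append((f"FORCED HTTP METHOD ({verb})", verb, dict(params)))
        out.append((f"COOKIE + FORCED HTTP METHOD ({verb})", verb, kept))
    return out

def similarity_percent(original, attacked):
    # difflib's ratio stands in for the tool's metric, which the FAQ does not name.
    return round(100.0 * difflib.SequenceMatcher(None, original, attacked).ratio(), 1)

def verdict(status_code, similarity, threshold):
    # +1 for 200 OK, +1 for similarity above the String Similarity (%) setting.
    points = int(status_code == 200) + int(similarity > threshold)
    return VERDICTS[points]

def evaluate(original_body, responses, threshold=90.0):
    """responses: (label, status_code, body) per variant; returns (label, status, similarity, verdict)."""
    report = []
    for label, status, body in responses:
        sim = similarity_percent(original_body, body)
        report.append((label, status, sim, verdict(status, sim, threshold)))
    return report

# Constructed sample: the page fetched with a valid session and what three variants received.
ORIGINAL = "<html><body><h1>Account</h1><p>Balance: 1,204.50</p><a href='/logout'>Logout</a></body></html>"
LOGIN = "<html><body><h1>Login</h1><form action='/login'><input name='user'></form></body></html>"
SAMPLE = [
    ("/account :: COOKIE", 302, LOGIN),                                   # redirected to login: pass
    ("/account :: FORCED HTTP METHOD (HEAD)", 200, ""),                   # 200 but empty body: warning
    ("/account :: COOKIE + FORCED HTTP METHOD (SECCOM)", 200, ORIGINAL),  # full page, no session: failure
]

if __name__ == "__main__":
    for row in evaluate(ORIGINAL, SAMPLE):
        print("%s -> %s (HTTP %d, %.1f%% similar)" % (row[0], row[3], row[1], row[2]))
```

The similarity printed for each row is the figure you would compare against the String Similarity setting when tuning it for a particular site.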
I'm getting an error, what should I do?
Check this FAQ. If there is no suitable answer then submit a bug report with as much detail as possible to bugs at securitycompass.com.
