An OWASP ZAP extension for security assessments of rich internet applications (RIA platforms) and modern web application frameworks (MWAF), including ASP.net and Mono.
SCIP - Server Control Invisibility Purge!
SCIP is a RIA / MWAF assessment platform, built as an extension for OWASP Zed Attack Proxy (ZAP).
Developed by Hacktics ASC
SCIP is a unique platform that enables penetration testers to abuse configuration and programming flaws in modern web application frameworks (specifically in ASP.net and Mono), and execute dormant events of invisible, disabled and commented server web controls.
Requirements:
How Does it Work?
SCIP can locate insecure ASP.net configuration, as well as locate traces of invisible, disabled and commented controls and events.
It can then be used to enumerate invisible controls and execute dormant events of server controls, either by forging a valid postback call (for invisible controls without event validation, or for disabled and commented controls in any scenario), or by reconstructing the viewstate and eventvalidation fields of invisible controls (when event validation is on but the MAC is off).
SCIP also provides a manual interface for performing additional RIA/ASP.net targeted attacks such as reusing hijacked viewstate/eventvalidation fields, reconstructing viewstate fields after content alteration/parameter tampering, etc.
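The two configuration conditions described above (event validation off; event validation on but the viewstate MAC off) can be checked before a test ever reaches ZAP. The following is an added example, written for this page and not part of SCIP or ZAP: a small Python auditor that reads the `<pages>` element of a web.config and the `@Page` directive of an .aspx file (page attributes override the site setting) and reports which of the scenarios above applies. The web.config and .aspx inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for the demo; not taken from any real deployment.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" enableEventValidation="true" />
  </system.web>
</configuration>"""
SAMPLE_ASPX = ('<%@ Page Language="C#" EnableEventValidation="false" %>\n'
               '<asp:Button ID="Hidden" Visible="false" runat="server" />')

def _is_false(value):
    """ASP.NET treats a missing attribute as true; only an explicit 'false' disables."""
    return value is not None and value.strip().lower() == "false"

def classify(mac_on, ev_on):
    """Map the two effective settings onto the scenarios described on this page."""
    findings = []
    if not ev_on:
        findings.append("event validation off: a forged postback can fire dormant events of invisible controls")
    if not mac_on:
        findings.append("viewstate MAC off: __VIEWSTATE/__EVENTVALIDATION can be reconstructed"
                        + (", so event validation does not protect invisible controls" if ev_on else ""))
    # Disabled and commented-out server controls stay exploitable whatever these settings are;
    # that has to be fixed in the page code (remove them or re-check state server-side).
    return findings

def audit_web_config(xml_text):
    """Site-wide settings from <system.web><pages .../>; defaults to both enabled."""
    pages = ET.fromstring(xml_text).find("system.web/pages")
    mac_on = ev_on = True
    if pages is not None:
        mac_on = not _is_false(pages.get("enableViewStateMac"))
        ev_on = not _is_false(pages.get("enableEventValidation"))
    return {"viewstate_mac": mac_on, "event_validation": ev_on, "findings": classify(mac_on, ev_on)}

_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_page_directive(aspx_text, site):
    """Effective settings for one page: @Page attributes override the web.config result."""
    m = _DIRECTIVE.search(aspx_text)
    attrs = {k.lower(): v for k, v in _ATTR.findall(m.group(1))} if m else {}
    mac_on, ev_on = site["viewstate_mac"], site["event_validation"]
    if "enableviewstatemac" in attrs:
        mac_on = not _is_false(attrs["enableviewstatemac"])
    if "enableeventvalidation" in attrs:
        ev_on = not _is_false(attrs["enableeventvalidation"])
    return {"viewstate_mac": mac_on, "event_validation": ev_on, "findings": classify(mac_on, ev_on)}

if __name__ == "__main__":
    site_result = audit_web_config(SAMPLE_WEB_CONFIG)
    print(site_result)
    print(audit_page_directive(SAMPLE_ASPX, site_result))
```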
SCIP Demo - Event Execution of Invisible Controls
Quickstart
SCIP can currently be used by right-clicking on any ASP.net page in ZAP's treeview.
Currently supports ASP.net; the next release will support Mono and additional technologies.
Developers
RIA-SCIP is developed and maintained by Alex Mor, Shay Chen and Niv Sela.
Features
Event Execution Features
Additional Features
Technology Support
Integration Support