Monday, November 22, 2010

wXf Videos from AppSec DC 2010

Here are some of the videos from AppSec DC 2010 and our presentation (Seth Law, Chris Gates and I) on wXf (Web Exploitation Framework).

Background: Back in March of this year, Seth approached me with the idea of creating a framework that would allow us to put all of our discontiguous scripts together. Then we decided "our" could mean the AppSec community as a whole. Why not take everyone's one-off scripts, proof-of-concept tools and ideas and centralize them? So we've worked off and on since March to build it.

The only "WEB-centric" frameworks available to us at the time (and even now) had user interfaces that weren't what we were looking for, broke after updates and/or randomly, or just didn't have the HTTP libs we needed (SOAP, JSON, Flex, etc.).

So the first thing we focused on was the console interface. We figure this will probably be the interface with the most mileage. At the moment, we are still working on the console interface as well as improving the core. The framework won't be perfect from day one but we'd like to make it as easy to use as possible.

We decided Metasploit is possibly the best designed piece of open source software/framework that we've seen and it works incredibly well. People are familiar with it and it looks nice. So we decided to make wXfconsole look like msfconsole, with the same *general* type of commands and interface layout.

Release will occur in the next couple of months. We have a list of people to "beta-test" the software and want to keep the number of bugs to a minimum upon release.

Now, for the videos.

User Agent Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Directory Traversal Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Web Server Stack by Seth Law from cktricky on Vimeo.
