.

Ethical Hacking steps against a Web Browswer

<<

kitchensync

Newbie
Newbie

Posts: 6

Joined: Wed Sep 02, 2009 5:09 pm

Post Fri Dec 18, 2009 3:14 pm

Ethical Hacking steps against a Web Browswer

I have a client who is using an opensource platform to create their own web browser. I am having a hard time figuring out the steps I need to take to hack this thing.

1. Go to sites that perform some security testing on the browswer. I found one out of Belgim http://bcheck.scanit.be/bcheck/ . They perform some high level testing over the net which is cool, but I would like something even more intense. Any suggestions?
2. In a sandbox environment, go to sites with known malware and see how hard it is to get some applets or activex bits installed. Anyone know if there is an up-to-date list of sites with known Malware?
3. General standards based testing sites such as acid3? Any ideas?

Thanks guys for any pointers.

S
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Dec 19, 2009 1:30 am

Re: Ethical Hacking steps against a Web Browswer

Well, if you have access to the source code, you could audit for the typical stuff, buffer overflows, format strings, etc.  If the browser handles plugins, like Acrobat and Shockwave, the same principles apply to testing those.  There is also cross-domain code handling, javascript, etc. 
~~~~~~~~~~~~~~
Ketchup
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Dec 19, 2009 12:46 pm

Re: Ethical Hacking steps against a Web Browswer

As Ketchup mentioned, you really need to get your hands on the browser and preferably the source code, though having the source code isn't always critical. Depending on the size of the program, we can sometimes produce some exploits just by fuzzing.  Going to an exploit site and just blindly blasting them at a program that was privately written is more than likely going to fail. In theory you could get lucky depending on how much code might have been "borrowed", but the odds are very much against it. 
<<

kitchensync

Newbie
Newbie

Posts: 6

Joined: Wed Sep 02, 2009 5:09 pm

Post Tue Dec 22, 2009 2:13 pm

Re: Ethical Hacking steps against a Web Browswer

Thanks for the responses. We will have access to the source code for sure... and I totally agree it is a great place to start, which we will.

I do think it is important to show the client how it reacts to some known browser vulnerabilities (webkit based). Any feedback on where a list like that exists? (been searching around and have found very little). Or if not the site, perhaps a location where some common js malware is found..

Thanks again for your responses.

Ks

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software