Swiss information security company High-Tech Bridge has launched ImmuniWeb Self-Fuzzer, a free Firefox extension that allows users to detect Cross-Site Scripting and SQL-injection vulnerabilities in their web applications in real time. The add-on does not require any specific skills to use, and demonstrates how rapidly and easily these two most common types of web vulnerabilities can be found even by a person who is not familiar with web security.
ImmuniWeb Self-Fuzzer is not a web application security scanner or crawler, but a real-time web fuzzer. Once a user activates it in the browser, it follows the user's HTTP requests and fuzzes them in real time, checking every HTTP parameter passed within those requests. Fuzzing results are also displayed in real time, notifying the user immediately when a vulnerability is detected.
According to the Web Application Security Forum (WASC), 83% of all websites have at least one serious vulnerability, and Gartner states that successful exploitation of either of these two vulnerability types can lead to "the total compromise of the entire local network of an organisation."
XSS and SQL-injection exploits take advantage of very common coding errors in web applications. In both cases user input is allowed via web forms, and that input is passed into the system for processing. Good programming requires that the input is 'sanitised' or filtered before acceptance; that is, any unexpected or unacceptable characters are removed or not allowed.
All too often, however, the filtering process is omitted or inadequate. As a result, hackers are able to use the forms, through careful coding, to input their own commands to the internal database. Typically, for example, they can trick the system into providing an administrator password.
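As an added illustration, not part of the High-Tech Bridge announcement or the extension's own code, the two coding errors described above next to their hardened forms. It uses Python with an in-memory SQLite table and constructed probe values of the kind a parameter fuzzer would send:

```python
import html
import sqlite3

# Constructed demo table (not from the page): one user row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    """Vulnerable: the form value is spliced straight into the SQL text."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    """Hardened: the driver binds the value, so it cannot change the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def render_unsafe(name):
    """Vulnerable: reflects the input into the page verbatim."""
    return f"<p>Hello, {name}</p>"

def render_safe(name):
    """Hardened: output encoding appropriate for an HTML text node."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

SQL_PROBE = "' OR '1'='1"   # constructed fuzz value that alters the WHERE clause
XSS_PROBE = "<b>x</b>"      # constructed: a harmless tag is enough to show reflection

def demo():
    conn = make_db()
    return {
        "unsafe_rows": lookup_unsafe(conn, SQL_PROBE),  # probe matches every row
        "safe_rows": lookup_safe(conn, SQL_PROBE),      # no such user: []
        "unsafe_html": render_unsafe(XSS_PROBE),        # tag survives, browser renders it
        "safe_html": render_safe(XSS_PROBE),            # tag is encoded as text
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe lookup returns the whole table for a name that does not exist, which is exactly the behaviour a fuzzer observes to flag SQL injection; the bound-parameter version returns nothing.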
Businesses need to find the flaws before the hackers – something that is frequently beyond the capabilities of SMBs.
But now High-Tech Bridge has launched a new free tool that will do this easily and effectively. It uses real-time fuzzing technology to test any specified web page for XSS and SQL-injection vulnerabilities.
The ImmuniWeb Self-Fuzzer Firefox extension checks the current web page for relevant vulnerabilities. The result is a free, safe, easy-to-use tool that can radically improve the efficiency of independent pentesters and, more particularly, allow SMBs to undertake their own audit for the internet's most common vulnerabilities.