hacktics/vehicle
VEHICLE

Viewstate Hidden Event Enumerator!

An advanced toolset for testing modern web application frameworks and rich internet applications.

VEHICLE (formerly known as ria-scip) is a pentest platform with advanced testing features for modern web application frameworks (MWAF) and rich internet applications (RIA).

It enables testers to alter various server control properties and to enumerate and execute dormant events of invisible, visible, disabled and commented server web controls (currently supported for ASP.net and Mono).

These features are implemented by abusing application misconfigurations and framework-specific programming flaws, and by manipulating proprietary input formats.

The project is implemented as an extension to the OWASP Zed Attack Proxy (ZAP) project.

Developed by Hacktics ASC

Requirements:

  • VEHICLE requires Java 1.7.x, and was tested with ZAP v2.x.
  • Verify that ZAP is running under Java 1.7.x before running the installer.

How Does it Work?

VEHICLE can locate insecure ASP.net configuration, as well as traces of invisible, disabled and commented controls and events. It can then enumerate invisible controls and execute dormant events of server controls, either by forging a valid postback call (for invisible controls when event validation is off, and for disabled and commented controls in any scenario) or by reconstructing the viewstate and eventvalidation fields of invisible controls (when event validation is on but the viewstate MAC is off).

VEHICLE also provides a manual interface for additional RIA/ASP.net targeted attacks, such as reusing hijacked viewstate/eventvalidation fields and reconstructing viewstate fields after content alteration or parameter tampering.
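As an added example (not code from the VEHICLE project), the following Python check audits a constructed web.config for the settings the attacks above depend on, ViewState MAC off and event validation off, with a hardened configuration shown alongside for comparison. The element names and attributes are the standard ASP.net `<pages>` and `<customErrors>` settings; the sample configs are constructed here.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the weak settings VEHICLE's event-execution and
# property-override features rely on.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" enableEventValidation="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the hardened counterpart.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" enableEventValidation="true"
           viewStateEncryptionMode="Always" />
    <customErrors mode="On" />
  </system.web>
</configuration>"""


def audit_pages_config(web_config_xml: str) -> List[str]:
    """Return findings for the <pages> and <customErrors> settings in a web.config.

    Both enableViewStateMac and enableEventValidation default to true when the
    attribute is absent, so only an explicit "false" is flagged.
    Note: ASP.net 4.5.2 and later ignore enableViewStateMac="false" and always
    enforce the MAC; the check still matters for older runtimes.
    """
    root = ET.fromstring(web_config_xml)
    pages = next(root.iter("pages"), None)
    attrs = dict(pages.attrib) if pages is not None else {}
    findings = []
    if attrs.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: viewstate can be edited or forged")
    if attrs.get("enableEventValidation", "true").lower() == "false":
        findings.append("enableEventValidation=false: postbacks to invisible controls are accepted")
    if attrs.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append("viewStateEncryptionMode!=Always: viewstate contents are readable")
    errors = next(root.iter("customErrors"), None)
    if errors is not None and errors.get("mode", "RemoteOnly") == "Off":
        findings.append("customErrors mode=Off: detailed errors assist error-based control name enumeration")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_pages_config(cfg) or ["no findings"])
```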

VEHICLE in action - Image
VEHICLE (a.k.a ria-scip) in action - Demo Video

Quickstart

VEHICLE can currently be used by right-clicking any ASP.net page in ZAP's tree view.
The current release supports ASP.net; the next release will add support for Mono and additional technologies.

Developers

VEHICLE is developed and maintained by Alex Mor, Shay Chen and Niv Sela.
The development team also includes Michal Goldstein and Alon Friedman.

Features

Event Execution Features
  • Event Execution of Disabled / Commented Controls
  • Event Execution of Invisible Controls (When the Event Validation is OFF)
  • Event Execution of Invisible Controls (When the Viewstate MAC is OFF)
  • Manual Event Execution of Optional Events (MAC/Validation is OFF)
  • Event Execution of Invisible Controls using Cached EventValidation from Wayback Machine (Even when the MAC and Validation are ON)
  • Server Control Property Injection / Override (When the Viewstate MAC is OFF)
  • Edit the Viewstate Field (When the Viewstate MAC is OFF)
  • Property Override using Cached Viewstate from Wayback Machine (Even when the MAC and Validation are ON)
Additional Features
  • Error-Based Control Name Enumeration
  • Blind Control Name Enumeration
  • Viewstate/EventValidation Reconstruction (Assist in Control Value Manipulation)
  • Obtain, Compare and Reuse Snapshots of Previous Viewstate/EventValidation fields from Wayback Machine
Technology Support
  • ASP.net postbacks / Viewstate 2
  • Upcoming: Support for Mono / Callbacks / Viewstate 1
Integration Support
  • Integration With ZAP's 'Resend Request' Feature
  • Integration With the Page Resurrection features of the DejaVu ZAP extension

Copyright

VEHICLE - An advanced toolset for testing modern web application frameworks and rich internet applications.

Copyright (C) 2013, Hacktics ASC, Ernst & Young.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses.
