Customizing attack modules in Rapid7’s AppSpider

How AppSpider performs attacks

AppSpider uses “Attack Modules” to perform attacks on targets and search for vulnerabilities. It comes preloaded with a large set of these (over fifty attack modules) covering different types of attacks [see below].

AppSpider Attack Modules
Attack modules directory
Module configuration file

Module configuration file (module.cfg)

The AppSpider engine uses this file to load the module configuration before starting the attack.

Module attack configuration file (attacks.cfg):

This file contains the configuration for each attack, including the payloads and the regular expressions that the results are expected to match. The engine uses these attack configurations to perform its checks on the selected endpoints.

Customizing an attack module

To keep things simple, we will look at the “XSS_Simple” attack module. We will not modify any of its configuration; we will only take a look at the attacks.cfg file and how payloads can be added to it.

XSS_Simple Module
  1. Description: A short description of the attack.
  2. AttackString: The payload to inject during the attack.
  3. VulnRegex: A regular expression used to check if the attack was a success.
<AttackConfig>
  <Id>XSSS_Custom_01</Id>
  <Description><![CDATA[Unfiltered <noscript> tag]]></Description>
  <CAPEC>18</CAPEC>
  <CustomParameterList>
    <!-- AttackString: the payload injected into the parameter under test; %RANDNUM% is expanded by the engine -->
    <CustomParameter>
      <Name>AttackString</Name>
      <Value><![CDATA["><noscript><p title="</noscript><img src=x onerror=alert(%RANDNUM%)>">]]></Value>
    </CustomParameter>
    <!-- VulnRegex: the regular expression the response must match for the attack to count as a success -->
    <CustomParameter>
      <Name>VulnRegex</Name>
      <Value><![CDATA[]]></Value>
    </CustomParameter>
  </CustomParameterList>
</AttackConfig>
Traffic log of the scan
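As an added example (not code from the post or from Rapid7), here is a small Python checker for entries in the attacks.cfg layout shown above: it parses each <AttackConfig>, flags an empty or non-compiling VulnRegex (an empty one, as in the entry above, means the engine can never report a finding), and models the engine's success check. The <root> wrapper, the second entry and the assumption that %RANDNUM% is expanded to the same value in AttackString and VulnRegex are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the attacks.cfg layout shown above (the <root> wrapper is only so one
# string can hold two entries); entry 02 keeps the empty VulnRegex from the page's example.
SAMPLE_ATTACKS_CFG = """<root>
<AttackConfig><Id>XSSS_Custom_01</Id><CAPEC>18</CAPEC>
<Description><![CDATA[Unfiltered <noscript> tag]]></Description>
<CustomParameterList>
<CustomParameter><Name>AttackString</Name>
<Value><![CDATA["><noscript><p title="</noscript><img src=x onerror=alert(%RANDNUM%)>">]]></Value></CustomParameter>
<CustomParameter><Name>VulnRegex</Name><Value><![CDATA[onerror=alert\\(%RANDNUM%\\)]]></Value></CustomParameter>
</CustomParameterList></AttackConfig>
<AttackConfig><Id>XSSS_Custom_02</Id><CAPEC>18</CAPEC><Description>no regex</Description>
<CustomParameterList>
<CustomParameter><Name>AttackString</Name><Value><![CDATA[<b>%RANDNUM%</b>]]></Value></CustomParameter>
<CustomParameter><Name>VulnRegex</Name><Value><![CDATA[]]></Value></CustomParameter>
</CustomParameterList></AttackConfig>
</root>"""

def parse_attack_configs(xml_text):
    """One dict per <AttackConfig>: Id, CAPEC and a CustomParameter name -> value map."""
    out = []
    for cfg in ET.fromstring(xml_text).iter("AttackConfig"):
        params = {p.findtext("Name"): (p.findtext("Value") or "") for p in cfg.iter("CustomParameter")}
        out.append({"id": cfg.findtext("Id"), "capec": cfg.findtext("CAPEC"), "params": params})
    return out

def lint_attack_config(cfg):
    """Problems found in one parsed entry; an empty list means the entry passes."""
    attack, regex = cfg["params"].get("AttackString", ""), cfg["params"].get("VulnRegex", "")
    problems = []
    if not attack:
        problems.append("AttackString is empty")
    if not regex:
        problems.append("VulnRegex is empty, so the engine can never report a finding")
        return problems
    try:
        re.compile(regex.replace("%RANDNUM%", "0"))
    except re.error as exc:
        problems.append(f"VulnRegex does not compile: {exc}")
    if "%RANDNUM%" in attack and "%RANDNUM%" not in regex:
        problems.append("AttackString uses %RANDNUM% but VulnRegex does not, so a match is not tied to this request")
    return problems

def response_is_vulnerable(cfg, response_body, randnum):
    """Model of the engine's check; assumes %RANDNUM% expands the same way in both fields."""
    regex = cfg["params"].get("VulnRegex", "").replace("%RANDNUM%", str(randnum))
    return bool(regex) and re.search(regex, response_body) is not None
```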

Nasreddine Bencherchali
