At Enable Security we regularly test VoIP and RTC systems for security issues. Each time, we improve our public and, increasingly, our internal tools. What we noticed was that many real-time communications systems exhibit similar vulnerabilities. We have often been asked to provide our internal tools so that they can be integrated with quality assurance procedures.
With SIPVicious Pro, we are making available a professional-grade security testing suite built from our experience and suited to integration into your testing methodology. Our aim is to help vendors and implementers of VoIP and WebRTC infrastructures to build products that withstand attack.
| SIP REGISTER Flood | ✔ | ✔ |
| SIP online password cracking | ✔ | ✔ |
| SIP UDP support | ✔ | ✔ |
| SIP TCP support | ✖ | ✔ |
| SIP TLS support | ✖ | ✔ |
| SIP over Websockets support (common in WebRTC) | ✖ | ✔ |
| SIP INVITE Flood | ✖ | ✔ |
| SIP Digest Leak | ✖ | ✔ |
| SIP INVITE enumeration | ✖ | ✔ |
| RTP Bleed and Injection attack | ✖ | ✔ |
| XSS using SIP as injection vector | ✖ | ✔ |
| XML External Entity (XXE) vulnerability testing for SIP | ✖ | ✔ |
| SIP SQL and LDAP injection tests | ✖ | ✔ |
| Offline password cracking of SIP credentials | ✖ | ✔ |
| Slowloris denial of service testing adapted to SIP | ✖ | ✔ |
| SIP enumeration of anonymous methods | ✖ | ✔ |
Feel free to email us to discuss our security tools, attacks and vulnerabilities, or to just say hello!