Grabber
One who shamelessly pursues any overtime available as long as it's for payment - a Mercenary - urbandictionary.com
Grabber is a web application scanner. Basically, it detects some kinds of vulnerabilities in your website.
Grabber is simple: not fast, but portable and really adaptable. It is designed to scan small websites such as personal sites, forums, etc., and absolutely not big applications: that would take too long and flood your network.
Why this kind of application?
This is a very small application (currently 2.5kLOC in Python), and the first reason for this scanner is to have a "minimum bar" scanner for the SAMATE Tool Evaluation Program at NIST.
Grabber is also, for me, a nice way to do some automatic verification on the websites/scripts I write. Users should know some things about web vulnerabilities before using this software, because it only tells you what the vulnerability is... not how to solve it.
Current features
Because it's a small tool, the set of vulnerabilities is small...
- Cross-Site Scripting
- SQL Injection (there is also a special Blind SQL Injection module)
- File Inclusion
- Backup files check
- Hybrid analysis/Crystal ball testing for PHP applications using PHP-SAT
- Generation of a file [session_id, time(t)] for later statistical analysis.
What's nice about Grabber?
Because all the patterns are in a "quite standard" XML file, you can add or test whatever you want.
You can also focus on one kind of vulnerability and then do a massive test. You can also run all the tests on a single page...
What are you using?
This application is based on:
- Research from famous websites/guys:
Grabber aims to be simple. It's a small tool and does not provide any GUI or PDF report! There are XML reports (you can easily create an XSLT to render the XML for your manager).
What needs to be done on Grabber?
There are a couple of things I want to fix/do:
- Cookies / HTTP Auth / login page authentication systems
- Multi-site support (which is not too hard to do thanks to the XML structure)
- Fix the parsers
- Make a real/better detection system
- Make a real output
- Provide solutions for the found vulnerabilities? (not quite sure about this)
- Definitely, playing with the different encoding types.
How do I use Grabber?
You have a main script, grabber.py, which executes the modules (xss.py, sql.py, etc.).
Download Grabber
Download Grabber, or the executable version produced by py2exe.
Installation
To use Grabber you only need Python 2.4, BeautifulSoup and PyXML. You can download the packages from the websites given above.
Configuration
You can configure the run with a configuration file like this:
    <grabber version="0.1">
      <site>
        <url>http://127.0.0.1/bank</url>
        <spider>1</spider> <!-- Depth of the spider -->
        <scan>
          <xss />
          <sql />
        </scan>
      </site>
    </grabber>
Then launch the grabber.py script.
Or you can use the command line parameters:
    $ python grabber.py --spider 1 --sql --xss --url http://127.0.0.1/bank
The two configurations are equivalent.
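To check the claim that the two forms are equivalent, here is an added example (not Grabber's own code) that normalises both the configuration file and the command line into one scan description and compares them. It assumes the module switches are named after the modules the page mentions (xss, sql, bsql) and that the spider value is a depth with 0 meaning no spidering.

```python
import argparse
import xml.etree.ElementTree as ET

# Scan modules the page names (xss, sql, bsql); the switch names are assumed
KNOWN_MODULES = ("xss", "sql", "bsql")

# The configuration file from the page, embedded here as a string
EXAMPLE_CONFIG = """<grabber version="0.1">
  <site>
    <url>http://127.0.0.1/bank</url>
    <spider>1</spider> <!-- Depth of the spider -->
    <scan> <xss /> <sql /> </scan>
  </site>
</grabber>"""

# The command line from the page, split into argv
EXAMPLE_ARGV = ["--spider", "1", "--sql", "--xss", "--url", "http://127.0.0.1/bank"]

def spec_from_xml(config_xml):
    """Normalise a <grabber> configuration file into one scan spec dict."""
    site = ET.fromstring(config_xml).find("site")
    scan = site.find("scan")
    # each empty element under <scan> names one module to run
    modules = sorted(child.tag for child in scan) if scan is not None else []
    unknown = set(modules) - set(KNOWN_MODULES)
    if unknown:
        raise ValueError("unknown scan module(s): " + ", ".join(sorted(unknown)))
    return {"url": site.findtext("url").strip(),
            "spider": int(site.findtext("spider", "0")),
            "modules": modules}

def spec_from_argv(argv):
    """Normalise the command-line form into the same scan spec dict."""
    parser = argparse.ArgumentParser(prog="grabber.py")
    parser.add_argument("--url", required=True)
    parser.add_argument("--spider", type=int, default=0)  # depth; 0 assumed = no spider
    for mod in KNOWN_MODULES:  # one boolean switch per module
        parser.add_argument("--" + mod, action="store_true")
    ns = parser.parse_args(argv)  # argparse rejects unknown switches itself
    return {"url": ns.url, "spider": ns.spider,
            "modules": sorted(m for m in KNOWN_MODULES if getattr(ns, m))}

def same_scan(config_xml, argv):
    """True when the file and the command line describe the same run."""
    return spec_from_xml(config_xml) == spec_from_argv(argv)
```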
What do you need to know?
The script creates two directories (local and results) and puts some data in there. The local spider results are saved in the local directory and are reused at the next run of Grabber (until you erase it).
Crystal: the hybrid module
The hybrid module Crystal provides the combination of two types of tests:
- White box: source code scanning
- Black box: application scanning
How it works is quite simple:
- Load the configuration file with the patterns you define and the tests you want to associate with them. For instance, you can associate the pattern "echo $_GET" with the Cross-Site Scripting module (xss), with the PHP <?php and ?> as start/end tags: this makes a simple PHP source code scanner :).
- Run the source code scanner against your application
- Try to find the patterns
- Perform the tests you associated with the patterns
The real advantage of this technique should be a reduction in the number of false positives.
Crystal configuration file
The configuration file is quite simple: you define the website, the files directory, the extension of the scripts (php, asp, etc.) and the information about your source code scanner.
    <?xml version="1.0"?>
    <!-- Crystal Module for Grabber configuration file -->
    <crystal version="0.1">
      <!-- Give some information, distant/local files -->
      <url>http://127.0.0.1/bank</url>
      <files>C:\server\xampp\htdocs\bank</files>
      <!-- Analyzer information, here PHP-Sat -->
      <analyzer>
        <path input="--complex-inclusion -i" output="-o">C:\msys\1.0\bin\php-sat.exe</path>
        <extension>php</extension>
        <!-- Typical pattern block
             11: not flagged php line
             12: /**
             13: pattern content...
             14: */
             15: php line with the flaw   <- FLAGGED!
        -->
        <patterns start="/**" end="*/">
          <!-- Analyze with the pattern -->
          <pattern module="xss">
            PHP-SAT check (Malicious Code CodeVulnerability) __OR__ Pattern ID: MCV000
          </pattern>
          <pattern module="sql,bsql">
            PHP-SAT check (Malicious Code CodeVulnerability) __AND__ Pattern ID: MCV001
          </pattern>
        </patterns>
      </analyzer>
    </crystal>
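The matching step described above (find a pattern inside a start/end comment block, flag the line after it, and record which modules to run on that line), as an added example that is not Crystal's own code. It assumes the analyzer output is the script with a comment block inserted above each flagged line, and gives the __OR__/__AND__ operators, which the page lists as not yet working, a minimal any/all reading.

```python
import xml.etree.ElementTree as ET

# Constructed Crystal configuration, trimmed to the <patterns> block shown above
CRYSTAL_CONFIG = """<crystal version="0.1"><analyzer><patterns start="/**" end="*/">
  <pattern module="xss">Malicious Code __OR__ Pattern ID: MCV000</pattern>
  <pattern module="sql,bsql">Malicious Code __AND__ Pattern ID: MCV001</pattern>
</patterns></analyzer></crystal>"""

# Constructed stand-in for PHP-SAT output: a comment block above each flagged line
ANNOTATED_SOURCE = """<?php
/**
 * Malicious Code, Pattern ID: MCV000
 */
echo $_GET['name'];
/**
 * Pattern ID: MCV001 (Malicious Code)
 */
$q = "SELECT 1 WHERE id=" . $_GET['id'];
/** Pattern ID: MCV001 */
$ok = 1;
?>"""

def load_rules(config_xml):
    """Return (start_tag, end_tag, rules); a rule is (modules, terms, mode)."""
    pats = ET.fromstring(config_xml).find("analyzer/patterns")
    rules = []
    for p in pats.findall("pattern"):
        text = " ".join(p.text.split())
        # Assumed reading of the operators: __AND__ needs every term, __OR__ any
        op, mode = ("__AND__", all) if "__AND__" in text else ("__OR__", any)
        terms = [t.strip() for t in text.split(op)]
        rules.append((p.get("module").split(","), terms, mode))
    return pats.get("start"), pats.get("end"), rules

def flagged_lines(source, start, end, rules):
    """Map 1-based numbers of flagged lines to the modules to run on them."""
    lines, hits, i = source.splitlines(), {}, 0
    while i < len(lines):
        if lines[i].strip().startswith(start):
            block = [lines[i]]  # gather the comment block up to its end tag
            while end not in lines[i] and i + 1 < len(lines):
                i += 1
                block.append(lines[i])
            text = " ".join(block)
            mods = [m for modules, terms, mode in rules
                    if mode(t in text for t in terms) for m in modules]
            if mods and i + 1 < len(lines):  # the flagged line follows the block
                hits[i + 2] = mods
        i += 1
    return hits
```

The third block in the sample mentions only MCV001, so the __AND__ rule for sql/bsql does not fire on it, while the second block satisfies both rules and line 9 is queued for xss, sql and bsql.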
What needs to be done on Crystal?
There are a couple of things I want to implement in Crystal:
- Make the binary operators work in the pattern definitions (__OR__, __AND__, __NOT__)
- Allow regular expressions in the pattern definitions (ex: $_POST[(.*)])
- A better variable extraction process when a pattern is found... But it may be too close to the language...
- Make a real, understandable output...
Romain Gaucher - email@example.com