Subscribe to the RSS feed

Tools

Entries feed - Comments feed

Friday, July 18 2008

Scalp: apache log based attack analyzer

By Romain on Friday, July 18 2008, 16:11 UTC

I started a project some time ago in order to parse some apache log file, to detect some attacks etc. The attack recognition is based on the PHP-IDS filters.

The first release version is written in Python http://code.google.com/p/apache-scalp/downloads/list but I started (well, almost finished) a faster multi-threaded/C++ version in order to be able to handle bigger log files.

The main project page is reachable here: http://code.google.com/p/apache-scalp

Scalp the apache log! - http://code.google.com/p/apache-scalp
usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file]
                   [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
   --log       |-l:  the apache log file './access_log' by default
   --filters   |-f:  the filter file     './default_filter.xml' by default
   --exhaustive|-e:  will report all type of attacks detected and not stop
                     at the first found
   --period    |-p:  the period must be specified in the same format as in
                     the Apache logs using * as wild-card
                     ex: 04/Apr/2008:15:45;*/Mai/2008
                     if not specified at the end, the max or min are taken
   --html      |-h:  generate an HTML output
   --xml       |-x:  generate an XML output
   --text      |-t:  generate a simple text output (default)
   --except    |-c:  generate a file that contains the non examined logs due 
                     to the main regular expression; ill-formed Apache log etc.
   --attack    |-a:  specify the list of attacks to look for
                     list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                     the list of attacks should not contains spaces and be comma
                     separated
                     ex: xss,sqli,lfi,ref

2 comments

Tuesday, June 10 2008

My talk at SAW: Automated Evaluation of source code analyzer output

By Romain on Tuesday, June 10 2008, 15:38 UTC

It has been some time since I haven't post on my blog... well, I've been busy especially with the end of SATE, and oh well! had vacation :)

Anyway, at the next Static Analysis Workshop this Thursday, we're gonna talk about the SATE experiment and the observations/results we could get from this. I am then gonna talk about a tool I wrote in order to probe if a reported weakness is a false-positive: this is the Automated Evaluation.

The main idea of the Automated Evaluation, is to get some information on the source code and, under some assumptions, try to make a conclusion on the correctness of the piece of code. Behind all the reasoning from that particular tool, my approach had to be radically different than a classical SCA otherwise this would have been like creating a new SCA and this would have been obviously useless. The context of this automated evaluation is limited to the buffer overflows and this can only work for proving false-positive only!

So basically, I am reading the source code from the reported sink to the possibles sources and grabbing the actions that possibly affect the variable which have a role in the code.

These actions are like:

  • Allocation of a destination buffer
  • Computing the size of the source buffer(s)
  • Test for NULL
  • Test that involves the size of the buffers...
  • ... and some others

Then, once these actions are detected, the tool increments a global score of false-positiveness to this reported weakness. We then only have to set a threshold in order to know what correctness we want to have; this is really tied to the source code and how the program is developed.

Even though this evaluation method is not perfect, this was adapted to the C test cases we had in SATE 2008 since the global code quality was good. We can even say that the software were well written; it was then okay to make some assumption on the code such as:

  • If the size of the destination buffer is computed with the size of the source buffer, the size is good (basically: no off-by-one)

Also, the tool itself needs some information on the source code such since it uses regular expression to match the "actions"...



Here we are for a quick explanation and here are the slides: SAW: Automated Evaluation of SCA output

no comment

Tuesday, January 22 2008

PHP Source Code Analyzer

By Romain on Tuesday, January 22 2008, 20:46 UTC

Months ago, I was talking about and doing some small tests with the php source code security analyzer that I was able to find on the web.

I was able to quickly test the new Fortify SCA 5.0 which is handling PHP application now. I can tell you that I am really exciting about this tool. First of all, it beats from far all the tools I've tested previously (for PHP), which is fair since it's a commercial tool.

But what I'm really excited about now is that I will be able to make more tests on my test suites, compare with my security metrics & basic security analyzer, looking at the behavior of SCA tools when the source code is obfuscated, and so on. You're on the good track Fortify, now, open an API and I will be able to make an hybrid tool...

Since I also have some plan of testing real PHP applications with both testing approaches (static/dynamic), I'd like to see the difference of application coverage, vulnerability finding and false-positive rates (yeah, the last one is obvious, but still interesting).

I'm also glad to see that vendors are taking PHP as a serious language and not only for script kiddies.

4 comments

Wednesday, December 5 2007

Static Analysis Framework: PHP-Ast/Oracle

By Romain on Wednesday, December 5 2007, 17:28 UTC

In my previous blog post, I talked briefly about PHP-Ast/Oracle a PHP source code static analysis framework. I am developing it in order to play with source code and security. The goal of that framework is to be able to perform different type of operations on a PHP source code. I am releasing this tool as it is because I think people may be interested with this... Anyway, I learned a lot doing this.

PHP-Ast/Oracle is developed in C++ and the tool has been developed mainly for:

How it works

The source code repository is divided in 2 parts:

  • php-ast is the converter from PHP to XML
  • php-oracle is the actual engine

php-oracle get a XML file as input which is the output of php-ast. In the SVN there are some python scripts I used in order to combine the 2 tools (they may be outdated i.e. doesn't work with the current php-oracle).

How I think you could use php-oracle

I do not attend to make a clean build with an executable etc. I just provide source code. I decided to give only the source code because I don't want to spend too much time on creating a clean software, it's only research oriented stuff. Furthermore, there is not much documentation in the source code (advantages of being alone to develop such a tool) and then, only really interested people will download this! I can then help them if they have some question about how it works etc.

Getting the source code

You can download the source here: php-ast-oracle.zip

And the trac repository has more documentation about what the framework actually does: http://trac2.assembla.com/php-ast

Development

The tool is in perpetual development, I don't want to create a real software from that, but I think people can use it to perform security analysis, compute stuff, make code transformation and so on.

no comment

Sunday, December 2 2007

Yet another study oriented release

By Romain on Sunday, December 2 2007, 20:57 UTC

I've been working a couple of months on a project named php-ast/oracle. I am opening the source of the project today because I think that people may be interested in such a code. Roughly, php-ast/oracle is able to get/transform information on a php source code, I used it for: creating real obfuscations (control-flow, data-flow), implementing security metrics, writing a converter from php to c++ for static analysis purpose and some other stuff such as variables flow etc.. You can have more information here: http://trac2.assembla.com/php-ast. I may post about this project later don't have much time now...

But this news is only for releasing a script I used a lot this last weeks; a PHP preprocessor. I've been using this preprocessor in order to clean the crappy PHP code we can found in the wild... in order to use php-ast/oracle correctly for calculating security metrics and so on.

The preprocessor is actually doing 3 things:

  • Simplifying the strings (keeping only the php variables in the strings -- really important for keeping the AST small with SQL queries and so on, because the strings could be evaluated in PHP, the AST would need to tokenize the strings)
  • Removing comments and HTML
  • Resolving the file inclusions (not for dynamic variable inclusion of course, but it's working with define names and static names)

The preprocessor is available here: preproc.zip

no comment

Friday, September 7 2007

Acunetix is releasing a free XSS scanner

By Romain on Friday, September 7 2007, 09:01 UTC

I really think it's a good thing do open the XSS scanning like this, definitely a good point Acunetix. What I don't really like though is the commercial points here. They are actually releasing the demo version with XSS scanning free for all websites (all other scanning are then limited to their test websites - which you shouldn't care about for any vendors).

Anyway, good point Acunetix! I wish lots of commercial will release some free tools or even their own little tools (SPI has a lot of good ones!)

one comment

Wednesday, August 29 2007

I now understand why it's difficult!

By Romain on Wednesday, August 29 2007, 09:49 UTC

Okay, I know for the halting problem etc. Some theoretical stuff... But now that I'm working on one, I have to say:

Damn! That so complicated to do a source code scanner!

The dataflow is a real pain in the ass, and we know that it's impossible to have a real and full dataflow. But well, we need to do some. The dataflow is more complicated theoretically but what about the control flow? No really easier! I mean... that's easier but there are so many things to understand, so many patterns to recognize in order to build the model of the source code... And I'm not even talking about inter procedural stuff, multi-file source code etc.

So, I'd like to apologize to "I don't remember who are these people" but some source code scanners are good :) Well... for the moment! I'm really waiting for to see more high-tech stuff and AI in these kind of programs...

Anyway, I'm currently building a core engine working on a AST tree generated by yaxx (XML version). I have two short terms targets:

  • Real Obfuscation (from one source code to an equivalent with a different control flow... yes, not only rename the variables, functions, classes etc.)
  • A variable tracer (tool for pen-tester: $_GET['foo'] -> ($foo <- htmlentities()) -> echo or this kind of stack...)

no comment

Tuesday, July 10 2007

Website functionalities coverage

By Romain on Tuesday, July 10 2007, 17:24 UTC

Coverage is a tool written in Python which allows you to track what functionalities/web pages are reached on your website. I use this tool for in my Web Apps Scanner evaluation methodology in order to know if the web apps scanner was able to scan every pages, every functionalities of my test apps.

Anyway, this tool is pretty easy to use even if it requires a MySQL database to store the EntryPoints of the application. Basically, you setup the database, you insert the entry points into your code and you run the python script which will generate an HTML report with SVG graphs, reporting the coverage of your application.

Here is a report example

Installation

1/ Database

The database design I used for storing the needed information is the following:

CREATE TABLE `coverage` (
`CoverageID` int(32) NOT NULL auto_increment,
`Apps` varchar(128) character set utf8 collate utf8_unicode_ci NOT NULL,
`Date` date NOT NULL,
`EntryPoint` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL,
`Origin` varchar(255) character set utf8 collate utf8_unicode_ci NOT NULL,
PRIMARY KEY  (`CoverageID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;
  • Apps: name of the covered application
  • Date: time when the entry point is reached
  • EntryPoint: Name of the entry point with a special format:


** File Reached:
Touch_ + Name of the file with extension, example, Touch_Index.Php, Touch_Search.Php etc.

** Functionality Reached:
Name of the functionality + _ + Name of the file with extension, example, this sequence of entry points of the page Login.php of a given application:

  1. Touch_Login.Php : Enter the page Login.Php
  2. Username_Password_Login.Php : The username and the password are feed
  3. Call_Function_Login.Php : Call the function login()
  4. Call_Function_Succeed_Login.Php : The function login succeed
  5. Call_Function_Error_Login.Php : The function login reported an error
  • Origin: the origin string is the concatenation of the md5 of the HTTP_USER_AGENT a pipe and the date; this ID + date is used to be sure to study the same user.
<?php
// ...
$origin = md5($_SERVER['HTTP_USER_AGENT']). '|' . date("j-m-y H:i");
?>

2/ In the code

So, you will need to add, in your apps code, lots of entry points. I made a PHP source code to do that more easily:

<?php
class Coverage{
 private $coverage_id = false;
 private $coverage = null;
 function __construct() {
  $this->coverage_id = true;
  $this->coverage = mysql_connect('192.168.1.3:3306', 'test', 'test');
  mysql_select_db("test_collect");
 }
 function send($entryPoint){
  if ($this->coverage) {
   $origin = "";
   $origin .= md5($_SERVER['HTTP_USER_AGENT']);
   $origin .= ('|' . date("j-m-y H:i"));
   $entryPoint = mysql_real_escape_string($entryPoint);
   mysql_query("INSERT INTO coverage VALUES(NULL,'BankApp',NOW(),'$entryPoint','$origin')");
  }
 }
};
	
$coverage = new Coverage();
function register_EntryPoint($entryPoint) {
 global $coverage, $supportCodeCoverage;
 if ($supportCodeCoverage) {
  $coverage->send($entryPoint);
 }
}
?>

Insert this code in a header or something and call:

register_EntryPoint('Touch_MyFile.Php');

etc. in your code where you have functional difference.

Run the tool

To run the tool, you need to have:

  • Python + MySQLdb (the python MySQL API)
  • The date (in SQL format) you want to cover; for now, it's only one day
  • The Origin ID of the user (the MD5(HTTP_USER_AGENT)), basically, you will look at this in the database, or get it by your code etc.


example:

$ python coverage.py 2007-06-28 41942da0293d0b8afcfab4c2d10c2401
$ python coverage.py 2007-04-12

The script must be in the same directory of your files for now... you can download the archive here: coverage.zip

no comment

Wednesday, June 20 2007

PHP Source Code Security Scanners: Pixy

By Romain on Wednesday, June 20 2007, 16:24 UTC

I already talked about source code scanners for PHP, and even run a simple test between SWAAT and PHP-SAT. Today, a new toy has been released: Pixy, so I decided to make it pass the test. The first test is really basic, having a quite small php source code with a bunch of possible faults: tests.php

So, you find the output of the tool here: out.pixy.result.txt

I first have to say that it's normal that the tool doesn't catch the header injection stuff, os command injection etc. it doesn't claim to do that. Pixy claims to find the Cross-Site Scripting and the SQL Injection. On that point, I would say pretty good job guy!
The tool catch all the possible Cross-Site Scripting in the echo functions, doesn't warn for the persistent XSS (line 34, the bad html injection would be inserted into the SQL database, if there is no output validation, there are Persistent XSS).

Even better on the SQL Injection where it found every thing I tagged as true-positive.

To conclude, I will definitely keep an eye on this tool which looks promising to me, I will also continue working on the PHP-SAT security configuration in order to make a solid vulnerability disclosure system.

no comment

Wednesday, May 30 2007

Such a noisy thing with SWAAT

By Romain on Wednesday, May 30 2007, 11:25 UTC

In one of the last post, I made a comparison between two PHP Source Code Security Analyzers: SWAAT and PHP-SAT. The results was close to say that SWAAT was really better than PHP-SAT.
I started working on the configuration of PHP-SAT and it looks to be quite powerful (well, after talking with Eric Bouwers, I'm waiting for the next release) and I think I will be able to have good results with combining a security oriented configuration and some additional bugpatterns.
On the other hand, SWAAT is really limited for now as example, I've made a simple php script with only SQL queries inside: every lines are highlighted as flawed (and with a MEDIUM level)!! This is simply stupid and they would better don't report anything than doing that... just tell that you don't support SQL Injection for now... Anyway, SWAAT is for me the tool to keep an eye on, I will try to develop some features on it, especially for XSS detection and SQL Injection findings...

no comment

Saturday, May 26 2007

RegFuzzer: Test your regular expression filter

By Romain on Saturday, May 26 2007, 08:58 UTC

Here we go, I release the first shot of a tool I start writing months ago... The goal of that tool is to find some strings that are valids and which pass your regular expressions filters. Basically, it was designed for testing IDS regexp.
The tool is not finish yet, I have lots of work to do on this, especially the attack strings dictionary; currently there is only some client-side string patterns.
You can download the tool here: RegFuzzer

For using the tool, you need to enter the regular expression to test into the XML input file, and launch the tool like:

python regFuzzer.py -f input.xml

This will produce an HTML file as output. As I said before, this is the first release the goal is much more to show that tool and see if the idea is interesting for you; if so, I may work more on this. Don't hesitate to drop me a line about the tool if you have some comments.

no comment

Thursday, May 24 2007

PHP Source Code Security Scanners basic test

By Romain on Thursday, May 24 2007, 06:04 UTC

For quite a long time now, I've been playing with lots of different black-box tools: commercial or not, mine or not. Months ago, I developed Crystal, a plugin for Grabber which does the link between the black-box engine in Grabber and a PHP Source Code Security Analyzer: PHP-SAT . At the time, it was the only advanced PHP SCSA I could find on the web, so I used it without really testings I admit.
That's for the story, few days ago, on #webappsec (irc.freenode.org), Larholm told me about SWAAT a new (at least, for me) PHP SCSA (and not only PHP actually). At the time, I didn't have time to try it; but today, I took the time to compare PHP-SAT and SWAAT with a test which can be view as a quite-exhaustive-basic-flaw-checker (it means that there is maybe 6 different vulnerabilities with variants and false positive/true positive check implementation).
You can see the PHP test file here: tests.php

The result of the two runs can be find here: php-sat-test-output.phps and swaat-output.html
How to read the reports:

  • SWAAT: HTML file with table for each type of vulnerabilities, it will report multiple lines (each line is a vulnerability). If there is a /* fase */ in that line, then, this is a false positive.
  • PHP-SAT: PHP-SAT takes the PHP source code and transform it by adding some information. For the vulnerability report you will have to look for the Malicious Code Vulnerability (MCV). Other report are more quality oriented.


I will not spend time to explain the difference of the tools but the tools don't really have the same goal (even if we can use them for the same utilization). Well, with the default configuration of both tools, SWAAT is really better! But as for many Source Code Security Analyzers, the configuration is really important, so I would mitigate my conclusion on these tools, I really need to dive into the configuration of that two tools and redo the tests.

2 comments

Wednesday, February 7 2007

How you should design a test suite for Web Apps Scanners

By Romain on Wednesday, February 7 2007, 18:43 UTC

If you have ever think about using a web application scanner for testing the security of your website, you certainly made a choice: Which web apps scanner should I buy/use ?

In this post, I will not tell you what is the better black box tester for whatever kind of web application.

The web applications may be very different, the tools are different and thus they could have different efficiency (i think it's non countable noun)... If you read this, you probably know that I am talking about scanners such as WebInspect, AppScan, Acunetix, Hailstorm, Pantera, Grabber... In the following sections, I will explain a main idea that should be used for testing such a tool.

A test suite for our tools is a website, this website has typically vulnerabilities; you can see this kind of website by watchfire, spi but also WebGoat, SiteGenerator or others. But all of these websites are not realistic and do not consider that the vulnerabilities may exist in different instances: variants.
If you don't know what is a variant check at the XSS Cheat Sheet (RSnake) or at the Attack Patterns (Sean Barnum). A variant is what the hacker use to perform his exploit.
A simple example for XSS is: Let's say you protect your website against XSS by checking the <script> tag; this is not perfect and not good because there is some way to insert other type of XSS strings (onmouseover).

Here comes the concept of Level Of Defense. If you are a developer you think about filters, if you are an attacker you think about variants of vulnerability and attack patterns. The level of defense of a website is the strength of its filters again a given vulnerability.

For a SQL Injection you can have multiple type of filters... Here is a possible list of levels for the SQL Injection:

  • Level 0: Show SQL errors / No input filtering
  • Level 1: Hide SQL errors / No input filtering
  • Level 2: Typecasting (integer, string etc.)
  • Level 3: Escaping input strings
  • Level 4: Restricted accounts...
  • ...


In the concept of the level of defense, it's important to not that depending of the type of vulnerability (weakness, failure...) the level n-1 is also performed in the level n or the level n is stronger (for the same variants) than the level n-1 (for instance, for Weak Hash Function it's not possible but using SHA-1 instead of MD5 is a level of defense higher).

A Key point: When you are implementing a level of defense for a vulnerbility, you must be sure that your implementation does the whole thing for that type of filter. For example, if you are escaping the HTML entities, you need to do all not only '<', '>' and in the next LoD escaping ' and ".

Why is the level of defense better than a simple system with vulnerabilities?

With the level of defense, you can calibrate a type of website which may be close to yours; you can construct a test suite with your kind of level of defense and see how the tool detect the vulnerabilities when the LoD increase. It is also a good way to know the state of the art of the tools for detecting vulnerabilities...

The idea was developed to create a test suite in order to evaluate web apps scanners; in this test suite we can select the current type of vulnerability and its level of defense (the hardness to break):


Thursday, January 11 2007

Virtualization for free!

By Romain on Thursday, January 11 2007, 14:59 UTC

Thanks to RSnake, I have now a free version of VMWare:


This is definitely a good stuff. In a previous post, I explained that I have to create different architectures for different kind of test suites; this will be a lot easier with virtualization.

no comment

Wednesday, January 10 2007

Test Suites for Web Application Scanners

By Romain on Wednesday, January 10 2007, 19:04 UTC

For a while, I've been working on a test suite for evaluating web application scanners. Now I have a test suite (PHP/MySQL/AJAX) with a bunch of variable vulnerabilities:


But there is a problem for a full evaluation. Web Application are not only a simple schema of scripts and databases and complex relation, there is also server configuration, infrastructure, different type of databases etc. Thus, I really have to create different test suites for a good coverage of what web apps could be.
I plan to use:

  • Ruby On Rails framework
  • ASP.NET/MS SQL based application
  • JSP application


This should cover the differnt type of application but I still have to think about server types, architectures,multiple databases etc.

no comment

Saturday, December 16 2006

Another tool: Acunetix

By Romain on Saturday, December 16 2006, 22:46 UTC

I've just found another commercial web apps scanner: "Acunetix Web Vulnerability Scanner". You can reach it here: http://www.acunetix.com

I usually do not quote or report some tools, but I tried the trial version which seems to be nice, but not more than WebInspect or AppScan. But while watching the tiny tools in the distribution, I saw an interesting file: RSnake_XSS cheat sheet.xml
This tool has a Fuzzer which performs some attacks from the XSS cheat sheet from http://ha.ckers.org and this is very interesting (this cheat sheet is something like the most relevant XSS attack dictionary).

no comment

Monday, December 11 2006

Updated todo list...

By Romain on Monday, December 11 2006, 13:58 UTC

  • Add the possibility to isolate a type of vulnerability in the test suite
  • Add the different encodings attack based in Grabber

no comment

Grabber

By Romain on Monday, December 11 2006, 11:08 UTC

I used to do craps with the Grabber distribution. Sometimes you could not use the soft at all...
It should be fixed now. The version seems to be quite "stable".

What's new in Grabber ?

  • Session ID / Server time retrieval
  • A better JavaScript/HTML parser
  • Some basic stuffs for the Hybrid Tool (I don't think I will support the regular expression soon even if it's almost in the code... I need to make my mind about the Source Code Scanner: I will look closer on PHP-Sat and other Stratego/XT based languages support)
  • A JavaScript quality checker plugin (using JavaScript Lint)

no comment

Wednesday, December 6 2006

A schema for the Hybrid tool

By Romain on Wednesday, December 6 2006, 17:50 UTC

For a small presentation today, I've made a small schema that explains (at least, should explain) how a Hybrid/Crystall Ball works.

You can have it here: http://rgaucher.info/beta/grabber/Grabber-Crystal.pdf

Another point: I can see lots of paper talking about "How a hybrid tool should be good"; but is there any real results outside ? I really have to go to DevInspect specification, and try to find other hybrid tools.

Next step for Crystal:

- Try to plug other Source Code Scanners (Python ?)

no comment

Friday, December 1 2006

Hybrid scanner / Crystal Ball

By Romain on Friday, December 1 2006, 14:57 UTC

Description

Some days ago, I really start thinking about the hybridization of the web apps scanners.
I'm pretty sure this is the key since this kind of tools should be used not only by the security experts but the web developers.

So, at the question How a developer can really test his code there is lots of possible answer from classical test to source code analysis and application analysis. Because I'm a developer and I really want to have a tool that can do what I want and doesn't give me that much errors or "this page is susceptible to xss in the parameter..." when there can be lots of instance of this parameter in the code... I decided to add the feature to test the code then, with the results test the application itself. This is a crystal box tester/scanner.
The only real interest of this kind of tool is to decrease the number of false-positive.
I mean, you cannot say at all that a website is secure... but you can report some real vulnerabilities.


The creation process was the following (hum.. to much work in a day cause people - me - writing idiots descriptions).

Crystal Module Cooking Book

Make-ahead Tip: Prepare lots of coffee before starting...

Preparation: 24 hours

Ingredients:

  • PHP-Sat
  • Grabber Modules lambda

Tools:

  • Context editor
  • Python 2.4
  • Nice music (Opera is not needed but you should listen this)


Directions:

0/ Read the configuration file (with boolean operator in patterns)

1/ Scan the PHP sources with PHP-Sat handler (which copy everything in the '/local/crystal/' directory).

2/ Make a kind of diff then:

If the diff results, check for the patterns (given in the configuration file) Parse the PHP line under the end of the pattern Try to get a variable value

<after-hypothetical-stuff-toussa>
If no direct variable... backtrack sequentially or in the AST
</after-hypothetical-stuff-toussa>


3/ Generate the XML report of "the crystal-static-analysis" module
4/ Build a database of:

transformed_into_URL(hypothetical flawed files)  = [list of "flawed" params]


5/ Run the classical tools against the only parameters given buy the SwA tool

The results ?

Because I use Grabber to do the black box testing and PHP-Sat for the white box testing, the limitations is coming from the both sides.
First Grabber, because of the vector, the detection techniques and all flavors of Web Apps Scanners, and PHP-Sat... which is not finished yet and seems to only report the possible Cross-Site Scripting.

The configuration file

I'm quite proud of this, a good configuration file can make people happy :) to see that they can plug/do whatever they want with this. Let's see:

<?xml version="1.0"?>
<!-- Grabber configuration file -->
<crystal version="0.1">
  <!-- Give some information, distant/local files -->
  <url >http://192.168.1.2/bank</url>
  <files>\\192.168.1.2\htdocs\bank</files>
    <!-- Analyzer information, here PHP-Sat -->
    <analyzer>
      <path input="-i" output="-o">C:\msys\1.0\bin\php-sat.exe</path>
      <extension>php</extension>
      <!--
        Typical pattern block:
        
        11: not flagged php line
        12: /**
        13: 	pattern content...
        14: */
        15: php line with the flaw +- FLAGGED!
      -->
      <patterns start="/**" end="*/">
        <!-- Analyze with the pattern -->
        <pattern module="xss">
        PHP-SAT check (Malicious Code CodeVulnerability) __OR__ Pattern ID: MCV000
        </pattern>
        <pattern module="sql,bsql">
        PHP-SAT check (Malicious Code CodeVulnerability) __AND__ Pattern ID: MCV001
        </pattern>
      </patterns>
  </analyzer>
</crystal>

The configuration will support binary operators for combining some patterns, and later regular expressions in the XML.

no comment

Thursday, November 30 2006

I'm lazy but I do scan JavaScript

By Romain on Thursday, November 30 2006, 14:04 UTC

One of the biggest issue with Grabber and AJAX stuffs is to get the script names, parameters etc. The best solution is of course to emulate/plug a JavaScript interpreter in the scanner thus you can see what calls are running etc.

But it's hard to do (even if I plan to plug spidermonkey with Grabber...)! Then, I've made a very small JavaScript scanner that try to get the URL and the parameters of the scripts.
It seems to work well even if the list of theses "dumb_parameters" is, in my tests, not twice bigger as the real list; but it catch everything.

I should be able to say that it will run every callable servers scripts.

This will be in the next version of Grabber.

no comment

Tuesday, November 28 2006

Web Apps Scanner pre-release

By Romain on Tuesday, November 28 2006, 22:38 UTC

Just an explanation about Grabber and a pre-release version.

I plan to release it when it will be really interesting, but you can reach it's page here: http://rgaucher.info/beta/grabber
But you can already download and use it. Every comments are welcome...

no comment

Monday, November 20 2006

If I had time to dive into...

By Romain on Monday, November 20 2006, 10:09 UTC

I would work on the creation of a hybrid/crystal box tool using:

  • PHP-Sat for the static analysis part or a Simple RegEx matcher
  • My own black box tester

Actually, it's quite easy to combine:

# don't care about the false positive rate
If you find something with the static analyser :
   # <=> check for false positive  
    test the parameter/address with the black box tester.

The result would be a serious decrease of the false-positive and hopefully an increase of the true-positive...

no comment

Friday, November 17 2006

Tools evaluation state...

By Romain on Friday, November 17 2006, 15:48 UTC

For my work in the Samate Project, in the web apps scanners evaluation, I made a website with a variable level of security, because I was totally not satisfied by the Watchfire or the SPI-Dynamics demo websites.

Then, I started to consider this website as a test suite... The problem is the gap that could be in different type of tools: - basic tools (Paros, Pantera, Wapiti etc.) - famous commercials (webinspect, appscan, ntospider etc.) Mainly because of the AJAX.

Actually I use AJAX in different part of the website such as login system, registration, dynamic verification and I'm sure that if you cannot interpret the JavaScript, you cannot see the vulnerabilities in this code. Maybe the tools can parse some urls... maybe i have to create another "more classical" website, with only {php,mysql,sessions,cookies}... Wait and see the first results

no comment

Tuesday, November 7 2006

Feet in the Soup

By Romain on Tuesday, November 7 2006, 10:31 UTC

Since I'm working on Web Apps Scanner, I made scripts to automate some vulnerability detection. This work would have been a pain without Beautiful Soup.

This library is simply amazing, here is an example to retrieve every links on a webpage:

import urllib
from BeautifulSoup import BeautifulSoup
htmlContent = urllib.urlopen("http://rgaucher.info/").read()
soup = BeautifulSoup(htmlContent)
for a in soup.fetch('a'):
	print a['href']|php:import urllib

And because it does only html/xml parsing, it's quite easy to deal with cookies, proxies etc. (cookielib & urllib)!

no comment

Monday, October 30 2006

How to fill a database ?

By Romain on Monday, October 30 2006, 21:33 UTC

Because Internet and the non limited number of blogs is a nice source of words, I use to crawl the web to fill the Reverse database. So, sorry to:

  • ha.ckers.org (an amazing website!)
  • yaronet.com (for french words)
  • myspace.com ^^

but it was the origins of my scan.

The crawler is a very simple 100-lines Python script, even if it's not the fastest, it's nice enough to be used here.

no comment

Wapiti! Piti piti

By Romain on Monday, October 30 2006, 15:57 UTC

You: What a sense of humour!
Me: I know

By the way, this thread is only to give a URL: http://wapiti.sourceforge.net This is a quite simple web apps scanner. I have to test it for wednesday (when I'll give a presentation on Web Apps Scanners with Demos).

And because I'm glad you're reading theses lines, here is a new 'stuff' on OWASP website (meaning Cool Stuff For Web Developpers/Security) : Pantera

no comment

Sunday, October 29 2006

Special Search Engine

By Romain on Sunday, October 29 2006, 15:14 UTC

Looking for a password or reversing a value for md5 or sha1 ? There is already a service given by rednoize.com but it only reverse the md5... so, as sha1 is more and more used (since Md5 has some weaknesses).

The idea is to provide a huge database and then start some mining of this database (getting some new collisions ?) You can reach this tool here!

no comment

I <3 Bots!