Subscribe to the RSS feed

Keyword - Black Box

Entries feed - Comments feed

Wednesday, November 21 2007

The new grabber

By Romain on Wednesday, November 21 2007, 19:32 UTC - Information

Grabber was a nice project. The main goal for me was to learn stuff around web application security/scanners; I didn't really know much before I started this project. But now that I've been playing with web apps scanners for more than 10months, I need to create a new one and go deeper in heuristics, browser integration and AI.

Grabber was in fact more a spider+fuzzer than something else... Not a good web apps scanner at all. Thinking of the analysis engine... It's something kinda stupid, no JavaScript execution, just simple heuristics for parsing and levenstein distances ;)

Anyway, I decided to start over this project. It's not gonna be a bunch of python scripts anymore, I am gonna use Qt/C++ extensively. The idea if this project is to be pen-testers oriented and open, I want to create a kind of wrapper around WebKit (especially using QtWebKit), a spider as core utilities and after, using plugins. The plugins should be either in C++ or JavaScript (QtScript actually). So far, we are 3 guys thinking of this project: we didn't start yet but we are open to every contribution; the project will of course be free and GPL'd.

I just post this in order to get some comments or suggestions about what a web apps scanner should do... Feel free to comment/mail...

no comment

Monday, November 12 2007

Interoperability and web application scanners

By Romain on Monday, November 12 2007, 14:46 UTC - Discussion

Talking about web application security scanners , we all have the same problem: False Positive. It's a fact that cannot exactly be solve by the testing methodology itself (since it relies on pattern detection). So, the idea I started talking about on #webappsec today is a common format for exchanging information between tools.

Ideally, this would work like this:

  1. Tool A is scanning a website.
  2. It exports some information a given format: out-tool-a.xml
  3. Tool B is able to understand out-tool-a.xml and take this as an input
  4. Tool B would then be able to verify the results/false-positive of Tool A by scanning with the information in the out-tool-a.xml

I really think that would be helpful somehow, at least for open-source tools. I'm gonna try to implement this for the next release of Grabber.

4 comments

Thursday, November 1 2007

My talk at the Verify Conference

By Romain on Thursday, November 1 2007, 09:04 UTC - Discussion

Last Tuesday, I went to the Verify conference to give a talk about Web application scanners evaluation: what we are actually doing at NIST. I'm gonna make a simple entry reviewing what I actually talked about. The slides are here.

First of all, the evaluation was made with a test suite I made. The choices for the test suite are kinda simple, I wanted something really close to a real website. So I decided to use a real website (not a couple of test cases). The website contains multiple seeded vulnerabilities from different kinds (XSS, SQLi, RFi, CSRF, etc.). The website is actually configurable in a sense of vulnerability: you can choose what vulnerabilities will be in the website or not (let's say, I only want to have XSS vulnerabilities). Moreover, in order to see the web apps scanners capabilities, we can select a type of defense for the current protection: the level of defense.

Level of defenses

Programmers are different. They have different background, knowledge and approach to solve security problems. The filters we can see in wild web applications are not equivalents, some are good, some are just bad and we have the full shade of effectiveness. So, in order to test web apps scanner with different difficulties (for them) we implemented different level of protection around the vulnerabilities: the level of defenses.

A simple example: SQL Injection

  • Level 0: No protection
  • Level 1: Typecasting (in order to convert integer, boolean, double, strings, dates etc.). This protection will limit the SQL Injection on SQL native number types (integers will be converted as integer: 1' OR 1=1-- will be converted into 1).
  • Level 2: Escaping the meta-characters. We are protecting about quote injection, etc.
  • Level 3: Hiding the MySQL errors, we will now have Blind SQL Injections.
  • Level 4: Restricted user management.
  • Level 5: Using prepared statements.

Since the level of defenses will be use in combination, the order is important. (combination: level 2 = level 2(level 1(level 0))). So, using these level of defenses we are able to select the difficulty that the tool will have to break the vulnerabilities. For the results, if you are looking at the slides, in the detection rate slide, you'll see that there is not result for the level 2 which means that no tools were able to find vulnerabilities in the level of defense 2.

Attack Surface Coverage

Another point I have been working on is the attack surface coverage. A webapps scanner is not a simple piece of software which launches attacks! The crawling/parsing step is actually really important maybe the most important since it will try to understand the application. The attack surface of the test application is the places where the user has a direct interaction, means no algorithms etc. just inputs handling, error messages etc.

Here is an example of attack surface coverage check points (with numbers) for a login function:

(1) Touch the file [login.php]
if ( all fields are set ) then
	(2) All fields are set [login.php]
	Boolean goodCredentials = checkThisUser(fields)
	if ( goodCredentials ) then
		(3) Credentials are correct; the User is now log in [login.php]
		registerCurrentUser()
	else
		if ( available login test > 0 ) then
			(4) Login information incorrect [login.php]
			displayErrorLogin()
			available login test -= 1
		else
			(5) Too much try with wrong credential [login.php]
			displayErrorLogin()
			askUserToSolveCAPTCHA()
		endif
	endif
endif

Basically, we would like the scanner to use the normal behavior paths and also the abnormals (errors etc.) in order to find vulnerabilities there such as Information Leakage etc. Just a note about the attack surface coverage rate: this number cannot be interpreted alone. You need to use this with the detection rate and the false positive rate. In the slides you can see that the tool A as a 25% attack surface coverage of the application, but this is also the tool with best findings and no false positive. This means that the tool were able to find 33% of vulnerabilities (best results from all the 4 scanner we tested) in 25% of the application which can be considered as accurate compared to the others.

The attack surface coverage may have an important impact, depending on what type of testing you are doing with your webapps scanner. If you want a tool to run at the end, doing a full assessement, then you will need a tool which as a very good coverage (since you only rely on that). But if you are looking for a tool which is fully integrated in your testing process (testing == quality and security) then, I think it's better to have an accurate tool which will cover a lower surface, but the tool will cover the important points.

Conclusions

This is actually hard to make a real strong conclusion about the results given in the slides. The test application is a real simple website (banking application) and is far from a real company website; this is a huge confounding factor. Another problem is that I did the evaluation one vulnerability at the time (and one level of defense at the time). This prevent a couple of real life behaviors...

no comment

Thursday, August 23 2007

Web App Security Scanner Evaluation Criteria

By Romain on Thursday, August 23 2007, 15:36 UTC - Information

Here is a new interesting project: WASSEC. This WASC's project is run by Anurag Agarwal and is about the evaluation of web application scanners such as Watchfire's AppScan, SPI's WebInspect etc.

If you are in the field, don't wait to help us :). Here is Anurag's words:

Thank you all for your patience. We have received an overwhelming response from the WASSEC (Web Application Security Scanner Evaluation Criteria) project. To proceed with the project please

1. Please email wasc-wassec-subscribe(AT)webappsec(DOT)org and reply to confirmation email.

2. It is moderated subscription so every contributor has to be approved to send messages to the list.

3. Once you are subscribed to the list, then email wasc-wassec(AT)webappsec(DOT)org to post messages.

All further communication will be done through the mailing list. Please keep checking your junk mail folder in case some messages might go there. We are also in the process of setting up a wiki for the length of the project to post updates, etc. Until then I will be updating my blog with the project details.

Once again, thank you for your participation.

You can checkout the project here: http://webappsec.org/projects/wassec

no comment

Monday, July 23 2007

Python script utility called wwwCall and Grabber news

By Romain on Monday, July 23 2007, 18:15 UTC - Python

wwwCall: HTTP(S) utilities

wwwCall is a very small module for Python (tested under python 2.5 but should be okay for python >= 2.3) which handle the HTTP(S) connection with some special features like proxy, cookies, authentification (basic, digest). This morning, I was working on Grabber and I just realized how ugly the code was, mostly because of how I handled the web connections, so I decided to create a simple module to do the job easily. The idea is to have a single object handling some basic function of the python urllib2.

If you have ever use Python for doing web calls, you'll see that the utilization is damn simple and I think, pretty cool... Example:

# create the object
http = wwwCall('http://rgaucher.info')
# add the features you want (cookies,auth)
http.setCookieFile('./the_path/file.cookie')
# reaching a logging URL and saving the cookie
http.post("http://rgaucher.info/login.php",{'username' : 'foo', 'password' : 'bar'})
# register the username/password for the basic authentification
http.setAuthBasic("romain","mypassword")
# print the content of the protected page
print http.get("http://rgaucher.info/401protected").read()

Download: wwwCall.zip

The next Grabber

So, I've been working on Grabber for a couple of months without a release now; it's mainly because I don't have that much time to work on it, but also because I made lots of modification. Today I added a couple of features:

  • Understanding some mod_rewrite rules for the spider
  • URL exclusion
  • Basic/Digest Authentification

This comes in addition on the previous features I added, mainly:

  • Multi Site
  • Multi threads
  • Cookie analyzer
  • XSS Locator in addition of the XSS Fuzzer which is definitely faster
  • Spider module, only to crawl the site and export it in XML
  • Login ability, keeping session state

I cannot give a d-day for the release of the 0.2 version because I really want to have a more stable product and will feed some test suites I made at work the tool, to be sure it's reasonable (I will not give comparison results with commercial products :P). I also want to have a better spider...

no comment

Wednesday, February 7 2007

How you should design a test suite for Web Apps Scanners

By Romain on Wednesday, February 7 2007, 18:43 UTC - Tools

If you have ever think about using a web application scanner for testing the security of your website, you certainly made a choice: Which web apps scanner should I buy/use ?

In this post, I will not tell you what is the better black box tester for whatever kind of web application.

The web applications may be very different, the tools are different and thus they could have different efficiency (i think it's non countable noun)... If you read this, you probably know that I am talking about scanners such as WebInspect, AppScan, Acunetix, Hailstorm, Pantera, Grabber... In the following sections, I will explain a main idea that should be used for testing such a tool.

A test suite for our tools is a website, this website has typically vulnerabilities; you can see this kind of website by watchfire, spi but also WebGoat, SiteGenerator or others. But all of these websites are not realistic and do not consider that the vulnerabilities may exist in different instances: variants.
If you don't know what is a variant check at the XSS Cheat Sheet (RSnake) or at the Attack Patterns (Sean Barnum). A variant is what the hacker use to perform his exploit.
A simple example for XSS is: Let's say you protect your website against XSS by checking the <script> tag; this is not perfect and not good because there is some way to insert other type of XSS strings (onmouseover).

Here comes the concept of Level Of Defense. If you are a developer you think about filters, if you are an attacker you think about variants of vulnerability and attack patterns. The level of defense of a website is the strength of its filters again a given vulnerability.

For a SQL Injection you can have multiple type of filters... Here is a possible list of levels for the SQL Injection:

  • Level 0: Show SQL errors / No input filtering
  • Level 1: Hide SQL errors / No input filtering
  • Level 2: Typecasting (integer, string etc.)
  • Level 3: Escaping input strings
  • Level 4: Restricted accounts...
  • ...


In the concept of the level of defense, it's important to not that depending of the type of vulnerability (weakness, failure...) the level n-1 is also performed in the level n or the level n is stronger (for the same variants) than the level n-1 (for instance, for Weak Hash Function it's not possible but using SHA-1 instead of MD5 is a level of defense higher).

A Key point: When you are implementing a level of defense for a vulnerbility, you must be sure that your implementation does the whole thing for that type of filter. For example, if you are escaping the HTML entities, you need to do all not only '<', '>' and in the next LoD escaping ' and ".

Why is the level of defense better than a simple system with vulnerabilities?

With the level of defense, you can calibrate a type of website which may be close to yours; you can construct a test suite with your kind of level of defense and see how the tool detect the vulnerabilities when the LoD increase. It is also a good way to know the state of the art of the tools for detecting vulnerabilities...

The idea was developed to create a test suite in order to evaluate web apps scanners; in this test suite we can select the current type of vulnerability and its level of defense (the hardness to break):


Monday, January 29 2007

When Black Box becomes Dark Box...

By Romain on Monday, January 29 2007, 13:37 UTC - Grabber

What if - in some cases - a Web Application Scanner (black box tester) could tell you that you have this vulnerability/weakness in your code at this line?

Got some ideas this morning on this, I'll try to implement this in Grabber in the next weeks.

Thursday, January 11 2007

What I want to for early 2oo7.

By Romain on Thursday, January 11 2007, 11:44 UTC - Stuffs

Even if i'll be busy with papers and tests, I really would like to do different things:

  1. Grabber: Adding an encoding stuffs for testing with different type of charsets (UTF-7/8/16 and other type of languages)
  2. Create a JavaScript functional analyzer: I've been thinking on this for a while, I think this is a good idea to detect XSS. I was thinking of using Stratego/XT for the parsing/AST construction; but still, because it's javascript, it's really hard to parse every possible things.
  3. XSS Handler: Just for fun, I want to do a PHP function for preventing XSS (using mb_strings) and the same kind of thing in Python

no comment

Tuesday, December 26 2006

Extended JavaScript/CSS parser for Grabber

By Romain on Tuesday, December 26 2006, 15:04 UTC - Grabber

I took some time this morning to extend the JavaScript parser; I also added a CSS parser.
The parsers can detect some basic comment based obfuscation. The JavaScript parser is also launched on the CSS's expression and url functions.
Now, I only have to parse the onbody, onmouseover etc. to get the JavaScript in these tags (samethings with the style tag for CSS); it should be done easily.

The following lines should be detected:

  • JS in CSS: background: expression(foo("script.ext"));
  • CSS: background: url(http://bad.com/script.jpg)
  • CSS: <style>

@imp/* This is a nested comment */ort('css-parser-nested-comment.css') </style>

  • JavaScript: foo(){var script="script.ext";var params="?kikoo=plop";async(script+params);}



The new Spider with the parser will be added in the next Grabber release.
I also have to say that I'm very proud that Simon Roses Femerling chooses to include the JavaScript/CSS parser from Grabber in the OWASP Pantera project :) !

no comment

Saturday, December 16 2006

Another tool: Acunetix

By Romain on Saturday, December 16 2006, 22:46 UTC - Tools

I've just found another commercial web apps scanner: "Acunetix Web Vulnerability Scanner". You can reach it here: http://www.acunetix.com

I usually do not quote or report some tools, but I tried the trial version which seems to be nice, but not more than WebInspect or AppScan. But while watching the tiny tools in the distribution, I saw an interesting file: RSnake_XSS cheat sheet.xml
This tool has a Fuzzer which performs some attacks from the XSS cheat sheet from http://ha.ckers.org and this is very interesting (this cheat sheet is something like the most relevant XSS attack dictionary).

no comment

Tuesday, November 28 2006

Web Apps Scanner pre-release

By Romain on Tuesday, November 28 2006, 22:38 UTC - Tools

Just an explanation about Grabber and a pre-release version.

I plan to release it when it will be really interesting, but you can reach it's page here: http://rgaucher.info/beta/grabber
But you can already download and use it. Every comments are welcome...

no comment

Friday, November 17 2006

Tools evaluation state...

By Romain on Friday, November 17 2006, 15:48 UTC - Tools

For my work in the Samate Project, in the web apps scanners evaluation, I made a website with a variable level of security, because I was totally not satisfied by the Watchfire or the SPI-Dynamics demo websites.

Then, I started to consider this website as a test suite... The problem is the gap that could be in different type of tools: - basic tools (Paros, Pantera, Wapiti etc.) - famous commercials (webinspect, appscan, ntospider etc.) Mainly because of the AJAX.

Actually I use AJAX in different part of the website such as login system, registration, dynamic verification and I'm sure that if you cannot interpret the JavaScript, you cannot see the vulnerabilities in this code. Maybe the tools can parse some urls... maybe i have to create another "more classical" website, with only {php,mysql,sessions,cookies}... Wait and see the first results

no comment

http://rgaucher.info/bot