Comprehensive Web App Vulnerability Analysis with Grendel-Scan
SANS Pen...

David Byrne, Trustwave
Eric Duprey, Dish Network




Features

- Miscellaneous
  - Written in Java
  - Windows, Linux & OS X ports
- Manual testing
  - Internal intercepting / testing proxy
  - HTTP request fuzzer
  - Manual requests


Selected Test Modules

- Spider
- HTML tag requester
- Form baseline
- Search engine recon
- File enumeration
- Session management
  - Session ID strength
  - URL session IDs
  - Session fixation
  - Authentication enforcement (experimental)
- Cross-site scripting (XSS)


Selected Test Modules

- SQL injection
  - Error-based
  - SQL tautologies (experimental)
- Miscellaneous tests
  - CRLF injection
  - Directory traversal (experimental)
  - Generic fuzzing
- Information leakage
  - Platform error messages
  - Robots.txt
  - Comment lister


Selected Test Modules

- Web server configuration
  - Cross-site tracing (XST)
  - Proxy detection
- Application architecture
  - Input / output flows
  - Offline website mirror
- Nikto


New Features

- X509 Certificate Authority
- Reverse Proxy
- Advanced Response Comparison
- AMF
- GUI Changes


Integrated X509 Certificate Authority

- CA / root cert generated on first start of proxy
  - Persisted until deleted or requested to regenerate
- On client CONNECT request, a new X509 certificate is generated for the hostname (signed by the CA key)
- Server certificates kept in memory only (not persisted on close)
- Minimal performance impact


Towards "valid" MITM certificates: Wildcard?

"There is always an easy solution to every complex problem—neat, plausible, and wrong." -- H. L. Mencken

- Tried a static root cert and server cert for "*"
  - Firefox accepts this, Internet Explorer not so much
- Variations on this theme:
  - "*." accepted in Firefox for https://victim.com.
  - Still not acceptable in IE
- Nothing in the RFC suggests IE's implementation, but it is more secure in practice.
- Other browsers not tested (area for further research)


Reverse Proxy

- Uses the integrated certificate authority
- Maps a single local port to a single remote port
- Future versions will support more intelligent routing
- No rewriting currently supported (local and remote ports must be the same number)


Response Comparison

- Logical file-not-found detection
- SQL tautologies
- Directory traversal
- Logged-out detection


Grendel's Comparison Techniques

- Tracks actual score & maximum possible score
- HTTP response code
- MIME type
- Set-Cookie name - 100
- Skewed Levenshtein distance of HTTP Location headers - 100
- Levenshtein distance of normalized HTML text nodes - 50
- HTML tag count ratios (min count / max count)
  - APPLET - 50
  - OBJECT - 50
  - EMBED - 50
  - TABLE - 30
  - TR - 15
  - A - 10
  - LINK - 10
  - IMG - 10
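The following is an added example, not code from the slides or from Grendel-Scan itself. It implements a response-comparison scorer along the lines the slide describes: each technique contributes a weighted component to a running score and to the maximum possible score, and the ratio of the two says how alike two responses are. The weights for Set-Cookie names, Location headers, text nodes and tag counts are the slide's; the slide gives no number for the response code and MIME type components, so the 100 used for each here is an assumption, as is the rule that a component which applies to neither response is left out of the maximum. The slide's "skewed" Levenshtein distance is not specified, so plain edit distance is used. The Response class, all function names and the sample responses are constructed for this example.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Weights from the slide. Response code and MIME type are listed without a
# number; the 100 used for each of them here is an assumption.
STATUS_WEIGHT, MIME_WEIGHT, COOKIE_WEIGHT, LOCATION_WEIGHT, TEXT_WEIGHT = 100, 100, 100, 100, 50
TAG_WEIGHTS = {"applet": 50, "object": 50, "embed": 50, "table": 30,
               "tr": 15, "a": 10, "link": 10, "img": 10}

@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)  # (name, value) pairs
    body: str = ""

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the slide's 'skewed' variant is not specified."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings with nothing in common."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))

class _Collector(HTMLParser):
    # Counts start tags and gathers whitespace-normalized text nodes.
    def __init__(self):
        super().__init__()
        self.counts, self.text = {}, []

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1

    def handle_data(self, data):
        norm = " ".join(data.split())
        if norm:
            self.text.append(norm)

def analyze_html(body: str):
    p = _Collector()
    p.feed(body)
    return p.counts, " ".join(p.text)

def header_values(resp: Response, name: str):
    return [v for n, v in resp.headers if n.lower() == name.lower()]

def mime_type(resp: Response) -> str:
    ct = header_values(resp, "Content-Type")
    return ct[0].split(";")[0].strip().lower() if ct else ""

def cookie_names(resp: Response):
    return {v.split("=", 1)[0].strip() for v in header_values(resp, "Set-Cookie")}

def compare(r1: Response, r2: Response):
    """Return (score, maximum); a component that applies to neither response adds nothing to the maximum."""
    score, maximum = 0.0, 0.0
    maximum += STATUS_WEIGHT
    score += STATUS_WEIGHT if r1.status == r2.status else 0
    maximum += MIME_WEIGHT
    score += MIME_WEIGHT if mime_type(r1) == mime_type(r2) else 0
    c1, c2 = cookie_names(r1), cookie_names(r2)
    if c1 or c2:
        maximum += COOKIE_WEIGHT
        score += COOKIE_WEIGHT * len(c1 & c2) / len(c1 | c2)
    l1, l2 = header_values(r1, "Location"), header_values(r2, "Location")
    if l1 or l2:
        maximum += LOCATION_WEIGHT
        score += LOCATION_WEIGHT * similarity(l1[0] if l1 else "", l2[0] if l2 else "")
    counts1, text1 = analyze_html(r1.body)
    counts2, text2 = analyze_html(r2.body)
    if text1 or text2:
        maximum += TEXT_WEIGHT
        score += TEXT_WEIGHT * similarity(text1, text2)
    for tag, weight in TAG_WEIGHTS.items():  # min count / max count, per slide
        n1, n2 = counts1.get(tag, 0), counts2.get(tag, 0)
        if n1 or n2:
            maximum += weight
            score += weight * min(n1, n2) / max(n1, n2)
    return score, maximum

def similarity_ratio(r1: Response, r2: Response) -> float:
    score, maximum = compare(r1, r2)
    return score / maximum if maximum else 1.0

# Constructed samples: a site that answers 200 for a missing page, the case
# that "logical file-not-found detection" exists for.
HTML = ("Content-Type", "text/html; charset=utf-8")
NOT_FOUND_PAGE = "<html><body><h1>Page not found</h1><p>Sorry, that page does not exist.</p></body></html>"
RANDOM_PROBE = Response(200, [HTML], NOT_FOUND_PAGE)  # request for a name that cannot exist
CANDIDATE = Response(200, [HTML], NOT_FOUND_PAGE)     # a guessed name that also "exists"
PRODUCT = Response(200, [HTML, ("Set-Cookie", "cart=abc123; Path=/")],
                   "<html><body><table><tr><td>Widget</td></tr><tr><td>$9.99</td></tr></table>"
                   "<a href='/buy'>Buy</a><img src='w.png'></body></html>")
```

The probe for a random, impossible file name is the baseline: a candidate whose ratio against it is near 1.0 is a "not found" page regardless of its 200 status, while the product page scores well under that because of the cookie, the text and the TABLE/TR/A/IMG counts. The same ratio drives the tautology, traversal and logged-out checks on the previous slide, each with its own baseline response.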


Fuzzing


AMF Overview

- Action Message Format
  - ActionScript / JavaScript
  - Flash pile: Flex, Air, Shockwave, etc.
- AMF0 released in 2001 with Flash Player 6
- AMF3 released with Flash Player 9
- In theory, an open standard
- Loosely based on SOAP; rides on HTTP, but binary format


AMF Overview

- Data transfer
  - Primitive data (numbers, Boolean, etc.)
  - Collections (arrays & maps)
  - Serialized objects
- Remote procedure call
- Pass data by reference, only within the same request
- Stateless; no built-in session handling


BlazeDS

- Java-based Remoting/Messaging server
- Supports communication via AMF rather than traditional XML/SOAP methods
- Messaging component allows for publish/subscribe communication
- Remoting component allows Flex applications to invoke methods on server-side objects
- Open source / GPL!


AMF 0 Constants

int kNumberType        = 0;
int kBooleanType       = 1;
int kStringType        = 2;
int kObjectType        = 3;
int kMovieClipType     = 4;
int kNullType          = 5;
int kUndefinedType     = 6;
int kReferenceType     = 7;
int kECMAArrayType     = 8;
int kObjectEndType     = 9;
int kStrictArrayType   = 10;
int kDateType          = 11;
int kLongStringType    = 12;
int kUnsupportedType   = 13;
int kRecordsetType     = 14;
int kXMLObjectType     = 15;
int kTypedObjectType   = 16;
int kAvmPlusObjectType = 17;
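The following is an added example, not code from the slides or from Grendel-Scan. It encodes and decodes the subset of AMF0 that the overview slides describe (numbers, booleans, strings, null/undefined, strict arrays, objects and ECMA arrays), using the type markers from the constant list above, so the "binary format that rides on HTTP" becomes concrete bytes. Long strings, dates, typed objects and references are left out. Every length read off the wire is checked against the bytes actually present before it is trusted, which is the property a proxy or scanner parsing someone else's AMF needs most. All function names and the sample message are constructed for this example.

```python
import struct

# AMF0 type markers, named after the slide's kXxxType constants
NUMBER, BOOLEAN, STRING, OBJECT, NULL, UNDEFINED = 0, 1, 2, 3, 5, 6
ECMA_ARRAY, OBJECT_END, STRICT_ARRAY = 8, 9, 10

def _utf8(s: str) -> bytes:
    """UTF-8 string with a 16-bit big-endian length prefix (AMF0 short string)."""
    raw = s.encode("utf-8")
    if len(raw) > 0xFFFF:
        raise ValueError("long strings (marker 12) are not handled here")
    return struct.pack(">H", len(raw)) + raw

def encode(value) -> bytes:
    """Serialize a Python value as one AMF0 value."""
    if value is None:
        return bytes([NULL])
    if isinstance(value, bool):            # bool before int: bool is an int subclass
        return bytes([BOOLEAN, int(value)])
    if isinstance(value, (int, float)):    # every AMF0 number is an IEEE double
        return bytes([NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        return bytes([STRING]) + _utf8(value)
    if isinstance(value, (list, tuple)):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(value)) + b"".join(map(encode, value))
    if isinstance(value, dict):
        body = b"".join(_utf8(k) + encode(v) for k, v in value.items())
        return bytes([OBJECT]) + body + _utf8("") + bytes([OBJECT_END])
    raise TypeError(f"cannot encode {type(value).__name__}")

def _take(data: bytes, pos: int, n: int):
    """Return (data[pos:pos+n], pos+n), refusing to read past the end of the message."""
    if n < 0 or pos + n > len(data):
        raise ValueError("truncated AMF0 message")
    return data[pos:pos + n], pos + n

def decode(data: bytes, pos: int = 0):
    """Parse one AMF0 value at pos; return (value, next_pos)."""
    marker, pos = _take(data, pos, 1)
    marker = marker[0]
    if marker == NUMBER:
        raw, pos = _take(data, pos, 8)
        return struct.unpack(">d", raw)[0], pos
    if marker == BOOLEAN:
        raw, pos = _take(data, pos, 1)
        return raw[0] != 0, pos
    if marker == STRING:
        raw, pos = _take(data, pos, 2)
        raw, pos = _take(data, pos, struct.unpack(">H", raw)[0])
        return raw.decode("utf-8"), pos
    if marker in (NULL, UNDEFINED):
        return None, pos
    if marker == STRICT_ARRAY:
        raw, pos = _take(data, pos, 4)
        count = struct.unpack(">I", raw)[0]
        if count > len(data) - pos:          # every element needs at least one byte
            raise ValueError("array count exceeds message size")
        items = []
        for _ in range(count):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    if marker in (OBJECT, ECMA_ARRAY):
        if marker == ECMA_ARRAY:
            _, pos = _take(data, pos, 4)     # associative count hint; not needed to parse
        obj = {}
        while True:
            raw, pos = _take(data, pos, 2)
            key, pos = _take(data, pos, struct.unpack(">H", raw)[0])
            if not key:                      # empty key must be followed by object-end
                end, pos = _take(data, pos, 1)
                if end[0] != OBJECT_END:
                    raise ValueError("expected object-end marker")
                return obj, pos
            obj[key.decode("utf-8")], pos = decode(data, pos)
    raise ValueError(f"unsupported AMF0 marker {marker}")

def rejects(data: bytes) -> bool:
    """True when decode() refuses the bytes instead of trusting a bogus length."""
    try:
        decode(data)
    except ValueError:
        return True
    return False

# Constructed sample: the kind of object a Flex client might post to a remoting endpoint
SAMPLE = {"user": "dbyrne", "id": 42, "admin": False, "tags": ["x", "y"], "ref": None}
```

Round-tripping SAMPLE shows the format's quirks directly: the integer 42 comes back as the double 42.0 because AMF0 has only one number type, and the dict comes back with its keys as 16-bit length-prefixed UTF-8 followed by the empty-key/object-end pair. The array-count check matters because a strict array announces its element count up front; a hostile message can claim billions of elements, and a decoder that pre-allocates for them, or loops until it runs off the end, is the easier target.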


AMF 3 Constants

int a3UndefinedType  = 0;
int a3NullType       = 1;
int a3FalseType      = 2;
int a3TrueType       = 3;
int a3IntegerType    = 4;
int a3DoubleType     = 5;
int a3StringType     = 6;
int a3XMLType        = 7;
int a3DateType       = 8;
int a3ArrayType      = 9;
int a3ObjectType     = 10;
int a3AvmPlusXmlType = 11;
int a3ByteArrayType  = 12;


AMF Example


Rants

- "What Works in Penetration Testing?"
- Not automated scanners... er... at least they don't work well
- Discuss testing plan with client


Ever-changing Threats

- Everyone knows about SQL Injection, XSS, etc.
- OWASP Top Ten was never intended as a complete list
- Simple vulnerabilities are easy to exploit, easy to find, and easy to fix
- Absence of simple vulnerabilities is not sufficient protection
- Criminals can improve their skills too


What Automated Solutions Miss

- Theoretical
  - Logic flaws (business and application)
  - Design flaws
  - The Stupid
- Practical
  - Difficulty interacting with Rich Internet Applications (RIA)
  - Complex variants of common attacks (SQL Injection, XSS, etc.)
  - Cross-Site Request Forgery (CSRF)
  - Uncommon or custom infrastructure
  - Authorization enforcement
  - Abstract information leakage


Real World Automation Results


The Stupid: Defense In-Depth

'2007-11-27 If single quote is at the start of the
'search string, replace it with an empty string
'refer to scanner report
If uQuery.IndexOf("'") = 0 Then
    uQuery = uQuery.Substring(1, uQuery.Length - 1)
End If
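The following is an added example, not code from the slides. It puts a Python rendering of the VB.NET check above beside the two things it was standing in for: the concatenated query it was meant to protect, and the parameterized query that makes the check unnecessary. The product table, its rows and the function names are constructed for this example; sqlite3 from the standard library plays the database.

```python
import sqlite3

def strip_leading_quote(query: str) -> str:
    """Python rendering of the slide's VB.NET 'fix': a single quote is
    removed only when it is the very first character of the search string."""
    if query.find("'") == 0:
        return query[1:]
    return query

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory product table used by the two search functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("Widget",), ("O'Brien's Gadget",), ("Gizmo",)])
    return conn

def search_concatenated(conn, search: str):
    """The pattern the quote filter was bolted onto: user input becomes SQL syntax."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, search: str):
    """Parameter binding: the driver passes the string as data, quotes included."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]

def concatenation_breaks(conn, search: str) -> bool:
    """True when input that passed the filter still cannot be handled by the concatenated query."""
    try:
        search_concatenated(conn, strip_leading_quote(search))
    except sqlite3.OperationalError:
        return True
    return False
```

A legitimate search for "O'Brien" is the whole story: the filter leaves it untouched because the quote is not at index 0, the concatenated query fails to parse, and the parameterized query returns the one matching product. The scanner report that prompted the comment was right about the symptom; the fix addressed the one input the scanner happened to send.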


The Very Stupid: Awesome Exploit

POST https://secure.example.com:443/Coupon.aspx HTTP/1.1
Host: secure.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.example.com/CartSummary.aspx
Cookie: FDCX=RVLAXGDGJSQX634; email=dbyrne@trustwave.com
Content-Type: application/x-www-form-urlencoded
Content-length: 69

FreePurchase=yes&Command=use-coupon&CouponNumber=11111111111111111111

Highlighted on the slide: FreePurchase=yes


Misc

- Web recon
- Future of Grendel
  - Selfish
  - XML web services


www.grendel-scan.com

David Byrne, [email protected]
Eric Duprey, [email protected]