skyfall flisol-campinas-2013

Skyfall: vulnerability scanner for web applications (fork of skipfish). Mauro Risonho de Paula Assumpção (firebits), [email protected], http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro

Upload: mauro-risonho-de-paula-assumpcao

Post on 05-Jul-2015


TRANSCRIPT

Page 1: Skyfall flisol-campinas-2013

Skyfall: vulnerability scanner for web applications (fork of skipfish)

Mauro Risonho de Paula Assumpção

firebits

[email protected]

http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro

Page 2: Skyfall flisol-campinas-2013

Skyfall (Ideas)?

● Google Open Source Jam 2013 – Brazil - SP
● 007 James Bond – Operation Skyfall
● 09/03/2013
● Web scanner

Page 3: Skyfall flisol-campinas-2013

Skyfall - repo

Page 4: Skyfall flisol-campinas-2013

Skyfall – on demand

[Diagram: on-demand deployment. A frontend node (32Ram) serving www.example.com, www.tes1.com and www.ext2.com dispatches to per-target scanner instances, each 32Ram: Skyfall01 (www.example.com), Skyfall02 (www.tes1.com) and Skyfall023 (www.ext2.com). REPORTS toggles: OFF / ON / ON. DATABASE -> SSH.]

Page 5: Skyfall flisol-campinas-2013

Skyfall - Features

● High performance:

– 500+ requests per second against responsive Internet targets

– 2000+ requests per second on LAN / MAN networks

– 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.

Page 6: Skyfall flisol-campinas-2013
Page 7: Skyfall flisol-campinas-2013

● This can be attributed to:

– Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.

– Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.


Page 8: Skyfall flisol-campinas-2013

● This can be attributed to:

– Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.

– Performance-oriented, pure C implementation, including a custom HTTP stack.


Page 9: Skyfall flisol-campinas-2013

● Ease of use: skyfall is highly adaptive and reliable. The scanner features:

– Heuristic recognition of obscure path- and query-based parameter handling schemes.

– Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.


Page 10: Skyfall flisol-campinas-2013

● Ease of use: skyfall is highly adaptive and reliable. The scanner features:

– Automatic wordlist construction based on site content analysis.

– Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.


Page 11: Skyfall flisol-campinas-2013

● Well-designed security checks: the tool is meant to provide accurate and meaningful results:

– Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.

– Three-step differential probes are preferred to signature checks for detecting vulnerabilities.


Page 12: Skyfall flisol-campinas-2013

● Well-designed security checks: the tool is meant to provide accurate and meaningful results:

– Ratproxy-style logic is used to spot subtle security problems:

● cross-site request forgery, cross-site script inclusion, mixed content issues, MIME- and charset mismatches, incorrect caching directives, etc.


Page 13: Skyfall flisol-campinas-2013

● Well-designed security checks: the tool is meant to provide accurate and meaningful results:

– Bundled security checks are designed to handle tricky scenarios:

● stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.


Page 14: Skyfall flisol-campinas-2013

● Well-designed security checks: the tool is meant to provide accurate and meaningful results:

– Snort-style content signatures which will highlight server errors, information leaks or potentially dangerous web applications.

– Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.


Page 15: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– High risk flaws (potentially leading to system compromise):

● Server-side query injection (including blind vectors, numerical parameters).

● Explicit SQL-like syntax in GET or POST parameters.


Page 16: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– High risk flaws (potentially leading to system compromise):

● Server-side shell command injection (including blind vectors).

● Server-side XML / XPath injection (including blind vectors).


Page 17: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– High risk flaws (potentially leading to system compromise):

● Format string vulnerabilities.

● Integer overflow vulnerabilities.

● Locations accepting HTTP PUT.


Page 18: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Medium risk flaws (potentially leading to data compromise):

● Stored and reflected XSS vectors in document body (minimal JS XSS support).

● Stored and reflected XSS vectors via HTTP redirects.

● Stored and reflected XSS vectors via HTTP header splitting.


Page 19: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Medium risk flaws (potentially leading to data compromise):

● Directory traversal / LFI / RFI (including constrained vectors).

● Assorted file POIs (server-side sources, configs, etc).

● Attacker-supplied script and CSS inclusion vectors (stored and reflected).


Page 20: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Medium risk flaws (potentially leading to data compromise):

● External untrusted script and CSS inclusion vectors.

● Mixed content problems on script and CSS resources (optional).

● Password forms submitting from or to non-SSL pages (optional).


Page 21: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Medium risk flaws (potentially leading to data compromise):

● Incorrect or missing MIME types on renderables.

● Generic MIME types on renderables.

● Incorrect or missing charsets on renderables.

● Conflicting MIME / charset info on renderables.

● Bad caching directives on cookie setting responses.

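The passive, Ratproxy-style response checks named on page 12 and itemised under the medium-risk flaws above (MIME and charset problems on renderables, caching directives on cookie-setting responses, password forms on non-SSL pages, mixed content) can be reproduced from captured responses alone. The Python below is an added illustration, not skyfall or skipfish code; the sample responses, hostnames and the caching heuristic (a Set-Cookie response whose Cache-Control carries neither `private` nor `no-store`) are constructed assumptions.

```python
import re
from urllib.parse import urljoin, urlparse
RENDERABLE = {"text/html", "application/xhtml+xml"}

def check_response(url, headers, body):
    """Passive checks over one captured response; headers use lower-case names."""
    findings = []
    scheme = urlparse(url).scheme
    mime, _, params = headers.get("content-type", "").partition(";")
    mime = mime.strip().lower()
    hdr_cs = re.search(r"charset=\"?([\w-]+)", params, re.I)
    meta_cs = re.search(r"<meta[^>]+charset=[\"']?([\w-]+)", body, re.I)
    if re.search(r"<(html|body|form)\b", body, re.I):  # body is renderable markup
        if not mime:
            findings.append("missing MIME type on renderable")
        elif mime == "application/octet-stream":
            findings.append("generic MIME type on renderable")
        elif mime not in RENDERABLE:
            findings.append("incorrect MIME type on renderable")
        elif not hdr_cs:
            findings.append("missing charset on renderable")
        elif meta_cs and meta_cs.group(1).lower() != hdr_cs.group(1).lower():
            findings.append("conflicting MIME / charset info on renderable")
    if "set-cookie" in headers:  # assumed heuristic: cookie responses must not be shared-cacheable
        cc = headers.get("cache-control", "").lower()
        if "private" not in cc and "no-store" not in cc:
            findings.append("bad caching directives on cookie-setting response")
    for form in re.finditer(r"<form\b([^>]*)>(.*?)</form>", body, re.I | re.S):
        if re.search(r"type=[\"']?password", form.group(2), re.I):
            act = re.search(r"action=[\"']?([^\"'\s>]+)", form.group(1), re.I)
            target = urlparse(urljoin(url, act.group(1) if act else url))
            if scheme != "https" or target.scheme != "https":
                findings.append("password form submitting from or to non-SSL page")
    if scheme == "https":  # script/CSS pulled over plain HTTP into an HTTPS page
        for src in re.findall(r"<(?:script|link)[^>]+(?:src|href)=[\"']?(http://[^\"'\s>]+)", body, re.I):
            findings.append("mixed content: " + src)
    return findings

SAMPLES = {  # constructed sample responses, not captured from any real site
    "https://app.example/login": (
        {"content-type": "text/html; charset=utf-8", "set-cookie": "sid=abc", "cache-control": "public, max-age=600"},
        '<html><head><meta charset="iso-8859-1"></head><body><form action="http://app.example/do_login">'
        '<input type="password" name="p"></form><script src="http://cdn.example/x.js"></script></body></html>'),
    "https://app.example/ok": (
        {"content-type": "text/html; charset=utf-8", "set-cookie": "sid=abc", "cache-control": "private, no-store"},
        '<html><body><form action="/do"><input type="password"></form></body></html>'),
}

def scan_samples():
    """Run every sample through check_response and return {url: findings}."""
    return {u: check_response(u, h, b) for u, (h, b) in SAMPLES.items()}
```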


Page 23: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Internal warnings:

● Failed resource fetch attempts.

● Exceeded crawl limits.

● Failed 404 behavior checks.

● IPS filtering detected.

● Unexpected response variations.

● Seemingly misclassified crawl nodes.


Page 24: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Non-specific informational entries:

● General SSL certificate information.

● Significantly changing HTTP cookies.

● Changing Server, Via, or X-... headers.

● New 404 signatures.

● Resources that cannot be accessed.

● Resources requiring HTTP authentication.


Page 25: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Non-specific informational entries:

● Broken links.

● Server errors.

● All external links not classified otherwise (optional).

● All external e-mails (optional).

● All external URL redirectors (optional).

● Links to unknown protocols.


Page 26: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Non-specific informational entries:

● Form fields that could not be autocompleted.

● Password entry forms (for external brute-force).

● File upload forms.

● Other HTML forms (not classified otherwise).

● Numerical file names (for external brute-force).

● User-supplied links otherwise rendered on a page.


Page 27: Skyfall flisol-campinas-2013

● What specific tests are implemented?

– Non-specific informational entries:

● Incorrect or missing MIME type on less significant content.

● Generic MIME type on less significant content.

● Incorrect or missing charset on less significant content.

● Conflicting MIME / charset information on less significant content.

● OGNL-like parameter passing conventions.


Page 28: Skyfall flisol-campinas-2013

Skyfall - Demo

Page 29: Skyfall flisol-campinas-2013

Skyfall - Demo: OS = 31 Mb RAM + Skyfall = 1MB


Page 31: Skyfall flisol-campinas-2013

Skyfall - To do

● Database SQLite3 in memory

● Database SQLite3 on disk - HD

● GUI Qt / web frontend (lightweight web server + HTML tags)

● Reports: HTML, PDF (libharu), DOCX, XML

● + MIME types

● Multi-scanning of URLs

● Scanning plugins: joomla, wp, drupal

● Brute-force CAPTCHA

Page 32: Skyfall flisol-campinas-2013

Skyfall - References

● skyfallsec – https://bitbucket.org/skyfallsec

● skipfish – http://code.google.com/p/skipfish/

● Gcc – http://gcc.gnu.org/

● Clang – http://clang.llvm.org/

● Archlinux – https://www.archlinux.org/

Page 33: Skyfall flisol-campinas-2013

THANKS!
