skyfall flisol-campinas-2013
Skyfall (FLISoL Campinas 2013) - web application vulnerability scanner
fork of skipfish
Mauro Risonho de Paula Assumpção
firebits
http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
● Google Open Source Jam 2013 – Brazil - SP
● 007 James Bond – Operation Skyfall
● 09/03/2013
● Web scanner
Skyfall (Ideas)?
[Architecture diagram: "Skyfall - repo" and "Skyfall – on demand"; scanner instances Skyfall01, Skyfall02 and Skyfall03 (32 RAM each) scanning www.example.com, www.tes1.com and www.ext2.com; a frontend (32 RAM) aggregating all three targets; REPORTS toggled ON/OFF per instance; DATABASE reached over SSH]
● High performance:
– 500+ requests per second against responsive Internet targets
– 2000+ requests per second on LAN / MAN networks
– 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
Skyfall - Features
● This can be attributed to:
– A multiplexing, single-threaded, fully asynchronous network I/O and data processing model that eliminates the memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
– Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
– Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
– Performance-oriented, pure C implementation, including a custom HTTP stack.
● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
– Heuristic recognition of obscure path- and query-based parameter handling schemes.
– Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
– Automatic wordlist construction based on site content analysis.
– Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
– Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
– Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content issues, MIME and charset mismatches, incorrect caching directives, etc.
– Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
– Snort-style content signatures highlight server errors, information leaks or potentially dangerous web applications.
– Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
● What specific tests are implemented?
– High risk flaws (potentially leading to system compromise):
● Server-side query injection (including blind vectors, numerical parameters).
● Explicit SQL-like syntax in GET or POST parameters.
● Server-side shell command injection (including blind vectors).
● Server-side XML / XPath injection (including blind vectors).
● Format string vulnerabilities.
● Integer overflow vulnerabilities.
● Locations accepting HTTP PUT.
– Medium risk flaws (potentially leading to data compromise):
● Stored and reflected XSS vectors in document body (minimal JS XSS support).
● Stored and reflected XSS vectors via HTTP redirects.
● Stored and reflected XSS vectors via HTTP header splitting.
● Directory traversal / LFI / RFI (including constrained vectors).
● Assorted file POIs (server-side sources, configs, etc).
● Attacker-supplied script and CSS inclusion vectors (stored and reflected).
● External untrusted script and CSS inclusion vectors.
● Mixed content problems on script and CSS resources (optional).
● Password forms submitting from or to non-SSL pages (optional).
● Incorrect or missing MIME types on renderables.
● Generic MIME types on renderables.
● Incorrect or missing charsets on renderables.
● Conflicting MIME / charset info on renderables.
● Bad caching directives on cookie setting responses.
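Several of the medium-risk checks above (MIME and charset handling on renderables, caching directives on cookie-setting responses, mixed content, password forms on non-SSL pages) are the "Ratproxy-style" passive checks named under "Well-designed security checks": they need no probing, only inspection of a response the server already sent. As an added illustration that is not Skyfall or skipfish code, the Python function below applies simplified versions of those heuristics to one constructed response; the regular expressions, the list of "generic" MIME types and the caching rule are simplifications chosen here, not the scanner's actual logic.

```python
import re

# Constructed sample response, not captured from any real server.
SAMPLE = {
    "scheme": "https",
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": "session=abc123; Path=/",
        "Cache-Control": "public, max-age=600",
    },
    "body": (b'<!DOCTYPE html><html><head><meta charset="iso-8859-1">'
             b'<script src="http://cdn.example.test/a.js"></script></head>'
             b'<body><form action="http://login.example.test/do" method="post">'
             b'<input type="password" name="pw"></form></body></html>'),
}

HTML_HINT = re.compile(rb"<!doctype\s+html|<html[\s>]", re.I)
# Types that say nothing useful about HTML content (heuristic list chosen here).
GENERIC_TYPES = {"application/octet-stream", "text/plain", "application/unknown"}

def audit_response(resp):
    """Return a list of findings for one response dict (scheme, headers, body)."""
    h = {k.lower(): v for k, v in resp["headers"].items()}
    body = resp["body"]
    findings = []
    ctype, _, params = [s.strip() for s in h.get("content-type", "").lower().partition(";")]
    m = re.search(r"charset=\"?([\w-]+)", params)
    header_cs = m.group(1) if m else None
    if HTML_HINT.search(body[:512]):  # body renders as HTML in a browser
        if not ctype:
            findings.append("missing MIME type on renderable")
        elif ctype in GENERIC_TYPES:
            findings.append("generic MIME type on renderable")
        if header_cs is None:
            findings.append("missing charset on renderable")
        meta = re.search(rb'<meta[^>]+charset=["\']?([\w-]+)', body, re.I)
        if meta and header_cs and meta.group(1).decode().lower() != header_cs:
            findings.append("conflicting MIME / charset info")
        if resp["scheme"] == "https" and re.search(
                rb'<(script|link)[^>]+(src|href)=["\']http://', body, re.I):
            findings.append("mixed content on script/CSS resource")
        if re.search(rb'type=["\']password', body, re.I):
            action = re.search(rb'<form[^>]+action=["\']([^"\']+)', body, re.I)
            if resp["scheme"] != "https" or (action and action.group(1).startswith(b"http://")):
                findings.append("password form submitting from or to non-SSL page")
    if "set-cookie" in h:
        # Heuristic: a cookie-setting response should not be shared-cacheable.
        cc = h.get("cache-control", "").lower()
        if "no-store" not in cc and "private" not in cc:
            findings.append("bad caching directives on cookie setting response")
    return findings
```

Running `audit_response(SAMPLE)` reports the charset conflict, the mixed-content script, the password form posting to a plain-HTTP action, and the cacheable Set-Cookie response, while a response carrying `Cache-Control: private` and a matching charset yields no findings.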
– Internal warnings:
● Failed resource fetch attempts.
● Exceeded crawl limits.
● Failed 404 behavior checks.
● IPS filtering detected.
● Unexpected response variations.
● Seemingly misclassified crawl nodes.
– Non-specific informational entries:
● General SSL certificate information.
● Significantly changing HTTP cookies.
● Changing Server, Via, or X-... headers.
● New 404 signatures.
● Resources that cannot be accessed.
● Resources requiring HTTP authentication.
● Broken links.
● Server errors.
● All external links not classified otherwise (optional).
● All external e-mails (optional).
● All external URL redirectors (optional).
● Links to unknown protocols.
● Form fields that could not be autocompleted.
● Password entry forms (for external brute-force).
● File upload forms.
● Other HTML forms (not classified otherwise).
● Numerical file names (for external brute-force).
● User-supplied links otherwise rendered on a page.
● Incorrect or missing MIME type on less significant content.
● Generic MIME type on less significant content.
● Incorrect or missing charset on less significant content.
● Conflicting MIME / charset information on less significant content.
● OGNL-like parameter passing conventions.
Skyfall - Demo
OS = 31 Mb RAM + Skyfall = 1MB
● Database: SQLite3 in memory
● Database: SQLite3 on disk (HD)
● GUI: Qt / web frontend (light web server + HTML tags)
● Reports: HTML, PDF (libharu), DOCX, XML
● + MIME types
● Multi-scanning of URLs
● Scanning plugins for Joomla, WP, Drupal
● Brute-force CAPTCHA
Skyfall - ToDo
● skyfallsec: https://bitbucket.org/skyfallsec
● skipfish: http://code.google.com/p/skipfish/
● GCC: http://gcc.gnu.org/
● Clang: http://clang.llvm.org/
● Arch Linux: https://www.archlinux.org/
Skyfall - References
THANKS!