Today we will talk about the code to automate this checks.
The attack surface
Discovering the attack surface it will be the first part of my talk. It’s about:
|Category||Owasp Testing guide reference||Test name|
|Information Gathering||OWASP-IG-001||Spiders, Robots and Crawlers|
|Information Gathering||OWASP-IG-002||Search Engine Discovery/Reconnaissance|
|Information Gathering||OWASP-IG-003||Identify application entry points|
|Information Gathering||OWASP-IG-004||Testing for Web Application Fingerprint|
|Information Gathering||OWASP-IG-005||Application Discovery|
|Information Gathering||OWASP-IG-006||Analysis of Error Codes|
|Configuration Management Testing||OWASP-CM-001||SSL/TLS Testing|
|Configuration Management Testing||OWASP-CM-002||DB Listener Testing|
|Configuration Management Testing||OWASP-CM-003||Infrastructure Configuration Management Testing|
|Configuration Management Testing||OWASP-CM-004||Application Configuration Management Testing|
|Configuration Management Testing||OWASP-CM-005||Testing for File Extensions Handling|
|Configuration Management Testing||OWASP-CM-006||Old, backup and unreferenced files|
|Configuration Management Testing||OWASP-CM-007||Infrastructure and Application Admin Interfaces|
|Configuration Management Testing||OWASP-CM-008||Testing for HTTP Methods and XST|
OWASP-IG-001: Spiders, Robots and Crawlers
Acting as a spider it is possible to discover how much your website is wide and to spot interesting entry points.
Robots.txt file is the first thing I test if I want to find more out of your site.
links rubygem is a piece of code I wrote to automate OWASP-IG-001 testing.
As you may see… the Net::HTTP is enough to play with this test.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
In the bin/links ruby script we check if the link disallowed is accessible or not. Discovering disallowed urls that are accessible is important if we’re wondering to discover service door and try to break-in
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
Crawling: the clean way
What about crawling a website? By crawling I mean retrieving all the possible urls starting from the homepage, extracting all the links in the HTML and recursive make a lot of requests.
But we’re lucky enough and there is something who make a great gem for us.
Using anemone rubygem, we have a clean DSL for crawling a website starting from the links extracted by the web pages we find.
1 2 3 4 5 6 7
Crawling: the bruteforce way
Using a bruteforce approach can be useful if an important link is not in robots.txt (and I do suggest not to do this) and it’s likely not linked in any of the public pages.
Enchant::Engine.get_list method is trivial, it take the words from a dictionary I borrow from Owasp Zap project.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
There is no real magic in the Enchant::Engine.scan method… just a bunch of get and check for error codes… I know, I won’t win the A.Turing awards for these pieces of code, but sometimes they saved me the day in real pentest.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
OWASP-IG-002: Search Engine Discovery/Reconnaissance
This task can be done easily with a browser. Just point it to google.com and use the ‘site:’ special keyword to search for all pages about a website indexed with google.
A sample query that enumerate all the stuff you can find related to armoredcode.com domain is: http://www.google.it/search?q=site:armoredcode.com
Of course you can use Net::HTTP also in this case, but Google is not happy to be called in an automated way without authentication and their api usage… so it’s easy not to automate the task at all :-)
OWASP-IG-004: Testing for Web Application Fingerprint
This is a 2 years old project, may be it would a great idea to write down a new and better fingerprinter, however wafp script can be used to try to detect the CMS version or a particular Application server serving our target.
OWASP-CM-001: SSL/TLS Testing
For SSL/TSL testing I use a rubygem I wrote a couple of months ago: ciphersurfer.
Maybe those two posts deserve a repost over armoredcode.com.
However the trick behind ciphersurfer is trying to make HTTPS calls, using standard Ruby networking APIs (against, no voodoo here).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
Here we don’t use httpclient helpers since I want to play with different ciphers at time.
That’s it. All the magic happens there. Now, let’s look like at the bin script to see how the scoring system has been used.
First of all, we must scan the target for all the protocols we support.
1 2 3 4 5 6 7 8 9 10 11
1 2 3 4 5 6 7 8
Note that we don’t make another GET here since we did it at the beginning of the engagement when we checked if the target was alive or not.
Now, let’s calculate the scores, all of them in a 0..100 range.
1 2 3 4
And then, some graphics to make the experience more appealing.
1 2 3 4 5 6 7 8 9 10
This is the first episode about leveraging the attack surface of a web application and, as along I was writing it I realized a couple of things:
- in the friday talk I’ll go completely out of time
- there is a lot of things to say about using ruby and the Owasp testing guide that it’s worth making something bigger…
- I have a lot of things yet to learn
- I don’t have fancy pictures to put on my Friday slideshow
Please note that this post series is built using Owasp testing guide as skeleton.
True to be told I’m nervous for #rubyday talk. The talks I gave since today were done at security conferences where I’m confortable.
Here I’m going to talk about code to people who do uunderstand and that they do write great code, and they are not afraid to show it.
Just a bit scared… I hope they like it.