
Delivered on 10 November 2011

Previously delivered at OWASP Chapter Netherlands Chapter Meeting on 30 June 2010


Speaker notes:
  • http://lcamtuf.coredump.cx/ ; http://lcamtuf.blogspot.com/ ; http://twitter.com/lcamtuf ; employed by Google. Image attribution: http://www.knackery.net/hackers.php and http://lcamtuf.coredump.cx
  • webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc; spider e.g. DirBuster, Nikto, etc. “2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests” quoted from Felix “FX” Lindner article. WASC applicable standard is Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf documentation.
  • RatProxy had a similar release cycle: https://gist.github.com/1321223
  • http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
  • http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • extensions (a subset of keywords)
  • -Y is “don’t fuzz $keyword.$extension”
  • -C is cookie; can curl be used to determine the cookie? (http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html)
  • -H Custom HTTP Header
  • -I i.e. capital “i”; -S or -X i.e. Exclude locations
  • -c Limits the number of child directories per parent - not clear in Google Code documentation. Need to read this: -F Bypass the IP Address resolver - need to confirm whether that is the Referer header or something else
  • -B suppress warning of trusted domains i.e. Cross Domain Content Inclusion; -Q Suppress the reporting of duplicate nodes i.e. might miss something in report; -p Used to perform a percentage of the scan (i.e. periodic scanning), supplement with -q; -e http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • http://code.google.com/p/skipfish/wiki/SkipfishDoc
  • These low risks are quoted from the documentation hosted on Google Code
  • FX is Felix Lindner http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print : “some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection”. skipfish -J was not mentioned by FX

    1. skipfish
       10 November 2011, Ernst & Young, Sydney Australia
       Previously presented at: OWASP NL, 30 June 2010
    2. Overview
       • Not an OWASP Project
       • By Michal Zalewski
       • Major contributions to webappsec with Google: RatProxy; Browser Security Handbook; “Rise of the Robots”, i.e. the inspiration for the OWASP “Google Hacking” Project
    3. Overview
       • Fast webappsec scanner which “spiders” using word lists
       • Could be used to test www DoS
    4. Overview
       • Fast webappsec scanner which “spiders” using word lists
       • Similar to Burp Scanner, etc
       • Does not satisfy WASC Security Scanner Evaluation Criteria; I don’t think lcamtuf intends to either :)
    5. Overview
       • Fast webappsec scanner which “spiders” using word lists
       • Similar to DirBuster, maybe Nikto, etc
       • “2007 entries resulting in about 42K HTTP Requests”, based on the recommended *minimal* word list, i.e. bigger wordlist = bigger number of HTTP Requests
    6. Build/Install
       • From Source Code
       • Doesn’t build on OpenBSD (issue noted)
       • Dependency on libidn
       • Builds on BackTrack
    7. Release Cycle
       • lcamtuf rapidly updates via minor releases, i.e. RatProxy followed the same development
       • (Insert http://vis.cs.ucdavis.edu/~ogawa/codeswarm/)
    8. Build/Install
       • http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
       • Not maintained with each release, i.e. v1.29b
       • No mention of support on code.google.com, i.e. use at your own risk
    9. Spidering
       ./skipfish -W /dev/null -LV ...
    10. Word List
       • keywords and extensions
       • type hits total_age last_age keyword
    11. Supplied Word Lists
       1. Empty
       2. extensions-only.wl (must be used in conjunction with ./skipfish -Y)
    12. Word List
       The following all contain 1.7K keywords:
    13. Word List
       • minimal.wl: ~50,000 HTTP Requests
       • medium.wl: ~50,000 HTTP Requests x 2
       • complete.wl: ~50,000 HTTP Requests x 3
    14. Word List
       (Insert sh script)
       1. Select wordlist from ./dictionaries/
       2. Copy as ../skipfish.wl; *copy* the .wl, as skipfish may append to skipfish.wl; whether it does depends on the command line, i.e. ./skipfish -V ...
    15. Wordlist
       • Custom Wordlist: ./skipfish -W custom_wl ...
       • Suppress Automatic Learning: ./skipfish -L ...
       • Suppress Amending Wordlist: ./skipfish -V ...
    16. Lightweight Brute Force
       ~1,700 HTTP Requests
       cp ./dictionaries/complete.wl dictionary.wl
       ./skipfish -W dictionary.wl -Y ...
    17. Word List
       • Limit Keyword Guess Size Jar: ./skipfish -G ...
       • Drop Old Dictionary Entries: ./skipfish -R ...
       • Don’t fuzz $keyword.$extension: ./skipfish -Y ...
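The wordlist procedure of slides 11 to 17 (pick a supplied dictionary, work on a copy because skipfish amends the file it is given, then run the lightweight -Y brute force) as one script. This is an added example, not the sh script the slide says it will insert and not part of skipfish; the sample dictionary is constructed here, and the type codes e (extension) and w (keyword) are assumed from the "type hits total_age last_age keyword" layout on slide 10.

```shell
#!/bin/sh
# Added example, not from the slides or from skipfish: stage a wordlist as the
# slides recommend (work on a *copy*, since skipfish appends to the dictionary
# it is given unless -V is set) and print the resulting command line for review.
set -eu

# Constructed sample in skipfish's "type hits total_age last_age keyword"
# layout (slide 10). Assumed type codes: e = extension, w = keyword.
make_sample_dictionary() {
    printf '%s\n' \
        'e 1 1 1 html' \
        'e 1 1 1 php' \
        'w 1 1 1 admin' \
        'w 1 1 1 backup' \
        'w 1 1 1 login' > "$1"
}

# Count dictionary rows of one type (e or w); comments and short lines ignored.
count_type() {
    awk -v t="$2" '$0 !~ /^#/ && NF >= 5 && $1 == t { n++ } END { print n + 0 }' "$1"
}

# Copy a supplied dictionary under a fresh name so the pristine ./dictionaries/
# file is never modified by automatic learning. Prints the path of the copy.
prepare_dictionary() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "missing wordlist: $src" >&2; return 1; }
    cp "$src" "$dst"
    echo "$dst"
}

# Assemble the skipfish invocation: -W uses our copy, -Y is the slides'
# "lightweight brute force" (don't fuzz $keyword.$extension), -V keeps the
# copy unchanged, -o is the report directory.
build_cmd() {
    dict="$1"; out="$2"; url="$3"
    printf './skipfish -W %s -Y -V -o %s %s\n' "$dict" "$out" "$url"
}

workdir=$(mktemp -d)
make_sample_dictionary "$workdir/complete.wl"
dict=$(prepare_dictionary "$workdir/complete.wl" "$workdir/dictionary.wl")
echo "keywords: $(count_type "$dict" w), extensions: $(count_type "$dict" e)"
# Printed rather than executed so the command line can be reviewed first.
build_cmd "$dict" "$workdir/output" "http://target.example/"
```

With the real ./dictionaries/complete.wl in place of the constructed sample, the keyword count reported by count_type is what drives the request total the slides quote for the -Y run.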
    18. Basic Usage
       • Output Directory: ./skipfish -o output_dir URL ...
       • Suppress Real-Time Statistics: ./skipfish -u ...
    19. Usage - Scheduling
       • Percentage of links and directories: ./skipfish -p percentage ...
       • Repeat previous scan: ./skipfish -q seed ...
    20. Usage - Authentication
       • HTTP Auth: ./skipfish -A user:pass ...
       • Cookie: ./skipfish -C name=value ...
       • Autocomplete Forms: ./skipfish -T form_field=value ...
    21. Usage - Cookie
       • Cookie: ./skipfish -C name=value ...
       • Ignore new set-cookies from specific locations, i.e. prevent URIs from being fetched, such as logout.aspx: ./skipfish -X ...
       • Ignore new set-cookies from all locations: ./skipfish -N ...
    22. Usage - HTTP Headers
       • User Agent: ./skipfish -b ffox or ie or phone ...
       • Custom HTTP Header: ./skipfish -H Header ...
    23. Usage - Scoping
       • Spider from: ./skipfish -I URI ...
       • Parameters not to Fuzz, such as SessionID: ./skipfish -K SessionID_parameter ...
       • Include Domain: ./skipfish -D FQDN ...
       • Exclude URI: ./skipfish -S URI or -X URI ...
    24. Usage - Scoping
       • Limit crawl depth to number of sub directories/folders: ./skipfish -d number ...
       • Limit the number of child directories per parent: ./skipfish -c number ...
       • Limit Total HTTP Requests: ./skipfish -r number ...
    25. Usage - Scoping
       • No parsing of Forms: ./skipfish -O ...
       • No parsing of HTML: ./skipfish -P ...
    26. Usage - Low Impact
       • Mixed TLS/SSLv3 and HTTP (i.e. Cleartext): ./skipfish -M ... (low severity, i.e. images are out of scope)
       • Caching Directives of HTTP 1.0 vs 1.1: ./skipfish -E ...
       • Information Leakage, i.e. E-mail Addresses and URLs: ./skipfish -U ...
    27. Usage - Reporting
       • Suppress reporting of duplicate hosts: ./skipfish -Q ...
       • Suppress warning of “trusted” domains: ./skipfish -B ...
       • Purge binary content without affecting report quality: ./skipfish -e ...
    28. Delta Reporting
       sfscandiff: non-destructively annotates by adding a red background to all new or changed nodes, and a blue background to all new or changed issues found
    29. Issues
       Won’t detect common low risks, such as:
       • cookie without HttpOnly or Secure flags
       • autocomplete-enabled forms
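Slides 20 and 21 pass a session cookie to skipfish with -C name=value (the speaker notes suggest obtaining it with curl), and slide 29 lists two low-risk findings skipfish will not report: cookies without HttpOnly or Secure, and autocomplete-enabled forms. The following added example, which is not part of the slides or of skipfish, covers both from the same saved login response: it turns Set-Cookie headers into -C arguments and then performs the two checks skipfish skips. The response headers and form are constructed here, not captured from any site.

```shell
#!/bin/sh
# Added example, not from the slides or from skipfish. Helpers for the headers
# saved from a login response (e.g. with curl -D headers.txt) and for its HTML:
#   cookie_args                 -> "-C name=value" arguments for skipfish
#   check_cookie_flags          -> reports cookies lacking HttpOnly / Secure
#   check_password_autocomplete -> counts password inputs without autocomplete=off
set -eu

# Turn every Set-Cookie header on stdin (or in the files given) into the
# "-C name=value" form skipfish expects; attributes after ';' are dropped.
cookie_args() {
    awk '
    tolower($1) == "set-cookie:" {
        c = $0
        sub(/^[^:]*:[ \t]*/, "", c)   # strip the header name
        sub(/;.*/, "", c)             # keep only name=value
        sub(/[ \t\r]*$/, "", c)       # drop trailing CR / whitespace
        args = args (args == "" ? "" : " ") "-C " c
    }
    END { print args }' "$@"
}

# Report, per cookie, which of the HttpOnly and Secure attributes is absent.
# Attribute matching is case-insensitive and anchored on the ';' delimiters,
# so an attribute merely containing the word "secure" does not count.
check_cookie_flags() {
    awk '
    tolower($1) == "set-cookie:" {
        c = $0
        sub(/^[^:]*:[ \t]*/, "", c)
        name = c; sub(/=.*/, "", name)
        lc = tolower(c)
        missing = ""
        if (lc !~ /;[ \t]*httponly[ \t\r]*(;|$)/) missing = missing " HttpOnly"
        if (lc !~ /;[ \t]*secure[ \t\r]*(;|$)/)   missing = missing " Secure"
        if (missing == "") res = "ok"; else res = "missing" missing
        print name ": " res
    }' "$@"
}

# Count <input type=password> tags that do not carry autocomplete=off.
# One tag per line is assumed (true for the constructed sample below).
check_password_autocomplete() {
    awk -v q="'" '
    BEGIN {
        pw  = "<input[^>]*type=[\"" q "]?password"
        off = "autocomplete=[\"" q "]?off"
    }
    { l = tolower($0) }
    l ~ pw && l !~ off { n++ }
    END { print n + 0 }' "$@"
}

# Constructed sample response headers and form (not captured from any real site).
HEADERS='HTTP/1.1 200 OK
Set-Cookie: sid=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
Content-Type: text/html'
FORM='<form method="post">
<input type="text" name="user">
<input type="password" name="pass">
<input type="password" name="pass2" autocomplete="off">
</form>'

printf '%s\n' "$HEADERS" | cookie_args                 # -C sid=abc123 -C lang=en
printf '%s\n' "$HEADERS" | check_cookie_flags          # sid: missing Secure / lang: ok
printf '%s\n' "$FORM" | check_password_autocomplete    # 1
```

The -C string printed by cookie_args is what goes on the skipfish command line from slide 20; the two check functions are run separately over the saved response, since the slides note skipfish will not raise either finding itself.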
    30. Issues (Credit ‘FX’)
       • High Number of False Positives
          • ASCII txt interpreted as JSON reply with XSSI
          • Deviation between charset and MIME type; note ./skipfish -J ...
       • No wordlist generation based on robots.txt
    31. Issues (Credit ‘FX’) - Resolved
       • Does not write output while the tool is executing
       • Total Size of HTTP Request vs File System Image
    32. Issues
       • Does not support intercepting web proxy
       • No supporting log entries that skipfish was used; use Wireshark instead, i.e. TCP/80 and TCP/443
    33. Benefits (Credit ‘FX’)
       • Will display the source of CGI script
       • Can detect IPS
       • HTTP 500 for ASP.NET HttpRequestValidationException
    34. Performance Tuning
       • Number of connections to all hosts: ./skipfish -g ... (recommended to be < 50)
       • Per IP: ./skipfish -m number ...
          • 2 - 4 localhost
          • 4 - 8 local network
          • 10 - 20 external
          • 30 - 50 hosts which lag or have slow connections
    35. Performance Tuning
       • I/O Timeout: ./skipfish -w number ...
       • Total Request Timeout: ./skipfish -t number ...
       • Number of HTTP Errors before Terminating: ./skipfish -f number ...
       • Truncate HTTP Response: ./skipfish -s number ...
    36. Q&A
       Thanks Wouter - Ernst & Young
       Latest slides available from http://slideshare.net/cmlh, http://github.com/cmlh/skipfish and http://cmlh.id.au/contact
