skipfish
Delivered on 10 November 2011

Delivered on 10 November 2011

Previously delivered at OWASP Chapter Netherlands Chapter Meeting on 30 June 2010

  • Slides have been updated from their presentation in Sydney, Australia on 10 November 2011
Speaker notes (by slide)

  • Slide 2 (Overview): http://lcamtuf.coredump.cx/ http://lcamtuf.blogspot.com/ http://twitter.com/lcamtuf
    Employed by Google.
    Image attribution: http://www.knackery.net/hackers.php and http://lcamtuf.coredump.cx
  • Slides 3-5 (Overview): webappsec scanner, e.g. Burp Scanner, IBM Rational AppScan, etc.; spider, e.g. DirBuster, Nikto, etc.
    "2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests" is quoted from the Felix "FX" Lindner article.
    The applicable WASC standard is the Web Application Security Scanner Evaluation Criteria, quoted from the lcamtuf documentation.
  • Slides 6-7 (Build/Install, Release Cycle): RatProxy had a similar release cycle. https://gist.github.com/1321223
  • Slide 8 (Build/Install on Windows): http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
  • Slide 9 (Spidering): http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • Slide 10 (Word List): extensions are a subset of keywords.
  • Slide 11 (Supplied Word Lists): -Y is "don't fuzz $keyword.$extension".
  • Slide 16 (Lightweight Brute Force): http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • Slide 20 (Authentication): -C is the cookie option; you can use curl to determine the cookie.
  • Slide 21 (Cookie): -C is the cookie option; you can use curl to determine the cookie. http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • Slide 22 (HTTP Headers): -H is a custom HTTP header.
  • Slide 23 (Scoping): -I, i.e. capital "i". -S or -X, i.e. exclude locations.
  • Slides 24-25 (Scoping): -c limits the number of child directories per parent (not clear in the Google Code documentation). -F host=IP bypasses DNS resolution and makes skipfish connect to IP for host; it is a resolver override, not a Referer header setting.
  • Slide 27 (Reporting): -B suppresses the warning about trusted domains, i.e. cross-domain content inclusion. -Q suppresses the reporting of duplicate nodes, i.e. the report might miss something. -p performs a percentage of the scan (i.e. periodic scanning); supplement it with -q. -e: http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  • Slide 28 (Delta Reporting): http://code.google.com/p/skipfish/wiki/SkipfishDoc
  • Slide 29 (Issues): these low risks are quoted from the documentation hosted on Google Code.
  • Slide 30 (Issues, credit FX): FX is Felix Lindner, http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print
    "some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection"
    skipfish -J was not mentioned by FX.
  • Slide 31 (Issues resolved): http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print
  • Slide 33 (Benefits): http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print

Presentation Transcript

  • 1. skipfish
    10 November 2011, Ernst & Young, Sydney, Australia
    Previously presented at OWASP NL, 30 June 2010
  • 2. Overview
    Not an OWASP Project
    By Michal Zalewski
    Major contributions to webappsec with Google: RatProxy; Browser Security Handbook; "Rise of the Robots", i.e. the inspiration for the OWASP "Google Hacking" Project
  • 3. Overview
    Fast webappsec scanner which "spiders" using word lists
    Could be used to test www DoS
  • 4. Overview
    Fast webappsec scanner which "spiders" using word lists
    Similar to Burp Scanner, etc.
    Does not satisfy the WASC Web Application Security Scanner Evaluation Criteria; I don't think lcamtuf intends to either :)
  • 5. Overview
    Fast webappsec scanner which "spiders" using word lists
    Similar to DirBuster, maybe Nikto, etc.
    "2007 entries resulting in about 42K HTTP Requests", based on the recommended *minimal* word list, i.e. bigger wordlist = bigger number of HTTP requests
  • 6. Build/Install
    From source code
    Doesn't build on OpenBSD (issue noted)
    Dependency on libidn
    Builds on BackTrack
  • 7. Release Cycle
    lcamtuf rapidly updates via minor releases; RatProxy followed the same development
    (Slide placeholder for a code_swarm visualisation: http://vis.cs.ucdavis.edu/~ogawa/codeswarm/)
  • 8. Build/Install
    http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
    Not maintained with each release, i.e. v1.29b
    No mention of support on code.google.com, i.e. use at your own risk
  • 9. Spidering
    ./skipfish -W /dev/null -LV ...
  • 10. Word List
    Keywords and extensions; each entry has the form: type hits total_age last_age keyword
  • 11. Supplied Word Lists
    1. Empty
    2. extensions-only.wl, which must be used in conjunction with ./skipfish -Y
  • 12. Word List
    The following all contain 1.7K keywords:
  • 13. Word List
    minimal.wl: ~50,000 HTTP requests
    medium.wl: ~50,000 HTTP requests x 2
    complete.wl: ~50,000 HTTP requests x 3
  • 14. Word List (sh script)
    1. Select a wordlist from ./dictionaries/
    2. Copy it as ../skipfish.wl: *copy* the .wl, because skipfish may append to skipfish.wl depending on the command line, i.e. unless ./skipfish -V ...
  • 15. Wordlist
    Custom wordlist: ./skipfish -W custom_wl ...
    Suppress automatic learning: ./skipfish -L ...
    Suppress amending the wordlist: ./skipfish -V ...
  • 16. Lightweight Brute Force
    ~1,700 HTTP requests
    cp ./dictionaries/complete.wl dictionary.wl
    ./skipfish -W dictionary.wl -Y ...
  • 17. Word List
    Limit keyword guess jar size: ./skipfish -G ...
    Drop old dictionary entries: ./skipfish -R ...
    Don't fuzz $keyword.$extension: ./skipfish -Y ...
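The dictionary handling on the Word List slides above (copy the shipped .wl before scanning because skipfish rewrites it, -Y for the lightweight brute force, wordlist size driving the request count) as one shell script. This is an added example, not code from the slides or from the skipfish project: the sample dictionary is constructed, and the probe arithmetic is the approximation the slides use (keywords times extensions without -Y, keywords alone with -Y), not skipfish's exact scheduling.

```shell
#!/bin/sh
# Added example, not code from the slides or from the skipfish project:
# prepare a working copy of a skipfish dictionary and estimate how many
# directory brute-force probes it will generate, with and without -Y.
#
# skipfish .wl lines have the form "type hits total_age last_age keyword";
# type is "e" for an extension and "w" for a keyword; "#" starts a comment.

# wl_prepare SRC DST: skipfish rewrites the -W file in place (unless -V is
# given), so always scan with a copy, and never overwrite a copy that may
# already hold keywords learned during an earlier scan.
wl_prepare() {
    if [ -e "$2" ]; then
        echo "wl_prepare: $2 exists, refusing to overwrite it" >&2
        return 1
    fi
    cp "$1" "$2"
}

# wl_stats FILE: prints "keywords extensions probes probes_with_Y".
# Probe counts are per fuzzed directory and follow the slides' arithmetic
# (an approximation): without -Y every keyword is tried bare and as
# keyword.extension, with -Y only the bare keyword is tried.
wl_stats() {
    awk '
        /^[[:space:]]*#/ || NF < 5 { next }
        $1 == "e" { ext++ }
        $1 == "w" { kw++ }
        END { printf "%d %d %d %d\n", kw, ext, kw * (ext + 1), kw }
    ' "$1"
}

# Constructed sample dictionary (tiny; not one of the shipped .wl files).
SRC_WL=$(mktemp)
cat > "$SRC_WL" <<'EOF'
# type hits total_age last_age keyword
e 1 1 1 php
e 1 1 1 bak
e 1 1 1 old
w 1 1 1 admin
w 1 1 1 backup
w 1 1 1 login
w 1 1 1 test
EOF

WORK_WL="$SRC_WL.work"
wl_prepare "$SRC_WL" "$WORK_WL"
wl_stats "$WORK_WL"    # 4 3 16 4
# The scan itself would then be:  ./skipfish -W "$WORK_WL" -o out_dir URL
# (add -Y for the lightweight brute force; use -W /dev/null -LV to spider only).
```

Scale the same arithmetic to the shipped dictionaries and the slides' numbers fall out: roughly 1.7K keywords multiplied by the extension list is the ~50,000 requests per directory level quoted for minimal.wl, while -Y collapses it to the ~1,700 requests of the lightweight brute force.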
  • 18. Basic Usage
    Output directory: ./skipfish -o output_dir URL ...
    Suppress real-time statistics: ./skipfish -u ...
  • 19. Usage - Scheduling
    Percentage of links and directories: ./skipfish -p percentage ...
    Repeat a previous scan: ./skipfish -q seed ...
  • 20. Usage - Authentication
    HTTP Auth: ./skipfish -A user:pass ...
    Cookie: ./skipfish -C name=value ...
    Autocomplete forms: ./skipfish -T form_field=value ...
  • 21. Usage - Cookie
    Cookie: ./skipfish -C name=value ...
    Ignore new Set-Cookies from specific locations, i.e. prevent URIs such as logout.aspx from being fetched: ./skipfish -X ...
    Ignore new Set-Cookies from all locations: ./skipfish -N ...
  • 22. Usage - HTTP Headers
    User agent: ./skipfish -b ffox, ie or phone ...
    Custom HTTP header: ./skipfish -H Header ...
  • 23. Usage - Scoping
    Spider from: ./skipfish -I URI ...
    Parameters not to fuzz, such as a session ID: ./skipfish -K SessionID_parameter ...
    Include domain: ./skipfish -D FQDN ...
    Exclude URI: ./skipfish -S URI or -X URI ...
  • 24. Usage - Scoping
    Limit crawl depth to a number of sub-directories/folders: ./skipfish -d number ...
    Limit the number of child directories per parent: ./skipfish -c number ...
    Limit total HTTP requests: ./skipfish -r number ...
  • 25. Usage - Scoping
    No parsing of forms: ./skipfish -O ...
    No parsing of HTML: ./skipfish -P ...
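The Authentication, Cookie, HTTP Headers and Scoping slides above, combined into one shell example that logs in with curl, turns the cookie jar into -C arguments, and assembles an authenticated scan that stays away from the logout page. This is an added example, not code from the slides or from the skipfish project: the host app.example, the login form fields, the cookie names, the /logout.aspx path and the X-Scanner header value are assumptions, and the cookie jar is a constructed stand-in for what curl writes.

```shell
#!/bin/sh
# Added example, not code from the slides or from the skipfish project:
# log in with curl, turn the resulting cookie jar into skipfish -C arguments,
# and assemble a scoped, authenticated scan command. The host, login form
# fields, cookie names, logout path and X-Scanner header are assumptions.

# Step 1 (not run here; app.example is an assumed host): authenticate with
# curl and save the session cookies in Netscape cookie-jar format.
#   curl -s -c cookies.txt -d 'username=alice&password=secret' \
#        https://app.example/login

# jar_to_cookie_args JAR: prints one "-C name=value" per cookie in the jar.
# Jar lines are tab-separated: domain flag path secure expiry name value.
# curl prefixes HttpOnly cookies with "#HttpOnly_", which looks like a
# comment but is not, so strip that prefix before skipping real comments.
jar_to_cookie_args() {
    sed 's/^#HttpOnly_//' "$1" | awk -F'\t' '
        /^#/ || NF < 7 { next }
        { printf "-C %s=%s\n", $6, $7 }
    '
}

# build_scan_cmd JAR OUTDIR URL LOGOUT_PATH SESSION_PARAM: prints the
# skipfish command line. -X keeps the crawler off the logout URL so the
# session survives, -N rejects the application's new Set-Cookie headers so
# they cannot replace the authenticated session, -K keeps the session
# parameter out of the fuzzer, and -H tags every request so the target's
# access logs show which traffic was the scan.
build_scan_cmd() {
    cookies=$(jar_to_cookie_args "$1" | tr '\n' ' ')
    printf 'skipfish -o %s %s-X %s -N -K %s -H X-Scanner=skipfish %s\n' \
        "$2" "$cookies" "$4" "$5" "$3"
}

# Constructed sample jar standing in for the curl output of step 1.
JAR=$(mktemp)
{
    printf '# Netscape HTTP Cookie File (constructed sample)\n'
    printf 'app.example\tFALSE\t/\tTRUE\t0\tPHPSESSID\tabc123\n'
    printf '#HttpOnly_app.example\tFALSE\t/\tTRUE\t0\tremember\tyes\n'
} > "$JAR"

build_scan_cmd "$JAR" out_dir https://app.example/ /logout.aspx PHPSESSID
```

The -K argument only matters when the session identifier also travels as a URL or form parameter; with a purely cookie-based session it is harmless. The -H tag is the cheap answer to the later "no supporting log entries that skipfish was used" point: the target's own access logs can then attribute the requests without a packet capture.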
  • 26. Usage - Low Impact
    Mixed TLS/SSLv3 and HTTP (i.e. cleartext) content: ./skipfish -M ... (low severity, i.e. images are out of scope)
    Caching directives of HTTP 1.0 vs 1.1: ./skipfish -E ...
    Information leakage, i.e. e-mail addresses and URLs: ./skipfish -U ...
  • 27. Usage - Reporting
    Suppress reporting of duplicate nodes: ./skipfish -Q ...
    Suppress warnings about "trusted" domains: ./skipfish -B ...
    Purge binary content without affecting report quality: ./skipfish -e ...
  • 28. Delta Reporting
    sfscandiff non-destructively annotates a report by adding a red background to all new or changed nodes, and a blue background to all new or changed issues found
  • 29. Issues
    Won't detect common low risks, such as:
    cookies without the HttpOnly or Secure flags
    forms with autocomplete enabled
  • 30. Issues (credit 'FX')
    High number of false positives
    ASCII txt interpreted as a JSON reply with XSSI
    Deviation between charset and MIME type (note ./skipfish -J ...)
    No wordlist generation based on robots.txt
  • 31. Issues (credit 'FX'), resolved
    Does not write output while the tool is executing
    Total size of HTTP requests vs file system image
  • 32. Issues
    Does not support an intercepting web proxy
    No supporting log entries that skipfish was used; use Wireshark instead, i.e. TCP/80 and TCP/443
  • 33. Benefits (credit 'FX')
    Will display the source of a CGI script
    Can detect IPS HTTP 500 for ASP.NET HttpRequestValidationException
  • 34. Performance Tuning
    Number of connections to all hosts: ./skipfish -g ... (recommended to be < 50)
    Per IP: ./skipfish -m number ...
    2 - 4 for localhost
    4 - 8 for the local network
    10 - 20 for external hosts
    30 - 50 for hosts which lag or have slow connections
  • 35. Performance Tuning
    I/O timeout: ./skipfish -w number ...
    Total request timeout: ./skipfish -t number ...
    Number of HTTP errors before terminating: ./skipfish -f number ...
    Truncate HTTP response: ./skipfish -s number ...
  • 36. Q&A
    Thanks Wouter, Ernst & Young
    Latest slides available from http://slideshare.net/cmlh
    http://github.com/cmlh/skipfish
    http://cmlh.id.au/contact