skipfish
10 November 2011
Ernst & Young, Sydney Australia


Previously presented at:
OWASP NL
30 June 2010
Overview
Not an OWASP Project
By Michal Zalewski
Major contributions to webappsec with Google
  RatProxy;
  Browser Security Handbook;
  “Rise of the Robots” i.e. the inspiration for the OWASP “Google Hacking” Project
Overview


Fast webappsec scanner which “spiders” using word lists
  Could be used to test www DoS
Overview

Fast webappsec scanner which “spiders” using word lists
  Similar to Burp Scanner, etc.

  Does not satisfy the WASC Web Application Security Scanner Evaluation Criteria
    I don’t think lcamtuf intends to either :)
Overview

Fast webappsec scanner which “spiders” using word lists
     Similar to DirBuster, maybe Nikto, etc.

     “2007 entries resulting in about 42K HTTP Requests”
       Based on the recommended *minimal* Word List
         i.e. bigger wordlist = bigger number of HTTP Requests
Build/Install
From Source Code
   Doesn’t build on OpenBSD (issue noted)
   Dependency on libidn

     Builds on BackTrack
Release Cycle


lcamtuf rapidly updates via minor releases
   i.e. RatProxy followed same development

Insert http://vis.cs.ucdavis.edu/~ogawa/codeswarm/
Build/Install


http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html


   Not maintained with each release i.e. v1.29b
   No mention of support on code.google.com
      i.e. Use at your own risk
Spidering



./skipfish -W /dev/null -LV ...
Word List


keywords and extensions

type hits total_age last_age keyword
Supplied Word Lists


1. Empty
2. extensions-only.wl
   Must be used in conjunction with ./skipfish -Y
Word List
The following all contain 1.7K keywords:
Word List
minimal.wl
~50,000 HTTP Requests
medium.wl
~50,000 HTTP Requests x 2
complete.wl
~50,000 HTTP Requests x 3
Word List

                                         Insert sh script


1.Select wordlist from ./dictionaries/
2.Copy as ../skipfish.wl

   *copy* the .wl, as skipfish may amend/append to skipfish.wl
   whether it does depends on the command line i.e. ./skipfish -V ...
Wordlist

Custom Wordlist
  ./skipfish -W custom_wl ...
Suppress Automatic Learning
  ./skipfish -L ...
Suppress Amending Wordlist
  ./skipfish -V ...
Lightweight Brute Force



~1,700 HTTP Requests
cp ./dictionaries/complete.wl dictionary.wl

./skipfish -W dictionary.wl -Y ...
Word List

Limit Keyword Guess Jar Size
  ./skipfish -G ...
Drop Old Dictionary Entries
  ./skipfish -R ...
Don’t fuzz $keyword.$extension
  ./skipfish -Y ...
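The “Insert sh script” step on the Word List slide (select a dictionary, copy it as skipfish.wl) and the Lightweight Brute Force slide (-Y cutting ~50K requests to ~1.7K) as one added example; this is not the slides’ or the skipfish project’s code. It assumes the dictionary line format the slides show (`type hits total_age last_age keyword`, type `w` for a keyword and `e` for an extension, `#` comment lines) and a rough request model of one probe per keyword plus one per keyword.extension pair when fuzzing is on; the sample dictionary is constructed.

```shell
#!/bin/sh
# Added example (not from the slides or the skipfish project).
# Assumed dictionary line format, as shown on the slides:
#   type hits total_age last_age keyword
# with type "w" for a keyword and "e" for an extension; "#" lines are comments.

# Steps 1 and 2 of the slide: copy the chosen dictionary out of ./dictionaries/
# so skipfish amends (and possibly appends to) the copy, never the shipped file.
# Usage: prepare_wordlist <dictionaries_dir> <name> <dest_file>; prints <dest_file>.
prepare_wordlist() {
  src="$1/$2.wl"
  if [ ! -f "$src" ]; then
    echo "no such dictionary: $src" >&2
    return 1
  fi
  cp "$src" "$3" && printf '%s\n' "$3"
}

# Count keyword ("w") and extension ("e") entries; prints "<words> <extensions>".
count_entries() {
  awk '!/^#/ && NF >= 5 { if ($1 == "w") w++; else if ($1 == "e") e++ }
       END { printf "%d %d\n", w + 0, e + 0 }' "$1"
}

# Rough per-directory brute-force budget (assumption: one probe per keyword
# plus one per keyword.extension pair when extension fuzzing is on):
#   without -Y : words + words * extensions
#   with    -Y : words only ("don't fuzz $keyword.$extension")
# Prints "<without_Y> <with_Y>".
estimate_requests() {
  set -- $(count_entries "$1")
  echo "$(( $1 + $1 * $2 )) $1"
}

# Constructed sample dictionary (not a real skipfish file), written to <dir>/mini.wl.
write_sample_dictionary() {
  mkdir -p "$1"
  cat > "$1/mini.wl" <<'EOF'
# constructed sample, same column layout as the skipfish dictionaries
e 1 1 1 php
e 1 1 1 html
e 1 1 1 bak
w 1 1 1 admin
w 1 1 1 backup
w 1 1 1 login
w 1 1 1 test
EOF
  printf '%s\n' "$1/mini.wl"
}

# Stand-alone demo: build the sample, copy it, report both budgets, and show
# the command the slides give for the -Y ("lightweight") run.
demo() {
  work=$(mktemp -d)
  write_sample_dictionary "$work/dictionaries" >/dev/null
  wl=$(prepare_wordlist "$work/dictionaries" mini "$work/skipfish.wl")
  set -- $(estimate_requests "$wl")
  echo "without -Y: $1 requests per directory, with -Y: $2"
  echo "next: ./skipfish -W $wl -Y -o out_dir http://target.example/"
  rm -rf "$work"
}
demo
```

With the slides’ 1.7K-keyword lists the same arithmetic gives roughly 1,700 requests per directory under -Y and tens of thousands without it, which is the difference the Lightweight Brute Force slide points at.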
Basic Usage

Output Directory
  ./skipfish -o output_dir URL ...
Suppress Real-Time Statistics
  ./skipfish -u ...
Usage - Scheduling

Percentage of links and directories
  ./skipfish -p percentage ...
Repeat previous scan
  ./skipfish -q seed ...
Usage - Authentication

HTTP Auth
   ./skipfish -A user:pass ...
Cookie
   ./skipfish -C name=value ...
Autocomplete Forms
   ./skipfish -T form_field=value ...
Usage - Cookie
Cookie
    ./skipfish -C name=value ...
Ignore new set-cookies from specific locations
i.e. prevent URIs from being fetched, such as logout.aspx
    ./skipfish -X ...
Ignore new set-cookies from all locations
    ./skipfish -N ...
Usage - HTTP Headers

User Agent
  ./skipfish -b ffox|ie|phone ...
Custom HTTP Header
  ./skipfish -H Header ...
Usage - Scoping
Spider from
  ./skipfish -I URI ...
Parameters not to Fuzz, such as SessionID
  ./skipfish -K SessionID_parameter ...
Include Domain
  ./skipfish -D FQDN...
Exclude URI
  ./skipfish -S URI or -X URI ...
Usage - Scoping

Limit crawl depth to number of sub directories/folders
  ./skipfish -d number ...
Limit the number of child directories per parent
  ./skipfish -c number ...
Limit Total HTTP Requests
  ./skipfish -r number ...
Usage - Scoping

No parsing of Form
  ./skipfish -O ...
No parsing of HTML
  ./skipfish -P ...
Usage - Low Impact
Mixed TLS/SSLv3 and HTTP (i.e. Cleartext)
  ./skipfish -M ...
  Low severity i.e. images are out of scope
Caching Directives of HTTP 1.0 vs 1.1
  ./skipfish -E ...
Information Leakage i.e. E-mail Addresses and URL
  ./skipfish -U ...
Usage - Reporting

Suppress reporting of duplicate hosts
  ./skipfish -Q ...
Suppress warning of “trusted” domains
  ./skipfish -B ...
Purge binary content without affecting report quality
  ./skipfish -e ...
Delta Reporting


sfscandiff
  non-destructively annotates the report by adding a red background to all new or changed nodes, and a blue background to all new or changed issues found
Issues


Won’t detect common low risks, such as:
  cookie without HTTPonly or secure flags
  autocomplete enabled Forms
Issues (Credit ‘FX’)

High Number of False Positives
  ASCII txt interpreted as JSON reply with XSSI
  Deviation between charset and MIME type
    Note ./skipfish -J ...

  No wordlist generation based on robots.txt
Issues (Credit ‘FX’)

Resolved:
  Does not write output while the tool is executing
  Total Size of HTTP Request vs File System Image
Issues


Does not support intercepting web proxy
  No supporting log entries that skipfish was used
  Use Wireshark instead i.e. TCP/80 and TCP/443
Benefits (Credit ‘FX’)


Will display the source of CGI script
Can detect IPS
  HTTP 500 for ASP.NET HttpRequestValidationException
Performance Tuning
Number of connections to all hosts
  ./skipfish -g ...
  Recommended to be < 50
Per IP
  ./skipfish -m number ...
     2 - 4 localhost
     4 - 8 local network
     10 - 20 external
     30 - 50 hosts which lag or slow connections
Performance Tuning
I/O Timeout
  ./skipfish -w number ...
Total Request Timeout
  ./skipfish -t number ...
Number of HTTP Errors before Terminating
  ./skipfish -f number ...
Truncate HTTP Response
  ./skipfish -s number ...
Q&A
Thanks Wouter - Ernst & Young


Latest slides available from
  http://slideshare.net/cmlh
  http://github.com/cmlh/skipfish


http://cmlh.id.au/contact


Editor's Notes

  2. http://lcamtuf.coredump.cx/
     http://lcamtuf.blogspot.com/
     http://twitter.com/lcamtuf
     Employed by Google
     Image Attribution http://www.knackery.net/hackers.php and http://lcamtuf.coredump.cx
  3. webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc.
     spider e.g. DirBuster, Nikto, etc.
     “2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests” quoted from Felix “FX” Lindner article
     WASC applicable standard is Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf documentation.
  6. RatProxy had a similar release cycle
     https://gist.github.com/1321223
  8. http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
  9. http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  10. extensions (a subset of keywords)
  11. -Y is “don’t fuzz $keyword.$extension”
  16. http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  20. -C is cookie; you can use curl to determine the cookie
  21. -C is cookie; you can use curl to determine the cookie
      http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  22. -H Custom HTTP Header
  23. -I i.e. capital “i”
      -S or -X i.e. Exclude locations
  24. -c Limits the number of child directories per parent - not clear in Google Code documentation
      Need to read this: -F Bypass the IP Address resolver - need to confirm whether that is the Referer header or something else
  27. -B suppress warning of trusted domains i.e. Cross Domain Content Inclusion
      -Q Suppress the reporting of duplicate nodes i.e. might miss something in report
      -p Used to perform a percentage of the scan (i.e. periodic scanning), supplement with -q
      -e http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
  28. http://code.google.com/p/skipfish/wiki/SkipfishDoc
  29. These low risks are quoted from the documentation hosted on Google Code
  30. FX is Felix Lindner http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print
      “some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection”
      skipfish -J was not mentioned by FX
  31. http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print
  33. http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print