STS Scanner Tutorial

By Jordan Del-Grande

Copyright © 2008 by Security Technology Science Pty Ltd
www.securitytechscience.com
Table of Contents

Preamble
Introduction
Installation
The Assessment
    Reconnaissance
    Enumeration
    Testing
    Reviewing the Results
Future Improvements
Appendix A: STS-Scanner Report
Company Details
    About the Author
    Contact Information
Preamble

This paper is a how-to on the correct usage of the STS Scanner. The tool is freely available for download at http://www.securitytechscience.com/resources/. The information is made available to educate testers on how to discover these vulnerabilities and developers on how to avoid writing applications that contain these types of vulnerabilities. All techniques in this paper were performed within the confines of the Security Technology Science Testing Lab. Only test applications that are either under your direct ownership or that you have written legal authorisation to test.

Introduction

The STS Scanner is specifically a web application scanner. It is not designed to replace the penetration tester or the penetration test. It is a tool that should assist the penetration tester in performing a vulnerability assessment/penetration test and hence is only one step of many in the process. With that said, the paper is organised in much the same fashion as the high-level steps in a penetration test. It should not be mistaken for the be-all and end-all of the penetration test. The other sections of a penetration test have been excluded in order to focus primarily on how to use the STS Scanner. For a comprehensive guide to performing a penetration test see the OWASP Testing Project: http://www.owasp.org/index.php/Category:OWASP_Testing_Project.

Installation

Step 1: Install Ruby

The STS Scanner has been written entirely in the Ruby programming language. Information on how to download and install Ruby can be found at http://www.ruby-lang.org/en/downloads/.

Step 2: Install RubyGems

Note: For those using Windows, you can skip this step if you used the Ruby One-Click Installer. One RubyGems library is needed, and as such RubyGems is necessary. Information on how to download and install RubyGems can be found at http://rubygems.org/.

Step 3: Install Hpricot

Hpricot is a RubyGems library used for parsing HTML pages. Run the following from the command line as a privileged user:

    gem install hpricot --remote

Step 4: Run STS Scanner

To test that the installation was a success, run the STS Scanner from the command line.
Step 5: Check out the STS Scanner Options

Run:

    ruby sts-scanner.rb --help

The Assessment

Now that some background contextual information has been provided and you have installed the necessary components, let's begin by performing a web application scan on the Security Technology Science vulnerable web application, "OnlineBusiness". There will in fact be 3 separate scans run in order to ensure that the majority of the application's attack surface area is completely discovered. The scans can be categorised as follows:

1. Reconnaissance Scan (Blind Scan) – spider the site, then scan
2. Unauthenticated Scan – manually crawl the site, then scan
3. Authenticated Scan – manually crawl the site as an authenticated user, then scan

Reconnaissance

As this is a black-box assessment, the only information provided to us is the URL of the application to be tested: http://onlinebusiness.com.au/. Browsing to the site we see the following page.
Figure 1.0 – OnlineBusiness Home Page

At present we have gathered enough information to perform a reconnaissance/blind scan. We have the URL and we can see that the application runs over HTTP on port 80. We can kick off the sts-scanner to first spider the application and then perform the appropriate tests by running the following command:

    ruby sts-scanner.rb http://onlinebusiness.com.au
    Starting the Web Crawler...
    . .
    Web Crawler Complete!
    Starting Application Scan => http://onlinebusiness.com.au
    ..
    ALERT: Directory Listing Detected => GET /images/
    .....
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php
    .....................
    Application Scan Complete!
    Compiling results...Done!
We will continue on with the reconnaissance to ensure that the majority of the application's attack surface area is completely recognised. After all, there are certain pages that the spider cannot yet recognise, such as those reached through JavaScript and Ajax code. As such, we will launch Burp Suite and begin manually crawling the application, logging all requests to a local file. First, configure your browser to proxy all requests locally over port 8080.

Figure 1.1 – Set up proxy

Next, configure Burp Proxy to log all requests to a local file, 'onlinebusiness.burp'.

Figure 1.2 – Logging all requests locally
Finally, test that a request is passed through the Burp Proxy and begin the crawl of the entire application.

Figure 1.3 – Burp Proxy Request

Enumeration

After crawling the website, we notice there is a 'Login' page, so we can assume there is a section of this application that requires authentication and the appropriate level of authorisation to be viewed. Leveraging the techniques in the "Application Username Enumeration" whitepaper found at http://www.securitytechscience.com/resources/, we discover a user name of '10006' and a password of 'password', with the application using cookies to track user sessions. We now use these credentials to log into the application, create a new Burp log file called 'onlinebusiness-authenticated.burp' and perform the crawl again.

Note: We are careful not to click on any logout or change-password links.

Testing

We can now begin the unauthenticated scan of the application. It's a simple matter of providing the sts-scanner with the Burp file location:

    ruby sts-scanner.rb --log onlinebusiness.burp http://onlinebusiness.com.au

Next we need to perform the authenticated scan of the application. As we now know the application uses cookies to track user sessions, we need to use Burp Proxy in order to view the session cookie. Log into the application and then make sure the 'intercept is on' button is enabled within Burp Proxy. Click on any link or refresh the current page and look for the session cookie.
Figure 1.4 – Session Cookie

Using the session cookie identified, and while still remaining logged into the application, we can now perform the authenticated scan:

    ruby sts-scanner.rb --log onlinebusiness-authenticated.burp --cookie "sessionid=123456" http://onlinebusiness.com.au

Reviewing the Results

After every scan is complete, the sts-scanner produces several different files. They are:

1. spider.log – log of all the spider's requests and responses
2. scanner.log – log of all the scanner's requests and responses
3. date-time-host.txt – text file of the attack surface area and the vulnerabilities discovered

Note: For the sake of brevity we are only going to focus on the last file. The complete file is located in Appendix A.

Section 1: Target

This section contains the target host the scanner tested, that is, http://onlinebusiness.com.au.

    ** STS Web Application Scanner **
    Target => http://onlinebusiness.com.au

Section 2: Crawl

This section contains the surface area the spider was able to identify.

    ** Crawling Target Site **
    GET /
    GET /images/glasses.jpg
    GET /images/english.gif
    GET /contacts.php
    POST /contacts.php?postcode=
    ...

Section 3: Vulnerabilities

This section contains the identified vulnerabilities from the scan. Going from top to bottom there is a directory listing identified, two cross-site scripting holes and one definite SQL injection where the scanner identified the DBMS as MySQL and that there are 5 varchar columns in the table.

    ** Starting Application Scan **
    ALERT: Directory Listing Detected => GET /images/
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php user-agent: "><script>alert('Vulnerable');</script>
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
    ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
    ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
    ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
    ALERT: Verified database type blind: mysql => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM%20information_schema.TABLES--
    ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
    ...

Future Improvements

The STS Scanner uses Mechanize and Hpricot to parse and spider HTML pages. These libraries are not able to parse and identify JavaScript and/or Ajax code. A separate version of the STS Scanner is to be developed where the internal core does not rely on these libraries, which shall become obsolete. The core shall act more like an everyday browser (i.e., IE, Firefox, etc.) so it can hopefully branch out into other applications such as Flash and web services. The testing modules are currently limited to performing only 3 types of tests (i.e., SQL injection, XSS injection, directory indexing). These are to be expanded to incorporate more injection tests such as CSRF, code execution, HTTP response splitting, etc. The reporting functionality is to be updated to produce PDF files containing clickable links, statistics and graphs.
Appendix A: STS-Scanner Report

    ** STS Web Application Scanner **
    Target => http://onlinebusiness.com.au
    ** Crawling Target Site **
    GET /
    GET /images/glasses.jpg
    GET /images/english.gif
    GET /images/french.gif
    GET /images/russian.gif
    GET /contacts.php
    POST /contacts.php?postcode=
    GET /database/contacts.txt
    GET /login.php
    POST /login.php?login=&password=
    GET /login.php?msg='Username%20does%20not%20exist'
    POST /login.php?login=&password=
    GET /logininformation.php
    GET /products.php
    POST /products.php?name=&description=&type=Stock
    GET /index.php
    ** Crawling Complete **
    ** Starting Application Scan **
    ALERT: Directory Listing Detected => GET /images/
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php user-agent: "><script>alert('Vulnerable');</script>
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
    ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
    ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
    ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
    ALERT: Verified database type blind: mysql => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM%20information_schema.TABLES--
    ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode= user-agent: "><script>alert('Vulnerable');</script>
    ALERT: Directory Listing Detected => GET /database/
    ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /login.php?msg="><script>alert('Vulnerable');</script>
    ALERT: MySQL Database Error Message Detected => POST /products.php?name=te'st&description=&type=Stock
    ALERT: Possible SQL Injection Exploit => POST /products.php?name=1'%20OR%20'1'%3D'1&description=&type=Stock
    ALERT: Verified Database Type: mysql => POST /products.php?name=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where%20'1'%3D'1&description=&type=Stock
    ALERT: Column Enumeration Successful: 3 => POST /products.php?name=1'%20UNION%20ALL%20select%20null,null,null%20from%20information_schema.TABLES%20where%20'1'%3D'1&description=&type=Stock
    ALERT: Enumerated data types => POST /products.php?name=1'%20UNION%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES%20where%20'1'%3D'1&description=&type=Stock
    ALERT: MySQL Database Error Message Detected => POST /products.php?name=&description=te'st&type=Stock
    ALERT: Possible SQL Injection Exploit => POST /products.php?name=&description=1'%20OR%20'1'%3D'1&type=Stock
    ALERT: Verified Database Type: mysql => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where%20'1'%3D'1&type=Stock
    ALERT: Column Enumeration Successful: 3 => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20null,null,null%20from%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
    ALERT: Enumerated data types => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
    ** Scan Finished **
    ** Attack Surfaces **
    == Parameter Attack Surface ==
    = HTTP Client Header =
    cookie
    referer
    user-agent
    = GET/POST Parameter =
    GET /login.php+msg
    POST /contacts.php+postcode
    POST /login.php+login+password
    POST /products.php+name+description+type
    == Directory Attack Surface ==
    GET /
    GET /database/
    GET /images/
    == File Attack Surface ==
    GET /contacts.php
    GET /database/contacts.txt
    GET /index.php
    GET /login.php
    GET /logininformation.php
    GET /products.php
    ** End of Attack Surface **
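The report above is plain text, so reviewing many scans by hand gets tedious. As an added example that is not part of the STS Scanner or this paper, the Ruby below parses the report layout shown (the Target line, the crawl block and the ALERT lines), rebuilds the parameter attack surface in the report's own "METHOD /path+param" notation and counts alerts by finding type; the sample report is a constructed excerpt in the Appendix A layout, not scanner output.

```ruby
# Added example, not part of the STS Scanner: a triage parser for the plain-text
# report the scanner writes (date-time-host.txt). SAMPLE_REPORT is a constructed excerpt.
SAMPLE_REPORT = <<~REPORT
  ** STS Web Application Scanner **
  Target => http://onlinebusiness.com.au
  ** Crawling Target Site **
  GET /
  POST /contacts.php?postcode=
  GET /login.php?msg='Username%20does%20not%20exist'
  POST /products.php?name=&description=&type=Stock
  ** Crawling Complete **
  ** Starting Application Scan **
  ALERT: Directory Listing Detected => GET /images/
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
  ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
  ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
  ** Scan Finished **
REPORT

# Parses a report into { target:, surface: { "METHOD /path" => [param names] }, alerts: [...] }.
# Request lines are read only inside the crawl block, so a full report's "** Attack Surfaces **" listing is not mistaken for crawl output.
def parse_sts_report(text)
  result = { target: nil, surface: Hash.new { |h, k| h[k] = [] }, alerts: [] }
  section = nil
  text.each_line(chomp: true) do |line|
    case line
    when /\ATarget => (\S+)/ then result[:target] = $1
    when /\A\*\* Crawling Target Site/ then section = :crawl
    when /\A\*\* Starting Application Scan/ then section = :scan
    when /\A\*\* (Crawling Complete|Scan Finished)/ then section = nil
    when /\A(GET|POST) (\S+)/
      next unless section == :crawl
      method, (path, query) = $1, $2.split('?', 2)
      result[:surface]["#{method} #{path}"] |= query.to_s.split('&').map { |kv| kv.split('=', 2).first }
    when /\AALERT: (.+?) => (GET|POST) (\S+)/
      next unless section == :scan
      title, method, path = $1, $2, $3.split('?', 2).first
      # Drop the enumerated value ("blind: 5", ": mysql") so alerts group by finding type.
      kind = title.sub(/:\s*\S+\z/, '').sub(/\s+blind\z/, '')
      result[:alerts] << { kind: kind, endpoint: "#{method} #{path}" }
    end
  end
  result
end

# Renders the parameter attack surface in the report's own "METHOD /path+p1+p2" style.
def parameter_surface(report)
  report[:surface].reject { |_, p| p.empty? }.map { |ep, p| ([ep] + p).join('+') }.sort
end

# Counts alerts per finding type for a quick summary of the scan.
def alert_counts(report)
  report[:alerts].group_by { |a| a[:kind] }.transform_values(&:size)
end
```

Feeding the full Appendix A file into parse_sts_report reproduces the "= GET/POST Parameter =" list the scanner prints, which is a quick way to check a new scan against the previous attack surface.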
Company Details

About the Author

Jordan Del-Grande, Director and Principal Consultant at Security Technology Science, has several years of successful management and consulting experience performing Information Security and Risk Management services in predominantly financial organisations. Prior to Security Technology Science, he spent several years as a consultant with Ernst & Young and the Advanced Security Center.

Contact Information

Company Name: Security Technology Science Pty Ltd
Email: info@securitytechscience.com
Web Site: www.securitytechscience.com
