
skipfish


Delivered on 10 November 2011

Previously delivered at OWASP Chapter Netherlands Chapter Meeting on 30 June 2010



1. skipfish
    10 November 2011, Ernst & Young, Sydney, Australia
    Previously presented at: OWASP NL, 30 June 2010

2. Overview
    Not an OWASP project
    By Michal Zalewski (lcamtuf)
    Major contributions to webappsec with Google: RatProxy; Browser Security Handbook; "Rise of the Robots", i.e. the inspiration for the OWASP "Google Hacking" Project
3. Overview
    Fast webappsec scanner which "spiders" using word lists
    Could be used to test www DoS (a full wordlist scan generates a large request volume on its own)

4. Overview
    Fast webappsec scanner which "spiders" using word lists
    Similar to Burp Scanner, etc.
    Does not satisfy the WASC Web Application Security Scanner Evaluation Criteria
    I don't think lcamtuf intends to either :)

5. Overview
    Fast webappsec scanner which "spiders" using word lists
    Similar to DirBuster, maybe Nikto, etc.
    "2007 entries resulting in about 42K HTTP Requests", based on the recommended *minimal* word list, i.e. bigger wordlist = bigger number of HTTP requests
6. Build/Install
    From source code
    Doesn't build on OpenBSD (issue noted)
    Dependency on libidn
    Builds on BackTrack

7. Release Cycle
    lcamtuf rapidly updates via minor releases, i.e. RatProxy followed the same development
    Insert: http://vis.cs.ucdavis.edu/~ogawa/codeswarm/

8. Build/Install
    Windows: http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
    Not maintained with each release, i.e. v1.29b
    No mention of support on code.google.com, i.e. use at your own risk
9. Spidering
    Crawl only, with an empty dictionary and no learning or amending: ./skipfish -W /dev/null -LV ...
10. Word List
    Keywords and extensions
    Dictionary line format: type hits total_age last_age keyword

11. Supplied Word Lists
    1. Empty
    2. extensions-only.wl (must be used in conjunction with ./skipfish -Y ...)

12. Word List
    The following all contain 1.7K keywords:

13. Word List
    minimal.wl   ~50,000 HTTP requests
    medium.wl    ~50,000 HTTP requests x 2
    complete.wl  ~50,000 HTTP requests x 3

14. Word List
    Insert sh script
    1. Select wordlist from ./dictionaries/
    2. Copy as ../skipfish.wl
    *Copy* the .wl, as skipfish may append to skipfish.wl; whether it does depends on the command line, i.e. ./skipfish -V ...

15. Wordlist
    Custom wordlist: ./skipfish -W custom_wl ...
    Suppress automatic learning: ./skipfish -L ...
    Suppress amending the wordlist: ./skipfish -V ...

16. Lightweight Brute Force
    ~1,700 HTTP requests (keywords only, no extensions)
    cp ./dictionaries/complete.wl dictionary.wl
    ./skipfish -W dictionary.wl -Y ...

17. Word List
    Limit the size of the keyword guess jar: ./skipfish -G ...
    Drop old dictionary entries: ./skipfish -R ...
    Don't fuzz $keyword.$extension: ./skipfish -Y ...
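Slides 10 to 17 give the dictionary line format and the copy-before-scan routine without the script itself. The following is an added example, not the talk's missing sh script and not part of skipfish: it takes a working copy of a shipped list so skipfish's learning amends the copy rather than the original, counts keyword and extension entries in the slide-10 format, and estimates the per-directory brute-force cost with and without -Y. Assumptions: column one holds the type codes 'w' (keyword) and 'e' (extension) as in the shipped dictionaries, the sample list is constructed here, and keywords x (extensions + 1) is an approximation of the fuzzing schedule rather than skipfish's exact request count.

```shell
#!/bin/sh
# Added example (not from the talk or the skipfish project).
# Assumes the .wl format "type hits total_age last_age keyword" with type
# 'w' for keywords and 'e' for extensions; the request estimate is an
# approximation of skipfish's $keyword / $keyword.$extension brute force.
set -eu

# prepare_wordlist <src.wl> <dst.wl>: copy a shipped dictionary to a working
# file; without -L/-V skipfish amends the file it was given, so the pristine
# list survives in ./dictionaries/.
prepare_wordlist() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "no such wordlist: $src" >&2; return 1; }
    cp "$src" "$dst"
    chmod u+w "$dst"
    echo "$dst"
}

# count_entries <wl> <type>: number of non-comment entries of one type
count_entries() {
    awk -v t="$2" '$0 !~ /^#/ && NF >= 5 && $1 == t { n++ } END { print n+0 }' "$1"
}

# estimate_requests <wl> [-Y]: approximate brute-force requests per directory
estimate_requests() {
    wl=$1; mode=${2:-}
    words=$(count_entries "$wl" w)
    exts=$(count_entries "$wl" e)
    if [ "$mode" = "-Y" ]; then
        echo "$words"                    # keywords only, no $keyword.$extension
    else
        echo $(( words * (exts + 1) ))   # keyword alone plus keyword.ext
    fi
}

# make_sample_wl <path>: constructed sample in the slide-10 format
# (not one of the shipped skipfish dictionaries)
make_sample_wl() {
    cat > "$1" <<'EOF'
# type hits total_age last_age keyword
w 1 1 1 admin
w 1 1 1 backup
w 1 1 1 login
w 1 1 1 test
e 1 1 1 php
e 1 1 1 bak
e 1 1 1 old
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_wl "$tmp/complete.wl"
    wl=$(prepare_wordlist "$tmp/complete.wl" "$tmp/skipfish.wl")
    echo "full fuzz : $(estimate_requests "$wl") requests per directory"
    echo "with -Y   : $(estimate_requests "$wl" -Y) requests per directory"
    # Scan with the working copy:  ./skipfish -W "$wl" -Y -o out URL  (not run here)
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the two estimates for the constructed list; point `prepare_wordlist` at `./dictionaries/complete.wl` to repeat slide 16's copy step against the real dictionary.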
18. Basic Usage
    Output directory: ./skipfish -o output_dir URL ...
    Suppress real-time statistics: ./skipfish -u ...

19. Usage - Scheduling
    Percentage of links and directories to crawl: ./skipfish -p percentage ...
    Repeat a previous (probabilistic) scan: ./skipfish -q seed ...

20. Usage - Authentication
    HTTP auth: ./skipfish -A user:pass ...
    Cookie: ./skipfish -C name=value ...
    Autocomplete forms: ./skipfish -T form_field=value ...

21. Usage - Cookie
    Cookie: ./skipfish -C name=value ...
    Keep the session alive by excluding URIs that would end it, such as logout.aspx: ./skipfish -X logout.aspx ...
    Ignore new Set-Cookie headers from all locations: ./skipfish -N ...

22. Usage - HTTP Headers
    User agent: ./skipfish -b f (Firefox), -b i (MSIE) or -b p (iPhone) ...
    Custom HTTP header: ./skipfish -H name=value ...

23. Usage - Scoping
    Only follow URIs matching a string: ./skipfish -I URI ...
    Parameters not to fuzz, such as a session ID: ./skipfish -K SessionID_parameter ...
    Include (crawl into) another domain: ./skipfish -D FQDN ...
    Exclude URI: ./skipfish -S URI or -X URI ...

24. Usage - Scoping
    Limit crawl depth (number of sub-directories/folders): ./skipfish -d number ...
    Limit the number of child directories per parent: ./skipfish -c number ...
    Limit total HTTP requests: ./skipfish -r number ...

25. Usage - Scoping
    No submission of forms: ./skipfish -O ...
    No parsing of HTML (to find new links): ./skipfish -P ...

26. Usage - Low Impact
    Mixed TLS/SSLv3 and HTTP (i.e. cleartext) content: ./skipfish -M ... (low severity, i.e. images are otherwise out of scope)
    Caching directives of HTTP/1.0 vs HTTP/1.1: ./skipfish -E ...
    Information leakage, i.e. e-mail addresses and URLs: ./skipfish -U ...

27. Usage - Reporting
    Suppress reporting of duplicate nodes: ./skipfish -Q ...
    Suppress warnings for "trusted" domains: ./skipfish -B domain ...
    Purge binary content without affecting report quality: ./skipfish -e ...
28. Delta Reporting
    sfscandiff: the new report is non-destructively annotated by adding a red background to all new or changed nodes, and a blue background to all new or changed issues found
29. Issues
    Won't detect common low risks, such as:
    - cookies without the HttpOnly or Secure flags
    - forms with autocomplete enabled

30. Issues (credit 'FX')
    High number of false positives:
    - ASCII text interpreted as a JSON reply, reported as XSSI
    - deviation between charset and MIME type (note ./skipfish -J ... to be less picky about MIME/charset mismatches)
    No wordlist generation based on robots.txt

31. Issues (credit 'FX') - Resolved
    Did not write output while the tool was executing
    Total size of HTTP requests vs file system image

32. Issues
    Does not support an intercepting web proxy
    No supporting log entries that skipfish was used; use Wireshark instead, i.e. capture TCP/80 and TCP/443

33. Benefits (credit 'FX')
    Will display the source of CGI scripts
    Can detect an IPS: HTTP 500 for ASP.NET HttpRequestValidationException
34. Performance Tuning
    Number of connections to all hosts: ./skipfish -g number ... (recommended to be < 50)
    Per IP: ./skipfish -m number ...
        2 - 4    localhost
        4 - 8    local network
        10 - 20  external
        30 - 50  hosts which lag or have slow connections

35. Performance Tuning
    I/O timeout: ./skipfish -w number ...
    Total request timeout: ./skipfish -t number ...
    Number of consecutive HTTP errors before terminating: ./skipfish -f number ...
    Truncate HTTP response (size limit): ./skipfish -s number ...
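The usage slides (18 to 27) and the tuning slides (34 and 35) show one switch at a time. The wrapper below is an added example, neither the talk's code nor part of skipfish: it assembles those switches into one authenticated, scoped scan invocation, picks -m from the per-IP ranges on slide 34 by looking at the target address, and prints the command line (the default) or executes it. Assumptions: the chosen -m values 3/6/15 sit inside the slide's localhost/local-network/external ranges, -g 40 stays under the "< 50" guidance, -d 8, -c 256 and -r 100000 are example limits, -b takes i, f or p, and the cookie, logout URI, session parameter and target address are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the talk or the skipfish project).
# Builds a skipfish command line from the usage and tuning slides.
# Assumptions: -m values 3/6/15 are picked from slide 34's per-IP ranges,
# -g 40 stays under "< 50", -d/-c/-r are example limits, and the cookie,
# logout URI and session parameter are caller-supplied placeholders.
set -eu

# per_ip_conns <ip>: choose -m by how close the target is (slide 34 ranges)
per_ip_conns() {
    case $1 in
        127.*|::1)                                             echo 3 ;;   # localhost: 2-4
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo 6 ;;   # local network: 4-8
        *)                                                     echo 15 ;;  # external: 10-20
    esac
}

# build_scan_cmd <url> <target_ip> <out_dir> [cookie] [logout_uri] [session_param]
# Prints the argv one element per line so it can be inspected before running.
build_scan_cmd() {
    url=$1; ip=$2; out=$3
    cookie=${4:-}; logout=${5:-}; sessparam=${6:-}
    set -- ./skipfish -o "$out" \
        -g 40 -m "$(per_ip_conns "$ip")" \
        -d 8 -c 256 -r 100000 \
        -b f
    if [ -n "$cookie" ]; then
        # Authenticated scan: send the session cookie (-C), refuse replacement
        # cookies from the server (-N), never fetch the logout URI (-X) and
        # never fuzz the session parameter (-K).
        set -- "$@" -C "$cookie" -N
        if [ -n "$logout" ];    then set -- "$@" -X "$logout"; fi
        if [ -n "$sessparam" ]; then set -- "$@" -K "$sessparam"; fi
    fi
    set -- "$@" "$url"
    printf '%s\n' "$@"
}

# shell_quote <arg>: single-quote one argument so the line is safe to paste or eval
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# scan_cmdline <build_scan_cmd args...>: the same argv as one quoted line
scan_cmdline() {
    build_scan_cmd "$@" | while IFS= read -r arg; do
        printf '%s ' "$(shell_quote "$arg")"
    done
    echo
}

# run_scan <build_scan_cmd args...>: print the command (DRY_RUN=1, default) or execute it
run_scan() {
    cmd=$(scan_cmdline "$@")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
    else
        eval "$cmd"
    fi
}

if [ $# -gt 0 ]; then
    run_scan "$@"
fi
```

Example: `sh scan.sh http://203.0.113.9/ 203.0.113.9 out PHPSESSID=abc123 logout.php PHPSESSID` prints the full invocation; set `DRY_RUN=0` to execute it from the skipfish directory. The -X and -K entries are what keep the session from being logged out or fuzzed away mid-scan, which is the point slides 21 and 23 make separately.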
36. Q&A
    Thanks Wouter - Ernst & Young
    Latest slides available from http://slideshare.net/cmlh
    http://github.com/cmlh/skipfish
    http://cmlh.id.au/contact
