
Skyfall flisol-campinas-2013

Skyfall flisol-campinas-2013 - scanner de



  1. Skyfall: web application vulnerability scanner, a skipfish fork. Mauro Risonho de Paula Assumpção (firebits), mauro.risonho@gmail.com, http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
  2. Skyfall (Ideas)?
     ● Google Open Source Jam 2013 – Brazil - SP
     ● 007 James Bond – Operation Skyfall
     ● 09/03/2013
     ● Web scanner
  3. Skyfall - repo
  4. Skyfall – on demand (architecture diagram): a frontend (32 RAM) fans out to one Skyfall instance per target, e.g. Skyfall01 (32 RAM, www.example.com), Skyfall02 (32 RAM, www.tes1.com), Skyfall023 (32 RAM, www.ext2.com), plus further Skyfall02 instances (32 RAM, www.tes1.com); remaining labels: REPORTS, ON/OFF, DATABASE -> SSH.
  5. Skyfall - Features
     ● High performance:
       – 500+ requests per second against responsive Internet targets
       – 2000+ requests per second on LAN / MAN networks
       – 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
  6. Skyfall - Features
     ● This can be attributed to:
       – Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
       – Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
  7. Skyfall - Features
     ● This can be attributed to:
       – Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
       – Performance-oriented, pure C implementation, including a custom HTTP stack.
  8. Skyfall - Features
     ● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
       – Heuristic recognition of obscure path- and query-based parameter handling schemes.
       – Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
  9. Skyfall - Features
     ● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
       – Automatic wordlist construction based on site content analysis.
       – Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
  10. Skyfall - Features
     ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
       – Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
       – Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
  11. Skyfall - Features
     ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
       – Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content issues, MIME and charset mismatches, incorrect caching directives, etc.
  12. Skyfall - Features
     ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
       – Bundled security checks are designed to handle tricky scenarios:
         ● stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
  13. Skyfall - Features
     ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
       – Snort-style content signatures which will highlight server errors, information leaks or potentially dangerous web applications.
       – Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
  14. Skyfall - Features
     ● What specific tests are implemented?
       – High risk flaws (potentially leading to system compromise):
         ● Server-side query injection (including blind vectors, numerical parameters).
         ● Explicit SQL-like syntax in GET or POST parameters.
  15. Skyfall - Features
     ● What specific tests are implemented?
       – High risk flaws (potentially leading to system compromise):
         ● Server-side shell command injection (including blind vectors).
         ● Server-side XML / XPath injection (including blind vectors).
  16. Skyfall - Features
     ● What specific tests are implemented?
       – High risk flaws (potentially leading to system compromise):
         ● Format string vulnerabilities.
         ● Integer overflow vulnerabilities.
         ● Locations accepting HTTP PUT.
  17. Skyfall - Features
     ● What specific tests are implemented?
       – Medium risk flaws (potentially leading to data compromise):
         ● Stored and reflected XSS vectors in document body (minimal JS XSS support).
         ● Stored and reflected XSS vectors via HTTP redirects.
         ● Stored and reflected XSS vectors via HTTP header splitting.
  18. Skyfall - Features
     ● What specific tests are implemented?
       – Medium risk flaws (potentially leading to data compromise):
         ● Directory traversal / LFI / RFI (including constrained vectors).
         ● Assorted file POIs (server-side sources, configs, etc).
         ● Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  19. Skyfall - Features
     ● What specific tests are implemented?
       – Medium risk flaws (potentially leading to data compromise):
         ● External untrusted script and CSS inclusion vectors.
         ● Mixed content problems on script and CSS resources (optional).
         ● Password forms submitting from or to non-SSL pages (optional).
  20. Skyfall - Features
     ● What specific tests are implemented?
       – Medium risk flaws (potentially leading to data compromise):
         ● Incorrect or missing MIME types on renderables.
         ● Generic MIME types on renderables.
         ● Incorrect or missing charsets on renderables.
         ● Conflicting MIME / charset info on renderables.
         ● Bad caching directives on cookie setting responses.
  21. Skyfall - Features
     ● What specific tests are implemented?
       – Medium risk flaws (potentially leading to data compromise):
         ● Incorrect or missing MIME types on renderables.
         ● Generic MIME types on renderables.
         ● Incorrect or missing charsets on renderables.
         ● Conflicting MIME / charset info on renderables.
         ● Bad caching directives on cookie setting responses.
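As an added example (not code from the Skyfall or skipfish projects), a passive audit of the kind listed on slides 20 and 21, run over constructed responses: missing or generic MIME types, missing or conflicting charsets on renderables, and cache directives on cookie-setting responses. The RENDERABLE and GENERIC_MIME sets and the finding texts are assumptions of this example, not the scanner's own lists.

```python
import re

# Constructed sample responses (not captured from any real server).
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
        '<html><head><meta charset="utf-8"></head><body>ok</body></html>')
BAD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=abc123; HttpOnly\r\n"
       "Cache-Control: public, max-age=3600\r\n\r\n"
       '<html><head><meta charset="iso-8859-1"></head><body>hi</body></html>')
CONFLICT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            "Set-Cookie: a=b\r\nCache-Control: no-store\r\n\r\n"
            '<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">')
GENERIC = "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n<html></html>"

# Assumed sets for this example; the scanner's own classification lists may differ.
RENDERABLE = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}
GENERIC_MIME = {"application/octet-stream"}

def parse_response(raw):
    """Split a raw HTTP response into {lower-cased header: [values]} and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def audit_response(raw):
    """Return passive findings for one response, in the order the checks run."""
    headers, body = parse_response(raw)
    findings = []
    mime, _, params = headers.get("content-type", [""])[0].partition(";")
    mime = mime.strip().lower()
    m = re.search(r"charset=([\w-]+)", params, re.I)
    header_charset = m.group(1).lower() if m else None
    if not mime:
        findings.append("missing MIME type")
    elif mime in GENERIC_MIME:
        findings.append(f"generic MIME type: {mime}")
    if mime in RENDERABLE:
        if header_charset is None:  # browser is left to sniff the encoding
            findings.append("missing charset on renderable")
        meta = re.search(r'<meta[^>]*charset=["\']?([\w-]+)', body, re.I)
        if meta and header_charset and meta.group(1).lower() != header_charset:
            findings.append(f"conflicting charset: header={header_charset} meta={meta.group(1).lower()}")
    if "set-cookie" in headers:
        # A cookie-setting response must not be publicly cacheable (shared caches would replay it).
        cc = ",".join(headers.get("cache-control", [])).lower()
        if "public" in cc or not ("no-store" in cc or "private" in cc):
            findings.append(f"bad caching directive on cookie-setting response: {cc or '(none)'}")
    return findings
```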
  22. Skyfall - Features
     ● What specific tests are implemented?
       – Internal warnings:
         ● Failed resource fetch attempts.
         ● Exceeded crawl limits.
         ● Failed 404 behavior checks.
         ● IPS filtering detected.
         ● Unexpected response variations.
         ● Seemingly misclassified crawl nodes.
  23. Skyfall - Features
     ● What specific tests are implemented?
       – Non-specific informational entries:
         ● General SSL certificate information.
         ● Significantly changing HTTP cookies.
         ● Changing Server, Via, or X-... headers.
         ● New 404 signatures.
         ● Resources that cannot be accessed.
         ● Resources requiring HTTP authentication.
  24. Skyfall - Features
     ● What specific tests are implemented?
       – Non-specific informational entries:
         ● Broken links.
         ● Server errors.
         ● All external links not classified otherwise (optional).
         ● All external e-mails (optional).
         ● All external URL redirectors (optional).
         ● Links to unknown protocols.
  25. Skyfall - Features
     ● What specific tests are implemented?
       – Non-specific informational entries:
         ● Form fields that could not be autocompleted.
         ● Password entry forms (for external brute-force).
         ● File upload forms.
         ● Other HTML forms (not classified otherwise).
         ● Numerical file names (for external brute-force).
         ● User-supplied links otherwise rendered on a page.
  26. Skyfall - Features
     ● What specific tests are implemented?
       – Non-specific informational entries:
         ● Incorrect or missing MIME type on less significant content.
         ● Generic MIME type on less significant content.
         ● Incorrect or missing charset on less significant content.
         ● Conflicting MIME / charset information on less significant content.
         ● OGNL-like parameter passing conventions.
  27. Skyfall - DEMO
  28. Skyfall - DEMO: OS = 31 MB RAM + Skyfall = 1 MB
  29. Skyfall - DEMO: OS = 31 MB RAM + Skyfall = 1 MB
  30. Skyfall - ToDo
     ● Database SQLite3 in memory
     ● Database SQLite3 on disk (HD)
     ● GUI Qt / web frontend (lightweight web server + HTML tags)
     ● Reports: HTML, PDF (libharu), DOCX, XML
     ● + MIME types
     ● Multi-scanning of URLs
     ● Scanning plugins: Joomla, WP, Drupal
     ● Brute-force CAPTCHA
  31. Skyfall - References
     ● skyfallsec – https://bitbucket.org/skyfallsec
     ● skipfish – http://code.google.com/p/skipfish/
     ● Gcc – http://gcc.gnu.org/
     ● Clang – http://clang.llvm.org/
     ● Archlinux – https://www.archlinux.org/
  32. THANKS!
