2. Overview
Not an OWASP Project
By Michal Zalewski
Major contributions to webappsec with Google
RatProxy;
Browser Security Handbook;
“Rise of the Robots” i.e. the inspiration for the OWASP “Google Hacking” Project
4. Overview
Fast webappsec scanner which “spiders” using word lists
Similar to Burp Scanner, etc.
Does not satisfy the WASC Web Application Security Scanner Evaluation Criteria
I don’t think lcamtuf intends to either :)
5. Overview
Fast webappsec scanner which “spiders” using word lists
Similar to DirBuster, maybe Nikto, etc.
“2007 entries resulting in about 42K HTTP Requests” (Felix “FX” Lindner)
Based on the recommended *minimal* word list
i.e. bigger wordlist = larger number of HTTP requests
7. Release Cycle
lcamtuf rapidly updates via minor releases
cf. RatProxy, which followed the same development cycle
Insert code_swarm visualisation: http://vis.cs.ucdavis.edu/~ogawa/codeswarm/
14. Word List
Insert sh script
1. Select a wordlist from ./dictionaries/
2. Copy it to ../skipfish.wl
*Copy*, don’t move or symlink: skipfish appends learned keywords to skipfish.wl
unless the command line tells it not to, i.e. ./skipfish -V ...
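As an added example (not the script from the slide, and not anything shipped with skipfish), the copy step as a shell function: it refuses to clobber a skipfish.wl that may already hold keywords learned in earlier scans, and checks that the result is a plain file rather than a symlink back into ./dictionaries/. The dictionary name `minimal`, the paths and the sample entries used in the usage comment are assumptions for illustration; the resulting file is what you hand to skipfish with -W.

```sh
#!/bin/sh
# Added example, not from the slides or the skipfish project.
# Copy a shipped dictionary into place as the working wordlist.
#
#   prepare_wordlist <dictionaries_dir> <name> <dest>
#
# Prints the number of entries copied (comment lines starting with '#'
# and blank lines are not counted). skipfish rewrites the file named by
# -W with learned keywords unless -V is given, so the shipped list is
# copied rather than moved or symlinked, and an existing destination is
# never overwritten: it may already hold keywords learned in earlier scans.
prepare_wordlist() {
    src="$1/$2.wl"
    dest="$3"

    if [ ! -f "$src" ]; then
        echo "prepare_wordlist: no such dictionary: $src" >&2
        return 1
    fi
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "prepare_wordlist: $dest exists; move it aside first" >&2
        return 2
    fi

    cp -- "$src" "$dest" || return 3

    # Sanity check: a real file, not a link back into the dictionaries dir.
    if [ -L "$dest" ] || [ ! -f "$dest" ]; then
        echo "prepare_wordlist: $dest is not a regular file" >&2
        return 4
    fi

    # Entry count. grep -c exits 1 when nothing matches, so fall back to 0.
    count=$(grep -v '^#' "$dest" | grep -c .) || count=0
    echo "$count"
}

# Typical use (assumed paths and target): copy the minimal list, then scan
# with it and let skipfish keep learning into the copy, not the original:
#   n=$(prepare_wordlist ./dictionaries minimal ./skipfish.wl) &&
#   echo "$n entries" &&
#   ./skipfish -W ./skipfish.wl -o out http://target.example.test/
```

Keep the pristine ./dictionaries/ tree under version control or read-only; diffing it against the working skipfish.wl after a scan shows exactly which keywords the target taught the scanner.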
17. Word List
Limit the size of the keyword guess jar
./skipfish -G number ...
Drop dictionary entries not hit for a given number of scans
./skipfish -R age ...
Don’t fuzz extensions in the directory brute force ($keyword.$extension)
./skipfish -Y ...
21. Usage - Cookie
Cookie
./skipfish -C name=value ...
Exclude specific locations from the crawl, e.g. logout.aspx, so fetching them doesn’t end the session (and their Set-Cookie headers are never seen)
./skipfish -X string ...
Don’t accept any new cookies (keep the session given with -C)
./skipfish -N ...
22. Usage - HTTP Headers
User Agent (headers consistent with Firefox, MSIE or iPhone)
./skipfish -b f|i|p ...
Custom HTTP Header
./skipfish -H name=value ...
23. Usage - Scoping
Only follow URLs matching a string
./skipfish -I string ...
Parameters not to fuzz, such as the session ID
./skipfish -K SessionID_parameter ...
Include domain (crawl cross-site links into it)
./skipfish -D FQDN ...
Exclude URIs matching a string, or pages whose content contains a string
./skipfish -X string ... or ./skipfish -S string ...
24. Usage - Scoping
Limit crawl depth (number of nested directories/folders)
./skipfish -d number ...
Limit the number of child nodes indexed per parent
./skipfish -c number ...
Limit total HTTP requests
./skipfish -r number ...
25. Usage - Scoping
Don’t submit forms
./skipfish -O ...
Don’t parse HTML etc. to find new links
./skipfish -P ...
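Putting the cookie, header and scoping flags together, as an added example that is not from the slides or from skipfish itself: a shell function that pulls the session cookie out of a Set-Cookie header (the line curl -i shows after a successful login) and assembles an authenticated, scoped skipfish 1.x command line. The flag semantics are the ones listed on these slides; the target URL, the /app/ and /logout paths, the sessionid parameter name, the X-Scan-Id header, the limit values and the sample Set-Cookie line are all assumptions made up for the example.

```sh
#!/bin/sh
# Added example, not from the slides or the skipfish project.
# Assemble a scoped, authenticated skipfish 1.x command line.

# Take a raw "Set-Cookie:" header line (e.g. from curl -i against the login
# form) and return just the first name=value pair, which is what -C wants.
# Attributes such as Path, Expires and HttpOnly are dropped.
cookie_from_set_cookie() {
    printf '%s\n' "$1" |
        sed -n 's/^[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*\([^;[:space:]]*\).*/\1/p'
}

# build_scan_cmd <start_url> <cookie name=value> <output_dir> [scan_id]
# Prints the command on one line. Every path, parameter name and limit
# below is an assumption about the target application, not something
# skipfish knows or defaults to.
build_scan_cmd() {
    target="$1"
    cookie="$2"
    outdir="$3"
    scan_id="${4:-skipfish-$(date +%Y%m%d)}"

    printf 'skipfish'
    printf ' -C %s' "$cookie"      # send the authenticated session cookie
    printf ' -N'                   # refuse new cookies so the app cannot swap our session out
    printf ' -X /logout'           # never fetch the logout URI: it would end the session mid-scan
    printf ' -K sessionid'         # do not fuzz the session parameter
    printf ' -I /app/'             # only follow URLs containing /app/
    printf ' -b f'                 # headers consistent with Firefox
    printf ' -H X-Scan-Id=%s' "$scan_id"   # tag every request; visible in server logs if they record the header
    printf ' -d 8 -c 128 -r 20000' # depth, children per node, total request cap
    printf ' -m 8 -g 16'           # per-IP and global connection limits (local network range)
    printf ' -o %s %s\n' "$outdir" "$target"
}

# Constructed sample of what a login response might carry; not captured
# from any real system.
SAMPLE_SET_COOKIE='Set-Cookie: ASP.NET_SessionId=x2fd9a0c1e; path=/; HttpOnly'

cookie=$(cookie_from_set_cookie "$SAMPLE_SET_COOKIE")
build_scan_cmd 'http://app.example.test/app/' "$cookie" ./sf-out
```

Log in with curl -i first, feed the Set-Cookie line to cookie_from_set_cookie, and pass the result to -C. skipfish treats the -I and -X arguments as substrings of the URL, so pick an -X string that occurs in the logout URI and nowhere you still want crawled; the -H tag is one way to answer the “no log entries that skipfish was used” complaint later in the deck, provided the web server is configured to log that header.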
26. Usage - Low Impact
Mixed content (TLS/SSLv3 and cleartext HTTP) and passwords sent without SSL
./skipfish -M ...
Low severity cases such as images are out of scope
Caching directives of HTTP/1.0 vs HTTP/1.1 that disagree
./skipfish -E ...
Information leakage, i.e. external URLs and e-mail addresses seen
./skipfish -U ...
27. Usage - Reporting
Suppress reporting of duplicate nodes
./skipfish -Q ...
Trust, but don’t crawl, a domain (suppresses cross-domain content inclusion warnings for it)
./skipfish -B domain ...
Don’t keep binary responses (smaller report without affecting its quality)
./skipfish -e ...
28. Delta Reporting
sfscandiff old_report_dir new_report_dir
The new report is non-destructively annotated by adding a red background to all
new or changed nodes, and a blue background to all new or changed issues found
29. Issues
Won’t detect common low risks, such as:
cookies without the HttpOnly or Secure flags
forms with autocomplete enabled
30. Issues (Credit ‘FX’)
High number of false positives
Plain ASCII text files interpreted as JSON replies without XSSI protection
Deviations between charset and MIME type
Note ./skipfish -J ... is less picky about MIME/charset mismatches
No wordlist generation based on robots.txt
31. Issues (Credit ‘FX’)
Resolved
Does not write output while the tool is executing
Total Size of HTTP Request vs File System Image
32. Issues
Does not support an intercepting web proxy
No supporting log entries that skipfish was used
Use Wireshark instead, i.e. capture TCP/80 and TCP/443
33. Benefits (Credit ‘FX’)
Will display the source of CGI scripts
Can detect an IPS
HTTP 500 for ASP.NET HttpRequestValidationException
34. Performance Tuning
Number of simultaneous connections to all hosts
./skipfish -g number ...
Recommended to be < 50
Per target IP
./skipfish -m number ...
2 - 4 for localhost
4 - 8 for the local network
10 - 20 for external hosts
30 - 50 for hosts which lag or have slow connections
35. Performance Tuning
Per-request network I/O timeout
./skipfish -w seconds ...
Total request timeout
./skipfish -t seconds ...
Number of consecutive HTTP errors before terminating
./skipfish -f number ...
Truncate HTTP responses over a size limit
./skipfish -s bytes ...
36. Q&A
Thanks Wouter - Ernst & Young
Latest slides available from
http://slideshare.net/cmlh
http://github.com/cmlh/skipfish
http://cmlh.id.au/contact
Editor's Notes
http://lcamtuf.coredump.cx/
http://lcamtuf.blogspot.com/
http://twitter.com/lcamtuf
Employed by Google
Image Attribution: http://www.knackery.net/hackers.php and http://lcamtuf.coredump.cx
webappsec scanner e.g. Burp Scanner, IBM Rational AppScan, etc.
spider e.g. DirBuster, Nikto, etc.
“2007 entries (recommended by lcamtuf) resulting in about 42K HTTP Requests” quoted from Felix “FX” Lindner’s article
WASC applicable standard is the Web Application Security Scanner Evaluation Criteria - quoted from lcamtuf’s documentation.
RatProxy had a similar release cycle
https://gist.github.com/1321223
-C is cookie; you can use curl to determine the cookie
http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
-H Custom HTTP Header
-I i.e. capital “i”
-S or -X i.e. exclude locations
-c limits the number of child directories per parent - not clear in the Google Code documentation
Need to read this: -F bypass the IP address resolver - need to confirm whether that is the Referer header or something else
-B suppress warning of trusted domains i.e. cross-domain content inclusion
-Q suppress the reporting of duplicate nodes i.e. might miss something in the report
-p node and link crawl probability, used to scan a percentage of the site; repeat the same probabilistic scan with -q and its seed
-e http://lcamtuf.blogspot.com/2010/11/understanding-and-using-skipfish.html
These low risks are quoted from the documentation hosted on Google Code
FX is Felix Lindner http://www.h-online.com/security/features/Testing-Google-s-Skipfish-1001315.html?view=print
“some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection”
skipfish -J was not mentioned by FX