Skyfall
Web application vulnerability scanner
(fork of skipfish)
Mauro Risonho de Paula Assumpção
firebits
mauro.risonho@gmail.com
http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
● Google Open Source Jam 2013 – Brazil - SP
● 007 James Bond – Operation Skyfall
● 09/03/2013
● Web scanner
Skyfall (Ideas)?
Skyfall - repo
Skyfall – on demand
[Architecture diagram: scanner instances Skyfall01 (www.example.com), Skyfall02 (www.tes1.com) and Skyfall023 (www.ext2.com), each labelled 32Ram; a frontend node (32Ram) in front of www.example.com, www.tes1.com and www.ext2.com; three further Skyfall02 (www.tes1.com) instances; REPORTS switches OFF / ON / ON; DATABASE -> SSH]
Skyfall - Features
● High performance:
– 500+ requests per second against responsive Internet targets
– 2000+ requests per second on LAN / MAN networks
– 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
● This can be attributed to:
– Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
– Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
– Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
– Performance-oriented, pure C implementation, including a custom HTTP stack.
● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
– Heuristic recognition of obscure path- and query-based parameter handling schemes.
– Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
– Automatic wordlist construction based on site content analysis.
– Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
– Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
– Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, MIME and charset mismatch issues, incorrect caching directives, etc.
– Bundled security checks are designed to handle tricky scenarios:
● stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
– Snort-style content signatures which highlight server errors, information leaks or potentially dangerous web applications.
– Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
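The last two points, content signatures that flag server errors and information leaks, and post-processing that collapses repetitive findings, are illustrated below in an added Python example. It is not Skyfall or skipfish code: the crawl results, the three signature rules and the URL-normalisation scheme (digits become N, query values are dropped) are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed crawl results (url, HTTP status, response body); not captured from any real site.
SAMPLE_RESPONSES = [
    ("http://www.example.com/item?id=1", 500,
     "Warning: mysql_fetch_array() expects parameter 1 in /var/www/app/db.php on line 42"),
    ("http://www.example.com/item?id=2", 500,
     "Warning: mysql_fetch_array() expects parameter 1 in /var/www/app/db.php on line 42"),
    ("http://www.example.com/item?id=3", 500,
     "Warning: mysql_fetch_array() expects parameter 1 in /var/www/app/db.php on line 42"),
    ("http://www.example.com/admin/", 200, "<html><body><h1>Index of /admin/</h1></body></html>"),
    ("http://www.example.com/about", 200, "<html><body>About us</body></html>"),
    ("http://www.example.com/.git/config", 200, "[core]\n\trepositoryformatversion = 0\n"),
]

# Snort-style content signatures over the response body.
# Hypothetical rules written for this example, not skipfish's signature file.
BODY_SIGNATURES = [
    ("php-warning-path-leak", re.compile(r"Warning: .*? in /\S+ on line \d+")),
    ("directory-listing", re.compile(r"Index of /")),
    ("git-config-exposed", re.compile(r"\[core\]\s*repositoryformatversion\s*=")),
]


def match_signatures(responses):
    """Return one raw finding per (signature, URL) hit; 5xx statuses are flagged as server errors."""
    findings = []
    for url, status, body in responses:
        if 500 <= status <= 599:
            findings.append({"sig": "server-error", "url": url, "status": status})
        for name, pattern in BODY_SIGNATURES:
            if pattern.search(body):
                findings.append({"sig": name, "url": url, "status": status})
    return findings


def normalize_url(url):
    """Reduce a URL to a pattern key: host + path with digit runs replaced by N, query keys only."""
    parts = urlsplit(url)
    path = re.sub(r"\d+", "N", parts.path)
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    query = "?" + "&".join(k + "=N" for k in keys) if keys else ""
    return f"{parts.netloc}{path}{query}"


def collapse_repetitive(findings):
    """Post-processing: merge findings that share a signature and a URL pattern into one entry with a count."""
    groups = {}
    for f in findings:
        key = (f["sig"], normalize_url(f["url"]))
        group = groups.setdefault(key, {"sig": f["sig"], "pattern": key[1], "count": 0, "example": f["url"]})
        group["count"] += 1
    return list(groups.values())


if __name__ == "__main__":
    raw = match_signatures(SAMPLE_RESPONSES)
    for entry in collapse_repetitive(raw):
        print(f"{entry['sig']:24} x{entry['count']:<3} {entry['pattern']}  e.g. {entry['example']}")
```

On the sample data the three identical PHP warnings on `/item?id=1..3` produce six raw findings (server error plus path leak each) but collapse to two report entries with a count of 3, which is the kind of noise reduction the slide describes.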
● What specific tests are implemented?
– High risk flaws (potentially leading to system compromise):
● Server-side query injection (including blind vectors, numerical parameters).
● Explicit SQL-like syntax in GET or POST parameters.
● Server-side shell command injection (including blind vectors).
● Server-side XML / XPath injection (including blind vectors).
● Format string vulnerabilities.
● Integer overflow vulnerabilities.
● Locations accepting HTTP PUT.
– Medium risk flaws (potentially leading to data compromise):
● Stored and reflected XSS vectors in document body (minimal JS XSS support).
● Stored and reflected XSS vectors via HTTP redirects.
● Stored and reflected XSS vectors via HTTP header splitting.
● Directory traversal / LFI / RFI (including constrained vectors).
● Assorted file POIs (server-side sources, configs, etc).
● Attacker-supplied script and CSS inclusion vectors (stored and reflected).
● External untrusted script and CSS inclusion vectors.
● Mixed content problems on script and CSS resources (optional).
● Password forms submitting from or to non-SSL pages (optional).
● Incorrect or missing MIME types on renderables.
● Generic MIME types on renderables.
● Incorrect or missing charsets on renderables.
● Conflicting MIME / charset info on renderables.
● Bad caching directives on cookie setting responses.
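The MIME, charset and cookie-caching checks in the medium-risk list above are the ones a defender can reproduce directly from captured responses. The Python below is an added illustration of those five checks, not Skyfall or skipfish code: the responses are constructed, and the sets of "generic" MIME types and known charsets are assumptions chosen for the example rather than the scanner's own lists.

```python
import re

# Constructed sample responses (not captured from any real site): url, headers, body.
SAMPLE_RESPONSES = [
    {"url": "http://www.example.com/",
     "headers": {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"},
     "body": b"<!DOCTYPE html><html><body>ok</body></html>"},
    {"url": "http://www.example.com/about",
     "headers": {"Content-Type": "text/html"},
     "body": b"<html><body>About</body></html>"},
    {"url": "http://www.example.com/download",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"<html><body>not really a download</body></html>"},
    {"url": "http://www.example.com/legacy",
     "headers": {"Content-Type": "text/html; charset=iso-8859-1"},
     "body": b'<html><head><meta charset="utf-8"></head><body>x</body></html>'},
    {"url": "http://www.example.com/login",
     "headers": {"Content-Type": "text/html; charset=utf-8",
                 "Set-Cookie": "session=abc123; HttpOnly",
                 "Cache-Control": "public, max-age=3600"},
     "body": b"<html><body>login</body></html>"},
    {"url": "http://www.example.com/data.bin",
     "headers": {"Content-Type": "application/octet-stream"},
     "body": b"\x00\x01\x02binary"},
]

# A body that a browser would render as markup regardless of what the server claims.
RENDERABLE_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<svg|<\?xml)", re.I)
META_CHARSET_RE = re.compile(rb'<meta[^>]+charset=["\']?([\w-]+)', re.I)
HTML_TYPES = {"text/html", "application/xhtml+xml"}
GENERIC_TYPES = {"application/octet-stream", "text/plain"}        # assumption: treated as "generic" here
KNOWN_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii", "windows-1252"}  # assumption: short illustrative list


def parse_content_type(value):
    """Split 'type/subtype; charset=x' into (mime, charset), both lower-cased, None when absent."""
    if not value:
        return None, None
    parts = [p.strip() for p in value.split(";")]
    charset = None
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key.strip().lower() == "charset":
            charset = val.strip().strip('"').lower()
    return parts[0].lower(), charset


def audit_response(resp):
    """Return the list of issue labels found on one response."""
    issues = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    body = resp["body"]
    mime, charset = parse_content_type(headers.get("content-type"))
    renders_as_markup = bool(RENDERABLE_RE.match(body))

    # MIME checks apply to anything the browser would render as markup.
    if renders_as_markup:
        if mime is None:
            issues.append("missing-mime-type")
        elif mime in GENERIC_TYPES:
            issues.append("generic-mime-type")
        elif mime not in HTML_TYPES and not mime.endswith("xml"):
            issues.append("incorrect-mime-type")

    # Charset checks apply to HTML responses: missing, unknown, or header/meta disagreement.
    if mime in HTML_TYPES or (renders_as_markup and mime is None):
        meta = META_CHARSET_RE.search(body)
        meta_charset = meta.group(1).decode("ascii").lower() if meta else None
        if charset is None and meta_charset is None:
            issues.append("missing-charset")
        elif charset is not None and charset not in KNOWN_CHARSETS:
            issues.append("incorrect-charset")
        elif charset and meta_charset and charset != meta_charset:
            issues.append("conflicting-charset")

    # A response that sets a cookie must not be cacheable by shared caches.
    if "set-cookie" in headers:
        cache_control = headers.get("cache-control", "").lower()
        directives = {d.strip().split("=")[0] for d in cache_control.split(",") if d.strip()}
        if not ({"no-store", "private"} & directives) or "public" in directives:
            issues.append("bad-caching-on-cookie-response")
    return issues


def audit(responses):
    return {r["url"]: audit_response(r) for r in responses}


if __name__ == "__main__":
    for url, found in audit(SAMPLE_RESPONSES).items():
        print(url, found or "ok")
```

The binary `/data.bin` response shows why the markup sniff matters: `application/octet-stream` is only a finding when the body would actually render, so the same header is clean on a real download and flagged on the HTML page served under it.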
– Internal warnings:
● Failed resource fetch attempts.
● Exceeded crawl limits.
● Failed 404 behavior checks.
● IPS filtering detected.
● Unexpected response variations.
● Seemingly misclassified crawl nodes.
– Non-specific informational entries:
● General SSL certificate information.
● Significantly changing HTTP cookies.
● Changing Server, Via, or X-... headers.
● New 404 signatures.
● Resources that cannot be accessed.
● Resources requiring HTTP authentication.
● Broken links.
● Server errors.
● All external links not classified otherwise (optional).
● All external e-mails (optional).
● All external URL redirectors (optional).
● Links to unknown protocols.
● Form fields that could not be autocompleted.
● Password entry forms (for external brute-force).
● File upload forms.
● Other HTML forms (not classified otherwise).
● Numerical file names (for external brute-force).
● User-supplied links otherwise rendered on a page.
● Incorrect or missing MIME type on less significant content.
● Generic MIME type on less significant content.
● Incorrect or missing charset on less significant content.
● Conflicting MIME / charset information on less significant content.
● OGNL-like parameter passing conventions.
Skyfall - Demo
OS = 31 Mb RAM + Skyfall = 1MB
Skyfall - ToDo
● Database SQLite3 in memory
● Database SQLite3 on disk (HD)
● GUI QT / web frontend (lightweight web server + HTML tags)
● Reports: HTML, PDF (libharu), DOCX, XML
● More MIME types
● Multi-scanning of URLs
● Scanning plugins for Joomla, WordPress (wp), Drupal
● Brute-force CAPTCHA
Skyfall - References
● skyfallsec
– https://bitbucket.org/skyfallsec
● skipfish
– http://code.google.com/p/skipfish/
● Gcc
– http://gcc.gnu.org/
● Clang
– http://clang.llvm.org/
● Archlinux
– https://www.archlinux.org/
THANKS!

Skyfall flisol-campinas-2013

  • 1. Skyfall – web application vulnerability scanner, a fork of skipfish. Mauro Risonho de Paula Assumpção (firebits), mauro.risonho@gmail.com, http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
  • 2. Skyfall (ideas)?
    ● Google Open Source Jam 2013 – Brazil - SP
    ● 007 James Bond – Operation Skyfall
    ● 09/03/2013
    ● Web scanner
  • 4. Skyfall – on demand (architecture diagram): a frontend (labelled 32Ram) dispatches scans of www.example.com, www.tes1.com and www.ext2.com to separate Skyfall instances (Skyfall01, Skyfall02, Skyfall03, each labelled 32Ram), with REPORTS switched ON or OFF per instance and the DATABASE reached over SSH.
  • 5. Skyfall – Features
    ● High performance:
      – 500+ requests per second against responsive Internet targets
      – 2000+ requests per second on LAN / MAN networks
      – 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
  • 7. Skyfall – Features
    ● This can be attributed to:
      – A multiplexing, single-threaded, fully asynchronous network I/O and data processing model that eliminates the memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
      – Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
  • 8. Skyfall – Features
    ● This can be attributed to:
      – Smart response caching and advanced server behavior heuristics, used to minimize unnecessary traffic.
      – A performance-oriented, pure C implementation, including a custom HTTP stack.
  • 9. Skyfall – Features
    ● Ease of use: Skyfall is highly adaptive and reliable. The scanner features:
      – Heuristic recognition of obscure path- and query-based parameter handling schemes.
      – Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
  • 10. Skyfall – Features
    ● Ease of use: Skyfall is highly adaptive and reliable. The scanner features:
      – Automatic wordlist construction based on site content analysis.
      – Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
  • 11. Skyfall – Features
    ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
      – Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
      – Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
  • 12. Skyfall – Features
    ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
      – Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content issues, MIME- and charset mismatches, incorrect caching directives, etc.
  • 13. Skyfall – Features
    ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
      – Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
  • 14. Skyfall – Features
    ● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
      – Snort-style content signatures which will highlight server errors, information leaks or potentially dangerous web applications.
      – Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
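The two mechanisms on slide 14, as an added example that is neither Skyfall's nor skipfish's own code: Snort-style content signatures matched against response bodies, followed by report post-processing that groups hits by repetitive path patterns so the same server error on many numbered URLs is reported once. The signature patterns, paths and response bodies are constructed here and are assumptions, not the scanner's dictionary.

```python
import re
from collections import defaultdict

# Constructed signature table in the spirit of Snort content rules (assumption,
# not the real skipfish/Skyfall signatures): name -> compiled byte pattern.
SIGNATURES = {
    "php-warning": re.compile(rb"<b>(Warning|Fatal error|Notice)</b>:\s+.* on line \d+"),
    "java-stacktrace": re.compile(rb"\bat [\w$.]+\([\w]+\.java:\d+\)"),
    "sql-error": re.compile(rb"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\["),
    "path-leak": re.compile(rb"(/var/www/|/home/\w+/|[A-Z]:\\inetpub\\)"),
}

def match_signatures(body: bytes) -> list[str]:
    """Return the names of every content signature that fires on a response body."""
    return [name for name, pat in SIGNATURES.items() if pat.search(body)]

def normalize_path(path: str) -> str:
    """Collapse numeric and long hex segments so /item/17 and /item/42 fall into one group."""
    return "/".join("<n>" if re.fullmatch(r"[0-9a-fA-F]{8,}|\d+", seg) else seg
                    for seg in path.split("/"))

def postprocess(findings):
    """Report post-processing: one entry per (signature, normalized path), with a hit count."""
    groups = defaultdict(list)
    for path, sig in findings:
        groups[(sig, normalize_path(path))].append(path)
    return {key: {"count": len(paths), "sample": paths[0]} for key, paths in groups.items()}

# Constructed sample of crawled (path, body) pairs: two numbered pages leak the same
# PHP warning and filesystem path, one page dumps a Java stack trace, one is clean.
SAMPLE_RESPONSES = [
    ("/item/17", b"<html><b>Warning</b>: mysql_fetch_array() expects parameter 1 in /var/www/app/item.php on line 42</html>"),
    ("/item/42", b"<html><b>Warning</b>: mysql_fetch_array() expects parameter 1 in /var/www/app/item.php on line 42</html>"),
    ("/search", b"<pre>java.lang.NullPointerException\n\tat com.example.Search.run(Search.java:88)</pre>"),
    ("/about", b"<html><body>Nothing to see here</body></html>"),
]

def scan(responses):
    """Run the signatures over every response, then de-duplicate the raw findings."""
    findings = []
    for path, body in responses:
        for sig in match_signatures(body):
            findings.append((path, sig))
    return postprocess(findings)

if __name__ == "__main__":
    for (sig, pattern), info in scan(SAMPLE_RESPONSES).items():
        print(f"{sig:16} {pattern:20} x{info['count']} (e.g. {info['sample']})")
```

Four raw hits on the two /item/ pages collapse into two reported groups, which is the noise reduction the slide describes.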
  • 15. Skyfall – Features
    ● What specific tests are implemented?
      – High risk flaws (potentially leading to system compromise):
        ● Server-side query injection (including blind vectors, numerical parameters).
        ● Explicit SQL-like syntax in GET or POST parameters.
  • 16. Skyfall – Features
    ● What specific tests are implemented?
      – High risk flaws (potentially leading to system compromise):
        ● Server-side shell command injection (including blind vectors).
        ● Server-side XML / XPath injection (including blind vectors).
  • 17. Skyfall – Features
    ● What specific tests are implemented?
      – High risk flaws (potentially leading to system compromise):
        ● Format string vulnerabilities.
        ● Integer overflow vulnerabilities.
        ● Locations accepting HTTP PUT.
  • 18. Skyfall – Features
    ● What specific tests are implemented?
      – Medium risk flaws (potentially leading to data compromise):
        ● Stored and reflected XSS vectors in document body (minimal JS XSS support).
        ● Stored and reflected XSS vectors via HTTP redirects.
        ● Stored and reflected XSS vectors via HTTP header splitting.
  • 19. Skyfall – Features
    ● What specific tests are implemented?
      – Medium risk flaws (potentially leading to data compromise):
        ● Directory traversal / LFI / RFI (including constrained vectors).
        ● Assorted file POIs (server-side sources, configs, etc.).
        ● Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  • 20. Skyfall – Features
    ● What specific tests are implemented?
      – Medium risk flaws (potentially leading to data compromise):
        ● External untrusted script and CSS inclusion vectors.
        ● Mixed content problems on script and CSS resources (optional).
        ● Password forms submitting from or to non-SSL pages (optional).
  • 21. Skyfall – Features
    ● What specific tests are implemented?
      – Medium risk flaws (potentially leading to data compromise):
        ● Incorrect or missing MIME types on renderables.
        ● Generic MIME types on renderables.
        ● Incorrect or missing charsets on renderables.
        ● Conflicting MIME / charset info on renderables.
        ● Bad caching directives on cookie setting responses.
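The MIME, charset and caching checks listed on slides 12 and 21 are passive: they need only the response as the server sent it, with no probing. As an added example that is not part of the deck or of skipfish, the Python below runs those checks over constructed raw HTTP responses; the finding names, the list of "generic" types and the HTML sniffing rule are assumptions.

```python
import re

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lowercased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

# Assumed set of MIME types a scanner would call "generic" for an HTML body.
GENERIC_TYPES = {"application/octet-stream", "text/plain", "application/unknown"}

def looks_like_html(body: bytes) -> bool:
    """Cheap renderable sniff (assumption): HTML-ish markup near the start of the body."""
    return re.search(rb"<(html|!doctype|body|script)\b", body[:512], re.I) is not None

def audit_response(raw: bytes) -> list[str]:
    """Passive checks on one response; returns the findings from slides 12 and 21 that apply."""
    _status, headers, body = parse_response(raw)
    findings = []
    ctype = headers.get("content-type", [""])[0].lower()
    mime, _, params = ctype.partition(";")
    mime = mime.strip()
    m = re.search(r"charset=\"?([\w-]+)", params)
    header_charset = m.group(1).lower() if m else None
    if looks_like_html(body):
        if not mime:
            findings.append("missing MIME type on renderable")
        elif mime in GENERIC_TYPES:
            findings.append("generic MIME type on renderable")
        elif not mime.startswith("text/") and mime != "application/xhtml+xml":
            findings.append("incorrect MIME type on renderable")
        if header_charset is None:
            findings.append("missing charset on renderable")
        # Conflict check: header charset versus the document's own <meta charset>.
        meta = re.search(rb"<meta[^>]+charset=[\"']?([\w-]+)", body, re.I)
        if meta and header_charset and meta.group(1).decode().lower() != header_charset:
            findings.append("conflicting MIME / charset info")
    # A response that sets a cookie should not be cacheable by shared caches.
    if "set-cookie" in headers:
        cc = " ".join(headers.get("cache-control", [])).lower()
        if "no-store" not in cc and "private" not in cc:
            findings.append("bad caching directive on cookie-setting response")
    return findings
```

A clean response (text/html with a charset, Set-Cookie paired with Cache-Control: private, no-store) yields an empty list; the checks fire independently, so one sloppy response can produce several findings.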
  • 23. Skyfall – Features
    ● What specific tests are implemented?
      – Internal warnings:
        ● Failed resource fetch attempts.
        ● Exceeded crawl limits.
        ● Failed 404 behavior checks.
        ● IPS filtering detected.
        ● Unexpected response variations.
        ● Seemingly misclassified crawl nodes.
  • 24. Skyfall – Features
    ● What specific tests are implemented?
      – Non-specific informational entries:
        ● General SSL certificate information.
        ● Significantly changing HTTP cookies.
        ● Changing Server, Via, or X-... headers.
        ● New 404 signatures.
        ● Resources that cannot be accessed.
        ● Resources requiring HTTP authentication.
  • 25. Skyfall – Features
    ● What specific tests are implemented?
      – Non-specific informational entries:
        ● Broken links.
        ● Server errors.
        ● All external links not classified otherwise (optional).
        ● All external e-mails (optional).
        ● All external URL redirectors (optional).
        ● Links to unknown protocols.
  • 26. Skyfall – Features
    ● What specific tests are implemented?
      – Non-specific informational entries:
        ● Form fields that could not be autocompleted.
        ● Password entry forms (for external brute-force).
        ● File upload forms.
        ● Other HTML forms (not classified otherwise).
        ● Numerical file names (for external brute-force).
        ● User-supplied links otherwise rendered on a page.
  • 27. Skyfall – Features
    ● What specific tests are implemented?
      – Non-specific informational entries:
        ● Incorrect or missing MIME type on less significant content.
        ● Generic MIME type on less significant content.
        ● Incorrect or missing charset on less significant content.
        ● Conflicting MIME / charset information on less significant content.
        ● OGNL-like parameter passing conventions.
  • 29. Skyfall – Demo: OS = 31 Mb RAM + Skyfall = 1MB
  • 31. Skyfall – ToDo
    ● Database: SQLite3 in memory
    ● Database: SQLite3 on disk (HD)
    ● GUI: Qt / web frontend (light web server + HTML tags)
    ● Reports: HTML, PDF (libharu), DOCX, XML
    ● More MIME types
    ● Multi-scanning of URLs
    ● Scanning plugins for Joomla, WP, Drupal
    ● Brute-force CAPTCHA
  • 32. Skyfall – References
    ● skyfallsec – https://bitbucket.org/skyfallsec
    ● skipfish – http://code.google.com/p/skipfish/
    ● GCC – http://gcc.gnu.org/
    ● Clang – http://clang.llvm.org/
    ● Arch Linux – https://www.archlinux.org/