1. Skyfall
web application vulnerability scanner
a skipfish fork
Mauro Risonho de Paula Assumpção
firebits
mauro.risonho@gmail.com
http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
2. ● Google Open Source Jam 2013 – Brazil - SP
● 007 James Bond – Operation Skyfall
● 09/03/2013
● Web scanner
Skyfall (Ideas)?
4. Skyfall – on demand (architecture diagram; only its labels survive extraction): scanner instances Skyfall01, Skyfall02 and Skyfall023, each labelled 32Ram and assigned one target (www.example.com, www.tes1.com, www.ext2.com); a frontend listing all three targets; further Skyfall02 instances for www.tes1.com; REPORTS with ON/OFF switches; DATABASE ->SSH.
5. Skyfall – Features
● High performance:
– 500+ requests per second against responsive Internet targets
– 2000+ requests per second on LAN / MAN networks
– 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
6.
7. Skyfall – Features
● This can be attributed to:
– Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
– Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
8. Skyfall – Features
● This can be attributed to:
– Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
– Performance-oriented, pure C implementation, including a custom HTTP stack.
9. Skyfall – Features
● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
– Heuristic recognition of obscure path- and query-based parameter handling schemes.
– Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules.
10. Skyfall – Features
● Ease of use: skyfall is highly adaptive and reliable. The scanner features:
– Automatic wordlist construction based on site content analysis.
– Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
11. Skyfall – Features
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
– Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
12. Skyfall – Features
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Ratproxy-style logic is used to spot subtle security problems:
● cross-site request forgery, cross-site script inclusion, mixed content issues, MIME and charset mismatches, incorrect caching directives, etc.
13. Skyfall – Features
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Bundled security checks are designed to handle tricky scenarios:
● stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
14. Skyfall – Features
● Well-designed security checks: the tool is meant to provide accurate and meaningful results:
– Snort-style content signatures that highlight server errors, information leaks or potentially dangerous web applications.
– Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
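Report post-processing of the kind the last bullet describes, as an added example in Python that is not Skyfall or skipfish code: findings are grouped by issue, normalized URL pattern and response fingerprint, and a group that repeats across many URLs is collapsed into one entry with a count. The URL normalization rule, the fingerprint strings and the sample findings are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Path segments that are really identifiers: all digits, or a long hex-looking token.
NUMERIC = re.compile(r"^\d+$")
HEXISH = re.compile(r"^[0-9a-f]{8,}$", re.I)

def normalize_url(url):
    # /item/17?sid=ab12cd34 and /item/42?sid=ff00ff00 map to the same pattern key.
    parts = urlsplit(url)
    segs = ["{id}" if NUMERIC.match(s) or HEXISH.match(s) else s for s in parts.path.split("/")]
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}={{v}}" for k in keys)
    return parts.netloc + "/".join(segs) + (f"?{query}" if query else "")

def collapse_findings(findings, min_repeats=3):
    # findings: (issue, url, response_fingerprint) triples. A group of at least
    # min_repeats distinct URLs that share one issue, one URL pattern and one
    # response fingerprint is almost certainly a single server behaviour, so it
    # is reported once with a count instead of once per URL.
    groups = defaultdict(set)
    for issue, url, fingerprint in findings:
        groups[(issue, normalize_url(url), fingerprint)].add(url)
    report = []
    for (issue, pattern, fingerprint), urls in groups.items():
        urls = sorted(urls)
        if len(urls) >= min_repeats:
            report.append({"issue": issue, "pattern": pattern, "count": len(urls),
                           "collapsed": True, "example": urls[0]})
        else:
            report.extend({"issue": issue, "pattern": pattern, "count": 1,
                           "collapsed": False, "example": u} for u in urls)
    return report

# Constructed sample findings (not real scanner output): a catch-all error page
# makes every numeric product id look like a separate "server error", while the
# login page finding stands on its own.
SAMPLE_FINDINGS = [
    ("server error", "http://www.example.com/product/101", "fp:err-page"),
    ("server error", "http://www.example.com/product/102", "fp:err-page"),
    ("server error", "http://www.example.com/product/103", "fp:err-page"),
    ("server error", "http://www.example.com/product/104", "fp:err-page"),
    ("missing charset", "http://www.example.com/login", "fp:login"),
]
```

Running `collapse_findings(SAMPLE_FINDINGS)` turns the four "server error" hits into one entry with `count` 4 and leaves the login finding as is.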
15. Skyfall – Features
● What specific tests are implemented?
– High risk flaws (potentially leading to system compromise):
● Server-side query injection (including blind vectors, numerical parameters).
● Explicit SQL-like syntax in GET or POST parameters.
16. Skyfall – Features
● What specific tests are implemented?
– High risk flaws (potentially leading to system compromise):
● Server-side shell command injection (including blind vectors).
● Server-side XML / XPath injection (including blind vectors).
17. Skyfall – Features
● What specific tests are implemented?
– High risk flaws (potentially leading to system compromise):
● Format string vulnerabilities.
● Integer overflow vulnerabilities.
● Locations accepting HTTP PUT.
18. Skyfall – Features
● What specific tests are implemented?
– Medium risk flaws (potentially leading to data compromise):
● Stored and reflected XSS vectors in document body (minimal JS XSS support).
● Stored and reflected XSS vectors via HTTP redirects.
● Stored and reflected XSS vectors via HTTP header splitting.
19. Skyfall – Features
● What specific tests are implemented?
– Medium risk flaws (potentially leading to data compromise):
● Directory traversal / LFI / RFI (including constrained vectors).
● Assorted file POIs (server-side sources, configs, etc).
● Attacker-supplied script and CSS inclusion vectors (stored and reflected).
20. Skyfall – Features
● What specific tests are implemented?
– Medium risk flaws (potentially leading to data compromise):
● External untrusted script and CSS inclusion vectors.
● Mixed content problems on script and CSS resources (optional).
● Password forms submitting from or to non-SSL pages (optional).
21. Skyfall – Features
● What specific tests are implemented?
– Medium risk flaws (potentially leading to data compromise):
● Incorrect or missing MIME types on renderables.
● Generic MIME types on renderables.
● Incorrect or missing charsets on renderables.
● Conflicting MIME / charset info on renderables.
● Bad caching directives on cookie setting responses.
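The MIME, charset and caching checks listed here and on slide 12, as an added example in Python that is not Skyfall or skipfish code: a passive check over one response's headers and leading body bytes that flags a missing or generic Content-Type on HTML-looking content, a missing charset, a header/meta charset conflict, and a cookie-setting response without no-store or private. The sets of generic and renderable types, the meta-charset regex and the sample responses are assumptions constructed for the example.

```python
import re
# Content-Types that say nothing useful about what the browser will render.
GENERIC_TYPES = {"application/octet-stream", "text/plain", "application/unknown"}
# Renderable markup types, where a missing or conflicting charset matters.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}
META_CHARSET = re.compile(rb'<meta[^>]+charset=["\']?([\w-]+)', re.I)

def parse_content_type(value):
    # 'text/html; charset=UTF-8' -> ('text/html', 'utf-8'); (None, None) if absent.
    if not value:
        return None, None
    mime, _, params = value.partition(";")
    charset = None
    for param in params.split(";"):
        name, _, val = param.strip().partition("=")
        if name.strip().lower() == "charset":
            charset = val.strip().strip('"').lower()
    return mime.strip().lower() or None, charset

def check_response(headers, body):
    # headers: dict with lower-cased names; body: leading bytes of the response.
    findings = []
    mime, charset = parse_content_type(headers.get("content-type"))
    html_body = body[:512].lstrip().lower().startswith((b"<!doctype html", b"<html"))
    if mime is None:
        findings.append("missing MIME type")
    elif mime in GENERIC_TYPES and html_body:
        findings.append("generic MIME type on renderable")
    if mime in RENDERABLE_TYPES or (mime is None and html_body):
        meta = META_CHARSET.search(body[:2048])
        meta_charset = meta.group(1).decode("ascii", "replace").lower() if meta else None
        if charset is None and meta_charset is None:
            findings.append("missing charset on renderable")
        elif charset and meta_charset and charset != meta_charset:
            findings.append(f"conflicting charset: header={charset} meta={meta_charset}")
    if "set-cookie" in headers:
        cache = headers.get("cache-control", "").lower()
        if not any(t in cache for t in ("no-store", "private")):
            findings.append("cookie-setting response lacks no-store/private")
    return findings

# Constructed sample responses (not captured traffic), keyed by what they exhibit.
SAMPLE_RESPONSES = {
    "no-charset": ({"content-type": "text/html"}, b"<html><body>hi</body></html>"),
    "conflict": ({"content-type": "text/html; charset=iso-8859-1"}, b'<meta charset="utf-8">'),
    "generic": ({"content-type": "application/octet-stream"}, b"<!DOCTYPE html><html></html>"),
    "cookie": ({"content-type": "text/html; charset=utf-8", "set-cookie": "sid=1",
                "cache-control": "public, max-age=600"}, b"<html></html>"),
}
```

Each entry in `SAMPLE_RESPONSES` produces exactly one finding when passed to `check_response`; a `text/html; charset=utf-8` response with no cookie produces none.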
24. Skyfall – Features
● What specific tests are implemented?
– Non-specific informational entries:
● General SSL certificate information.
● Significantly changing HTTP cookies.
● Changing Server, Via, or X-... headers.
● New 404 signatures.
● Resources that cannot be accessed.
● Resources requiring HTTP authentication.
25. Skyfall – Features
● What specific tests are implemented?
– Non-specific informational entries:
● Broken links.
● Server errors.
● All external links not classified otherwise (optional).
● All external e-mails (optional).
● All external URL redirectors (optional).
● Links to unknown protocols.
26. Skyfall – Features
● What specific tests are implemented?
– Non-specific informational entries:
● Form fields that could not be autocompleted.
● Password entry forms (for external brute-force).
● File upload forms.
● Other HTML forms (not classified otherwise).
● Numerical file names (for external brute-force).
● User-supplied links otherwise rendered on a page.
27. Skyfall – Features
● What specific tests are implemented?
– Non-specific informational entries:
● Incorrect or missing MIME type on less significant content.
● Generic MIME type on less significant content.
● Incorrect or missing charset on less significant content.
● Conflicting MIME / charset information on less significant content.
● OGNL-like parameter passing conventions.