STS Scanner Tutorial

             By Jordan Del-Grande




Copyright © 2008 by Security Technology Science Pty Ltd
            www.securitytechscience.com
                                                          Page 1 of 13
Table of Contents
STS Scanner Tutorial.....................................................................................................1
  Preamble...................................................................................................................3
  Introduction..............................................................................................................3
  Installation................................................................................................................3
  The Assessment........................................................................................................4
     Reconnaissance ....................................................................................................4
     Enumeration..........................................................................................................7
     Testing..................................................................................................................7
     Reviewing the Results...........................................................................................8
  Future Improvements................................................................................................9
Appendix A: STS-Scanner Report...............................................................................10
Company Details..........................................................................................................13
  About the Author....................................................................................................13
  Contact Information................................................................................................13




Preamble
This paper is a how-to on the correct usage of the STS Scanner. The tool is freely available
for download at http://www.securitytechscience.com/resources/. The information is made
available to educate testers on how to discover the vulnerabilities the scanner detects and
developers on how to avoid writing applications that contain these types of vulnerabilities.

All techniques in this paper were performed within the confines of the Security Technology
Science Testing Lab. Only test applications that you own directly or for which you have
written legal authorisation to test.

Introduction
The STS Scanner is specifically a web application scanner. It is not designed to replace the
penetration tester or the penetration test. It is a tool that should assist the penetration tester in
performing a vulnerability assessment/penetration test and hence is only one step of many in
the process.

With that said, the paper is organised in much the same fashion as the high-level steps in a
penetration test. It should not be mistaken for the be-all and end-all of a penetration test:
the other sections of a penetration test have been excluded in order to focus primarily on how
to use the STS Scanner. For a comprehensive guide on performing a penetration test see the
OWASP Testing Project, http://www.owasp.org/index.php/Category:OWASP_Testing_Project.

Installation
Step 1: Install Ruby
The STS Scanner has been completely written using the Ruby programming language.
Information on how to download and install Ruby can be found at
http://www.ruby-lang.org/en/downloads/.

Step 2: Install RubyGems
Note: For those using Windows, you can skip this step if you used the Ruby One-Click
Installer.

The scanner depends on one RubyGems library, so RubyGems itself is required.
Information on how to download and install RubyGems can be found at
http://rubygems.org/.

Step 3: Install Hpricot
Hpricot is a RubyGems library used for parsing HTML pages. Run the following from the
command line as a privileged user...
gem install hpricot --remote
Step 4: Run STS Scanner
To test that the installation was a success, run the STS Scanner from the command line.




Step 5: Check out the STS Scanner Options
Run ruby sts-scanner.rb --help




The Assessment
Now that some background context has been provided and you have installed the necessary
components, let's begin by performing a web application scan on the Security Technology
Science vulnerable web application, “OnlineBusiness”.

Three separate scans will in fact be run in order to ensure that the majority of the
application's attack surface is discovered. The scans can be categorised as follows...

    1. Reconnaissance Scan (Blind Scan) – Spider the site then scan
    2. Unauthenticated Scan – Manually crawl the site then scan
    3. Authenticated Scan – Manually crawl the site as an authenticated user then scan

Reconnaissance
As this is a black box assessment the only information provided to us is the URL of the
application to be tested: http://onlinebusiness.com.au/. Browsing to the site we see the
following page




Figure 1.0 – OnlineBusiness Home Page

At present we have gathered enough information to perform a reconnaissance/blind scan. We
have the URL and we can see that the application runs over HTTP on port 80.

We can kick off the sts-scanner to firstly spider the application and then perform the
appropriate tests by running the following command....
ruby sts-scanner.rb http://onlinebusiness.com.au
Starting the Web Crawler...
.
.
Web Crawler Complete!
Starting Application Scan => http://onlinebusiness.com.au
..
ALERT: Directory Listing Detected => GET /images/
.....
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body
=> GET /contacts.php
.....................
Application Scan Complete!
Compiling results...Done!




We will continue with the reconnaissance to ensure that the majority of the application's
attack surface is recognised. After all, there are certain pages the spider cannot yet reach,
such as those linked only from JavaScript and Ajax code. As such, we will launch Burp Suite
and begin manually crawling the application, logging all requests to a local file.

Firstly, configure your browser to proxy all requests locally over port 8080.




                                   Figure 1.1 – Set up proxy

Next, configure Burp Proxy to log all requests to a local file ‘onlinebusiness.burp’.




                            Figure 1.2 – Logging all requests locally

Finally, test that a request is passed through the Burp Proxy and begin the crawl of the entire
application.




                              Figure 1.3 – Burp Proxy Request


Enumeration
After crawling the website, we notice there is a ‘Login’ page, so we can assume there is a
section of this application that requires authentication, and the appropriate level of
authorisation, to be viewed. Leveraging the techniques in the “Application Username
Enumeration” whitepaper found at http://www.securitytechscience.com/resources/, we discover
a username of ‘10006’ and a password of ‘password’, with the application using cookies to
track user sessions.

We now log into the application with these credentials, create a new Burp log file called
‘onlinebusiness-authenticated.burp’ and perform the crawl again. Note: we are careful not to
click on any logout or change-password links.

Testing
We can now begin the unauthenticated scan of the application. It is simply a matter of
providing the sts-scanner with the location of the Burp log file...
ruby sts-scanner.rb --log onlinebusiness.burp http://onlinebusiness.com.au

Next we need to perform the authenticated scan of the application. As we now know the
application uses cookies to track user sessions, we need to use Burp Proxy in order to view
the session cookie. Log into the application, then make sure the ‘intercept is on’ button is
enabled within Burp Proxy. Click on any link or refresh the current page and look for the
session cookie.




Figure 1.4 – Session Cookie

Using the session cookie identified, and while still logged into the application, we can now
perform the authenticated scan...
ruby sts-scanner.rb --log onlinebusiness-authenticated.burp --cookie "sessionid=123456" http://onlinebusiness.com.au

Reviewing the Results
After every scan is complete, the sts-scanner produces several different files. They are...

    1. spider.log – log of all the spider's requests and responses
    2. scanner.log – log of all the scanner's requests and responses
    3. date-time-host.txt – text file of the attack surface and the vulnerabilities
       discovered

Note: For the sake of brevity we are only going to focus on the last file. The complete file is
located in Appendix A.

Section 1: Target
This section contains the target host the scanner tested. That is, http://onlinebusiness.com.au

** STS Web Application Scanner **
Target => http://onlinebusiness.com.au

Section 2: Crawl
This section contains the surface area the spider was able to identify.

** Crawling Target Site **

GET /

GET /images/glasses.jpg

GET /images/english.gif

GET /contacts.php

POST /contacts.php?postcode=
...

Section 3: Vulnerabilities
This section contains the vulnerabilities identified by the scan. Going from top to bottom
there is a directory listing, two cross-site scripting holes and one confirmed SQL injection,
for which the scanner identified the DBMS as MySQL and found that there are 5 varchar
columns in the table.

** Starting Application Scan **

ALERT: Directory Listing Detected => GET /images/

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
GET /contacts.php
user-agent: "><script>alert('Vulnerable');</script>

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
POST /contacts.php?postcode="><script>alert('Vulnerable');</script>

ALERT: MySQL Database Error Message Detected => POST /contacts.php?
postcode=te'st

ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR
%20'1'%3D'1'--

ALERT: Enumerated column number blind: 5 => POST /contacts.php?
postcode=1%20ORDER%20BY%206--

ALERT: Verified database type blind: mysql => POST /contacts.php?
postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM
%20information_schema.TABLES--

ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION
%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
...
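To make Section 3 easier to act on, the following Ruby script, added here as an example and not part of the paper or of the STS Scanner itself, parses a report in the layout shown above and in Appendix A: it uses the crawl entries as the untampered baseline to work out which parameter each ALERT injected into, collapses the several SQL alerts raised per injection point into one finding, and lists the attack-surface parameters that produced no alert at all. It assumes each ALERT is written on a single line (the wrapping above is PDF layout) and that a header-injection alert is followed by a `name: value` continuation line; the embedded report is a constructed excerpt.

```ruby
require 'cgi'

# Constructed excerpt of a "date-time-host.txt" report in the Appendix A layout,
# with the PDF line wrapping removed so each ALERT sits on one line.
SAMPLE_REPORT = <<~'REPORT'
  ** STS Web Application Scanner **
  Target => http://onlinebusiness.com.au
  ** Crawling Target Site **
  GET /contacts.php
  POST /contacts.php?postcode=
  POST /products.php?name=&description=&type=Stock
  ** Starting Application Scan **
  ALERT: Directory Listing Detected => GET /images/
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php
  user-agent: "><script>alert('Vulnerable');</script>
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
  ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
  ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
  ALERT: Directory Listing Detected => GET /database/
  ALERT: MySQL Database Error Message Detected => POST /products.php?name=te'st&description=&type=Stock
  ALERT: Column Enumeration Successful: 3 => POST /products.php?name=1'%20UNION%20ALL%20select%20null,null,null%20from%20information_schema.TABLES%20where%20'1'%3D'1&description=&type=Stock
  ** Scan Finished **
  = GET/POST Parameter =
  POST /contacts.php+postcode
  POST /login.php+login+password
  POST /products.php+name+description+type
  ** End of Attack Surface **
REPORT

Alert = Struct.new(:raw_type, :category, :verb, :path, :params, :header)

# Collapse the scanner's free-text alert names into a few vulnerability classes.
def classify(raw_type)
  case raw_type
  when /Directory Listing/i    then :directory_listing
  when /Cross-Site Scripting/i then :xss
  when /Database Error/i       then :sql_error
  when /SQL Injection|Column|Database Type|Data Types/i then :sql_injection
  else :other
  end
end

# "POST /contacts.php?postcode=te'st" -> ["POST", "/contacts.php", {"postcode"=>"te'st"}]
def parse_request(request)
  verb, target = request.split(' ', 2)
  path, query = target.split('?', 2)
  [verb, path, CGI.parse(query.to_s).transform_values { |v| v.first.to_s }]
end

# Walk the report once, tracking which section the current line belongs to.
def parse_report(text)
  report = { target: nil, crawl: [], alerts: [], surface: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if (m = line.match(/\ATarget => (\S+)/))        then report[:target] = m[1]
    elsif line == '** Crawling Target Site **'      then section = :crawl
    elsif line == '** Starting Application Scan **' then section = :scan
    elsif line == '= GET/POST Parameter ='          then section = :surface
    elsif line.start_with?('**', '==', '=')         then section = nil
    elsif section == :crawl                         then report[:crawl] << parse_request(line)
    elsif section == :scan && (m = line.match(/\AALERT: (.+?) => (.+)\z/))
      verb, path, params = parse_request(m[2])
      report[:alerts] << Alert.new(m[1], classify(m[1]), verb, path, params, nil)
    elsif section == :scan && (m = line.match(/\A([\w-]+): /)) && report[:alerts].last
      report[:alerts].last.header = m[1] # continuation line names the injected header
    elsif section == :surface
      verb, rest = line.split(' ', 2)
      path, *names = rest.split('+')
      names.each { |name| report[:surface] << [verb, path, name] }
    end
  end
  report
end

# The crawl entry for the same verb+path is the untampered baseline, so the
# injected parameter is whichever one the alert's request changed.
def injection_point(alert, baselines)
  return "header:#{alert.header}" if alert.header
  base = baselines.fetch([alert.verb, alert.path], {})
  changed = alert.params.keys.select { |k| alert.params[k] != base[k].to_s }
  changed.empty? ? nil : changed.join('+')
end

# One finding per injection point, plus the surface parameters that raised nothing.
def summarise(text)
  report = parse_report(text)
  baselines = report[:crawl].each_with_object({}) { |(v, p, q), h| h[[v, p]] = q }
  findings = {}
  report[:alerts].each do |a|
    key = [a.verb, a.path, injection_point(a, baselines)]
    findings[key] ||= []
    findings[key] << a.category unless findings[key].include?(a.category)
  end
  { target: report[:target], findings: findings,
    no_alerts: report[:surface].reject { |v, p, n| findings.key?([v, p, n]) } }
end
```

A parameter in `no_alerts` was exercised by the scanner without raising an alert; it is a candidate for manual testing, not a parameter proven safe.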



Future Improvements
The STS Scanner uses Mechanize and Hpricot to parse and spider HTML pages. These
libraries are not able to parse and identify JavaScript and/or Ajax code. A separate version of
the STS Scanner is to be developed whose internal core does not rely on these libraries,
which will then become obsolete. The core shall act more like an everyday browser (i.e., IE,
Firefox, etc.) so that it can hopefully branch out into other applications such as Flash and
web services.

The testing modules are currently limited to performing only 3 types of tests (i.e., SQL
injection, XSS injection, directory indexing). These are to be expanded to incorporate more
injection tests such as CSRF, code execution, HTTP response splitting, etc.

The reporting functionality is to be updated to produce PDF files containing clickable links,
statistics and graphs.


Appendix A: STS-Scanner Report

** STS Web Application Scanner **
Target => http://onlinebusiness.com.au

** Crawling Target Site **
GET /
GET /images/glasses.jpg
GET /images/english.gif
GET /images/french.gif
GET /images/russian.gif
GET /contacts.php
POST /contacts.php?postcode=
GET /database/contacts.txt
GET /login.php
POST /login.php?login=&password=
GET /login.php?msg='Username%20does%20not%20exist'
POST /login.php?login=&password=
GET /logininformation.php
GET /products.php
POST /products.php?name=&description=&type=Stock
GET /index.php

** Crawling Complete **

** Starting Application Scan **
ALERT: Directory Listing Detected => GET /images/

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
GET /contacts.php
user-agent: "><script>alert('Vulnerable');</script>

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
POST /contacts.php?postcode="><script>alert('Vulnerable');</script>

ALERT: MySQL Database Error Message Detected => POST /contacts.php?
postcode=te'st

ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR
%20'1'%3D'1'--

ALERT: Enumerated column number blind: 5 => POST /contacts.php?
postcode=1%20ORDER%20BY%206--




ALERT: Verified database type blind: mysql => POST /contacts.php?
postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM
%20information_schema.TABLES--

ALERT: Enumerated data types blind => POST /contacts.php?
postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM
%20information_schema.TABLES--

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
POST /contacts.php?postcode=
user-agent: "><script>alert('Vulnerable');</script>

ALERT: Directory Listing Detected => GET /database/

ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
GET /login.php?msg="><script>alert('Vulnerable');</script>

ALERT: MySQL Database Error Message Detected => POST /products.php?
name=te'st&description=&type=Stock

ALERT: Possible SQL Injection Exploit => POST /products.php?name=1'%20OR
%20'1'%3D'1&description=&type=Stock

ALERT: Verified Database Type: mysql => POST /products.php?
name=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where
%20'1'%3D'1&description=&type=Stock

ALERT: Column Enumeration Successful: 3 => POST /products.php?
name=1'%20UNION%20ALL%20select%20null,null,null%20from
%20information_schema.TABLES%20where
%20'1'%3D'1&description=&type=Stock

ALERT: Enumerated data types => POST /products.php?name=1'%20UNION
%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES
%20where%20'1'%3D'1&description=&type=Stock

ALERT: MySQL Database Error Message Detected => POST /products.php?
name=&description=te'st&type=Stock

ALERT: Possible SQL Injection Exploit => POST /products.php?
name=&description=1'%20OR%20'1'%3D'1&type=Stock

ALERT: Verified Database Type: mysql => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH
%20where%20'1'%3D'1&type=Stock

ALERT: Column Enumeration Successful: 3 => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20null,null,null%20from
%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
ALERT: Enumerated data types => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20'b','b','b'%20from
%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock

** Scan Finished **

** Attack Surfaces **

== Parameter Attack Surface ==

= HTTP Client Header =
cookie
referer
user-agent

= GET/POST Parameter =
GET /login.php+msg
POST /contacts.php+postcode
POST /login.php+login+password
POST /products.php+name+description+type

== Directory Attack Surface ==
GET /
GET /database/
GET /images/

== File Attack Surface ==
GET /contacts.php
GET /database/contacts.txt
GET /index.php
GET /login.php
GET /logininformation.php
GET /products.php

** End of Attack Surface **




Company Details

About the Author
Jordan Del-Grande, Director and Principal Consultant at Security Technology Science, has
several years of successful management and consulting experience performing Information
Security and Risk Management services in predominantly financial organisations. Prior to
Security Technology Science, he spent several years as a consultant with Ernst & Young and
the Advanced Security Center.

Contact Information

   Company Name:                 Security Technology Science Pty Ltd
   Email:                        info@securitytechscience.com
   Web Site:                     www.securitytechscience.com





 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

sts-scanner_tutorial

  • 1. STS Scanner Tutorial By Jordan Del-Grande Copyright © 2008 by Security Technology Science Pty Ltd www.securitytechscience.com Page 1 of 13
  • 2. Table of Contents STS Scanner Tutorial.....................................................................................................1 Preamble...................................................................................................................3 Introduction..............................................................................................................3 Installation................................................................................................................3 The Assessment........................................................................................................4 Reconnaissance ....................................................................................................4 Enumeration..........................................................................................................7 Testing..................................................................................................................7 Reviewing the Results...........................................................................................8 Future Improvements................................................................................................9 Appendix A: STS-Scanner Report...............................................................................10 Company Details..........................................................................................................13 About the Author....................................................................................................13 Contact Information................................................................................................13 Copyright © 2008 by Security Technology Science Pty Ltd www.securitytechscience.com Page 2 of 13
Preamble

This paper is a how-to on the correct usage of the STS Scanner. The tool is freely available for download at http://www.securitytechscience.com/resources/. The information is made available to educate testers on how to discover these vulnerabilities and developers on how to prevent writing applications that contain these types of vulnerabilities. All techniques in this paper were performed within the confines of the Security Technology Science Testing Lab. Only test on applications that are either under your direct ownership or for which you have written legal authorisation to test.

Introduction

The STS Scanner is specifically a web application scanner. It is not designed to replace the penetration tester or the penetration test. It is a tool that should assist the penetration tester in performing a vulnerability assessment/penetration test and hence is only one step of many in the process. With that said, the paper is organised in much the same fashion as the high level steps in a penetration test. It should not be mistaken that this is the be all and end all of the penetration test. The other sections of a penetration test have been excluded in order to focus primarily on how to use the STS Scanner. For a comprehensive guide on performing a penetration test see the OWASP Testing Project: http://www.owasp.org/index.php/Category:OWASP_Testing_Project.

Installation

Step 1: Install Ruby

The STS Scanner has been completely written using the Ruby programming language. Information on how to download and install Ruby can be found at http://www.ruby-lang.org/en/downloads/.

Step 2: Install RubyGems

Note: For those using Windows, you can skip this step if you used the Ruby One-Click Installer. There is one RubyGems library which is needed and as such RubyGems is necessary. Information on how to download and install RubyGems can be found at http://rubygems.org/.

Step 3: Install Hpricot

Hpricot is a RubyGems library used for parsing HTML pages. Run the following from the command line as a privileged user...

  gem install hpricot --remote

Step 4: Run STS Scanner

To test that the installation was a success, run the STS Scanner from the command line.
Step 5: Check out the STS Scanner Options

Run

  ruby sts-scanner.rb --help

The Assessment

Now that some background contextual information has been provided and you have installed the necessary components, let's begin by performing a web application scan on the Security Technology Science vulnerable web application, "OnlineBusiness". There will in fact be 3 separate scans run in order to ensure that the majority of the application's attack surface area is completely discovered. The scans can be categorised as follows...

1. Reconnaissance Scan (Blind Scan) – Spider the site then scan
2. Unauthenticated Scan – Manually crawl the site then scan
3. Authenticated Scan – Manually crawl the site as an authenticated user then scan

Reconnaissance

As this is a black box assessment the only information provided to us is the URL of the application to be tested: http://onlinebusiness.com.au/. Browsing to the site we see the following page.
Figure 1.0 – OnlineBusiness Home Page

At present we have gathered enough information to perform a reconnaissance/blind scan. We have the URL and we can see that the application runs over HTTP on port 80. We can kick off the sts-scanner to firstly spider the application and then perform the appropriate tests by running the following command...

  ruby sts-scanner.rb http://onlinebusiness.com.au

  Starting the Web Crawler...
  .
  .
  Web Crawler Complete!
  Starting Application Scan => http://onlinebusiness.com.au
  h ..
  ALERT: Directory Listing Detected => GET /images/
  .....
  ALERT: Cross-Site Scripting Vulnerability Detected in Repsonse Body => GET /contacts.php
  .....................
  Application Scan Complete!
  Compiling results...Done!
We will continue on with the reconnaissance to ensure that the majority of the application's attack surface area is completely recognised. After all, there are certain pages that the spider cannot yet recognise, such as pages reached only through JavaScript and Ajax code. As such, we will launch Burp Suite and begin manually crawling the application, logging all requests to a local file.

Firstly, configure your browser to proxy all requests locally over port 8080.

Figure 1.1 – Set up proxy

Next, configure Burp Proxy to log all requests to a local file 'onlinebusiness.burp'.

Figure 1.2 – Logging all requests locally
Finally, test that a request is passed through the Burp Proxy and begin the crawl of the entire application.

Figure 1.3 – Burp Proxy Request

Enumeration

After crawling the website, we notice there is a 'Login' page, so we can assume there is a section of this application that requires authentication and the appropriate levels of authorisation to be viewed. Leveraging the "Application Username Enumeration" whitepaper techniques found here http://www.securitytechscience.com/resources/, we discover a user name of '10006' and password of 'password', with the application using cookies to track user sessions. We now use these credentials to log into the application, create a new Burp log file called 'onlinebusiness-authenticated.burp' and perform the crawl again. Note: We are careful not to click on any logout or change password links.

Testing

We can now begin the unauthenticated scan of the application. It's a simple matter of providing the sts-scanner with the Burp file location...

  ruby sts-scanner.rb --log onlinebusiness.burp http://onlinebusiness.com.au

Next we need to perform the authenticated scan of the application. As we now know the application uses cookies to track user sessions, we need to use Burp Proxy in order to view the session cookie. Log into the application and then make sure the 'intercept is on' button is enabled within Burp Proxy. Click on any link or perform a refresh of the current page and look for the session cookie.
Figure 1.4 – Session Cookie

Using the session cookie identified, and still remaining logged into the application, we can now perform the authenticated scan...

  ruby sts-scanner.rb --log onlinebusiness-authenticated.burp --cookie "sessionid=123456" http://onlinebusiness.com.au

Reviewing the Results

After every scan is complete, the sts-scanner produces several different files. They are...

1. spider.log – log of all the spider's requests and responses
2. scanner.log – log of all the scanner's requests and responses
3. date-time-host.txt – text file of the attack surface area and the vulnerabilities discovered

Note: For the sake of brevity we are only going to focus on the last file. The complete file is located in Appendix A.

Section 1: Target

This section contains the target host the scanner tested. That is, http://onlinebusiness.com.au

  ** STS Web Application Scanner **
  Target => http://onlinebusiness.com.au

Section 2: Crawl

This section contains the surface area the spider was able to identify.

  ** Crawling Target Site **
  GET /
  GET /images/glasses.jpg
  GET /images/english.gif
  GET /contacts.php
  POST /contacts.php?postcode=
  ...

Section 3: Vulnerabilities

This section contains the identified vulnerabilities from the scan. Going from top to bottom there is a directory listing identified, two cross-site scripting holes and one definite SQL injection, where the scanner identified the DBMS as MySQL and that there are 5 varchar columns in the table.

  ** Starting Application Scan **
  ALERT: Directory Listing Detected => GET /images/
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php user-agent: "><script>alert('Vulnerable');</script>
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
  ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
  ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
  ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
  ALERT: Verified database type blind: mysql => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM%20information_schema.TABLES--
  ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
  ...

Future Improvements

The STS Scanner uses Mechanize and Hpricot to parse and spider HTML pages. These libraries are not able to parse and identify JavaScript and/or Ajax code. A separate version of the STS Scanner is to be developed where the internal core does not rely on these libraries and they shall become obsolete. The core shall act more like an everyday browser (i.e., IE, Firefox, etc.) so it can hopefully branch out into other applications such as Flash and web services. The testing modules are currently limited to performing only 3 types of tests (i.e., SQL injection, XSS injection, directory indexing). These are to be expanded to incorporate more injection tests such as CSRF, code execution, HTTP response splitting, etc. The reporting functionality is to be updated to produce PDF files containing clickable links, statistics and graphs.
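As an added example (not code from the STS Scanner or from Security Technology Science), the following Ruby shows what two of the scanner's alert classes amount to in code: an unencoded-reflection check behind "Cross-Site Scripting Vulnerability Detected in Response Body" and an error-signature match behind "MySQL Database Error Message Detected", placed beside the output-encoding and generic-error-page changes that make each alert disappear. The rendering functions, the error-signature list and the response bodies are constructed for this example; only the marker payload is taken from the report above.

```ruby
require "erb"

# Payload marker exactly as it appears in the report's ALERT lines.
MARKER = %q{"><script>alert('Vulnerable');</script>}

XSS_ALERT       = "Cross-Site Scripting Vulnerability Detected in Response Body"
SQL_ERROR_ALERT = "MySQL Database Error Message Detected"

# Error-message signatures that tell a reader which DBMS sits behind the page.
# The first is MySQL's own syntax-error text; the others are what PHP's legacy
# mysql_* functions print. This list is an assumption for the example, not the
# scanner's actual signature list.
MYSQL_ERROR_PATTERNS = [
  /You have an error in your SQL syntax/i,
  /Warning: mysql_/i,
  /supplied argument is not a valid MySQL/i,
].freeze

# True when the injected marker comes back byte-for-byte (unencoded), which is
# what "Detected in Response Body" means. The injection point (a query
# parameter or a client header such as User-Agent) does not change the check.
def reflected_unescaped?(body, marker = MARKER)
  body.include?(marker)
end

def mysql_error?(body)
  MYSQL_ERROR_PATTERNS.any? { |re| body.match?(re) }
end

# Two renderings of the contacts page echoing the postcode field back.
# Vulnerable: the raw parameter lands inside an attribute value.
def render_vulnerable(postcode)
  "<input type=\"text\" name=\"postcode\" value=\"#{postcode}\">"
end

# Hardened: HTML-encode on output, so \" < > & ' become entities and the
# marker can no longer close the attribute or open a script element.
def render_hardened(postcode)
  "<input type=\"text\" name=\"postcode\" value=\"#{ERB::Util.html_escape(postcode)}\">"
end

# Hardened error handling for the SQL case: keep the DBMS detail in the
# server-side log and send the client a generic page with a correlation number.
def safe_error_page(exception, server_log)
  server_log << exception.message
  "<p>An internal error occurred. Reference #{server_log.size}.</p>"
end

# Classify one response body the way the report's ALERT lines do.
def classify(body)
  alerts = []
  alerts << XSS_ALERT       if reflected_unescaped?(body)
  alerts << SQL_ERROR_ALERT if mysql_error?(body)
  alerts
end

if __FILE__ == $PROGRAM_NAME
  # Constructed responses: the contacts page before and after the fix, a raw
  # MySQL error page, and the generic page that replaces it.
  log = []
  puts classify(render_vulnerable(MARKER)).inspect
  puts classify(render_hardened(MARKER)).inspect
  puts classify("Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource").inspect
  puts classify(safe_error_page(RuntimeError.new("You have an error in your SQL syntax"), log)).inspect
end
```

The point of putting both halves side by side is that the scanner's check is purely observational: it only looks at what comes back, so the fix is entirely on the output side (encode on render, never echo the DBMS's own text to the client), and the same response check can be re-run after the fix to confirm the alert is gone.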
Appendix A: STS-Scanner Report

** STS Web Application Scanner **
Target => http://onlinebusiness.com.au

** Crawling Target Site **
GET /
GET /images/glasses.jpg
GET /images/english.gif
GET /images/french.gif
GET /images/russian.gif
GET /contacts.php
POST /contacts.php?postcode=
GET /database/contacts.txt
GET /login.php
POST /login.php?login=&password=
GET /login.php?msg='Username%20does%20not%20exist'
POST /login.php?login=&password=
GET /logininformation.php
GET /products.php
POST /products.php?name=&description=&type=Stock
GET /index.php
** Crawling Complete **

** Starting Application Scan **
ALERT: Directory Listing Detected => GET /images/
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php user-agent: "><script>alert('Vulnerable');</script>
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
ALERT: Verified database type blind: mysql => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM%20information_schema.TABLES--
ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode= user-agent: "><script>alert('Vulnerable');</script>
ALERT: Directory Listing Detected => GET /database/
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /login.php?msg="><script>alert('Vulnerable');</script>
ALERT: MySQL Database Error Message Detected => POST /products.php?name=te'st&description=&type=Stock
ALERT: Possible SQL Injection Exploit => POST /products.php?name=1'%20OR%20'1'%3D'1&description=&type=Stock
ALERT: Verified Database Type: mysql => POST /products.php?name=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where%20'1'%3D'1&description=&type=Stock
ALERT: Column Enumeration Successful: 3 => POST /products.php?name=1'%20UNION%20ALL%20select%20null,null,null%20from%20information_schema.TABLES%20where%20'1'%3D'1&description=&type=Stock
ALERT: Enumerated data types => POST /products.php?name=1'%20UNION%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES%20where%20'1'%3D'1&description=&type=Stock
ALERT: MySQL Database Error Message Detected => POST /products.php?name=&description=te'st&type=Stock
ALERT: Possible SQL Injection Exploit => POST /products.php?name=&description=1'%20OR%20'1'%3D'1&type=Stock
ALERT: Verified Database Type: mysql => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where%20'1'%3D'1&type=Stock
ALERT: Column Enumeration Successful: 3 => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20null,null,null%20from%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
ALERT: Enumerated data types => POST /products.php?name=&description=1'%20UNION%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
** Scan Finished **

** Attack Surfaces **
== Parameter Attack Surface ==
= HTTP Client Header =
cookie
referer
user-agent
= GET/POST Parameter =
GET /login.php+msg
POST /contacts.php+postcode
POST /login.php+login+password
POST /products.php+name+description+type
== Directory Attack Surface ==
GET /
GET /database/
GET /images/
== File Attack Surface ==
GET /contacts.php
GET /database/contacts.txt
GET /index.php
GET /login.php
GET /logininformation.php
GET /products.php
** End of Attack Surface **
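The report format is plain text with fixed "** ... **" and "== ... ==" markers, which makes it straightforward to parse for triage. The following Ruby script is an added example, not part of the STS Scanner: it reads a report in the Appendix A format, splits it into target, crawl, alert and attack-surface sections, and collapses the one-ALERT-per-payload output into distinct endpoints per finding type, which is usually what a reviewer wants first. The embedded SAMPLE_REPORT is an abbreviated excerpt of the Appendix A output so the script runs offline; the function and structure names are the example's own.

```ruby
# SAMPLE_REPORT: an excerpt of the Appendix A report (same line formats, fewer
# entries) embedded so the script runs without a scan.
SAMPLE_REPORT = <<~REPORT
  ** STS Web Application Scanner **
  Target => http://onlinebusiness.com.au
  ** Crawling Target Site **
  GET /
  GET /contacts.php
  POST /contacts.php?postcode=
  GET /login.php
  ** Crawling Complete **
  ** Starting Application Scan **
  ALERT: Directory Listing Detected => GET /images/
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php user-agent: "><script>alert('Vulnerable');</script>
  ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
  ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
  ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
  ALERT: Directory Listing Detected => GET /database/
  ** Scan Finished **
  ** Attack Surfaces **
  == Parameter Attack Surface ==
  = HTTP Client Header =
  cookie
  user-agent
  = GET/POST Parameter =
  POST /contacts.php+postcode
  == Directory Attack Surface ==
  GET /
  GET /database/
  ** End of Attack Surface **
REPORT

# One ALERT line: finding kind, HTTP method, path, query string (payload
# included) and, when the injection point was a client header, its name.
Alert = Struct.new(:kind, :method, :path, :query, :header)

ALERT_RE = /\AALERT: (?<kind>.+?) => (?<method>GET|POST) (?<url>\S+)(?: (?<header>[\w-]+): .*)?\z/

def parse_alert(line)
  m = ALERT_RE.match(line)
  return nil unless m
  path, query = m[:url].split("?", 2)
  Alert.new(m[:kind], m[:method], path, query, m[:header])
end

# Walk the report top to bottom, tracking which "** ... **" block we are in.
def parse_report(text)
  report = { target: nil, crawl: [], alerts: [], surface: Hash.new { |h, k| h[k] = [] } }
  section = nil
  surface_name = nil
  text.each_line(chomp: true) do |line|
    next if line.strip.empty?
    case line
    when /\ATarget => (\S+)/               then report[:target] = Regexp.last_match(1)
    when "** Crawling Target Site **"      then section = :crawl
    when "** Starting Application Scan **" then section = :scan
    when "** Attack Surfaces **"           then section = :surface
    when /\A\*\* (Crawling Complete|Scan Finished|End of Attack Surface) \*\*\z/ then section = nil
    when /\A(=+) (.+?) \1\z/               then surface_name = Regexp.last_match(2)
    else
      case section
      when :crawl then report[:crawl] << line
      when :scan
        alert = parse_alert(line)
        report[:alerts] << alert if alert
      when :surface then report[:surface][surface_name] << line
      end
    end
  end
  report
end

# The scanner prints one ALERT per payload, so a single hole shows up several
# times. Collapse to distinct endpoints per finding kind for triage.
def summarise(report)
  report[:alerts].group_by(&:kind).transform_values do |alerts|
    alerts.map { |a| a.header ? "#{a.method} #{a.path} [#{a.header}]" : "#{a.method} #{a.path}" }.uniq
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real date-time-host.txt as the first argument, or run on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  r = parse_report(text)
  puts "Target: #{r[:target]}  crawled: #{r[:crawl].size} requests  alerts: #{r[:alerts].size}"
  summarise(r).each { |kind, endpoints| puts "#{kind}: #{endpoints.join(', ')}" }
  r[:surface].each { |name, entries| puts "#{name}: #{entries.join(', ')}" }
end
```

Run as `ruby sts_report_triage.rb 2008-01-01-onlinebusiness.txt` (file name hypothetical) to summarise a real report; with no argument it parses the embedded excerpt. Keeping the header name on header-injected findings matters because the same path can be vulnerable through a parameter and through User-Agent, and the two need different fixes.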
Company Details

About the Author

Jordan Del-Grande, Director and Principal Consultant at Security Technology Science, has several years of successful management and consulting experience performing Information Security and Risk Management services in predominantly financial organisations. Prior to Security Technology Science, he spent several years as a consultant with Ernst & Young and the Advanced Security Center.

Contact Information

Company Name: Security Technology Science Pty Ltd
Email: info@securitytechscience.com
Web Site: www.securitytechscience.com