STS Scanner Tutorial
By Jordan Del-Grande
Copyright © 2008 by Security Technology Science Pty Ltd
www.securitytechscience.com
Page 1 of 13
Table of Contents
STS Scanner Tutorial ..... 1
Preamble ..... 3
Introduction ..... 3
Installation ..... 3
The Assessment ..... 4
  Reconnaissance ..... 4
  Enumeration ..... 7
  Testing ..... 7
  Reviewing the Results ..... 8
Future Improvements ..... 9
Appendix A: STS-Scanner Report ..... 10
Company Details ..... 13
  About the Author ..... 13
  Contact Information ..... 13
Preamble
This paper is a how-to on the correct usage of the STS Scanner. The tool is freely available
for download at http://www.securitytechscience.com/resources/. The information is made
available to educate testers on how to discover the vulnerabilities the scanner looks for, and
developers on how to avoid writing applications that contain these types of vulnerabilities.
All techniques in this paper were performed within the confines of the Security Technology
Science Testing Lab. Only test applications that are under your direct ownership or for which
you hold written legal authorisation to test.
Introduction
The STS Scanner is specifically a web application scanner. It is not designed to replace the
penetration tester or the penetration test; it is a tool that assists the tester in performing a
vulnerability assessment or penetration test, and is therefore only one step of many in that
process.
With that said, the paper is organised in much the same fashion as the high-level steps of a
penetration test. It should not be mistaken for the whole of a penetration test: the other
phases have been left out in order to focus on how to use the STS Scanner. For a
comprehensive guide to performing a penetration test see the OWASP Testing Project:
http://www.owasp.org/index.php/Category:OWASP_Testing_Project.
Installation
Step 1: Install Ruby
The STS Scanner is written entirely in the Ruby programming language. Information on how
to download and install Ruby can be found at http://www.ruby-lang.org/en/downloads/.
Step 2: Install RubyGems
Note: On Windows you can skip this step if you used the Ruby One-Click Installer.
One RubyGems library is needed, so RubyGems itself is necessary. Information on how to
download and install RubyGems can be found at http://rubygems.org/.
Step 3: Install Hpricot
Hpricot is a RubyGems library used for parsing HTML pages. Run the following from the
command line as a privileged user:
gem install hpricot --remote
The Future Improvements section also names Mechanize as a spidering dependency; if the
scanner fails to start with a missing-library error, install it the same way (gem install
mechanize).
Step 4: Run STS Scanner
To test that the installation was a success, run the STS Scanner from the command line.
Step 5: Check out the STS Scanner Options
Run ruby sts-scanner.rb --help
The Assessment
Now that some background has been provided and you have installed the necessary
components, let's begin by performing a web application scan of the Security Technology
Science vulnerable web application, "OnlineBusiness".
Three separate scans are run so that as much of the application's attack surface as possible
is discovered. The scans can be categorised as follows:
1. Reconnaissance Scan (Blind Scan) – spider the site, then scan
2. Unauthenticated Scan – manually crawl the site, then scan
3. Authenticated Scan – manually crawl the site as an authenticated user, then scan
Reconnaissance
As this is a black-box assessment the only information provided to us is the URL of the
application to be tested: http://onlinebusiness.com.au/. Browsing to the site we see the
following page.
Figure 1.0 – OnlineBusiness Home Page
At present we have gathered enough information to perform a reconnaissance/blind scan: we
have the URL and we can see that the application is served over plain HTTP on port 80.
We kick off the sts-scanner to first spider the application and then run its tests against
everything the spider found, with the following command:
ruby sts-scanner.rb http://onlinebusiness.com.au
Starting the Web Crawler...
.
.
Web Crawler Complete!
Starting Application Scan => http://onlinebusiness.com.au
..
ALERT: Directory Listing Detected => GET /images/
.....
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body
=> GET /contacts.php
.....................
Application Scan Complete!
Compiling results...Done!
We continue the reconnaissance to make sure that as much of the application's attack surface
as possible has been recognised. The spider cannot yet follow links that are generated by
JavaScript or Ajax calls, so we launch Burp Suite and crawl the application manually, logging
every request to a local file.
First, configure your browser to proxy all requests through localhost on port 8080, Burp's
default listener.
Figure 1.1 – Set up proxy
Next, configure Burp Proxy to log all requests to a local file, 'onlinebusiness.burp'.
Figure 1.2 – Logging all requests locally
Finally, confirm that a request passes through Burp Proxy and begin the crawl of the entire
application.
Figure 1.3 – Burp Proxy Request
Enumeration
After crawling the website we notice a 'Login' page, so we can assume there is a section of
the application that requires authentication, and the appropriate level of authorisation, to be
viewed. Using the techniques from the "Application Username Enumeration" whitepaper
found at http://www.securitytechscience.com/resources/, we discover a username of '10006'
and a password of 'password', and that the application uses cookies to track user sessions.
The crawl in Appendix A shows the kind of behaviour those techniques exploit: /login.php
answers with msg='Username does not exist', a message that tells an attacker which
usernames are valid before a single password has been guessed.
We now use these credentials to log into the application, create a new Burp log file called
'onlinebusiness-authenticated.burp' and perform the crawl again. Note: be careful not to click
on any logout or change-password links, since either would invalidate the session (or the
credentials) that the authenticated scan depends on.
Testing
We can now begin the unauthenticated scan of the application. It is a simple matter of giving
the sts-scanner the location of the Burp log file (run ruby sts-scanner.rb --help to confirm the
exact option syntax for your version):
ruby sts-scanner.rb log onlinebusiness.burp http://onlinebusiness.com.au
Next we need to perform the authenticated scan of the application. As we now know the
application uses cookies to track user sessions, we use Burp Proxy to view the session
cookie: log into the application, make sure the 'intercept is on' button is enabled within Burp
Proxy, click any link or refresh the current page, and look for the session cookie in the
intercepted request.
Figure 1.4 – Session Cookie
With the session cookie value in hand, and while still logged into the application (the cookie
is only useful while the server-side session it names is alive), we can now perform the
authenticated scan:
ruby sts-scanner.rb log onlinebusiness-authenticated.burp cookie "sessionid=123456" http://onlinebusiness.com.au
If the session expires, or the scanner follows a logout link that was captured in the log, the
remaining requests are answered as an unauthenticated user and the report shrinks to the
unauthenticated surface. Check scanner.log for responses that redirect to the login page
before trusting the authenticated results.
Reviewing the Results
After every scan completes, the sts-scanner produces several files:
1. spider.log – log of all the spider's requests and responses
2. scanner.log – log of all the scanner's requests and responses
3. date-time-host.txt – text file of the attack surface area and the vulnerabilities discovered
Note: For the sake of brevity we are only going to focus on the last file. The complete file is
located in Appendix A.
Section 1: Target
This section contains the target host the scanner tested. That is, http://onlinebusiness.com.au
** STS Web Application Scanner **
Target => http://onlinebusiness.com.au
Section 2: Crawl
This section contains the surface area the spider was able to identify.
** Crawling Target Site **
GET /
GET /images/glasses.jpg
GET /images/english.gif
GET /contacts.php
POST /contacts.php?postcode=
...
Section 3: Vulnerabilities
This section lists the vulnerabilities identified by the scan. Going from top to bottom of the
excerpt there is a directory listing on /images/, two cross-site scripting holes in /contacts.php
(one through the User-Agent header, one through the postcode parameter) and one confirmed
SQL injection in the postcode parameter. The alerts record how the scanner reached that
conclusion: a lone quote (te'st) provokes a MySQL error message; the tautology 1 OR '1'='1'
comes back without error, which on its own is only "possible" evidence; ORDER BY 6 fails
where ORDER BY 5 did not, so the query returns 5 columns; a UNION of five NULLs against
information_schema.TABLES succeeds; and a UNION of five string literals is accepted as well.
Two caveats: MySQL coerces the column types of a UNION, so the last probe shows that the
columns accept strings rather than proving they are VARCHAR, and information_schema also
exists in PostgreSQL and SQL Server, so the MySQL attribution rests on the error message
rather than on the UNION. The full report in Appendix A also shows the same chain
succeeding against the name and description parameters of /products.php (a quoted context
with 3 columns), a second directory listing on /database/ and reflected XSS in /login.php?msg=.
** Starting Application Scan **
ALERT: Directory Listing Detected => GET /images/
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => GET /contacts.php
user-agent: "><script>alert('Vulnerable');</script>
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body => POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
ALERT: MySQL Database Error Message Detected => POST /contacts.php?postcode=te'st
ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR%20'1'%3D'1'--
ALERT: Enumerated column number blind: 5 => POST /contacts.php?postcode=1%20ORDER%20BY%206--
ALERT: Verified database type blind: mysql => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM%20information_schema.TABLES--
ALERT: Enumerated data types blind => POST /contacts.php?postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM%20information_schema.TABLES--
...
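The inference chain above, as an added example that is not part of the original paper or of the STS Scanner's own code. It simulates /contacts.php twice, a vulnerable build beside a hardened one, on top of a toy "MySQL" that only understands the shapes the probes produce but answers with MySQL's real error wording, and runs a scanner routine that repeats the report's steps for the unquoted numeric context the excerpt shows. The payload strings are the ones in the report; the function names, the 5-column contacts query and the sample row are assumptions of the example.

```ruby
require 'cgi'

COLUMNS    = 5 # assumed: the simulated contacts query selects 5 columns
SELECT_SQL = 'SELECT id,name,city,state,phone FROM contacts WHERE postcode = '

# Toy stand-in for MySQL. It recognises only the probe shapes used below and
# replies with MySQL's real error wording or a constructed matching row.
def fake_mysql(sql)
  stmt = sql.sub(/--.*\z/m, '') # honour the trailing "--" comment
  return 'You have an error in your SQL syntax' if stmt.count("'").odd?
  if (m = stmt.match(/ORDER BY (\d+)/i)) && m[1].to_i > COLUMNS
    return "Unknown column '#{m[1]}' in 'order clause'"
  end
  if (m = stmt.match(/UNION ALL SELECT (.+?) FROM/i)) && m[1].split(',').size != COLUMNS
    return 'The used SELECT statements have a different number of columns'
  end
  '1 OnlineBusiness Sydney NSW 0200000000'
end

# Simulated /contacts.php. The vulnerable build interpolates the postcode into
# SQL and echoes the postcode and the User-Agent into HTML unescaped; the
# hardened build insists on an integer and HTML-escapes every echo.
def contacts_page(params, headers, hardened: false)
  postcode = params['postcode'].to_s
  ua       = headers['user-agent'].to_s
  if hardened
    n    = Integer(postcode, exception: false)
    rows = n ? fake_mysql(SELECT_SQL + n.to_s) : 'Invalid postcode'
    postcode, ua = CGI.escapeHTML(postcode), CGI.escapeHTML(ua)
  else
    rows = fake_mysql(SELECT_SQL + postcode)
  end
  %(<input name="postcode" value="#{postcode}"><p>#{rows}</p><span title="#{ua}"></span>)
end

XSS_PAYLOAD = %q{"><script>alert('Vulnerable');</script>}
SQL_ERRORS  = /error in your SQL syntax|Unknown column|different number of columns/

# Run the report's checks in the report's order. `app` is any callable taking
# (params, headers) and returning a response body.
def scan(app)
  alerts = []
  get = ->(postcode, ua = 'sts-scanner') { app.call({ 'postcode' => postcode }, { 'user-agent' => ua }) }

  # XSS: the payload must come back byte-for-byte; an HTML-escaped echo is safe.
  alerts << 'XSS in postcode'   if get[XSS_PAYLOAD].include?(XSS_PAYLOAD)
  alerts << 'XSS in user-agent' if get['2000', XSS_PAYLOAD].include?(XSS_PAYLOAD)

  # SQLi step 1: an unbalanced quote that provokes a DBMS error message.
  return alerts unless get["te'st"] =~ SQL_ERRORS
  alerts << 'MySQL error message'
  # Step 2: a tautology that does not error is only "possible" evidence.
  alerts << 'possible injection (tautology)' unless get["1 OR '1'='1'--"] =~ SQL_ERRORS
  # Step 3: ORDER BY n errors once n exceeds the column count.
  first_bad = (1..20).find { |n| get["1 ORDER BY #{n}--"] =~ SQL_ERRORS }
  return alerts unless first_bad && first_bad > 1
  cols = first_bad - 1
  alerts << "columns: #{cols}"
  # Step 4: confirm with a UNION of NULLs, then see whether strings are accepted.
  nulls = Array.new(cols, 'null').join(',')
  alerts << 'union verified' unless get["1 UNION ALL SELECT #{nulls} FROM information_schema.TABLES--"] =~ SQL_ERRORS
  strs = Array.new(cols, "'b'").join(',')
  alerts << 'string columns accepted' unless get["1 UNION ALL SELECT #{strs} FROM information_schema.TABLES--"] =~ SQL_ERRORS
  alerts
end

VULNERABLE = ->(p, h) { contacts_page(p, h) }
HARDENED   = ->(p, h) { contacts_page(p, h, hardened: true) }

puts scan(VULNERABLE).inspect if $PROGRAM_NAME == __FILE__
```

Against the hardened build the routine returns no alerts: the integer check rejects every SQL probe before a query is built, and escaping turns the reflected payload into &quot;&gt;&lt;script&gt;..., which the byte-for-byte comparison correctly ignores. A scanner that merely searched the body for the word "script" would still raise a false positive there.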
Future Improvements
The STS Scanner uses Mechanize and Hpricot to parse and spider HTML pages. These
libraries are not able to parse and identify JavaScript and/or Ajax code. A separate version of
the STS Scanner is to be developed whose internal core does not rely on these libraries, at
which point they become obsolete. The core shall act more like an everyday browser (i.e. IE,
Firefox, etc.) so that it can hopefully branch out into other application types such as Flash and
web services.
The testing modules are currently limited to performing only 3 types of tests (SQL injection,
XSS injection and directory indexing). These are to be expanded to incorporate more injection
tests such as CSRF, code execution, HTTP response splitting, etc.
The reporting functionality is to be updated to produce PDF files containing clickable links,
statistics and graphs.
Appendix A: STS-Scanner Report
** STS Web Application Scanner **
Target => http://onlinebusiness.com.au
** Crawling Target Site **
GET /
GET /images/glasses.jpg
GET /images/english.gif
GET /images/french.gif
GET /images/russian.gif
GET /contacts.php
POST /contacts.php?postcode=
GET /database/contacts.txt
GET /login.php
POST /login.php?login=&password=
GET /login.php?msg='Username%20does%20not%20exist'
POST /login.php?login=&password=
GET /logininformation.php
GET /products.php
POST /products.php?name=&description=&type=Stock
GET /index.php
** Crawling Complete **
** Starting Application Scan **
ALERT: Directory Listing Detected => GET /images/
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
GET /contacts.php
user-agent: "><script>alert('Vulnerable');</script>
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
POST /contacts.php?postcode="><script>alert('Vulnerable');</script>
ALERT: MySQL Database Error Message Detected => POST /contacts.php?
postcode=te'st
ALERT: Possible SQL Injection Exploit => POST /contacts.php?postcode=1%20OR
%20'1'%3D'1'--
ALERT: Enumerated column number blind: 5 => POST /contacts.php?
postcode=1%20ORDER%20BY%206--
ALERT: Verified database type blind: mysql => POST /contacts.php?
postcode=1%20UNION%20ALL%20SELECT%20null,null,null,null,null%20FROM
%20information_schema.TABLES--
ALERT: Enumerated data types blind => POST /contacts.php?
postcode=1%20UNION%20ALL%20SELECT%20'b','b','b','b','b'%20FROM
%20information_schema.TABLES--
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
POST /contacts.php?postcode=
user-agent: "><script>alert('Vulnerable');</script>
ALERT: Directory Listing Detected => GET /database/
ALERT: Cross-Site Scripting Vulnerability Detected in Response Body =>
GET /login.php?msg="><script>alert('Vulnerable');</script>
ALERT: MySQL Database Error Message Detected => POST /products.php?
name=te'st&description=&type=Stock
ALERT: Possible SQL Injection Exploit => POST /products.php?name=1'%20OR
%20'1'%3D'1&description=&type=Stock
ALERT: Verified Database Type: mysql => POST /products.php?
name=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH%20where
%20'1'%3D'1&description=&type=Stock
ALERT: Column Enumeration Successful: 3 => POST /products.php?
name=1'%20UNION%20ALL%20select%20null,null,null%20from
%20information_schema.TABLES%20where
%20'1'%3D'1&description=&type=Stock
ALERT: Enumerated data types => POST /products.php?name=1'%20UNION
%20ALL%20select%20'b','b','b'%20from%20information_schema.TABLES
%20where%20'1'%3D'1&description=&type=Stock
ALERT: MySQL Database Error Message Detected => POST /products.php?
name=&description=te'st&type=Stock
ALERT: Possible SQL Injection Exploit => POST /products.php?
name=&description=1'%20OR%20'1'%3D'1&type=Stock
ALERT: Verified Database Type: mysql => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20FOO%20from%20BLAH
%20where%20'1'%3D'1&type=Stock
ALERT: Column Enumeration Successful: 3 => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20null,null,null%20from
%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
ALERT: Enumerated data types => POST /products.php?
name=&description=1'%20UNION%20ALL%20select%20'b','b','b'%20from
%20information_schema.TABLES%20where%20'1'%3D'1&type=Stock
** Scan Finished **
** Attack Surfaces **
== Parameter Attack Surface ==
= HTTP Client Header =
cookie
referer
user-agent
= GET/POST Parameter =
GET /login.php+msg
POST /contacts.php+postcode
POST /login.php+login+password
POST /products.php+name+description+type
== Directory Attack Surface ==
GET /
GET /database/
GET /images/
== File Attack Surface ==
GET /contacts.php
GET /database/contacts.txt
GET /index.php
GET /login.php
GET /logininformation.php
GET /products.php
** End of Attack Surface **
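The attack-surface lists above are exactly what a manually crawled proxy log yields once its requests are parsed, which is what the Testing section feeds the scanner. As an added example that is not part of the original paper or the STS Scanner's code, the following Ruby script builds the same three lists from a request log. The log format here is a constructed simplification (one raw HTTP request per block, blocks separated by a line of "=" characters) and not Burp's own file format; the requests are made up to resemble the OnlineBusiness crawl, and the parsing and surface-building rules are assumptions of the example.

```ruby
require 'uri'
require 'set'

# Constructed sample log (not Burp's format): raw requests separated by "====".
SAMPLE_LOG = <<~LOG
  GET / HTTP/1.1
  Host: onlinebusiness.com.au
  User-Agent: Mozilla/5.0
  ====
  GET /images/glasses.jpg HTTP/1.1
  Host: onlinebusiness.com.au
  Referer: http://onlinebusiness.com.au/
  ====
  GET /login.php?msg=Username%20does%20not%20exist HTTP/1.1
  Host: onlinebusiness.com.au
  Cookie: sessionid=123456
  ====
  POST /contacts.php HTTP/1.1
  Host: onlinebusiness.com.au
  Content-Type: application/x-www-form-urlencoded

  postcode=2000
  ====
  POST /products.php HTTP/1.1
  Host: onlinebusiness.com.au
  Cookie: sessionid=123456
  Content-Type: application/x-www-form-urlencoded

  name=Glasses&description=Reading&type=Stock
LOG

Request = Struct.new(:verb, :path, :query, :headers, :body)

# Parse one raw request per block: request line, header lines, optional body.
def parse_log(text)
  text.split(/^=+\n/).map(&:strip).reject(&:empty?).map do |block|
    head, body = block.split("\n\n", 2)
    lines = head.lines.map(&:chomp)
    verb, target, = lines.shift.split(' ', 3)
    path, query = target.split('?', 2)
    headers = lines.to_h { |l|
      name, value = l.split(':', 2)
      [name.strip.downcase, value.to_s.strip]
    }
    Request.new(verb, path, query.to_s, headers, body.to_s)
  end
end

# Client headers the report treats as injectable (it lists exactly these three).
TRACKED_HEADERS = %w[cookie referer user-agent].freeze

# Build the report's lists: headers and parameters seen, every directory
# prefix of every path, and every path that is not itself a directory.
def attack_surface(requests)
  headers = Set.new
  params  = Hash.new { |h, k| h[k] = [] }
  dirs    = Set.new
  files   = Set.new
  requests.each do |r|
    headers.merge(r.headers.keys & TRACKED_HEADERS)
    names  = URI.decode_www_form(r.query).map(&:first)
    names += URI.decode_www_form(r.body).map(&:first) if r.verb == 'POST'
    names.each { |n| params["#{r.verb} #{r.path}"] |= [n] }
    parts = r.path.split('/').drop(1)
    unless r.path.end_with?('/')
      files << r.path
      parts.pop # the last segment is the file name, not a directory
    end
    (0..parts.size).each { |i| dirs << '/' + parts.first(i).map { |p| p + '/' }.join }
  end
  { headers: headers.sort, params: params.sort.to_h, dirs: dirs.sort, files: files.sort }
end

# Print in the same layout as the scanner's report.
def format_surface(s)
  ['== Parameter Attack Surface ==', '= HTTP Client Header =', *s[:headers],
   '= GET/POST Parameter =', *s[:params].map { |k, v| "#{k}+#{v.join('+')}" },
   '== Directory Attack Surface ==', *s[:dirs].map { |d| "GET #{d}" },
   '== File Attack Surface ==', *s[:files].map { |f| "GET #{f}" }].join("\n")
end

puts format_surface(attack_surface(parse_log(SAMPLE_LOG))) if $PROGRAM_NAME == __FILE__
```

Two things the listing makes concrete: a parameter only appears in the surface if some logged request actually carried it, which is why an incomplete manual crawl silently shrinks the scan; and /images/ and /database/ end up in the directory list purely because a file beneath them was requested, which is how the directory-listing checks in the report found their targets.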
Company Details
About the Author
Jordan Del-Grande, Director and Principal Consultant at Security Technology Science, has
several years of successful management and consulting experience performing Information
Security and Risk Management services in predominantly financial organisations. Prior to
Security Technology Science, he spent several years as a consultant with Ernst & Young and
the Advanced Security Center.
Contact Information
Company Name: Security Technology Science Pty Ltd
Email: info@securitytechscience.com
Web Site: www.securitytechscience.com