Senin, 16 April 2007

Wapiti and proxmon

I was posting on Rsnake's forum about web penetration testing tools that most web application pentesters used. For me, i only use webscarab, XSS cheatsheet from Rsnake, wikto and firefox addons like tamper data and live http headers for my testings. These tools are good enough for me to get the job done most of the time. Sometimes, it depends how much i want to actually break into systems during a test. If the application has a lot of vulnerabilities during a simple scan, it is nuff said, please patch your system. Else if the application is robust enough, i am very determine to actually dig in further to uncover flaws.

The other night, jeremiah posted a topic on "Vulnerability Assessment, When do we stop looking? " and i commented that if the application is vulnerable to simple scans, then it is not worth to dig in further, else if the application is robust, it is worth every single effort to explore more flaws. And when do we stop? It all depends on how much you think the application has serious vulnerabilities. As i was commenting on his blog, i was thinking of a tool that can simplify my process of auditing and i happen to read on jungsonn comments. He recommended a very useful tool that i am going to test it once i finished my project over here. Yes its hectic here and sorry for the lack of updates guys. Here is a short excerpt.

Wapiti:
* File Handling Errors (Local and remote include/require, fopen, readfile…)
* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
* XSS (Cross Site Scripting) Injection
* LDAP Injection
* Command Execution detection (eval(), system(), passtru()…)
* CRLF Injection (HTTP Response Splitting, session fixation…)

I managed to test it a little and it seems to be a good tool to use and the best of all, its open source which means it is free!! You will need python to use this tool. More can be found here: http://wapiti.sourceforge.net

As i was playing around his tool, i was thinking about blackhat. I want to see what is the latest exploits that security researchers found and i stumble across another web application pentesting tool. Its proxmon. It was written by Jonathan Wilkins and he presented in Blackhat Europe 2007, so i guess it wouldn't be a bad tool to use. A sample of the tool output is shown as below:

[*] starting ProxMon v1.0.15 (http://www.isecpartners.com)
[*] Copyright (C) 2007, Jonathan Wilkins, iSEC Partners Inc.
[*] Proxmon comes with ABSOLUTELY NO WARRANTY;
[*] This is free software, and you are welcome to redistribute it
[*] under certain conditions; see accompanying file LICENSE for
[*] details on warranty and redistribution details.
[*] Loading support for: WebScarab
[*] Loading Checks ...
- Find interesting comments
- Find cookie values that also are sent on the query string
- Find HTTP Basic or Digest Authentication usage
- Identify frameworks and scripts in use by server
- Find dangerous functions in JavaScript code
- Find offsite redirects
- Find cookies with the secure flag that also get sent cleartext
- Find values set over SSL that later go cleartext
- Find values sent to other domains
- Find common undesirable directories
- Find files that indicate common vulnerabilities
- Find directories that allow directory listing
- Find SSL server configuration issues
- Find directories writable via PUT
[*] 14 checks loaded
[*] Finding available sessions ...
[*] Processing session test/webscarab in test
[*] Running in monitor mode
[*] Monitoring test/webscarab
[*] Parsing existing conversations ...
[*] Interesting comment: XXX in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: bug in http://www.bitland.net:80/ (TIDs: 532)
[*] Interesting comment: TODO in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: ??? in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Interesting comment: !!! in http://scratch.bitland.net:80/ (TIDs: 35)
[*] Cookie value seen on QS: secret1 (Secure, SSL) (TIDs: 16)
[*] Cookie value seen on QS: secret2 (Secure, SSL) (TIDs: 9)
[*] Digest auth seen: Authorization: Digest username='jwilkins', realm='scratchdigest', [snip ...] (TIDs: 34)
[*] Basic auth seen: Authorization: Basic andpbGtpbnM6YXNkZmFzZGY= (TIDs: 31, 32)
[*] IDed framework: scratch.bitland.net:80 is using PHP/5.2.1 (http://www.php.net) (TIDs: 35)
[*] IDed framework: www.isecpartners.com:80 is using YUI/1.2.3 (http://developer.yahoo.com/yui) (TIDs: 16)
[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:15 (TIDs: 35)
[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:16 (TIDs: 35)
[*] Secure cookie value sent clear: secret2 (TIDs: 7, 9)
[*] Secure cookie value sent clear: secret1 (TIDs: 16, 36)
[*] Value set over SSL sent clear: secret2 as secure2 (TIDs: 7)
[*] Value set over SSL sent clear: secret2 as bar (TIDs: 9)
[*] Value set over SSL sent clear: secret1 as foobar (TIDs: 16)
[*] Value set over SSL sent clear: secret1 as asdf (TIDs: 36)
[*] Value (secret1) sent to multiple domains: bitland.net (TIDs: 5, 6, 36)
[*] Value (secret1) sent to multiple domains: isecpartners.com (TIDs: 16)
[*] Bad directory found: /backup/ on scratch.bitland.net:80 (TIDs: 0)
[*] Bad file found: /environ.pl on scratch.bitland.net:80 (TIDs: 0)
[*] Listing of /listable/ on scratch.bitland.net:80 succeeded (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: aNULL null cipher (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: Export strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: 40 bit Export strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: Low strength ciphers (TIDs: 0)
[*] SSL Config issue https://www.bitland.net:443: SSLv2 protocol (TIDs: 0)
[*] Upload to /put/ on scratch.bitland.net:80 succeeded (TIDs: 0)
[*] Parsed 38 existing conversations
[*] Session is not active, no point in monitoring

0 komentar:

Posting Komentar