Hi All

Since I began this blog I always wanted to keep the original theme of my website instead of flicking over to the Word Press default theme when the user clicked on "Blog". Well, as you can see I’ve finally done it!

So if you ever wanted to know how to keep the same theme with your blog and your site’s css then read this blog

http://max.limpag.com/2006/09/01/how-to-convert-any-web-template-into-a-wordpress-theme/

All you need is:

• Style sheet – styles.css
• Index page – index.html
• Images directory – /images
• A screen shot of your home page

Have fun!

After a few minor adjustments to the scanner and some additional tweaks to the web crawler, it is time to release the very first version of STS Scanner. All the information about the scanner and where to download is available online here

Requirements:

1. Ruby Interpreter and Ruby Gems
2. Hpricot Ruby Gem

Bugs:

Send all bugs to bugs [at ] securitytechscience [dot] com

Please test responsibly…

Before the release of the sts-scanner, I plan to add on some crawling capabilities as the strategy is to take the tool to a level where there is minimal human interaction (i.e., no manual crawling of the web application). Note: I am a big fan of the manual crawl, as it is possibly the best assurance you have that every link of a web application has been clicked and all forms have been correctly submitted. So the idea of building a crawler that can do perform like or even better than a human sounds like a nice challenge…

Firstly, some the obvious problems with basic crawlers are things like malformed html, frames, forms, javascript, ajax, web services, web 2.0, etc to name a few breaking the crawling algorithm. Some crawlers simply fall apart when faced with these challenges and as a result, you end up with a minimal or in extreme cases no attack surface area to test.

This blog is about how I plan to overcome some of these challenges and implement them within the sts-scanner. I will only focus on web 1.0 for now as I will concentrate on web services, web 2.0, ajax and javascript at a later date.

Read the rest of this entry »

This post follows on from Simple Scanner Released

After porting the Perl code over to Ruby in a line by line fashion from the book I noticed that the code was although functional, it was also ugly. Before progressing on to the Extended Scanner I thought it a good idea to try and clean up what was written using some fundamental coding guidelines. Well, I guess they’re guidelines (and fundamental) as they are intuitively off the top of my head…

1. Remove all procedural code into objects

Problem: The main piece of code ’simplescanner.rb’, is one long procedural statement separated by a few functions: testSQL, testXSS, testDir, etc. One of the challenges I noticed was that once within a functions scope you could not access variables within the file scope. As such, the functions have a large number of parameters [e.g., xssTest(file_name, request, status, response, proxy, proxy_port, cookie) ] in order to pass on the values submitted by the end-user. Also, I had to order my functions from top to bottom, because if I called a function that was defined below, to Ruby it was out of scope and would cause an error.

The real cause of this problem is that I decided to use Ruby’s GetOptLong class in order to accept input from the end-user via the command line. This inturn meant I had to use a procedural layout and ran into the problems listed above.

Solution: In order to remove the reliance on GetOptLong, I instead focused on Ruby’s OptParse class. As the API states, “OptionParser is a class for command-line option analysis. It is much more advanced, yet also easier to use, than GetoptLong, and is a more Ruby-oriented solution“. By doing this I was able to capture the command line arguments into one instance.

I then created a ExtendedScanner class so as to capture all the functions listed above (testSQL, testXSS, testDir) and placed this variable as an instance of the class and hence within the classes global scope. By default this reduced all the necessity to pass the parameters, so the function calls looked slightly more elegant [e.g., xssTest(request, status, response) ]. Also, I didn’t have the problem of where I defined my functions as they were also now in class scope.

2. Why create an instance of a class when you can just call a static method of the class

Problem: I was creating an instance of BurpParser in order to call one function…parse(). This meant that I was using unnecessary memory and additional lines of code for no additional benefit. The code could look like the folowing if I wanted to save memory:

bp = Parser::BurpParser.new(ARGV[0])
request_array = bp.requests
bp = nil

Solution: Recode the BurpParser so that it has a static method (self key word) with no defined initialize() method…

class BurpParser
def self.parse(file_name)
...
end

Now I can shorten the above 3 lines of code to 1…

request_array = Parser::BurpParser.parse(ARGV[0])

3. Repetative functions can be moved into other classes with a parent to join them

Problem: The sqlTest, XSSTest, and DirTest functions all appear to take the same arguments as well as return a similar result (i.e., vulnerable to exploit, not vulnerable to exploit). If I had many developers working on this code then everytime there was a new exploit they would have to update the ExtendedScanner class. Not only causing sharing conflicts (ok, cvs can help, but also causing an update in the code for the unit and regression test.

Solution: Move the functions out to their own classes and group all common features into a parent class that these child classes inherit from.

Note: Haven’t done this step yet but will complete this at a later date once the scanner becomes more mature. But in 3 short steps I have cleaned up the code to look almost ready for the OSS community to at least not laugh at.

SimpleScanner is a Ruby port of the Perl version of SimpleScanner presented in Ch 8 of Network Security Tools by Justin Clarke et al. Refer to www.oreilly.com/catalog/networkst/ for the sample chapter and Perl source code – You can use the chapter to follow along with the source code. You may also want to buy the book as I recommend it to any serious security professional.

Note: This project is more useful as a learning tool and providing insight into the fundamentals of web application testing. But in saying that, it would be better to run this tool on one of your applications then to run nothing at all

I decided to re-write the code in Ruby to pay homage to a friend of mine (Brian Holyfield), who was the original author of the code. There is nothing cutting edge about the scanner today as it only checks for 3 types of vulnerabilities:

1. SQL Injection

2. Cross Site Scripting

3. Directory Listing

Realistically it was just nice to put the Browser::WebGet library I wrote to use in order to show what it could be used for.

You can view the API documentation here.

To download click here.

Things to come…

As I own a copy of the book, it is really the next chapter (9) that is of most interest as it delves into intelligent exploitation algorithms. Using the above code as a baseline, I will extend the current functions in order to build the ExtendedScanner. Along the way I am planning on employing more advanced Ruby libraries and Object Oriented schemas to improve the overall extendability of the code.

Formerly known as WebGet, the Python libraries have been ported over to Ruby. Think of this package as a front-end wrapper to the net/http library acting as a lite weight browser capable of handling session management.

You can view the API documentation here.

To download click here.

Around this time last year I decided to switch languages and regress back to Python.  I guess the main reason was all the add-ons that were being discussed and I wanted to double check I wasn’t missing out on anything since I had left a year or two earlier. At the time I had no real inspiration to write anything in particular, so I focused on writing a wrapper for the Pyton urllib libraries. The idea was to make an object that acted much the same as a lite browser. Basically you could load it up with a URL and any authentication necesary (basic auth, ntlm, cookies, etc) and feed it file paths – The browser should just handle the rest.

The high level plan was to write a wrapper that handled HTTP requests and then place a front-end on it (command line and later a GUI). I drew most of my inspiration from mechanize to build the wrapper and noticed the front-end was just another (albeit smaller) version of cURL. In the end I decided to drop the project due to the rejection of PEP 268 - Due to Python’s design, it is impossible to tunnel anything over a proxy and keep the the same level of authentication and/or SSL.

FYI, I called the project WebGet and the only conceivable use for it is code re-use in other projects. It is licensed under GPL and you can find it here.

Anyway, enough about the past…

This long weekend I decided to take a couple of hours out and based on the above design I ported WebGet over to Ruby. Once it has passed unit testing I will release it in the resources section of the web site.   

The first packaged release of WebGet is now available for download here. Briefly, WebGet is a Python Package interfacing urllib2 and handlers, cookielib, http and ntlm modules to provide for quick-turnaround applications.

To install just run “python setup.py install” using an administrative account.

To use just type import WebGet from your Python Interpreter or script. Here is a quick example:

import WebGet, os

# create a WebGet cookie
c = WebGet.WebGetCookie()
c.browsertype = WebGet.MOZILLA
c.path = os.path.join(os.environ["HOME"], "/.netscape/cookies.txt")

# create a WebGet instance
wg = WebGet.WebGet('http', 'www.securitytechscience.com', 80, c)

# set some variables
wg.add_header('Country','Australia')
wg.set_proxy('http', "127.0.0.1', 8080)

# request the page -> sets both a wg.request and wg.response value
wg.open('/')
print wg

As of Python 2.5 Guido has included client side cookie handling. The code is directly taken from the mechanize project written by John J. Lee. The Python 2.5 module is called cookielib and should not be confused with the Cookie module which has been in python since 1.x.

To clarify, the cookielib module is used when coding clients, such as browsers that need to recognise and handle these newly assigned cookies. Instead the Cookie module is used when you are using server side scripting, such as python cgi scripts that need to set client cookies.

Let’s firstly look at the example code and then I will explain:

import urllib2, cookielib
# create the cookie
cookiejar = cookielib.CookieJar()
# build an opener and add the cookie handler
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
# install opener globally so it can be used with urllib2.
urllib2.install_opener(opener)
# request the page
request = urllib2.Request('http://www.google.com.au/')
response = opener.open(request) # No cookie in request
# hander would have managed the Set-Cookie header
response = opener.open(request) # Cookie: PREF=ID=d2de0.. in header

Notice that the initial request does not contain any “Cookie:” header as it has not been set by the client and no request has been made to the server.

After the first request the HTTPCookieProcessor will handle the “Set-cookie:” in the server header and assign the request header accordingly for the next call to the server. Hence on the second request to google you should see the “Cookie: PREF=ID=d2de0..” in the header.

UPDATE: Recently using this code for the WebGet module I discovered a bug where if you submit a request URL that contains a port (e.g., http:///www.google.com.au:80/) the handler will never recognise the “Set-cookie:” value from the server and will not work! Submitted this to Sourforge Python Bug Track under Reference id 1647037.
There is also some other cool functionality where you can load Mozilla and LWP cookies from file. I have added this and IE cookie handling to WebGet as it is not available in the IE is not available in the module just yet. In addition, for the more RFC focused, you can use the cookiepolicy class to only allow strict cookies.

UPDATE: This turns out not to be a bug but a quirk with www.google.com.au. It sets a different cookie when a ‘:80′ is submitted in the URL…go figure. So the issue is closed and the sts-requester is looking good once again!

The first version of sts-requester was released today. Nothing flashy about this tool, if anything it is just a trimmed down version of Curl written in Python. The reason wasn’t to release a copy of Curl but to build a command line interface to the Webget module that comes with the tool – Webget is a pure Python library written by me interfacing the Python urllib2 module from the Python library. By releasing this tool as open source, hopefully it gets more of an audience who will eventually test it on different applications and report back on bugs, if any .

You can find out more information and download the tool here.

Here is some quick code on how to use the Webget module that comes with sts-requester for those Python coders out there:

# import Webget
from Webget import *

# create a cookie
c = webget.WebGetCookie()
c.browsertype = MOZILLA
c.path = os.path.join(os.environ["HOME"], "/.netscape/cookies.txt")

# create a webget instance
wg = webget.WebGet('http', 'www.securitytechscience.com', 80, c)

# set some variables
wg.add_header('Country','Australia')
wg.set_proxy('http', "127.0.0.1', 8080)

# request the page -> sets both a wg.request and wg.response value
wg.open_url('/')

print wg

That’s it! In the coming weeks I will test and at the ntlm components. After that maybe Webdav and digital certificates with open ssl.