David Byrne - SANS Pen Testing Summit: Grendel

Comprehensive Web App Vulnerability Analysis with Grendel-Scan
David Byrne
Trustwave
Eric Duprey
Dish Network
Features
Miscellaneous
Written in Java
Windows, Linux & OS X ports
Manual testing
Internal intercepting / testing proxy
HTTP request fuzzer
Manual requests
Selected Test Modules
Spider
HTML tag requester
Form baseline
Search engine recon
File enumeration
Session management
Session ID strength
URL session IDs
Session fixation
Authentication enforcement - experimental
Cross-site scripting (XSS)
Selected Test Modules
SQL injection
Error-based
SQL tautologies - experimental
Miscellaneous tests
CRLF injection
Directory traversal - experimental
Generic fuzzing
Information Leakage
Platform error messages
Robots.txt
Comment lister
Selected Test Modules
Web server configuration
Cross-site tracing (XST)
Proxy detection
Application architecture
Input / output flows
Offline website mirror
Nikto
New Features
X509 Certificate Authority
Reverse Proxy
Advanced Response Comparison
AMF
GUI Changes
Integrated X509 Certificate Authority
CA / root cert generated on first start of proxy
Persisted until deleted or requested to regenerate
On client CONNECT request, a new X509 certificate is generated for the hostname (signed by the CA key)
Server certificates kept in memory only (not persisted on close)
Minimal performance impact
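The CA behaviour described on this slide, as an added example that is not Grendel's own code: a root CA key and certificate created once, a leaf certificate minted per hostname and signed with the CA key, and the leaves held only in an in-memory dictionary. It assumes the third-party cryptography package; the class and helper names are this example's own.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _validity(days: int):
    """Validity window starting yesterday (tolerates client clock skew)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=days)


class InterceptingCA:
    """Root CA generated on construction; leaf certificates are signed on demand
    and cached in memory only, so they disappear when the process exits."""

    def __init__(self, common_name: str = "Example intercepting proxy CA"):
        self.key = ec.generate_private_key(ec.SECP256R1())
        name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
        not_before, not_after = _validity(3650)
        self.cert = (
            x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)                      # self-signed root
            .public_key(self.key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(self.key, hashes.SHA256())
        )
        self._leaves = {}  # hostname -> (cert, key); never written to disk

    def certificate_for(self, hostname: str):
        """Leaf certificate for one hostname, minted on the first CONNECT and reused after."""
        hostname = hostname.lower().rstrip(".")
        if hostname not in self._leaves:
            key = ec.generate_private_key(ec.SECP256R1())
            not_before, not_after = _validity(365)
            cert = (
                x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
                .issuer_name(self.cert.subject)
                .public_key(key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(not_before)
                .not_valid_after(not_after)
                .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
                .sign(self.key, hashes.SHA256())    # signed by the CA key, not the leaf key
            )
            self._leaves[hostname] = (cert, key)
        return self._leaves[hostname]


def san_dns_names(cert) -> list:
    """DNS names the leaf claims, as a browser would read them."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def signed_by(ca: InterceptingCA, cert) -> bool:
    """True when the issuer name matches and the signature verifies under the CA key."""
    if cert.issuer != ca.cert.subject:
        return False
    try:
        ca.cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

Only the root certificate would be exported and imported into the test browser; the leaf certificates and their keys live in the dictionary and are regenerated on the next run.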
Towards “valid” MITM certificates: Wildcard?
"There is always an easy solution to every complex problem—neat, plausible, and wrong."
--H. L. Mencken
Tried a static root cert and server cert for “*”
Firefox accepts this, Internet Explorer not so much
Variations on this theme:
“*.” accepted in Firefox for https://victim.com.
Still not acceptable in IE
Nothing in the RFC suggests IE's implementation, but it is more secure in practice.
Other browsers not tested (area for further research)
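A name-matching check written for this page (not Grendel's code, and not the logic of any browser) that behaves like the stricter IE handling described above: a bare "*" or "*." never matches, a wildcard is accepted only as the whole left-most label, and it covers exactly one label. The rule that at least two fixed labels must follow the wildcard, so "*.com" is also rejected, is this example's own conservative assumption; a test of a proxy's certificates against it shows which wildcard tricks a properly behaving client would refuse.

```python
def hostname_matches(pattern: str, host: str) -> bool:
    """Return True if the certificate name `pattern` covers `host`.

    Assumed rules (modelled on the stricter behaviour the slide describes):
    - names compare case-insensitively, ignoring a trailing dot
    - a wildcard is valid only as the entire left-most label
    - at least two fixed labels must follow the wildcard
    - the wildcard matches exactly one non-empty label
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host or "*" in host:
        return False
    if "*" not in pattern:
        return pattern == host                  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*":                      # rejects "x*.com" and "*x.com"
        return False
    if len(p_labels) < 3:                       # rejects "*", "*." (stripped above) and "*.com"
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):          # a wildcard never spans "a.b"
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def any_name_matches(presented_names, host: str) -> bool:
    """Apply the check to every name a certificate presents (CN and SAN entries)."""
    return any(hostname_matches(name, host) for name in presented_names)


# Constructed sample: names a static MITM certificate might carry
SAMPLE_NAMES = ["*", "*.", "*.victim.com"]
```

Against the sample names, only a host directly under victim.com matches; the two catch-all patterns are refused outright.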
Reverse Proxy
Uses integrated certificate authority
Maps a single local port to a single remote port
Future versions will support more intelligent routing
No rewriting currently supported (local and remote ports must be the same number)
Response Comparison
Logical file-not-found detection
SQL tautologies
Directory traversal
Logged-out detection
Grendel’s Comparison Techniques
Tracks actual score & maximum possible score
HTTP response code
MIME type
Set-Cookie name - 100
Skewed Levenshtein distance of HTTP Location headers - 100
Levenshtein distance of normalized HTML text nodes - 50
HTML tag count ratios (min count / max count)
APPLET - 50
OBJECT - 50
EMBED - 50
TABLE - 30
TR - 15
A - 10
LINK - 10
IMG - 10
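The scoring scheme on this slide, worked through as an added example that is not Grendel's implementation: each component adds its weight to a maximum possible score and its earned share to the actual score, using the tag weights listed above. The slide gives no weight for the HTTP response code or MIME type, so 100 each is assumed here; the "skewed" Location-header distance is replaced by a plain normalized edit distance, and cookie and Location components are only counted when at least one response has them (both assumptions). The not-found helper shows the "logical file-not-found detection" use: a candidate page is compared against a known-missing baseline.

```python
from html.parser import HTMLParser

# Tag weights from the slide: each contributes weight * (min count / max count)
TAG_WEIGHTS = {"applet": 50, "object": 50, "embed": 50, "table": 30,
               "tr": 15, "a": 10, "link": 10, "img": 10}
# Weights the slide lists without a number (assumed here)
STATUS_WEIGHT, MIME_WEIGHT = 100, 100
COOKIE_WEIGHT, LOCATION_WEIGHT, TEXT_WEIGHT = 100, 100, 50


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, down to 0.0 for completely different ones."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


class _Extractor(HTMLParser):
    """Counts start tags and collects text nodes."""
    def __init__(self):
        super().__init__()
        self.counts, self.text = {}, []
    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1
    def handle_data(self, data):
        self.text.append(data)


def analyze_html(body: str):
    """Return (tag counts, normalized text): whitespace collapsed, lower-cased."""
    p = _Extractor()
    p.feed(body)
    return p.counts, " ".join(" ".join(p.text).split()).lower()


def compare(a: dict, b: dict):
    """Score two responses. Each is a dict with keys status (int), mime (str),
    cookies (set of Set-Cookie names), location (str or None), body (str).
    Returns (actual score, maximum possible score)."""
    score, max_score = 0.0, 0.0
    score += STATUS_WEIGHT * (a["status"] == b["status"]); max_score += STATUS_WEIGHT
    score += MIME_WEIGHT * (a["mime"].lower() == b["mime"].lower()); max_score += MIME_WEIGHT
    if a["cookies"] or b["cookies"]:
        score += COOKIE_WEIGHT * (a["cookies"] == b["cookies"]); max_score += COOKIE_WEIGHT
    if a["location"] or b["location"]:
        score += LOCATION_WEIGHT * similarity(a["location"] or "", b["location"] or "")
        max_score += LOCATION_WEIGHT
    counts_a, text_a = analyze_html(a["body"])
    counts_b, text_b = analyze_html(b["body"])
    score += TEXT_WEIGHT * similarity(text_a, text_b); max_score += TEXT_WEIGHT
    for tag, weight in TAG_WEIGHTS.items():
        n_a, n_b = counts_a.get(tag, 0), counts_b.get(tag, 0)
        if n_a == 0 and n_b == 0:
            continue                       # tag absent from both: not scored
        score += weight * min(n_a, n_b) / max(n_a, n_b); max_score += weight
    return score, max_score


def looks_like_not_found(candidate: dict, baseline_not_found: dict, threshold: float = 0.9) -> bool:
    """Logical file-not-found detection: close enough to the known-missing page?"""
    score, max_score = compare(candidate, baseline_not_found)
    return max_score > 0 and score / max_score >= threshold


# Constructed sample responses: a "soft 404" that answers 200 with a template page
BASELINE_404 = {"status": 200, "mime": "text/html", "cookies": set(), "location": None,
                "body": '<html><body><h1>Page not found</h1><p>Sorry, we could not find '
                        '/doesnotexist-9f3a.</p><a href="/">Home</a></body></html>'}
CANDIDATE_MISSING = dict(BASELINE_404, body='<html><body><h1>Page not found</h1><p>Sorry, we '
                         'could not find /admin/backup.</p><a href="/">Home</a></body></html>')
CANDIDATE_REAL = dict(BASELINE_404, body='<html><body><h1>Admin console</h1><table><tr><td>user'
                      '</td><td>role</td></tr><tr><td>alice</td><td>admin</td></tr></table>'
                      '<a href="/">Home</a><a href="/logout">Logout</a></body></html>')
```

The same scorer, with a different baseline, serves the tautology, traversal and logged-out checks listed on the previous slide: the only thing that changes is which known response the candidate is measured against.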
Fuzzing
AMF Overview
Action Message Format
ActionScript / JavaScript
Flash pile: Flex, Air, Shockwave, etc
AMF0 released in 2001 with Flash Player 6
AMF3 released with Flash Player 9
In theory, an open standard
Loosely based on SOAP; rides on HTTP, but binary format
AMF Overview
Data transfer
Primitive data (numbers, Boolean, etc.)
Collections (Arrays & maps)
Serialized objects
Remote procedure call
Pass data by reference, only within the same request
Stateless; no built-in session handling
BlazeDS
Java-based Remoting/Messaging server
Supports communication via AMF rather than traditional XML/SOAP methods
Messaging component allows for publish/subscribe communication
Remoting component allows Flex applications to invoke methods on server-side objects
Open source / GPL!
AMF 0 Constants
int kNumberType = 0;
int kBooleanType = 1;
int kStringType = 2;
int kObjectType = 3;
int kMovieClipType = 4;
int kNullType = 5;
int kUndefinedType = 6;
int kReferenceType = 7;
int kECMAArrayType = 8;
int kObjectEndType = 9;
int kStrictArrayType = 10;
int kDateType = 11;
int kLongStringType = 12;
int kUnsupportedType = 13;
int kRecordsetType = 14;
int kXMLObjectType = 15;
int kTypedObjectType = 16;
int kAvmPlusObjectType = 17;
AMF 3 Constants
int a3UndefinedType = 0;
int a3NullType = 1;
int a3FalseType = 2;
int a3TrueType = 3;
int a3IntegerType = 4;
int a3DoubleType = 5;
int a3StringType = 6;
int a3XMLType = 7;
int a3DateType = 8;
int a3ArrayType = 9;
int a3ObjectType = 10;
int a3AvmPlusXmlType = 11;
int a3ByteArrayType = 12;
AMF Example
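An AMF0 encoder and decoder written for this page as an added example (not Grendel's or BlazeDS's code), using the AMF0 marker constants listed above. Numbers are 8-byte big-endian doubles, strings carry a 16-bit (or 32-bit for long strings) length prefix, objects are key/value pairs terminated by an empty key plus the object-end marker. Every length prefix is bounds-checked before it is used, which is exactly the point where a fuzzer will hand a decoder a length larger than the data that follows it.

```python
import struct

# AMF0 type markers, named as on the slide
kNumberType, kBooleanType, kStringType, kObjectType = 0x00, 0x01, 0x02, 0x03
kNullType, kUndefinedType, kECMAArrayType, kObjectEndType = 0x05, 0x06, 0x08, 0x09
kStrictArrayType, kLongStringType = 0x0A, 0x0C

UNDEFINED = object()  # sentinel so undefined and null stay distinguishable


class AMF0Error(ValueError):
    pass


class AMF0Decoder:
    """Decodes one AMF0 value; every read is checked against the buffer length."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise AMF0Error(f"need {n} bytes at offset {self.pos}, "
                            f"only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _utf8(self, length_fmt: str) -> str:
        # "H" = 16-bit length prefix (string, object keys), "I" = 32-bit (long string)
        (n,) = struct.unpack(">" + length_fmt, self._take(struct.calcsize(length_fmt)))
        return self._take(n).decode("utf-8")

    def _members(self) -> dict:
        # key/value pairs until an empty key followed by the object-end marker
        out = {}
        while True:
            key = self._utf8("H")
            if key == "":
                if self._take(1)[0] != kObjectEndType:
                    raise AMF0Error("missing object-end marker")
                return out
            out[key] = self.value()

    def value(self):
        marker = self._take(1)[0]
        if marker == kNumberType:
            return struct.unpack(">d", self._take(8))[0]
        if marker == kBooleanType:
            return self._take(1)[0] != 0
        if marker == kStringType:
            return self._utf8("H")
        if marker == kLongStringType:
            return self._utf8("I")
        if marker == kObjectType:
            return self._members()
        if marker == kNullType:
            return None
        if marker == kUndefinedType:
            return UNDEFINED
        if marker == kECMAArrayType:
            self._take(4)  # associative count is only a hint; the end marker is authoritative
            return self._members()
        if marker == kStrictArrayType:
            (count,) = struct.unpack(">I", self._take(4))
            return [self.value() for _ in range(count)]  # truncation raises on the first short read
        raise AMF0Error(f"unsupported AMF0 marker 0x{marker:02x}")


def decode(data: bytes):
    """Decode exactly one value; trailing bytes are treated as an error."""
    dec = AMF0Decoder(data)
    val = dec.value()
    if dec.pos != len(data):
        raise AMF0Error(f"{len(data) - dec.pos} trailing bytes after value")
    return val


def encode(value) -> bytes:
    """Encode Python values as AMF0 (bool is tested before int on purpose)."""
    if value is None:
        return bytes([kNullType])
    if value is UNDEFINED:
        return bytes([kUndefinedType])
    if isinstance(value, bool):
        return bytes([kBooleanType, 1 if value else 0])
    if isinstance(value, (int, float)):
        return bytes([kNumberType]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        raw = value.encode("utf-8")
        if len(raw) < 0x10000:
            return bytes([kStringType]) + struct.pack(">H", len(raw)) + raw
        return bytes([kLongStringType]) + struct.pack(">I", len(raw)) + raw
    if isinstance(value, list):
        return bytes([kStrictArrayType]) + struct.pack(">I", len(value)) + b"".join(map(encode, value))
    if isinstance(value, dict):
        body = b"".join(struct.pack(">H", len(k.encode("utf-8"))) + k.encode("utf-8") + encode(v)
                        for k, v in value.items())
        return bytes([kObjectType]) + body + b"\x00\x00" + bytes([kObjectEndType])
    raise TypeError(f"cannot encode {type(value).__name__}")


# Constructed sample: the argument object of a hypothetical remoting call
SAMPLE = encode({"method": "getPrice", "sku": "ABC-123", "quantity": 2,
                 "gift": False, "tags": ["a", "b"], "note": None})
```

Typed objects, dates, references and the AMF3 encoding (variable-length U29 integers, string reference tables) are left out to keep the example short; the same bounds-checking discipline applies to each of them.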
Rants
“What Works in Penetration Testing?”
Not automated scanners… er… at least they don’t work well
Discuss testing plan with client
Ever-changing Threats
Everyone knows about SQL Injection, XSS, etc
OWASP Top Ten was never intended as a complete list
Simple vulnerabilities are easy to exploit, easy to find, and easy to fix
Absence of simple vulnerabilities is not sufficient protection
Criminals can improve their skills too
What Automated Solutions Miss
Theoretical
Logic flaws (business and application)
Design flaws
The Stupid
Practical
Difficulty interacting with Rich Internet Applications (RIA)
Complex variants of common attacks (SQL Injection, XSS, etc)
Cross-Site Request Forgery (CSRF)
Uncommon or custom infrastructure
Authorization enforcement
Abstract information leakage
Real World Automation Results
The Stupid: Defense In-Depth
'2007-11-27 If single quote is at the start of the
'search string, replace it with an empty string
'refer to scanner report
If uQuery.IndexOf("'") = 0 Then
    uQuery = uQuery.Substring(1, uQuery.Length - 1)
End If
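The same fix reproduced in Python, as an added example that is not from the slide, beside the change that would actually have closed the finding: a parameterised query. The filter removes a quote only when it is the first character, so a quote anywhere else reaches the concatenated SQL untouched, and even a legitimate search such as O'Reilly turns into a database error. The table, product names and function names are constructed for this example.

```python
import sqlite3


def naive_strip_leading_quote(query: str) -> str:
    """Mirror of the VB.NET fix: drop a single quote only when it is at index 0."""
    if query.find("'") == 0:
        return query[1:]
    return query


def build_query_unsafely(search: str) -> str:
    """String concatenation: the pattern the quote filter was meant to protect."""
    return "SELECT name FROM products WHERE name LIKE '%" + search + "%'"


def search_unsafely(conn: sqlite3.Connection, search: str):
    """Concatenation plus the naive filter; returns rows, or the database error as text."""
    sql = build_query_unsafely(naive_strip_leading_quote(search))
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.OperationalError as exc:
        return str(exc)


def search_products(conn: sqlite3.Connection, search: str) -> list:
    """Parameterised query: the user's text is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?",
                        ("%" + search + "%",)).fetchall()
    return [row[0] for row in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("O'Reilly guide",), ("Widget",)])
    return conn
```

With the parameterised version the quote filter becomes unnecessary, and the search for a name containing an apostrophe simply works.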
The Very Stupid: Awesome Exploit
POST https://secure.example.com:443/Coupon.aspx HTTP/1.1
Host: secure.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.example.com/CartSummary.aspx
Cookie: FDCX=RVLAXGDGJSQX634; [email protected]
Content-Type: application/x-www-form-urlencoded
Content-length: 69
FreePurchase=yes&Command=usecoupon&CouponNumber=11111111111111111111
Misc
Web recon
Future of Grendel
Selfish
XML web services
www.grendel-scan.com
David Byrne
[email protected]
Eric Duprey
[email protected]