Skyfall flisol-campinas-2013
1 like636 views
This document describes Skyfall, a web vulnerability scanner based on Skipfish. Skyfall is designed for high performance and ease of use. It implements a variety of security checks including tests for SQL injection, XSS vulnerabilities, file inclusion issues, and more. The scanner can perform over 500 requests per second and has a small memory footprint. Features include adaptive crawling, automatic wordlist generation, and filtering of false positives in reports. The document provides details on Skyfall's implemented tests and demonstrates its scanning capabilities.
Skyfall flisol-campinas-2013
- 1. Skyfall scanner de vulnerabilidades em web applications fork skipfish Mauro Risonho de Paula Assumpção firebits mauro.risonho@gmail.com http://www.linkedin.com/profile/view?id=35593661&trk=tab_pro
- 2. ● Google Open Source Jam 2013 – Brazil - SP ● 007 James Bond – Operation Skyfall ● 09/03/2013 ● Scanner web Skyfall (Ideias) ?
- 4. Skyfall – on demand Skyfall01 32Ram (www.example.com) Skyfall02 32Ram (www.tes1.com) Skyfall023 32Ram (www.ext2.com) frontend 32Ram (www.example.com) (www.tes1.com) (www.ext2.com) Skyfall02 32Ram (www.tes1.com) Skyfall02 32Ram (www.tes1.com) Skyfall02 32Ram (www.tes1.com) REPORTS OFF ON ON DATABASE ->SSH
- 5. ● High performance: – 500+ requests per second against responsive Internet targets – 2000+ requests per second on LAN / MAN networks – 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint. Skyfall - Features
- 7. ● This can be attributed to: – Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients. – Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network- level overhead in check. FeaturesSkyfall
- 8. ● This can be attributed to: – Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic. – Performance-oriented, pure C implementation, including a custom HTTP stack. FeaturesSkyfall
- 9. ● Ease of use: skyfall is highly adaptive and reliable. The scanner features: – Heuristic recognition of obscure path- and query- based parameter handling Schemes. – Graceful handling of multi-framework sites where certain paths obey completely different semantics, or are subject to different filtering rules. FeaturesSkyfall
- 10. ● Ease of use: skyfall is highly adaptive and reliable. The scanner features: – Automatic wordlist construction based on site content analysis. – Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites. FeaturesSkyfall
- 11. ● Well-designed security checks: the tool is meant to provide accurate and meaningful results: – Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe. – Three-step differential probes are preferred to signature checks for detecting vulnerabilities. FeaturesSkyfall
- 12. ● Well-designed security checks: the tool is meant to provide accurate and meaningful results: – Ratproxy-style logic is used to spot subtle security problems: – cross-site request forgery, cross-site script inclusion, mixed content, issues MIME- and charset mismatches, incorrect caching directives, etc. FeaturesSkyfall
- 13. ● Well-designed security checks: the tool is meant to provide accurate and meaningful results: – Bundled security checks are designed to handle tricky scenarios: ● stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection. FeaturesSkyfall
- 14. ● Well-designed security checks: the tool is meant to provide accurate and meaningful results: – Snort style content signatures which will highlight server errors, information leaks or potentially dangerous web applications. – Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns. FeaturesSkyfall
- 15. ● What specific tests are implemented? – High risk flaws (potentially leading to system compromise): ● Server-side query injection (including blind vectors, numerical parameters). ● Explicit SQL-like syntax in GET or POST parameters. FeaturesSkyfall
- 16. ● What specific tests are implemented? – High risk flaws (potentially leading to system compromise): ● Server-side shell command injection (including blind vectors). ● Server-side XML / XPath injection (including blind vectors). FeaturesSkyfall
- 17. ● What specific tests are implemented? – High risk flaws (potentially leading to system compromise): ● Format string vulnerabilities. ● Integer overflow vulnerabilities. ● Locations accepting HTTP PUT FeaturesSkyfall
- 18. ● What specific tests are implemented? – Medium risk flaws (potentially leading to data compromise): ● Stored and reflected XSS vectors in document body (minimal JS XSS support). ● Stored and reflected XSS vectors via HTTP redirects. ● Stored and reflected XSS vectors via HTTP header splitting. FeaturesSkyfall
- 19. ● What specific tests are implemented? – Medium risk flaws (potentially leading to data compromise): ● Directory traversal / LFI / RFI (including constrained vectors). ● Assorted file POIs (server-side sources, configs, etc). ● Attacker-supplied script and CSS inclusion vectors (stored and reflected). FeaturesSkyfall
- 20. ● What specific tests are implemented? – Medium risk flaws (potentially leading to data compromise): ● External untrusted script and CSS inclusion vectors. ● Mixed content problems on script and CSS resources (optional). ● Password forms submitting from or to non-SSL pages (optional). FeaturesSkyfall
- 21. ● What specific tests are implemented? – Medium risk flaws (potentially leading to data compromise): ● Incorrect or missing MIME types on renderables. ● Generic MIME types on renderables. ● Incorrect or missing charsets on renderables. ● Conflicting MIME / charset info on renderables. ● Bad caching directives on cookie setting responses. FeaturesSkyfall
- 22. ● What specific tests are implemented? – Medium risk flaws (potentially leading to data compromise): ● Incorrect or missing MIME types on renderables. ● Generic MIME types on renderables. ● Incorrect or missing charsets on renderables. ● Conflicting MIME / charset info on renderables. ● Bad caching directives on cookie setting responses. FeaturesSkyfall
- 23. ● What specific tests are implemented? – Internal warnings: ● Failed resource fetch attempts. ● Exceeded crawl limits. ● Failed 404 behavior checks. ● IPS filtering detected. ● Unexpected response variations. ● Seemingly misclassified crawl nodes. FeaturesSkyfall
- 24. ● What specific tests are implemented? – Non-specific informational entries: ● General SSL certificate information. ● Significantly changing HTTP cookies. ● Changing Server, Via, or X-... headers. ● New 404 signatures. ● Resources that cannot be accessed. ● Resources requiring HTTP authentication. FeaturesSkyfall
- 25. ● What specific tests are implemented? – Non-specific informational entries: ● Broken links. ● Server errors. ● All external links not classified otherwise (optional). ● All external e-mails (optional). ● All external URL redirectors (optional). ● Links to unknown protocols. FeaturesSkyfall
- 26. ● What specific tests are implemented? – Non-specific informational entries: ● Form fields that could not be autocompleted. ● Password entry forms (for external brute-force). ● File upload forms. ● Other HTML forms (not classified otherwise). ● Numerical file names (for external brute-force). ● User-supplied links otherwise rendered on a page. FeaturesSkyfall
- 27. ● What specific tests are implemented? – Non-specific informational entries: ● Incorrect or missing MIME type on less significant content. ● Generic MIME type on less significant content. ● Incorrect or missing charset on less significant content. ● Conflicting MIME / charset information on less significant content. ● OGNL-like parameter passing conventions.. FeaturesSkyfall
- 28. DEMOSkyfall DEMO
- 29. DEMOSkyfall OS = 31 Mb RAM + Skyfall = 1MB
- 30. DEMOSkyfall OS = 31 Mb RAM + Skyfall = 1MB
- 31. ● Database SQLite3 in memory ● Database SQLite3 in disk - HD ● GUI QT/Frontend Web (ligthing web server + tags HTML) ● Reports Html, PDF(libharu), DOCX, XML ● + mime types ● MultiScanning URLs ● Scannig plugins joomla, wp, drupal ● Brute-force CAPTCHA ToDOSkyfall
- 32. ● skyfallsec – https://bitbucket.org/skyfallsec ● skipfish – http://code.google.com/p/skipfish/ ● Gcc – http://gcc.gnu.org/ ● Clang – http://clang.llvm.org/ ● Archlinux ● https://www.archlinux.org/ ReferencesSkyfall