find maximum bugs in limited time

Bugs -> maxTime <= T

Omar Ganiev11/10/2015

Hi!• I’m Beched

• I do application security assessment and penetration testing at IncSecurity

• Also I compete as RDot.Org independent team member

Contents

• Intro• Technical view• Algorithmic view• Whitebox• Outro

The problemCommon situations where the problem of rapid testing of web application arises:• Pentesting a huge scope full of web apps. You have a

couple of weeks to analyse and pwn them• The similar case – bug bounty. You want to collect (low)

hanging fruits faster than others• Customer asks about the costs of your work. You want to

estimate the cost by looking at web app for 5 minutes• Competition (Capture The Flag). You want to pwn the

tasks quickly to focus on others and to get extra points

The solution• Prioritizing• Parallelizing• Automation• Guessing• Heuristics• ???• PROFIT• That’s it?

Manual testing

• Tons of articles and books are written about testing methodology (including OWASP Testing Guide)

• Manual testing includes application logic analysis along with fuzzing

• Manual testing is more careful (no or 1=1 in DROP-queries, etc)

Manual testing

• You can capture low hanging fruits in <= T time manually, but not in N applications

• Generally automated scanning surely sucks• But anyway we’ll focus on improving tools

rather than hands =)

Semi-automated testing

• NMap, Burp Suite, Recon-NG, CMSMap, RAFT, etc…

• The tools are cool and save time, but still, you need to do a lot by hands, and the combination of such tools is poorly scalable

Automated testing• Most of pentesters write their own specialized

tools for automated pentesting• Generally It is rather complex task with a bit of

rocket science• There’re a lot of problems like rich application

crawling or natural language processing (your program actually needs to read human language to understand the application)

Automated testing

• There’re two main variables for measuring complexity (speed) of the testing methodology: time (depends on CPU & memory usage) and number of network requests

• They correlate, and time can be decreased by technical measures

• This is coverage vs requests count trade-off• Bugs -> max; time <= T; requests <= Q• We’ll mainly focus on the second parameter

Automated testing

• Let’s take a look at some tips’n’tricks useful for pentesting toolkit

• We’ll observe technical and algorithmic ways to decrease testing time and number of network requests

Contents

• Intro• Technical view• Algorithmic view• Whitebox• Outro

Technical view• Well-known things first• HTTP speed-up: Keep-Alive & HEAD• HEAD method can be used for directory listing and

any other checks, which only need response headers (length- or time-based payloads, response splitting, etc)

• Keep-Alive is always useful, decreases number of connections and hanshakes and hence the server load

Technical view• Trivial paths first• Why crawling the whole site, if there’re

sitemap.xml, robots.txt and Google dorks?• Why scanning the whole site, when you can

detect a CMS and version and check for vulns in database?

• Why fuzzing a login form a lot, when you can hit top passwords?

Technical view• Scaling• Threading and horizontal scaling increase the

speed very much, hence they can provide better covering (if we limit time, but not requests)

• Recent example of distributed scanning platform is https://github.com/yahoo/gryffin/ written in Go

Contents

• Intro• Technical view• Algorithmic view• Whitebox• Outro

Algorithmic view

• Algorithmic view is quite interesting. How can we increase the number of fuzzed points and checked vulnerabilities without increasing requests count?

• Let’s remember the problems we face while conducting (semi-)manual testing

Algorithmic view

• Ever seen such?• How do you process it manually?• URL patterns, similar pages

Algorithmic view

• Already mentiond Gryffin project by Yahoo uses quite a handy algorithm – Simhash

• Take a look: http://www.wwwconference.org/www2007/papers/paper215.pdf

• If we build a Simhash-index of pages, we can skip duplicates, saving a lot of time

• Possibly it’s better to take into account not only response body, but response status, headers, parameters, etc

Algorithmic view

• How to gather input points (GET, POST, Cookie, headers, …)?

• Classical way: automate browser (PhantomJS) and crawl the website, process each request

• Quick way:• Parse forms, parse links with query strings,

parse XHR parameters from JS

Algorithmic view

• How to gather unknown input points?• Brute force• Quick: Iterative binary search• Collect a list of common parameter names, hit

them all in query string at once and check page for changes, then perform dichotomy

Algorithmic view

• How to fuzz input points?• Long way: take a big list of fuzzing strings and

fuzz each parameter• Quick way: construct polyglot payloads and

check for a bunch of vulns at once• Take a look:

http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra

Algorithmic view

• Polyglot payloads can be constructed because of ignored contexts (such as comments) in different languages

• Example of polyglot string: <tagxss>%0dresponse:splitting'"attributexss\

• Null-byte or backslash should be placed last• Time-based for (Postgre|My)SQL-injection: '/*!

+sleep(10)*/+\n1#(select 2 from (select pg_sleep(10))x)\n+'

Algorithmic view

• Ok, what do we actually do, when we look at web app by eyes?

• We estimate “hackableness” of app or page and then think how can we hack it

• Why not automate thinking? %)

Algorithmic view• The thinking flow is like this:“Hm… It’s enterprise .NET site with a single login form.

Probably not that hackable…Hm… It’s default WordPress installation without plugins and

custom themes. Probably not hackable…Hm… It’s shitty custom PHP engine with a lot of forms and

input parameters. Instantly hackable! 8)“

Algorithmic view

• What makes us think one or another way? Let’s point out some of features:

Platform (PHP, ASP, Ruby, …)Server (Apache, Nginx, IIS, …)Engine (WordPress, Django, RoR, …)Queries (count parameters in links on main page)Scripts (number of script tags on main page)Inputs (number of input tags on main page)SSL (if the site works with HTTPS or not)

Algorithmic view

• The simpliest vulnerable-vs-secure classifier ever:

if PHP:vulnerable = True

else:vulnerable = False

• Ok, just kidding =)

Algorithmic view

Machine learning FTW!

Algorithmic view

Algorithmic view• Today before the talk I scanned about a thousand

sites and built this decision tree on obtained data• Actual classifier is a bit bigger than simpliest, but

yet the common sense is preserved %)• If the main page is PHP-script, there’re at least 4

GET-parameters in the links on it, and there’s at least one script tag, then site is probably vulnerable =)

Algorithmic view

• Ok, this is about cost estimation, but how can this help us to scan the site?

• Ever seen this?

Algorithmic view

• Let’s calculate more features for each page and build priority queue during scan

• If you do it right, /favicon.ico will be scanned last, and /admin.php will be scanned first

Algorithmic view

• Which features can we calculate?• Dynamic/static page: detected platform

(dynamic language vs none), content-type (html vs static), extension

• Response status: OK vs Forbidden vs Redirect vs Not Found vs …

• A bit of NLP: if the path contains important words like admin, password, login, etc

Algorithmic view

Algorithmic view

• Lower priority() – higher priority:

Contents

• Intro• Technical view• Algorithmic view• Whitebox• Outro

Whitebox

• Static code analysis is a lot more rocket science thing, than blackbox testing

• Modern enterprise static code analysis systems are big and still not enough good (some of them still not better than grep)

• They may have nice ads with samples, but ads-samples can probably be constructed by hand ;)

Whitebox

• Most pentesters have their own dirty hacks and regexps for finding the vulns

• I also use a simple grep wrapper, which allows to spot out security bottlenecks and obvious bugs in no time

• Especially useful during CTF, when the source code is not that big

• If integrated with IDE, can be rather cool semi-manual analyser

Whitebox

• Collect a list of dangerous sinks for various languages

• Take a pattern for variable (like \$.* in PHP)• Take a list of securing functions• Generate regexps with negative lookahead,

which will search for patterns like this:danger_func(…not_a_securing_func(…$var

Whitebox

• Get the result like this

• Parse it into any IDE and analyse traces

Contents

• Intro• Technical view• Algorithmic view• Whitebox• Outro

Summary• Application testing can be made faster in many

ways• Some of ways are achievable during manual

assessment, some of them are not• We can build fast and scalable web application

scanner for this• It will traverse pwning paths graph in an efficient

way and halt after hitting the requests limit

Results

• Some of reviewed techniques are already implemented in reps on my GitHub (libpywebhack repository not updated for years): https://github.com/beched

• It will be updated as soon as I finish debugging PoC scripts

Questions?beched@incsecurity.ru