
Hello good people,

I thought I’d give you an update regarding Arachni’s development.
Lately I’ve been working towards adding modules to the system and most importantly I’ve split the modules into 2 categories: Recon and Audit.

As of today the following modules are available:

Recon

  • backup_files.rb
  • common_directories.rb
  • common_files.rb

Audit

  • blind_sqli.rb
  • eval.rb
  • path_traversal.rb
  • response_splitting.rb
  • simple_cmd_exec.rb
  • simple_rfi.rb
  • sqli.rb
  • xss_path.rb
  • xss.rb
  • xss_uri.rb

I guess that many of them need further optimization and bugfixing but there’s plenty of time for that.
The important thing is that the basic modules are there.

Sure the list may seem short compared to other systems but I don’t see the need to duplicate functionality.
For example, many scanners have separate modules/plug-ins for path traversal and local file inclusion when in essence it’s the same thing.

So I trust the users to be smart and see through that. :)

Of course test cases, feature and module requests are very welcome and I will do my best to accommodate them.

With that said, the system looks stable both functionality- and design-wise so I think it’s time I up it to Beta.
So I’ll, once again, test the hell out of it, fix whatever needs fixing and give it to the world to beta test.
Then I’ll start writing some decent documentation for module/report development and user guides.

After all Arachni’s biggest strength is its extendability, so documentation is essential to make people see how easy it is to develop their own modules and generally contribute.

That’s all for now, time to watch the Greece vs Turkey basketball game.


I just finished the migration and I have to say that I like the Git/GitHub way.

Also, Eclipse nicely integrates with GitHub’s issue tracking system via the Mylyn – GitHub connector.

Furthermore, I cannot help but bow to the awesomeness of Git, it has somehow managed to be powerful and light.
Although it takes some getting used to, I think I’m going to stick with it for a long time.
Distributed SCMs give you a feeling of security, you have a full clone of the repos on your fingertips.
The remote repos may crash and burn and you can afford not to care. :P

And GitHub makes working with a bunch of people/projects (and watching their progress) extremely easy.

Arachni depends on a number of 3rd party libs to do its job, so being able to keep tabs on them is going to be a life saver down the line.

Anyways, enough talking, here’s what you need to know:
Arachni on GitHub: http://github.com/zapotek/arachni
Documentation: http://zapotek.github.com/arachni/
Issue tracker: http://github.com/Zapotek/arachni/issues

The SourceForge/Trac/SVN facilities will be left unmaintained and after a while I’ll shut them down altogether.
So…get on the GitHub wagon. ;)


To Git or not to Git?

I’m thinking of moving Arachni to Github, it’d be easier that way for other devs to submit code and work on the project with me.
I’ve been loyal to SourceForge for 4 years (it may not sound like a lot to you but it’s 1/5 of my lifetime ;) ) but Github seems like it’s worth it.

And since I’m doing a lot of work in Ruby nowadays, all the libs I use are on Github so it’d be easier to work on those libs as well and submit feedback.

So f’ it, why not give it a shot?

I’ll let you know as soon as I’m done with it. :)


Update
If you want to see the state of the framework you can take a look here:
http://arachni.sourceforge.net/file.DIAGRAMS.html
Right click -> View image to see it full-sized.
————

Finally I’ve run out of ideas and features to implement.
Every time I thought that the framework was good to go a new idea popped up in my head and I just had to implement it.
But I think that it’s time I start writing modules.

I’ve tested, I’ve bugfixed, I’ve optimized, I’ve added paradigm shifting behavior (the trainer[1]), I don’t think there’s anything more to add.
Well, there probably is and users will have feature requests but you know what I mean…

Of course I’ll back off for a couple of days to clear my head and if nothing else comes to me then I’ll start developing the modules.

It’s weird…I keep staring at the Ohloh badge, on your right, and I can’t believe that the framework only took 4K lines of code.
I really like that though, small codebase, easy to maintain, simple code… that’s what I wanna see. :D

Huh, I just took a look at: http://www.ohloh.net/p/arachni/analyses/latest
The whole project is closer to 7K LOCs if you take the comments into account, that’s why it feels bigger to me.
But hey, you’ve got to document your code. ;)

That’s all for now.

[1] The Trainer sub-system of the Arachni Framework analyses every HTTP response during the recon and audit stages and enables Arachni to learn about changes to the webpage under audit.
So if a new form or link or cookie dynamically appears as a result of the audit, Arachni is immediately aware of it and adds it to the queue of elements to be audited.
So it’s an expert-system kind of deal, it imitates human awareness and behavior (it sounds fancy, I know, but it’s really simple actually).
You’re probably thinking “Well, duh!”; however there’s a good chance that Arachni is the first system to implement this.
(If the last statement is wrong please let me know. :) )
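To make the Trainer idea from the footnote concrete, here is an added example (my own sketch, not Arachni’s Trainer code): a minimal trainer that looks at each response, pulls out links, form actions and cookie names, and returns only the ones not seen before so the caller can enqueue them for audit. The class name, the response Hash shape and the example URLs are assumptions.

```ruby
require 'set'
require 'uri'

# Added example, not Arachni's Trainer: inspects each HTTP response and returns
# the links, forms and cookies not seen before, for the caller to enqueue.
class MiniTrainer
  LINK_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"'#]+)["']/i
  FORM_RE = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/i
  def initialize(base_url)
    @base  = URI(base_url)
    @known = Set.new      # every element ever seen, of any kind
    @mutex = Mutex.new    # responses may arrive from several audit threads
  end

  # response is a constructed Hash: { body: String, headers: { 'Set-Cookie' => [String] } }
  # Returns only the new, in-scope elements as [[:link, url], [:form, url], [:cookie, name]].
  def train(response)
    found = []
    response[:body].scan(LINK_RE) { |(href)|   found << [:link, absolutize(href)] }
    response[:body].scan(FORM_RE) { |(action)| found << [:form, absolutize(action)] }
    Array(response[:headers]['Set-Cookie']).each do |c|
      name = c.split('=', 2).first.strip
      found << [:cookie, name] unless name.empty?
    end
    @mutex.synchronize { found.uniq.select { |e| in_scope?(e) && @known.add?(e) } }
  end

  def absolutize(path)
    (@base + path).to_s
  rescue URI::Error
    nil                   # unparsable target: dropped by in_scope?
  end

  def in_scope?((kind, value))
    return true if kind == :cookie
    !value.nil? && URI(value).host == @base.host   # stay on the audited host
  end
end

# Constructed responses: the second reveals a form and a cookie that only
# appeared after the audit touched the page; the off-site link is ignored.
def trainer_demo
  t = MiniTrainer.new('http://example.test/')
  first  = { body: '<a href="/login">Login</a><a href="http://other.test/x">out</a>',
             headers: { 'Set-Cookie' => ['session=abc; Path=/'] } }
  second = { body: '<a href="/login">Login</a><form action="/admin/search" method="post"></form>',
             headers: { 'Set-Cookie' => ['session=abc; Path=/', 'debug=1'] } }
  [t.train(first), t.train(second)]
end
```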


Ruby has blessed us with many a feature and cool ways to use them, one of them being the Queue.
However, you can’t iterate a Queue, you need to pop it and get one element at a time, which has been the de facto way of doing things for a long time.

You see, Queues are especially useful with threads.
They are thread-safe so they take care of synchronization themselves.

But what if you want to take advantage of that while keeping their elements in them?
You can’t do that with “pop”; sure you can fill the Queue after pop’ing all its elements but that’s not thread safe.

Well, in all actuality that’s the main reason you want to use a Queue, put a number of tasks in them and let the threads remove each task and take care of it.

When your thread has been emptied out this means that your work is done.

However, wouldn’t it be great if Queue had a thread-safe “each” method?
So I figured what the hell, let’s see if I can remedy that.
Keep in mind that this is kind of a rape of the queue data structure, I’m not sure that you can call it a queue anymore.
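As an added illustration of the thread-safe “each” the post asks for (example code of mine, not the post’s own or Arachni’s): a small Queue-like class that takes a snapshot of its elements under a Mutex, so iteration leaves the elements in place while other threads keep pushing and popping. The class and method names are assumptions.

```ruby
# Added example (not Arachni code): a Queue-like container that keeps its
# elements and offers a thread-safe `each` alongside the usual push/pop.
class IterableQueue
  def initialize
    @items = []
    @mutex = Mutex.new
    @cond  = ConditionVariable.new
  end

  def push(item)
    @mutex.synchronize { @items << item; @cond.signal }
    self
  end
  alias << push

  # Blocks until an item is available, like Queue#pop, then removes it.
  def pop
    @mutex.synchronize do
      @cond.wait(@mutex) while @items.empty?
      @items.shift
    end
  end

  # Iterates a snapshot taken under the lock; elements stay in the queue, so
  # concurrent pushes/pops cannot corrupt the iteration.
  def each(&block)
    return enum_for(:each) unless block
    @mutex.synchronize { @items.dup }.each(&block)
    self
  end

  def size
    @mutex.synchronize { @items.size }
  end
end

# Stress demo: writers push while readers iterate; returns the final size,
# which must equal producers * per_producer if nothing was lost.
def iterable_queue_demo(producers = 4, per_producer = 250)
  q = IterableQueue.new
  writers = producers.times.map do |p|
    Thread.new { per_producer.times { |i| q << [p, i] } }
  end
  readers = 3.times.map { Thread.new { 20.times { q.each { |_| } } } }
  (writers + readers).each(&:join)
  q.size
end
```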


raw2vmdk v0.1.3.1 released

After a feature request, support for all available VMDK disk types has been added.
Which isn’t as much work as it sounds. Heh…

Get it from here:
http://sourceforge.net/projects/raw2vmdk/files/

CHANGELOG

$Id: CHANGELOG 30 2010-08-14 06:39:14Z Zapotek $

Version 0.1.3.1
    * segfault/raw2vmdk/Raw2VMDK.java (main):
        fixed misleading example usage of the -Dtype parameter

Version 0.1.3
    * segfault/raw2vmdk/Raw2VMDK.java (main):
        added support for all available VMDK disk types

Version 0.1.2
    * segfault/raw2vmdk/Raw2VMDK.java (main):
        replaced "\n" characters with System.getProperty( "line.separator" )

Version 0.1.1
    * segfault/raw2vmdk/VMDKTemplate.java (VMDTemplate):
        now throws exception if template file is not found

    * segfault/raw2vmdk/Raw2VMDK.java (main):
        handles exception thrown by VMDKTemplate.java

Version 0.1
    * First version.

UPDATE
I ran the most recent trial version of WebInspect against its test site and I noticed an option specifically related to it.
The option was to login to the site with certain credentials.
It was separated from the “Web Form Editor”, which holds values to be automatically passed to forms during the crawl, so I hadn’t noticed it at first.

This led me to believe that WebInspect used hard-coded values to gain access to vulnerable pages that other scanners couldn’t.
After checking again I noticed that this specific option was enabled by default.

I guess there was something similar going on with the older versions as well that’s why WebInspect did a lot better on its test site than the other 2 scanners.

————

This story begins like so:
I just implemented the expert-system/trainer for Arachni and like any other time that I make changes I tested it against the test sites of the big boys.

As I’ve said before my usual baseline is the Anantasec report: http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html

Do me a favor and download the PDF file. Now scroll to page 23.
Doesn’t something look suspicious?
Like how WebInspect completely annihilates the competition?
These are the 2 URLs where WebInspect kicks ass:

The first one has a couple of curveballs, the form is not closed properly and the submit button is actually using JS.
Analyzing the broken form is kiddy stuff and you don’t even need JS to post it since you have the form action and method.

The second one looks like it should be an “action” attribute to some form nowhere to be found.

Thing is, the other scanners couldn’t find the vulnerabilities because there’s no path that leads to these pages from the web app’s index.
Arachni’s spider couldn’t find it, I couldn’t find it manually and the other scanners missed them too.

So I thought I’d get a trial version of WebInspect and see for myself and that’s when I noticed that the trial version only allows you to run WebInspect against its own test site.

Could it be that WebInspect has these hidden pages hard-coded to look good?
Imagine the following scenario:
You’ve got your hands on a number of trial versions of web scanners.
The other scanners impose some restrictions but allow you to run them against any site.
WebInspect only allows you to test it against its own test site.
So you end up running all of them against WebInspect’s test site to have the same baseline.
And WebInspect scores amazingly high while the others crash and burn.

Of course, some of my assumptions may be wrong.
Anantasec’s report may be outdated and the test site may have changed since then, the scanners may have changed etc etc…
And if that is the case I do apologize, however you’ve got to admit that this whole thing looks kind of sketchy.


Scratch the last post…

The fever and the migraines are throwing me off my game…

Probing was a half-smart idea but half-smart is also half-stupid, thus unacceptable.
Why probe things when the modules will do that anyway during the audit?

I’m all for keeping things simple and elegant and then it came to me, why not throw a little AI in there?
You know…enable Arachni to learn, expert system style.

Training Arachni using the server responses during the audit will eliminate any extra overhead and keep the HTTP requests to a minimum.
Plus “expert system” sounds cool. 8)


Arachni: Probe

Hello good people, I thought I’d give you an update on Arachni’s development.

I’m now working on a Probe class which does exactly as the name suggests.
It probes all auditable elements of a given page, links, forms, cookies, headers…the whole shebang.

This way the analyzer can provide the modules with a full range of paths through the cyclomatic complexity of a web app based on every available input.

Normally this wouldn’t be a big deal for a regular application, you just hammer it with as many input combinations as possible.
You know…the regular black box way…

But with web apps you’ve got to do things the smart way since you’ve got to deal with network latency.
And if that wasn’t enough you’ve got a lot of vectors to test and each one of them can affect the others.


I just tested Arachni against these:

I used Anantasec’s report as a baseline for how each of the aforementioned commercial vulnerability scanners performed against each other’s test sites.

I’m happy to report that in several situations Arachni found vulnerabilities that even these scanners couldn’t find in their own test sites.
Other times Arachni did better than some of the above and in other cases it of course did worse.

I’ve added some items on my TODO list and as soon as I implement them I’ll run the tests again and post the full reports so you can compare the results yourselves.

However this is wonderfully delightful, especially when taking into account that the modules that Arachni has right now are merely placeholders for me to test the framework core.

I mean…how cool is that?
