どーも。ばぁどです。 脆弱性診断を仕事としています。元Webアプリエンジニアです。 開発もできる脆弱性診断士を目指しています。

今回はやられ用のWebサイトであるBadStoreに、自動脆弱性診断ツールであるOWASP ZAPで動的に検査してみました。

OWASP ZAPの結果を貼り付けただけの雑記事です。

BadStore とは

やられ用のWebサイトです。 筆者はローカルプロキシツールであるBurpSuiteの拡張として入れました。

github.com

OWASP ZAP

脆弱性診断ツール。

www.zaproxy.org

感想

OWASP ZAPのレポートが非常に長いので、先に感想を。

自動脆弱性診断ツールは非常に便利。手動診断と比べても早く、網羅的に、人手を使わずにある程度の脆弱性を見つけてくれています。ツールごとに得意・不得意があったり、逆に手動診断でないと見つけることができない部分はあるはずなので、そういった理解を深めていきたい。

ZAP Scanning Report

Summary of Alerts

Risk Level	Number of Alerts
High	6
Medium	3
Low	6
Informational	0

Alert Detail

Cross Site Scripting (Reflected)

High (Medium)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: comments

  • Attack: </b><script>alert(1);</script><b>

  • Evidence: </b><script>alert(1);</script><b>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supupload

  • Method: POST

  • Parameter: viewfilename

  • Attack: <script>alert(1);</script>

  • Evidence: <script>alert(1);</script>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: fullname

  • Attack: <script>alert(1);</script>

  • Evidence: <script>alert(1);</script>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: name

  • Attack: </b><script>alert(1);</script><b>

  • Evidence: </b><script>alert(1);</script><b>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: newemail

  • Attack: </p><script>alert(1);</script><p>

  • Evidence: </p><script>alert(1);</script><p>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: email

  • Attack: </b><script>alert(1);</script><b>

  • Evidence: </b><script>alert(1);</script><b>

Instances: 6

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

• http://projects.webappsec.org/Cross-Site-Scripting
• http://cwe.mitre.org/data/definitions/79.html

CWE Id : 79

WASC Id : 8

Source ID : 1

SQL Injection - SQLite

High (Medium)

Description

SQL injection may be possible.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: newemail

  • Attack: '

  • Evidence: near "test": syntax error

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: fullname

  • Attack: '

  • Evidence: near "test": syntax error

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Parameter: pwdhint

  • Attack: '

  • Evidence: near "ZAP": syntax error

Instances: 3

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Other information

RDBMS [SQLite] likely, given error message regular expression [near ".+": syntax error] matched by the HTML results.

The vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised

Reference

• https://www.owasp.org/index.php/Top_10_2010-A1
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id : 89

WASC Id : 19

Source ID : 1

SQL Injection - Authentication Bypass

High (Medium)

Description

SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Parameter: pwdhint

  • Attack: '

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: newemail

  • Attack: '

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: fullname

  • Attack: '

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierportal

  • Method: POST

  • Parameter: email

  • Attack: ZAP' AND '1'='1' --

Instances: 4

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

• https://www.owasp.org/index.php/Top_10_2010-A1
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id : 89

WASC Id : 19

Source ID : 1

Path Traversal

High (Medium)

Description

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Most web sites restrict user access to a specific portion of the file-system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executable necessary to drive web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will utilize the ability of special-characters sequences.

The most basic Path Traversal attack uses the "../" special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the "../" sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding ("..%u2216" or "..%c0%af") of the forward slash character, backslash characters ("..\") on Windows-based servers, URL encoded characters "%2e%2e%2f"), and double URL encoding ("..%255c") of the backslash character.

Even if the web server properly restricts Path Traversal attempts in the URL path, a web application itself may still be vulnerable due to improper handling of user-supplied input. This is a common problem of web applications that use template mechanisms or load static text from files. In variations of the attack, the original URL parameter value is substituted with the file name of one of the web application's dynamic scripts. Consequently, the results can reveal source code because the file is interpreted as text instead of an executable script. These techniques often employ additional special characters such as the dot (".") to reveal the listing of the current working directory, or "%00" NULL characters in order to bypass rudimentary file extension checks.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supupload

  • Method: POST

  • Parameter: viewfilename

  • Attack: ../../../../../../../../../../../../../../../../etc/passwd

  • Evidence: root:*:0:0

Instances: 1

Solution

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses, and exclude directory separators such as "/". Use a whitelist of allowable file extensions.

Warning: if you attempt to cleanse your data, then do so that the end result is not in the form that can be dangerous. A sanitizing mechanism can remove characters such as '.' and ';' which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a dangerous form. Suppose the attacker injects a '.' inside a filename (e.g. "sensi.tiveFile") and the sanitizing mechanism removes the character resulting in the valid filename, "sensitiveFile". If the input data are now assumed to be safe, then the file may be compromised.

Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked.

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links.

Run your code using the lowest privileges that are required to accomplish the necessary tasks. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.

Reference

• http://projects.webappsec.org/Path-Traversal
• http://cwe.mitre.org/data/definitions/22.html

CWE Id : 22

WASC Id : 33

Source ID : 1

Cross Site Scripting (Persistent)

High (Medium)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: comments

  • Attack: </b><script>alert(1);</script><b>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: name

  • Attack: </b><script>alert(1);</script><b>

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: email

  • Attack: </b><script>alert(1);</script><b>

Instances: 3

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Other information

Source URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

Reference

• http://projects.webappsec.org/Cross-Site-Scripting
• http://cwe.mitre.org/data/definitions/79.html

CWE Id : 79

WASC Id : 8

Source ID : 1

SQL Injection

High (Medium)

Description

SQL injection may be possible.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierportal

  • Method: POST

  • Parameter: email

  • Attack: ZAP' AND '1'='1' --

Instances: 1

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Other information

The page results were successfully manipulated using the boolean conditions [ZAP' AND '1'='1' -- ] and [ZAP' AND '1'='2' -- ]

The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison

Data was returned for the original parameter.

The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

Reference

• https://www.owasp.org/index.php/Top_10_2010-A1
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id : 89

WASC Id : 19

Source ID : 1

X-Frame-Options Header Not Set

Medium (Medium)

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=loginregister&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=myaccount&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=myaccount

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=whatsnew&cartitems=1003

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=guestbook

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=supplierportal&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=register&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierlogin

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login

  • Method: POST

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierportal

  • Method: POST

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=guestbook&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supupload

  • Method: POST

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/scanbot/scanbot.html

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=viewprevious

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: GET

  • Parameter: X-Frame-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=supplierlogin&searchquery=ZAP

  • Method: GET

  • Parameter: X-Frame-Options

Instances: 39

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

• http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id : 16

WASC Id : 15

Source ID : 3

Application Error Disclosure

Medium (Medium)

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Evidence: HTTP/1.1 500 Internal Server Error

Instances: 1

Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id : 200

WASC Id : 13

Source ID : 3

X-Frame-Options Header Not Set

Medium (Medium)

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

• URL: http://detectportal.firefox.com/canonical.html

  • Method: GET

  • Parameter: X-Frame-Options

Instances: 1

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

• http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id : 16

WASC Id : 15

Source ID : 3

X-Content-Type-Options Header Missing

Low (Medium)

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=admin

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/xml.gif

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/BadStore.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=whatsnew&searchquery=ZAP

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/frmvrfy.js

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/1012.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/1014.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/1011.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=viewprevious&searchquery=ZAP

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=supupload&searchquery=ZAP

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/1000.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=doguestbook

  • Method: POST

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/images/1009.jpg

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=viewprevious

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=whatsnew&cartitems=1003&searchquery=ZAP

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/scanbot/scanbot.html

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierportal

  • Method: POST

  • Parameter: X-Content-Type-Options

Instances: 61

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

• http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id : 16

WASC Id : 15

Source ID : 3

Cookie No HttpOnly Flag

Low (Medium)

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login

  • Method: POST

  • Parameter: SSOid

  • Evidence: Set-Cookie: SSOid

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Parameter: SSOid

  • Evidence: Set-Cookie: SSOid

Instances: 2

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

• http://www.owasp.org/index.php/HttpOnly

CWE Id : 16

WASC Id : 13

Source ID : 3

Web Browser XSS Protection Not Enabled

Low (Medium)

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=whatsnew

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=aboutus

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierlogin

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=guestbook&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=cartview

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=moduser

  • Method: POST

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=supplierportal

  • Method: POST

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=login

  • Method: POST

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/bsheader.cgi

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=loginregister&action=qsearch&searchquery=ZAP

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=myaccount

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=loginregister

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=viewprevious

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=viewprevious&searchquery=ZAP

  • Method: GET

  • Parameter: X-XSS-Protection

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=qsearch&action=supplierlogin&searchquery=ZAP

  • Method: GET

  • Parameter: X-XSS-Protection

Instances: 39

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

• https://www.owasp.org/index.php/XSS(Cross_Site_Scripting)Prevention_Cheat_Sheet
• https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id : 933

WASC Id : 14

Source ID : 3

Content-Type Header Missing

Low (Medium)

Description

The Content-Type header was either missing or empty.

• URL: http://127.0.0.1:8528/backup

  • Method: GET

• URL: http://127.0.0.1:8528/sitemap.xml

  • Method: GET

• URL: http://127.0.0.1:8528/cgi-bin

  • Method: GET

• URL: http://127.0.0.1:8528/upload

  • Method: GET

• URL: http://127.0.0.1:8528/cgi-bin/badstore.cgi?action=register

  • Method: POST

Instances: 5

Solution

Ensure each page is setting the specific and appropriate content-type value for the content being delivered.

Reference

• http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

CWE Id : 345

WASC Id : 12

Source ID : 3

X-Content-Type-Options Header Missing

Low (Medium)

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

• URL: http://detectportal.firefox.com/canonical.html

  • Method: GET

  • Parameter: X-Content-Type-Options

• URL: http://detectportal.firefox.com/success.txt?ipv4

  • Method: GET

  • Parameter: X-Content-Type-Options

Instances: 2

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

• http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id : 16

WASC Id : 15

Source ID : 3

Web Browser XSS Protection Not Enabled

Low (Medium)

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

• URL: http://detectportal.firefox.com/canonical.html

  • Method: GET

  • Parameter: X-XSS-Protection

Instances: 1

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

• https://www.owasp.org/index.php/XSS(Cross_Site_Scripting)Prevention_Cheat_Sheet
• https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id : 933

WASC Id : 14

Source ID : 3

どーも、ばぁどです。 BurpSuiteの拡張機能をPythonで書いてみました。

なぜやろうと思ったのか

BurpSuiteと仲良くなりたかったのことをよく知りたかったからです。

脆弱性診断にジョブチェンしてBurpSuiteというローカルプロキシツールに出会いました。 今までWebアプリケーション開発を生業にしていた筆者からしたら、あまり絡むことのなかったツールであり、要領を掴むのが大変でした。 とある日、会社のメンバーがPythonでButpSuiteの拡張機能を書いていることを知り、プログラマとしての経験を活かしながらBurpSuiteを知ることができると思い、拡張機能を書いてみた次第です。

実行結果

下図のように、BurpSuiteを中継してサーバーに飛ぶリクエストにオリジナルのヘッダーをつけることができます。

下記のオリジナルのヘッダーが付与されていることがわかりますか？（赤枠部分）

X-Original-Header: UltraBird

リクエストにオリジナルヘッダーが付くイメージは下記のようなイメージです。 今回のオリジナルヘッダーを確認するためには、BurpSuiteを二つ立ち上げる必要があります。

このサンプルを拡張機能として作ったからといって、何ができるかというと、別に何も影響はないのですが苦笑。今回のサンプルを用いながら、今後診断業務が便利になるコードを書いていきたい。

書いたコード

from burp import IBurpExtender
from burp import IHttpListener

class BurpExtender(IBurpExtender, IHttpListener):
    def __init__(self):
        self.new_header = "X-Original-Header: UltraBird"

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("My Original Extension")
        callbacks.registerHttpListener(self)
        return

    def processHttpMessage(self, tool_flag, is_message_request, current_request):
        if not is_message_request:
            return

        request_info = self.get_request_info(current_request)

        header_list = self.get_header_from_current_request(request_info)
        body_info = self.get_body_from_current_request(current_request, request_info)

        new_request = self.create_new_request(header_list, body_info)
        current_request.setRequest(new_request)

        return

    def get_request_info(self, current_request):
        return self._helpers.analyzeRequest(current_request)

    def get_header_from_current_request(self, request_info):
        return list(request_info.getHeaders())

    def get_body_from_current_request(self, current_request, request_info):
        body_bytes = current_request.getRequest()[request_info.getBodyOffset():]
        return self._helpers.bytesToString(body_bytes)

    def create_new_request(self, header_list, body_info):
        header_list.append(self.new_header)
        return self._helpers.buildHttpMessage(header_list, body_info)

コードはBurpSuiteの公式リファレンスを参考にしつつ、インターネット上のものを参考にしながら作成させていただきました。 ユニットテストもそのうち追加したい。

portswigger.net

備忘録：BurpSuiteでPythonの拡張コードを読み込ませる方法

BurpSuiteは基本的にJavaで動いています。 BurpSuiteを動かすときにjarを利用することがあれば、拡張機能も大部分がjarで配布されており、jarファイルを読み込むことで拡張機能を使用することができます。

今回はPythonで拡張機能を書いたため、BurpSuiteでPythonを読み込めるようにする必要があります。

手順1. Jython ファイルを入手する

最初にJavaで動いているBurpSuiteにPythonを読み込ませるためのjarファイルをjythonの公式サイトから用意します。

www.jython.org

[Extender]→[Options]→[Python Environment]→[select File...]から、ダウンロードしたjarファイルを読み込ませます。

対象ファイルを選択して[Open]をクリックするとjarファイルが読み込まれます。

手順2. Pyhonを読み込む拡張機能を追加する

Python Scripter という拡張機能を読み込ませます。

github.com

[Extender]→[B App Store] →(検索ボックスで)[python scripter]と検索し、インストール。

手順3. 作成したPythonコードを拡張機能として読み込ませる

[Extender]→[Extentions]→[Add]

[Java]を[Python]に変更し、[Select file...]をクリック。

作成したPython ファイルを選択する。

手順4. 読み込まれたことを確認して終了

もしPythonコードにエラーがあれば、この時点でエラーだとわかります。

エラーが出なければ完了です。お疲れ様でした。

まとめ

まだBurpSuiteを触りきれていないので、どういったツール、拡張機能があれば便利なのかはわかっていないです。しかし今後脆弱性診断を続けて行くにつれて、そういった視野が開けて行くことに期待しております。

最近、仕事でNiktoを使うようになっているので、Niktoに対しての備忘録。

• Niktoとは？
  • 概要①(英語)
  • 概要①(日本語訳(基本はGoogle翻訳))
  • 概要①の要約
  • 概要②(英語)
  • 概要②(基本はGoogle翻訳))
  • 概要②の要約
  • Niktoのゴール(英語)
  • Niktoのゴール(基本はGoogle翻訳))
  • Niktoのゴールの要約
• 基本的なオプション
• 実際にやってみる
  • コマンド
  • 実行結果(ターミナル)
  • 【おまけ】実行結果(サーバー側)
• まとめ

Niktoとは？

github.com

概要①(英語)

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

概要①(日本語訳(基本はGoogle翻訳))

Niktoはオープンソース（GPL）ライセンスで作成されている、Webサーバースキャナーであり、6700を超える潜在的に危険なファイル/プログラムを含む複数のアイテムについて、Webサーバーに対して包括的なテストを実行し、1250を超えるサーバーの古いバージョンをチェックし、270を超えるサーバーでバージョン固有の問題をチェックします。また、複数のインデックスファイルの存在、HTTPサーバーオプションなどのサーバー構成項目をチェックし、インストールされているWebサーバーとソフトウェアの識別を試みます。スキャンアイテムとプラグインは頻繁に更新され、自動的に更新できます。

概要①の要約

要約すると、Niktoは一言で言うとWebサーバースキャナー。 オープンソース(GPL)ライセンスで作成されているOSS。 6700を超える危険なファイル、プログラムなどのアイテムを知っており、それらの知見をもとにWebサーバーに対して、それらの危険なファイル、プログラムが存在しないかの包括的なテストを実行することができます。

6700というのは、危険なファイルの定義は定かではないが、他のものとして多種多様なWebサーバー(Apache, Nginx)、プログラム言語(PHP、Java・・・)、Webフレームワーク(lalavel, Struts)、CMS(WordPress、Drupal)などのデフォルトの公開設定しているファイルが公開状態になっていないかの検査パターンが用意されているという認識でいいだろう。

概要②(英語)

Not every check is a security problem. There are some items that are "info only" type checks that look for things that may not have a security flaw, but Pentester may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files. Not every check is a security problem. There are some items that are "info only" type checks that look for things that may not have a security flaw, but Pentester may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

概要②(基本はGoogle翻訳))

Niktoはステルスツールとして設計されていません。可能な限り迅速にWebサーバーをテストし、ログファイルまたはIPS / IDSで明らかになります。ただし、試してみたい（またはIDSシステムをテストしたい）場合に備えて、LibWhiskerのアンチIDSメソッドがサポートされています。 すべてのチェックがセキュリティの問題であるとは限りません。セキュリティ上の欠陥がない可能性のあるものを探す「情報のみ」のタイプのチェックである項目がいくつかありますが、Pentesterはサーバーに存在することを知らない可能性があります。これらのアイテムは通常、印刷される情報に適切にマークされています。ログファイルでスキャンされた不明なアイテムのチェックもいくつかあります。

概要②の要約

Niktoはステルスツールではない。なので、サーバーを監視している人に気づかれないように扱うようなツールではない。以前、SOC研修を受けた時、SIEMでサーバーへのリクエスト量を計測していたら、急激にリクエスト数が跳ね上がって監視役の人があたふたしたのを思い出した。確か、サーバーへ大量アクセスするときの手法としてNiktoを使ったって講師の人言っていたなぁ。。。 その時はスモークスクリーンとして使用されていて、Niktoのアクセスで監視役があたふたしているときに、本当にやりたい攻撃(XSSやSQLi)などを入れ込んでいた記憶。

Niktoのゴール(英語)

The goal of the project is to examine a web server to find potential problems and security vulnerabilities, including: ・Server and software misconfigurations ・Default files and programs ・Insecure files and programs ・Outdated servers and programs ・Pointers to lead a human tester to better manual testing Nikto is built on LibWhisker2 (by Rain Forest Puppy) and can run on any platform which has a Perl environment. It supports SSL, proxies, host authentication, attack encoding and more.

Niktoのゴール(基本はGoogle翻訳))

Niktoの目標は、Webサーバーを調べて、次のような潜在的な問題とセキュリティの脆弱性を見つけることです。 ・サーバーとソフトウェアの構成ミス ・デフォルトのファイルとプログラム ・安全でないファイルとプログラム ・古いサーバーとプログラム 人間のテスターをより良い手動テストに導くためのポインター Niktoは（Rain Forest Puppyによる）LibWhisker2上に構築されており、Perl環境を持つ任意のプラットフォームで実行できます。 SSL、プロキシ、ホスト認証、攻撃エンコーディングなどをサポートします。

Niktoのゴールの要約

引用形式では箇条書きが崩れてしまっているが、箇条書きの部分は下記。

• サーバーとソフトウェアの構成ミス
• デフォルトのファイルとプログラム
• 安全でないファイルとプログラム
• 古いサーバーとプログラム

人間のミスによる意図せず公開してしまっているファイルやディレクトリを見つけることや、安全ではないプログラムなどを見つけることができる。また、Perl環境で動いているので、Niktoを動かす際にPerl環境が必要な場合が存在する。

基本的なオプション

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes--treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
              + requires a value

実際にやってみる

コマンド

$ perl nikto.pl -h 127.0.0.1 -p 8000 -nolookup -Format txt -o 

なんかPerlが既に入っていたのでPerlコマンドで実行。

ローカルにDjangoで簡易的なWebアプリを作成し試行しました。なので、portも通常のhttp/https通信で使われる80や443ではなく、Webアプリを立ち上げているportを指定。フォーマットとしては、txt形式で出力されるように指定しました。

実行結果(ターミナル)

$ perl nikto.pl -h 127.0.0.1 -p 8000 -nolookup -Format txt -o test_2021_0717_valtan_text.txt
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    127.0.0.1
+ Target Port:        8000
---------------------------------------------------------------------------
+ SSL Info:        Subject:  
                   Ciphers:  
                   Issuer:   
+ Start Time:         2021-07-18 15:50:01 (GMT9)
---------------------------------------------------------------------------
+ Server: WSGIServer/0.2 CPython/3.7.2
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '127.0.0.1' does not match certificate's names: 
+ OSVDB-17113: /SilverStream: SilverStream allows directory listing
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ Server banner changed from 'WSGIServer/0.2 CPython/3.7.2' to 'WSGIServer/0.2 Python/3.7.2'
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8078 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2021-07-18 15:51:13 (GMT9) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

フィイルとしてアウトプットされたのも上記と同じ内容が出力されていた。

内容を見てみると、ヘッダーにStrict-Transport-Securityがついていないとの指摘が。ローカルの開発なので勘弁・・・

気になるのが、Djangoのプロジェクトなのにwordpressに関連するwp-includesやwordpressなどが検知されていること。ローカル環境、変な汚れ方しているのかな・・・わからん。

【おまけ】実行結果(サーバー側)

当たり前のようだが、Niktoから大量のリクエストを受け付けていることを確認。

一部抜粋。nginxのファイルや、Docker、GitHubのReadmeなど考えられるありとあらゆる公開されていると思われるファイルへのリクエストを投げて404が返ってくる(ファイルが存在しない)ことを確認している。

[18/Jul/2021 06:51:13] "GET /nginx_status HTTP/1.1" 404 2089
Not Found: /Dockerfile
[18/Jul/2021 06:51:13] "GET /Dockerfile HTTP/1.1" 404 2083
Not Found: /cdn-cgi/trace
[18/Jul/2021 06:51:13] "GET /cdn-cgi/trace HTTP/1.1" 404 2092
Not Found: /v1/tasks
[18/Jul/2021 06:51:13] "GET /v1/tasks HTTP/1.1" 404 2077
Not Found: /v2/tasks
[18/Jul/2021 06:51:13] "GET /v2/tasks HTTP/1.1" 404 2077
Not Found: /v3/tasks
[18/Jul/2021 06:51:13] "GET /v3/tasks HTTP/1.1" 404 2077
Not Found: /v4/tasks
[18/Jul/2021 06:51:13] "GET /v4/tasks HTTP/1.1" 404 2077
Not Found: /.dockerignore
[18/Jul/2021 06:51:13] "GET /.dockerignore HTTP/1.1" 404 2092
Not Found: /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp
[18/Jul/2021 06:51:13] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 404 2237
Not Found: /
[18/Jul/2021 06:51:13] "GET / HTTP/1.1" 404 2035
Not Found: /var/
[18/Jul/2021 06:51:13] "GET /var/ HTTP/1.1" 404 2065
Not Found: /var/log/
[18/Jul/2021 06:51:13] "GET /var/log/ HTTP/1.1" 404 2077
Not Found: /etc/
[18/Jul/2021 06:51:13] "GET /etc/ HTTP/1.1" 404 2065
Not Found: /.ftpconfig
[18/Jul/2021 06:51:13] "GET /.ftpconfig HTTP/1.1" 404 2083
Not Found: /.remote-sync.json
[18/Jul/2021 06:51:13] "GET /.remote-sync.json HTTP/1.1" 404 2104
Not Found: /.vscode/ftp-sync.json
[18/Jul/2021 06:51:13] "GET /.vscode/ftp-sync.json HTTP/1.1" 404 2116
Not Found: /.vscode/sftp.json
[18/Jul/2021 06:51:13] "GET /.vscode/sftp.json HTTP/1.1" 404 2104
Not Found: /deployment-config.json
[18/Jul/2021 06:51:13] "GET /deployment-config.json HTTP/1.1" 404 2119
Not Found: /ftpsync.settings
[18/Jul/2021 06:51:13] "GET /ftpsync.settings HTTP/1.1" 404 2101
Not Found: /sftp-config.json
[18/Jul/2021 06:51:13] "GET /sftp-config.json HTTP/1.1" 404 2101

まとめ

• NiktoはWebサーバーのスキャナー
• 大量の多種多様な検査パターンのリクエストを投げて、意図しないファイルが公開されていないかを確認できる
• 案外使ってみて楽だった

ドキュメントが公式で非常によくまとまっており、とても分かりやすかった。これを経たとして、Niktoマスターになったわけではないが、もう少し業務で扱えるようになりたいなぁ・・・