at least i decided to take this blog out of magazine releases news fashion, and pulled one of ideas out of my head, implement it, and write a little about it here.
anyway,let's get on the subject.
Certainly you have experience in working by WEB Application Vulnerability Scanners.They are all going to be improved and this is a big threat to all of web applications.both commercial and non-commercial web apps.
although there is many false positive in their results but most of them make the way of attacking luminous to us.It's great that you can find most of hidden directory in the web sites, check for SQL injection, Cross Site Scripting, Cross Site Request Forgery and so on.
This is great for pen-tester and a threat for security managers !
umm, the question that i asked myself many times was: how to scape from these web app scanners?
I scanned a Content management system(CMS) a few web application vulnerability scanners many many times.then sniffed the requests and the responses.after all i've founded that there is an unique USER-AGENT for each of these web app vuln scanners.in some of them you can change the USER-AGENT value,but in some this options is not implemented.and of course many users of these softwares that allow you to change, do not change the default value of USER-AGENT. So this is a good way to identify the web app vuln scanner softwares. however this can not fool elite users of these softwares.
It was still a possibility, not a fact. So i decided to examine this.
I fired up IBM Rational AppScan. Then check the request that AppScan Sent to remote http server. It was "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" .
Also you can grab this USER-AGENT value by a short PHP code such as:
It will write down the USER-AGENT value of anything(browser, web app scanner and so on...) that request this page in data.txt besid itself.
Well,this is a good idea to foolish these scanners. So we fake a 404 error page for them.ha?!
ok let's write the code..
then i've scanned this page by AppScan automatically and it just detected the 404 error. then found out Manual test in Scan menu.I send a query and again 404 !
after all i saw AppScan Browser.I opend the page with it,and yes welcome message :-(
I checked it and found out that it use a different USER-AGENT, So i grab it and added in IF condition after an OR Logical Operator.then refreshed the page and finally 404 error :-)
finaly the code goes something like this:
be careful about what USER-AGENT you are fil*ter*ing in your code.if you fil*ter a usual USER-AGENT , so many of blameless visitors of your web site see 404 error page!!
well,may be it's not the best way and writing a secure program is better, but always there is something that you forget,and there is someone else that [ab]use it to smash your web app ! so this can be a guard between you and the Artificial Intelligence of these Web App vuln scanners.though you can not foolish an elite user with these kind of tricks.;)
that was all..
P.s. : this post is old! more or less for 7 months ago, I took this in draft for some skit reasons but now decided to publish it.
comments are welcomed ;-)
6 comments:
Jaleb boood.. :) :D
Cool topic, but as you mentioned in the post filtering user-agent is not a good workaround for this .
What really fool automated tools is not how application response to a specific action . Modern web-applications are getting more and more dynamic and modern automated tools for them too !
Checking internals of top tools of marked you`ll find that relaying on 200/404/500 error codes is no more the way they crawl and generate alerts.
Most of them now relay on behavior of the target , not looking for known hard-coded responses . 404 case of example is well covered in Webinspect for example , by implementing methods to detect custom 404 errors.
IMO , the best solution for this problem is to design/config web-application & web-server in a way that they generate less obvious behaviors against automated eyes. Assume a web-app/web-server that generate exactly same result for all kind of errors , from 404 to what ever you say . The easiest way to implement it is to redirect all errors to index page . Check it with automated tools again and you`ll be impressed by the result :)
After all , there`s no single solution . Mixing multiple tricks like the one you mentioned, the one I exampled , and other solutions like URL rewriting , burst detection , web-app firewalls , ... will help admins defeating such tools much more effectively .
& pity about upcoming snoop-mag, I had no free time to finish any of my half-written articles and contents :)
Hamid, thanks for your comment.
Yes, it's not an stable and good way at all. there is a bunch of difficulties on the way of this technique, such as it may conflict with normal user browsers' user-agent and block them from browsing web-site, or some proxy servers that change the user-agent on-fly and may make trouble.
And on the other hand the techniques that you mentioned, and currently web app vuln scanners using to break these kind of defends.
As you read, I've drove all the post on "AppScan" and it worked(btw, I have no idea on degree of intelligent on AppScan and comparison between AppScan and other scanners on this degree). I hadn't Webinspect to test out this issue at the time.
But I admit that this is not a good protection at all and for a favorable security on web-apps developer should use the mixed techniques that you mentioned in your comment especially coordinating the web-app/web-server on bouncing back similar error code to bypass these kind of intelligency .
uh, I hope you get time to finish them for next issue.
thanks for the comment :-)
Just to note, AppScan let you customize user-agent too . And , In real world, we should consider that most of those who have paid something between 10 to 40k USD for such tools , will try to get the best out of possibilities they provide , not just using default scan policies.
After all , this is a long story and hard to fit in a single post or comment :)
yes, I'm completely agree on this with you ;)
Hi, you have a good blog, hope to see you in my blog, if you want I can put you in my link's section .
Post a Comment