at least i decided to take this blog out of magazine releases news fashion, and pulled one of ideas out of my head, implement it, and write a little about it here.
anyway,let's get on the subject.
Certainly you have experience in working by WEB Application Vulnerability Scanners.They are all going to be improved and this is a big threat to all of web applications.both commercial and non-commercial web apps.
although there is many false positive in their results but most of them make the way of attacking luminous to us.It's great that you can find most of hidden directory in the web sites, check for SQL injection, Cross Site Scripting, Cross Site Request Forgery and so on.
This is great for pen-tester and a threat for security managers !
umm, the question that i asked myself many times was: how to scape from these web app scanners?
I scanned a Content management system(CMS) a few web application vulnerability scanners many many times.then sniffed the requests and the responses.after all i've founded that there is an unique USER-AGENT for each of these web app vuln scanners.in some of them you can change the USER-AGENT value,but in some this options is not implemented.and of course many users of these softwares that allow you to change, do not change the default value of USER-AGENT. So this is a good way to identify the web app vuln scanner softwares. however this can not fool elite users of these softwares.
It was still a possibility, not a fact. So i decided to examine this.
I fired up IBM Rational AppScan. Then check the request that AppScan Sent to remote http server. It was "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" .
Also you can grab this USER-AGENT value by a short PHP code such as:
It will write down the USER-AGENT value of anything(browser, web app scanner and so on...) that request this page in data.txt besid itself.
Well,this is a good idea to foolish these scanners. So we fake a 404 error page for them.ha?!
ok let's write the code..
then i've scanned this page by AppScan automatically and it just detected the 404 error. then found out Manual test in Scan menu.I send a query and again 404 !
after all i saw AppScan Browser.I opend the page with it,and yes welcome message :-(
I checked it and found out that it use a different USER-AGENT, So i grab it and added in IF condition after an OR Logical Operator.then refreshed the page and finally 404 error :-)
finaly the code goes something like this:
be careful about what USER-AGENT you are fil*ter*ing in your code.if you fil*ter a usual USER-AGENT , so many of blameless visitors of your web site see 404 error page!!
well,may be it's not the best way and writing a secure program is better, but always there is something that you forget,and there is someone else that [ab]use it to smash your web app ! so this can be a guard between you and the Artificial Intelligence of these Web App vuln scanners.though you can not foolish an elite user with these kind of tricks.;)
that was all..
P.s. : this post is old! more or less for 7 months ago, I took this in draft for some skit reasons but now decided to publish it.
comments are welcomed ;-)
Posts
