WebApp Throwdown!
Tuesday, 12 January 2010 21:33

WebApp Scanning Throwdown!

Starring: Nexpose Enterprise, Nessus 4.2 Professional Feed and Core Impact v10

The Victim: http://demo.testfire.net/ (Sorry IBM... not!)

Revised: 1/19/2010


Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and mis-read a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there's not a lot of difference though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

I feel the most important conclusions that can be drawn from this comparison are:

  1. You can't rely on one tool to find all your issues
  2. You need to make sure your tools are properly configured for maximum results
  3. No tool will find everything, but it will be a good indicator you may need to take something apart to look at it more closely

The Setup

I used three different computers, one for each scanning product. These were identical NC6715b HP laptop computers, AMD 64-bit processors with 4GB of RAM. Core Impact ran under Windows XP Pro with SP3, while Nexpose and Nessus ran under RedHat Enterprise Linux 5.4.

I chose the fake banking website Altoro Mutual as the target for this throwdown due to its independence from the three products being used, and of course we did not want to attack any real targets.

For Nexpose, I used the built-in Web Audit scanning template, and merely configured a site with the target host. In Core Impact, I simply used the Rapid Penetration Testing scan and attacks under the Web assessment section. For Nessus, I had to create my own scanning policy by enabling just those plugins related to WebApp scanning. I used this Nessus Document and this discussion on Tenable Security's website as a source to determine what plugins to enable.

Core Impact is proxy-aware and had no problem performing its attacks through an internal proxy to the Internet. In contrast, both Nexpose and Nessus are proxy-ignorant and had to be directly connected to the evil, festering Internet in order to perform their scans.

The Results

All three scanners correctly identified the SQL injection vulnerability in the "login.aspx" URL of the demo.testfire.net website. Additionally, all three were able to find Cross-Site Scripting (XSS) vulnerabilities in "login.aspx", "search.aspx" and "comment.aspx".

However, Core Impact did not identify any other WebApp vulnerabilities in the target. Both Nessus and Nexpose found additional issues, such as browsable directories, lack of encryption, and weak authentication.

Nexpose flagged the "/bank/" directory as browsable. Nessus found the same directory, but didn't explicitly list it as browsable. Nessus found additional directories ("/Admin/", "/admin/" and "/images") but they are not browsable.

Nessus provided the most results, with additional finds that Nexpose and Core Impact didn't catch, including:

  • A possible SQL injection vulnerability in "customize.aspx"
  • The website uses plain text authentication (i.e. no HTTPS)
  • Auto-Complete is not disabled on the login form (setting autocomplete to "off" tells browsers not to let the end-user store their password in the browser for later use)
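
As an added illustration (not code from the original article or from any of the three products), the following Python check shows what the last two Nessus findings amount to: it parses a login form and flags a password form that posts over plain HTTP, and a password field that lacks autocomplete="off". The host name and HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect every <form> with its action, autocomplete attribute and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without "=value"
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "autocomplete": (a.get("autocomplete") or "").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": a.get("name") or "",
                 "autocomplete": (a.get("autocomplete") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return finding strings for every form on the page that carries a password field."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        pw_fields = [i for i in form["inputs"] if i["type"] == "password"]
        if not pw_fields:
            continue  # no credentials submitted by this form
        target = urljoin(page_url, form["action"])  # relative actions resolve against the page
        if urlparse(target).scheme != "https":
            findings.append(f"plain text authentication: {target}")
        for field in pw_fields:
            # autocomplete="off" on either the form or the field suppresses password storage
            if form["autocomplete"] != "off" and field["autocomplete"] != "off":
                findings.append(f"autocomplete not disabled on password field '{field['name']}'")
    return findings


# Constructed sample resembling a bank login page; not fetched from any real site.
SAMPLE_HTML = """<html><body><form action="/bank/login.aspx" method="post">
<input type="text" name="uid"><input type="password" name="passw">
<input type="submit" value="Login"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page("http://example.test/bank/login.aspx", SAMPLE_HTML):
        print(finding)
```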

The Upshot

First off, let's be clear that Core Impact is a penetration testing tool, not a vulnerability assessment tool. It only checks for vulns that it could potentially exploit to install agents. There are many potential vulnerabilities it will not flag (such as unencrypted webpages) which are still quite significant for web application security. Anyone who is using Core Impact for vulnerability assessments has failed to read the documentation. Core Impact is a great tool used in conjunction with actual vulnerability scanners.

Both Nessus and Nexpose worked great, but Nessus had to be configured to do WebApp scanning. It is possible the configurations used in this Throwdown were not optimal. In the end, both Nessus and Nexpose caught the most serious problems (SQL Injection and XSS). And both scanners have a "free" version available. It's tough to call a real winner here. We may have to perform a tie-breaker!


You may download the reports generated from this Throwdown, as well as the session files for Nessus and Core Impact.

The Puppetmasters New Clothes
Thursday, 07 January 2010 13:20

In the Science Fiction novel "The Puppet Masters" by Robert A. Heinlein, alien creatures with the ability to connect to humans' nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.

But back to the book. It's a pretty typical "alien possession" novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but can attach themselves to a victim's neck and hang down the back. The "slug" can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret intelligence agency of the US) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.

Correct, the only way to tell if a human was possessed was to require full nudity. Heinlein established that even a naked woman carrying a purse was suspect because she kept her hand in her purse which allowed her to remain connected to the slug. Now, part of the reason Heinlein wrote this solution into his novel is because he was a big fan of nakedness (hardly any of his novels don't mention it). But also because it's the obvious, simple solution to the question "How do I know if you are really you?". The slugs were too big to not be visible and obvious when attached to a victim.

Now, the $1.69 question: Is this a reactive security measure, or a proactive one?

Thanks to Richard Reid, we now have to take our shoes off at many airports. And most likely, we'll have much more invasive body scans to look for hidden explosives (even though there's no evidence such a scan would have caught Nigerian Abdulmutallab's hidden explosives). These are reactive security measures. Why? Because even looking at a person stark naked, you cannot tell if he or she is a terrorist. "The Puppet Masters" has a specific threat that can be visually identified and is known to be hostile to humanity. So the nudity solution is actually rational, if socially awkward. No such test exists for humans that intend harm to other humans.

This does not stop the TSA and law enforcement from following profiling methodologies, unfortunately. Many innocent citizens are taken aside because of their religious beliefs, skin color or "attitude". Timothy McVeigh's, Richard Reid's and Umar Farouk Abdulmutallab's lessons have not stuck: Terrorism is an action, not a kind of person, a belief system or a clothing style. Most of the security measures taken in airports and on airplanes since 9/11/2001 have been reactive "security theatre" rather than actually proactively useful.

So what proactive security measures should be taken in the wake of the failed Christmas Bombing? Move security screening back to boarding gates. Improve the intelligence gathering and sharing community. Train more air marshals and put them on more flights. And most importantly, stop wasting resources on reactive measures.

DeepMac ALPHA
Friday, 25 September 2009 19:26

Almost a year after I first wrote about my idea for DeepMac, I can finally show something actually functional for the world to point and stare at!

DeepMac ALPHA is available at http://deepmac.jedimercer.com/ and includes the full MySQL dump of the database contents. I'm licensing the database under the Open Database License.

At this point, there are only a few hundred OUIs tied to a device of some sort. This is because I've had to focus on developing the skeletal framework to actually store the information, and have not yet put together tools for automating any part of the process of submitting data. Still, there's a good breakdown of virtual computers, network-attached cameras, the major Smartphone models and a few videogame systems.

For DeepMac to become truly useful though, it needs a lot more raw data, and not just the easy pickings. That means there need to be better ways to get data into DeepMac. A primitive search interface is just a baby-step. Ideally, we need to have a standard format for submitting new DeepMac data for analysis and inclusion. Mostly this is about sitting down and figuring out what would work best.

The other thing DeepMac needs to be useful is of course a real-world application that everyone can benefit from. I'd love to see DeepMac data integrated with great security tools like Wireshark, Nmap, Kismet and others. There's also a ton of commercial security software that could benefit from DeepMac such as SIMs, asset management tools and anything else that does network discovery. Alas, I don't see that happening anytime soon. A side-project of mine is developing a tool for tracking IP<->MAC pairings for network surveillance. I'll be integrating DeepMac data into that tool, and hopefully releasing it as an Open Source project sometime next year.

In the meantime, I'm still very much interested in feedback about the DeepMac project! What I've gotten so far has been small but very useful and greatly appreciated. And if you have any intelligence to offer the DeepMac project (as in OUI Device mapping), please e-mail me!

DeepMac database update
Wednesday, 02 December 2009 14:33

The DeepMac database has been updated with the most recent date information as of December 2nd, 2009. I also updated the MySQL dump of the database.

I haven't had time to add further fingerprints to DeepMac, nor expand on tools for searching and updating. But please do not hesitate to submit ideas, suggestions or comments!

(Also, I like cookies)

DeepMac Progress
Wednesday, 08 July 2009 22:06

It's been almost exactly one month since my last entry on DeepMac's goals and I'm happy to say significant progress has been made!

The biggest achievement is getting the project finally organized, with clear goals, usable data and a skeletal framework. But that's kind of broad, so let's break down what has been achieved:

  1. Historical creation dates for OUIs have been documented going back to 1998, thanks mostly to archive.org and the magic of Google. Thus the creation of the DeepMac knowledgebase!
  2. An automatic archiving of the IEEE OUI listing in text format has been established, running on a daily basis.
  3. Simple perl scripts have been written to convert the IEEE OUI file (oui.txt) into a tab-delimited format, one OUI per line, and to add OUI creation dates from the DeepMac knowledgebase.
  4. An actual MySQL database has been created and another perl script used to load some of the knowledgebase data into the MySQL database.
  5. A horribly primitive PHP interface has been written to allow very basic searching of the DeepMac database.
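
Steps 3 and 4 above describe Perl scripts; as an added illustration (not DeepMac's own code), here is a Python equivalent of step 3: it turns the "(hex)" lines of an IEEE oui.txt listing into one tab-delimited row per OUI and attaches a creation date from a knowledgebase. The oui.txt excerpt and the knowledgebase dates below are constructed.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file. Only the "(hex)"
# line of each block is used; the "(base 16)" and address lines are skipped.
OUI_TXT = """OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-00-0C   (hex)\t\tCISCO SYSTEMS, INC.
00000C     (base 16)\t\tCISCO SYSTEMS, INC.
\t\t\t\t170 WEST TASMAN DRIVE
\t\t\t\tSAN JOSE CA 95134-1706
\t\t\t\tUNITED STATES

AA-BB-CC   (hex)\t\tExample Devices Ltd (constructed)
AABBCC     (base 16)\t\tExample Devices Ltd (constructed)
\t\t\t\tSomewhere
"""

# Constructed knowledgebase: OUI -> date it first appeared in an archived listing.
KNOWLEDGEBASE = {"00000C": "1998-01-01"}

# Matches "XX-XX-XX   (hex)   Organization name"; the name runs to end of line.
HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.*\S)\s*$", re.IGNORECASE)


def parse_oui_txt(text):
    """Yield (oui, organization) pairs, OUI normalised to six uppercase hex digits."""
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            yield "".join(m.group(1, 2, 3)).upper(), m.group(4)


def to_tab_delimited(text, knowledgebase):
    """One OUI per row: OUI, organization, creation date (or 'unknown' if not in the knowledgebase)."""
    rows = []
    for oui, org in parse_oui_txt(text):
        rows.append("\t".join([oui, org, knowledgebase.get(oui, "unknown")]))
    return rows


if __name__ == "__main__":
    print("\n".join(to_tab_delimited(OUI_TXT, KNOWLEDGEBASE)))
```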

There is still an enormous amount to accomplish with this project. I've been thinking about where the focus should be and while I really want to evangelize the project and get input from the big boys in networking, it seems to me that it will never be manageable until the project is fully organized and has the tools it needs. So the push for now is going to be on continuing to refine the MySQL database for DeepMac in terms of structure, and lots of work on a web-based front-end.

Ideally, it should be possible to not only fully search DeepMac on-line but also submit information, and for administrators to update the contents including approving submissions for inclusion. That's a tall order, so the first sub-goal here will be to whip the search interface into shape and allow full searching on multiple fields with varying levels of output detail.
