
Skipfish fuzzing scanner & mod_security

By Dale Reagan | February 6, 2011

My first skipfish test (on a local server) ended almost as soon as it was started (probably less than a minute.)

My first test on a live, Internet-resident server lasted about 2+ hours… Big diff!

From the Skipfish Readme: Normal dictionary fuzzing. In this mode, every $(unknown).${extension} pair will be attempted. This mode is significantly slower, but offers superior coverage, and should be your starting point. The complete scan uses an all-inclusive dictionary with over 150,000 requests – which is what I used. The test generated ~2 million entries across Apache and mod_security log files…


For the results below, the 9 high impact issues were most likely non-issues since access to the URI is limited (and was only allowed due to the special settings put in place for the IP address of the scanner.) The software in question has since been removed (legacy software, with no public access, and no real reason/need.) Some stats based on Apache logs – noting that your status codes may have different meanings on your server(s), i.e. ‘412’ is a custom code for this server:

Code | Count
 200 |      107 (HTTP_OK)
 206 |    39737 (HTTP_PARTIAL_CONTENT)
 301 |        1 (HTTP_MOVED_PERMANENTLY)
 302 |       21 (HTTP_MOVED_TEMPORARILY)
 304 |       18 (HTTP_NOT_MODIFIED)
 400 |      618 (HTTP_BAD_REQUEST)
 403 |      455 (HTTP_FORBIDDEN)
 404 |   518017 (HTTP_NOT_FOUND)
 405 |        4 (HTTP_METHOD_NOT_ALLOWED)
 412 |   129691 (blocked by mod_security)

Quick summary: ~500K bad/missing files; ~130K requests blocked by mod_security; my only items of real concern are the ‘200’ codes… I narrow them down by excluding all image/graphic files and wind up with:

  1. GET /Problem_Software/create/ HTTP/1.1
  2. GET /Problem_Software/subscribe HTTP/1.1
  3. GET /Problem_Software/create/PUT-sfi9876 HTTP/1.1
  4. GET /Problem_Software/create/burst.asmx/PUT-sfi9876 HTTP/1.1
  5. GET /Problem_Software/options HTTP/1.1
  6. GET /Problem_Software/admin HTTP/1.1
  7. GET /Problem_Software/create HTTP/1.1

For the above Problem_Software, the ‘fix’ is to remove/replace the software…
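An added example (not from the original post) of the log triage described above: tally the Apache status codes from combined-format log lines and list only the 200 responses that are not images. The log lines and the image-extension list are constructed for the example.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (not from the scan described above).
# The three-digit field after the quoted request line is the status code.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2011:10:00:01 -0500] "GET /Problem_Software/create/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:02 -0500] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:03 -0500] "GET /00.mdb HTTP/1.1" 412 0 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:04 -0500] "GET /missing-sfi9876 HTTP/1.1" 404 209 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:05 -0500] "GET /Problem_Software/admin?x=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:06 -0500] "GET /banner.GIF HTTP/1.1" 200 800 "-" "Mozilla/5.0 SF/1.84b"
203.0.113.7 - - [06/Feb/2011:10:00:07 -0500] "GET /style.css HTTP/1.1" 304 0 "-" "Mozilla/5.0 SF/1.84b"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".ico", ".bmp", ".svg")

def parse_log(text):
    """Yield (ip, request_line, status) per parseable line; lines the regex
    does not match (truncated or malformed) are skipped rather than fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("request"), m.group("status")

def status_counts(entries):
    """The Code/Count tally shown above, as a Counter keyed by status."""
    return Counter(status for _, _, status in entries)

def successful_non_image(entries):
    """Requests answered 200 whose path (query string dropped, case
    folded) does not end in an image extension: the list worth a look."""
    keep = []
    for _, request, status in entries:
        parts = request.split()
        if status != "200" or len(parts) < 2:
            continue
        path = parts[1].split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXT):
            keep.append(request)
    return keep

if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    for code, count in sorted(status_counts(entries).items()):
        print(f"{code} | {count:8d}")
    print("\n".join(successful_non_image(entries)))
```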

Terminal output from the Skipfish scan:

skipfish version 1.84b by <tool-author's-email>

 - scanned-domain.TLD -

Scan statistics:

 Scan time : 2:13:21.0016
 HTTP requests : 688758 (86.1/s), 719831 kB in, 126817 kB out (105.8 kB/s)
 Compression : 0 kB in, 0 kB out (0.0% gain)
 HTTP faults : 121 net errors, 0 proto errors, 11 retried, 567245 drops
 TCP handshakes : 129625 total (5.3 req/conn)
 TCP faults : 0 failures, 0 timeouts, 9 purged
 External links : 42 skipped
 Reqs pending : 0

Database statistics:

 Pivots : 335 total, 335 done (100.00%)
 In progress : 0 pending, 0 init, 0 attacks, 0 dict
 Missing nodes : 1 spotted
 Node types : 1 serv, 7 dir, 312 file, 4 pinfo, 0 unkn, 11 par, 0 val
 Issues found : 341 info, 39 warn, 9 low, 0 medium, 9 high impact
 Dict size : 2095 words (4 new), 102 extensions, 256 candidates

[+] Wordlist 'skipfish.wl' updated (4 new words added).
[+] Copying static resources...
[+] Sorting and annotating crawl nodes: 335
[+] Looking for duplicate entries: 335
[+] Counting unique nodes: 69
[+] Writing scan description...
[+] Writing crawl tree: 335
[+] Generating summary views...
[+] Report saved to '/path-to-output/skipfish/scan.0005/index.html' [0xba65e815].
[+] This was a great day for science!

The tool generates a folder full of HTML files with detailed statistics. This is an experimental tool – from the skipfish docs/notes:

First and foremost, please do not be evil. Use skipfish only against services you own, or have a permission to test.

Keep in mind that all types of security testing can be disruptive. Although the scanner is designed not to carry out malicious attacks, it may accidentally interfere with the operations of the site. You must accept the risk, and plan accordingly. Run the scanner against test instances where feasible, and be prepared to deal with the consequences if things go wrong.

Also note that the tool is meant to be used by security professionals, and is experimental in nature. It may return false positives or miss obvious security problems – and even when it operates perfectly, it is simply not meant to be a point-and-click application. Do not take its output at face value.

Running the tool against vendor-supplied demo sites is not a good way to evaluate it, as they usually approximate vulnerabilities very imperfectly; we made no effort to accommodate these cases.

Lastly, the scanner is simply not designed for dealing with rogue and misbehaving HTTP servers – and offers no guarantees of safe (or sane) behavior there.

Summary – a potentially useful tool for testing web-based software prior to release… 🙂

Additional Notes based on comments:

Why did you use a ‘production server’?

During testing, a non-production system should be used. For implementation/production, the only way to measure real impacts is to use a production system. It certainly is wonderful if you never have to restore a backup; the reality, however, is that unless you restore a production system from a backup you will never know if your backups are working… (Of course, you can ‘restore’ to a new server and then flip the new/old without negatively affecting your original server – but this is not always possible…) In this case I wanted a real production test (but it was preceded by a test-test…) I also configured the server to allow a trusted level of access from the IP address used for testing (a third-party attempt with this tool would have been blocked at a much higher percentage, along with triggering alerts, etc.)

Also, keep in mind that using tools like skipfish is only one type of system test that can/should be used as part of managing/securing networks and servers. Always follow best practices and always review your server & network logs (you need to know what is ‘normal’ and what is not normal). Whenever possible, automate and follow up manually for the cases where automation is not sufficient – i.e. IP addresses are automatically blocked when any known IP-badness is noted [ this can lead to false positives, hence part of the need for manual review… ]

What did you have configured to block skipfish?

During the test the configuration was not using skipfish-specific rules (however, based on an analysis of log data it would/should be possible to create some rules/filters that ‘catch’ unaltered use of the tool, i.e. based on the default ‘user-agent’, like “Mozilla/5.0 SF/1.84b” – noting that the tool may also ‘fuzz’ the UA, so such a rule would not be foolproof.)

A typical default mod_security rule will block access for ‘unsafe file extensions’ (which is one of the fuzzing methods/types used by the tool), i.e.:

# the list of file extensions below are virtually always considered unsafe
# and not in use in any valid program. If your application uses one of
# these extensions, you may want to create a modified rule instead of removing/disabling the rule.
# [ note text below is not a complete 'rule'... ]
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|cku

Some ‘real’ skipfish fuzzed requests that would trigger a REGEX like the one above (i.e. some_file + ‘.’ + extension; spaces added before and after the periods):

GET /00 . mdb HTTP/1.1          #[/00(dot)mdb]
GET /tar . bz2 . inc HTTP/1.1
GET /tar . bz2 . log HTTP/1.1
GET /tar . bz2 . sql HTTP/1.1
GET /00 . cfg HTTP/1.1
GET /tar . bz2 . com HTTP/1.1
GET /00 . config HTTP/1.1
GET /tar . bz2 . ini HTTP/1.1
GET /00 . old HTTP/1.1
GET /00 . conf HTTP/1.1

BTW – mod_security provides a score-based triggering method which could be used to block such scanning attempts. You simply set a threshold (e.g. 10 requests of a specific type) which, when reached, blocks any additional access attempts.
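As an added example (not the author's code and not a real mod_security rule), the unsafe-extension check and the threshold idea above in Python: the regex is the visible part of the quoted REQUEST_BASENAME rule plus the extensions seen in the sample fuzzed requests (an assumption, since the page truncates the rule), and the per-client counter is an assumed simplification of the score-based blocking described.

```python
import re
from collections import Counter

# Extensions copied from the visible part of the REQUEST_BASENAME rule quoted
# above; the page truncates the real rule, so mdb, old, log and sql (assumed,
# taken from the sample fuzzed requests) are appended so those match as well.
UNSAFE_EXT_RE = re.compile(
    r"\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)"
    r"|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)"
    r"|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])"
    r"|ba[kt]|mdb|old|log|sql)$",
    re.IGNORECASE,
)

def request_basename(request_line):
    """REQUEST_BASENAME as mod_security sees it: the last segment of the
    request path, with any query string removed."""
    path = request_line.split()[1].split("?", 1)[0]
    return path.rsplit("/", 1)[-1]

def is_unsafe_extension(basename):
    return UNSAFE_EXT_RE.search(basename) is not None

def evaluate_requests(requests, threshold=10):
    """Per-client counter modelled on the score-based blocking described
    above (an assumed simplification, not a real CRS rule): each request
    with an unsafe extension adds one hit; once a client reaches the
    threshold, every further request from it is denied regardless."""
    hits, decisions = Counter(), []
    for ip, line in requests:
        if hits[ip] >= threshold:
            decisions.append((ip, line, "deny:threshold"))
        elif is_unsafe_extension(request_basename(line)):
            hits[ip] += 1
            decisions.append((ip, line, "deny:extension"))
        else:
            decisions.append((ip, line, "allow"))
    return decisions

# Constructed sample: the page's ten fuzzed requests (spaces around the dots
# removed) from one scanner address, bracketed by two ordinary requests.
FUZZED = ["00.mdb", "tar.bz2.inc", "tar.bz2.log", "tar.bz2.sql", "00.cfg",
          "tar.bz2.com", "00.config", "tar.bz2.ini", "00.old", "00.conf"]
SAMPLE_REQUESTS = [("203.0.113.7", "GET /images/logo.png HTTP/1.1")]
SAMPLE_REQUESTS += [("203.0.113.7", f"GET /{n} HTTP/1.1") for n in FUZZED]
SAMPLE_REQUESTS.append(("203.0.113.7", "GET /index.html HTTP/1.1"))

if __name__ == "__main__":
    for ip, line, action in evaluate_requests(SAMPLE_REQUESTS):
        print(f"{ip} {action:15} {line}")
```

The last, otherwise harmless request for /index.html is denied only because the client has already reached the threshold, which is the behaviour the score-based approach buys you over a per-request extension match alone.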

Topics: Computer Technology, Problem Solving, System and Network Security, Unix-Linux-Os, Web Problem Solving, Web Technologies
