DVGM: Using Arachni.
This commit is contained in:
parent
965c74706b
commit
7115e257f3
|
|
@ -0,0 +1,111 @@
|
|||
# Dynamic Analysis: Arachni
|
||||
|
||||
Arachni is a web application security scanner framework that supports many
|
||||
different kinds of security checks, including detection of insecure header,
|
||||
cross-site scripting (XSS), SQL injection, and cross-site request forgery
|
||||
(CSRF). We will run the tool twice; first on the login page, then we will
|
||||
provide the login credentials for a student to the tool -- otherwise, Arachni
|
||||
would not see much beside the login screen, similar to an unauthenticated user.
|
||||
|
||||
## Running Arachni without credentials
|
||||
|
||||
In order to run Arachni, start it with the following options:
|
||||
|
||||
```bash
|
||||
arachni --report-save-path=/tmp/sign_in_page.report \
|
||||
--check=unencrypted_password_forms,x_frame_options \
|
||||
--scope-exclude-pattern='/assets/|__web_console' \
|
||||
http://$(hostname):3000
|
||||
```
|
||||
|
||||
To speed up the analysis, we only use the `unencrypted_password_forms` and
|
||||
`x_frame_options` check, because this is the only one that will yield a result
|
||||
at this point. If we would run Arachni with all checks enabled, it would take
|
||||
considerably longer. In addition, by using `--scope-exclude-pattern`, we tell
|
||||
Arachni to skip assets and the debug console of Ruby on Rails, which is active
|
||||
since we run the app in development mode. Otherwise, Arachni will loop for a
|
||||
long time trying to navigate the console.
|
||||
|
||||
Once the analysis is finished, inspect the report:
|
||||
```bash
|
||||
arachni_reporter \
|
||||
--reporter=html:outfile=/tmp/sign_in_page.html.zip \
|
||||
/tmp/sign_in_page.report
|
||||
unzip -d /tmp/sign_in_page /tmp/sign_in_page.html.zip
|
||||
chromium /tmp/sign_in_page/index.html
|
||||
```
|
||||
|
||||
Arachni should have found insecure headers and a possibly unsecured login page.
|
||||
Remember that Arachni was acting as an unauthenticated user, so it is not
|
||||
surprising that it found considerably less than brakeman.
|
||||
|
||||
### Insecure HTTP Headers
|
||||
|
||||
1. What is the purpose of the missing headers?
|
||||
2. How could the lack of these headers be used to attack DVGM?
|
||||
3. Ruby aims to have secure defaults. Can you find which part of DVGM's sorce
|
||||
is responsible for the lack of said headers?
|
||||
4. We have now used a static analysis tool, Brakeman, and started to
|
||||
use a dynamic tool, Arachni. What are some benefits and limitations
|
||||
of these different kind of tools?
|
||||
|
||||
## Running Arachni with credentials
|
||||
|
||||
For the second run of Arachni, you will provide the login credentials for our
|
||||
student account, `peter`. This will allow Arachni to scan more parts of DVGM.
|
||||
|
||||
```bash
|
||||
arachni --report-save-path=/tmp/logged_in.report \
|
||||
--plugin=autologin:url="http://$(hostname):3000/sign_in",\
|
||||
parameters="user_session[login]=peter&user_session[password]=football",\
|
||||
check="| Logout" \
|
||||
--scope-exclude-pattern="sign_out|__web_console|/new" \
|
||||
--check=code_injection,csrf,'xss*',hsts,\
|
||||
unencrypted_password_forms,allowed_methods,x_frame_options \
|
||||
http://$(hostname):3000
|
||||
```
|
||||
|
||||
Again, the scan might take a few minutes. This time, we use the `autologin`
|
||||
plugin, which takes three parameters: `url`, the URL to the sign-in page;
|
||||
`parameters`, which contains the POST parameters that a browser sends when we
|
||||
type in username and password and submit the form; and `check`, which contains
|
||||
text that Arachni uses to check whether the login succeeded (only when we are
|
||||
logged in, we will find the text `| Logout` in the top bar). Additionally, we
|
||||
use more checks this time, because Arachni now has access to larger parts of our
|
||||
app. We also need to make sure to exclude URLs from the scan that includes
|
||||
`sign_out|` (we do not want Arachni to log out automatically) or `/new|`'
|
||||
(we do not want Arachni to end up in an infinite loop creating new grade
|
||||
comments).
|
||||
|
||||
Once the scan finishes, inspect the report:
|
||||
|
||||
```bash
|
||||
arachni_reporter \
|
||||
--reporter=html:outfile=/tmp/logged_in.html.zip \
|
||||
/tmp/logged_in.report
|
||||
unzip -d /tmp/logged_in /tmp/logged_in.html.zip
|
||||
chromium /tmp/logged_in/index.html
|
||||
```
|
||||
|
||||
Arachni should have found XSS and CSRF vulnerabilites.
|
||||
|
||||
5. We ran Arachni with the `sql_injection` plugin. Recall the SQL exploit that
|
||||
you found earlier. What could be a reason for Arachni not finding the SQL
|
||||
injection vulnerability?
|
||||
|
||||
### DOM XSS / Client-Side XSS
|
||||
|
||||
6. Read through the two types of reported XSS issues. In
|
||||
particular, click on the eye button to inspect the injected seed
|
||||
along with the presented proof. Do you think the found issues
|
||||
are true positives? How does the automatic verification of the
|
||||
found XSS vulnerabilities work? How is the found XSS vulnerability different
|
||||
from the found DOM XSS vulnerability?
|
||||
|
||||
### Cross-Site Request Forgery (CSRF)
|
||||
|
||||
7. Inspect the found cross-site request forgery attack. The Ruby on Rails
|
||||
[Security Guide](http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
|
||||
contains a good introduction to this kind of vulnerability. How can this kind of
|
||||
vulnerability be problematic found an app like DVGM? Compare the finding with
|
||||
the CSRF warning from Brakeman.
|
||||
Loading…
Reference in New Issue