Web Application Vulnerability Scanner: Skipfish



EXECUTIVE SUMMARY

Skipfish is an automated web application vulnerability scanner available for free download at Google’s code website. It is a scanner security professionals can use to evaluate the security profile of their own sites. Skipfish was built and is maintained by independent developers and not Google. In addition to the code being hosted on Google’s downloads site, Google’s information security engineering team is mentioned in the project’s acknowledgements.

Skipfish is another scanning tool much in the same vein as Nikto, Netsparker or W3af. It is similar in that it is a free and open-source scanner, but it claims to be faster and less resource intensive than some of the others. We have seen this scanner being used to attack financial sites -- looking for Remote File Includes (RFI) with the specific string www.google.com/humans.txt in the requested URL.

VULNERABILITY AND ATTACK DETAILS

We have seen this tool being used to probe financial sites over the past few weeks.

Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site, but doesn’t validate which URL is allowed to load. If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker. For more information on RFI, please see the Web Application Security Consortium (http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion) and OWASP (https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Remote_File_Inclusion) websites.
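The RFI condition described above exists when a site fetches whatever URL a request parameter names. The following is an added example, not code from the advisory or from Skipfish, of the application-side check that closes that gap: only URLs whose scheme and host are on an allow-list controlled by the site owner are accepted, and the variants that defeat naive substring checks (userinfo tricks, NUL truncation, scheme-relative URLs) are rejected. The host names and sample inputs are constructed for the example.

```python
"""Allow-list validation for a URL that a page will fetch and embed.

Added example, not from the advisory or the Skipfish project. Host names
and sample inputs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"content.example.org", "cdn.example.org"}  # constructed allow-list
ALLOWED_SCHEMES = {"https"}


def validate_include_url(raw: str) -> Optional[str]:
    """Return a normalised URL if it may be fetched, otherwise None."""
    # NUL truncation (cf. the humans.txt%00 variant) has no legitimate use here.
    if "\x00" in raw or "%00" in raw.lower():
        return None
    try:
        parts = urlsplit(raw.strip())
    except ValueError:          # malformed netloc (e.g. bad IPv6 brackets)
        return None
    # Rejects http:, ftp:, data:, php:// wrappers, and relative or scheme-relative paths.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # "https://allowed.host@evil.example/" parses with hostname evil.example; refuse
    # userinfo outright rather than relying on the allow-list alone.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname or ""          # already lowercased, port and brackets removed
    if host not in ALLOWED_HOSTS:
        return None
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    # Rebuild from the validated parts so the fetch never reuses the raw string.
    return f"https://{host}{path}{query}"


# Constructed inputs: the first two are legitimate, the rest are the kinds of
# values an RFI probe (including the humans.txt one in the advisory) would send.
SAMPLE_INPUTS = [
    "https://content.example.org/banner.html",
    "https://CONTENT.example.org:443/a?b=1",
    "http://www.google.com/humans.txt",
    "https://www.google.com/humans.txt%00",
    "https://content.example.org@evil.example/x",
    "//content.example.org/x",
    "../../etc/passwd",
]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:55} -> {validate_include_url(raw)}")
```

The returned value, not the original parameter, is what the page should hand to its HTTP client; rebuilding the URL from validated parts is what keeps a later parser disagreement from reintroducing the problem.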

Akamai has seen Skipfish probes primarily targeting the financial industry. Requests appear to be coming from multiple, seemingly unrelated IP addresses. All of these IP addresses appear to be open proxies, used to mask the attacker’s true IP address. Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site’s pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site. The Google humans.txt page contains the following text:

“Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see google.com/jobs.”

If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website.

The included string and the user-agent are both configurable by the attacker running Skipfish. While the default user-agent for Skipfish version 2.10b is “Mozilla/5.0 SF/2.10b”, we cannot depend on that value being set. It is easily editable to any value the Skipfish operator chooses.

HOW DO I KNOW I’M AFFECTED

Using Kona Site Defender’s Security Monitor, you can sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL.

HOW DO I FIX THE PROBLEM

was no user-agent value at all. Rule ID 960009 (Protocol Violation/Missing Header: Request Missing a User Agent Header) would then be triggered. This rule can have a high false-positive rate, but can be set to deny in order to block these types of requests. Lastly, a WAF rule can be created that is triggered if the request contains the string “google.com/humans.txt”. There is no situation (other than on google.com) where this would be a valid request for a site. The following rule can be used to block requests containing this string:

    <match:metadata-stage value="client-request">
      <match:regex select="QUERY_STRING" transform="urlDecodeUni lowercase" regex="(?:w{3}\.google\.com\/humans\.txt)">
        <security:firewall.action>
          <msg>Request Indicates Skipfish explored the site</msg>
          <tag>AUTOMATION/SECURITY_SCANNER</tag>
          <id>6xxxxx</id>
          <deny>%(WAF_CUSTOM_R6xxxxx_DENY)</deny>
          <http-status>403</http-status>
        </security:firewall.action>
      </match:regex>
    </match:metadata-stage>
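For sites that are not behind the WAF, or for reviewing historical access logs as the “HOW DO I KNOW I’M AFFECTED” section suggests, the same logic can be run over log lines. The script below is an added example, not Akamai’s or the Skipfish project’s code: it applies the rule’s decode-then-lowercase-then-match logic to each request and also flags the two user-agent conditions the advisory discusses (no User-Agent at all, and the 2.10b default “Mozilla/5.0 SF/2.10b”). The log lines are constructed for the example in combined log format, the repeated-decode loop is an approximation of the rule’s urlDecodeUni transform rather than its exact semantics, and the check is applied to the whole request target rather than only the query string.

```python
"""Flag Skipfish humans.txt RFI probes in web server access logs.

Added example, not Akamai's or Skipfish's code. Log lines are constructed;
the decode loop approximates the WAF rule's urlDecodeUni transform.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Same pattern as the advisory's WAF rule; applied after decoding and lowercasing.
HUMANS_TXT_RE = re.compile(r"w{3}\.google\.com/humans\.txt")
DEFAULT_SKIPFISH_UA = "Mozilla/5.0 SF/2.10b"   # default for 2.10b per the advisory

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def url_decode_uni(value: str) -> str:
    """Repeat %xx decoding until stable (bounded), so double-encoded payloads are
    normalised too. unquote() turns %00 into a NUL byte, which is kept so the
    humans.txt%00 variant still matches the pattern."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def classify(line: str) -> Optional[dict]:
    """Return the findings for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    # The WAF rule selects QUERY_STRING; checking the whole request target is
    # broader and also catches the string when it is placed in the path.
    decoded = url_decode_uni(target).lower()
    ua = m.group("ua")
    findings = []
    if HUMANS_TXT_RE.search(decoded):
        findings.append("skipfish_rfi_probe")      # rule's AUTOMATION/SECURITY_SCANNER tag
    if ua in ("", "-"):
        findings.append("missing_user_agent")      # cf. rule 960009 in the advisory
    if ua == DEFAULT_SKIPFISH_UA:
        findings.append("default_skipfish_ua")
    return {"ip": m.group("ip"), "target": target, "findings": findings}


def scan(lines) -> List[dict]:
    """Return only the entries that raised at least one finding."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result["findings"]:
            hits.append(result)
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2013:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jan/2013:10:00:02 +0000] "GET /index.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0 SF/2.10b"',
    '203.0.113.12 - - [10/Jan/2013:10:00:03 +0000] "GET /view.php?f=http%3A%2F%2Fwww.google.com%2Fhumans.txt%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Jan/2013:10:00:04 +0000] "GET /view.php?f=http%253A%252F%252FWWW.GOOGLE.COM%252Fhumans.txt HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.14 - - [10/Jan/2013:10:00:05 +0000] "GET /contact HTTP/1.1" 200 100 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["target"])
```

A 200 response on a line that carries the humans.txt string is the one to follow up first: as the advisory notes, a successful inclusion displays the quoted Google text in the page, so the response body or size for that request is the next thing to check.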

REFERENCES & RELATED READING

Traffic Light Protocol – http://www.us-cert.gov/tlp

Skipfish project page: https://code.google.com/p/skipfish/

Web Application Security Consortium (WASC) on RFI:

http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion

Open Web Application Security Project (OWASP) on RFI:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Remote_File_Inclusion

ABOUT AKAMAI CSIRT

The Akamai Customer Security Incident Response Team (CSIRT) researches attack techniques and tools used to target our customers and develops the appropriate response – protecting customers from a wide variety of attacks ranging from login abuse to scrapers to data breaches to DNS hijacking to distributed denial of service. Its ultimate mission: keep customers safe. As part of that mission, Akamai CSIRT maintains close contact with peer organizations around the world, trains Akamai's PS and CCare to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings.

CONTACTS

Existing customers that desire additional information can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team.

Non-customers can submit inquiries through Akamai’s hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on twitter @akamai.


Akamai® is the leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.

Akamai Technologies, Inc.

U.S. Headquarters
8 Cambridge Center, Cambridge, MA 02142
Tel 617.444.3000, Fax 617.444.3001
U.S. toll-free 877.4AKAMAI (877.425.2624)
www.akamai.com

International Offices
Unterfoehring, Germany; Paris, France; Milan, Italy; London, England; Madrid, Spain; Stockholm, Sweden; Bangalore, India; Sydney, Australia; Beijing, China; Tokyo, Japan; Seoul, Korea; Singapore

©2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such
