Web Application Vulnerability Scanner: Skipfish

Size: px

Start display at page:

Download "Web Application Vulnerability Scanner: Skipfish"

Ursula Craig
8 years ago
Views:

1 Web Application Vulnerability Scanner: Skipfish Page 1 of 7

2 EXECUTIVE SUMMARY Skipfish is an automated web application vulnerability scanner available for free download at Google s code website. It is a scanner security professionals can use to evaluate the security profile of their own sites. Skipfish was built and is maintained by independent developers and not Google. In addition to the code being hosted on Google s downloads site, Google s information security engineering team is mentioned in the project s acknowledgements. Skipfish is another scanning tool much in the same vein as Nikto, Netsparker or W3af. It is similar in that it is a free and opensource scanner, but it claims to be faster and less resource intensive than some of the others. We have seen this scanner being used to attack financial sites -- looking for Remote File Includes (RFI) with the specific string in the requested URL. VULNERABILITY AND ATTACK DETAILS We have seen this tool being used to probe financial sites over the past few weeks.. Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site, but doesn t validate which URL is allowed to load. If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker. For more information on RFI, please see the Web Application Security Consortium ( and OWASP ( websites. Akamai has seen Skipfish probes primarily targeting the financial industry. Requests appear to be coming from multiple, seemingly unrelated IP addresses. All of these IP addresses appear to be open proxies, used to mask the attacker s true IP address. Skipfish will test for an RFI injection point by sending the string or to the site s pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site. The Google humans.txt page contains the following text: Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see google.com/jobs. If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish. While the default user-agent for Skipfish version 2.10b is Mozilla/5.0 SF/2.10b, we cannot depend on that value being set. It is easily editable to any value the Skipfish operator chooses. HOW DO I KNOW I M AFFECTED Using Kona Site Defender s Security Monitor, you can sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL. HOW DO I FIX THE PROBLEM We have seen three behaviors by Skipfish that can trigger WAF rule alerts. The documentation for Skipfish claims it can submit up to 2,000 requests per second to a site, so Summary and Burst rate controls should be set to a value that would see this level of traffic and appropriately deny further requests. Skipfish does have a default unique user-agent (Mozilla/5.0 SF/2.10b) but it can be set to anything the operator chooses. This default user-agent could be filtered on by a WAF rule. However, in the instances where we believe Skipfish was being used, there Page 2 of 7

In addition to the code being hosted on Google s downloads site, Google s information security engineering team is mentioned in the project s acknowledgements.

3 was no user-agent value at all. Rule ID Protocol Violation/Missing Header Request Missing a User Agent Header would then be triggered. This rule can have a high false positive rate, but can be set to deny in order to block these types of requests. Lastly, a WAF rule can be created that would be triggered if the request were to contain the string google.com/humans.txt. There is no situation (other than on google.com) where this would be a valid request for a site. The following rule can be used to block requests containing this string: <match:metadata-stage value="client-request"> <match:regex select="query_string" transform="urldecodeuni lowercase" regex="(?:w{3}\.google\.com\/humans\.txt)"> <security:firewall.action> <msg>request Indicates Skipfish explored the site</msg> <tag>automation/security_scanner</tag> <id>6xxxxx</id> <deny>%(waf_custom_r6xxxxx_deny)</deny> <http-status>403</http-status> </security:firewall.action> </match:regex> </match:metadata-stage> REFERENCES & RELATED READING Traffic Light Protocol Skipfish project page: Web Application Security Consortium (WASC) on RFI: Open Web Application Security Project (OWASP) on RFI: ABOUT AKAMAI CSIRT The Akamai Customer Security Incident Response Team (CSIRT) researches attack techniques and tools used to target our customers and develops the appropriate response protecting customers from a wide variety of attacks ranging from login abuse to scrapers to data breaches to DNS hijacking to distributed denial of service. It s ultimate mission: keep customers safe. As part of that mission, Akamai CSIRT maintains close contact with peer organizations around the world, trains Akamai's PS and CCare to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings. CONTACTS Existing customers that desire additional information can contact Akamai directly through CCare at AKATEC (US And Canada) or (International), their Engagement Manager, or their account team. Non-customers can submit inquiries through Akamai s hotline at , the contact form on our website at the chat function on our website at or on Page 3 of 7

Lastly, a WAF rule can be created that would be triggered if the request were to contain the string google.com/humans.txt. There is no situation (other than on google.

4 APPENDIX Page 4 of 7

5 Page 5 of 7

6 Page 6 of 7

7 The Akamai Difference Akamai is the leading cloud platform for helping enterprises provide secure, high- performing user experiences on any device, anywhere. At the core of the Company s solutions is the Akamai Intelligent Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit and on Twitter. Akamai Technologies, Inc. U.S. Headquarters 8 Cambridge Center Cambridge, MA Tel Fax U.S. toll-free 877.4AKAMAI International Offices Unterfoehring, Germany Paris, France Milan, Italy London, England Madrid, Spain Stockholm, Sweden Bangalore, India Sydney, Australia Beijing, China Tokyo, Japan Seoul, Korea Singapore 2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Page 7 of 7

Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud.

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015. 1 TLP: GREEN 02.11.15 GSI ID: 1086 SECURITY BULLETIN: MS SQL REFLECTION DDOS RISK FACTOR - MEDIUM 1.1 / OVERVIEW / Beginning in October 2014, PLXsert observed the use of a new type of reflection-based