Web Application Vulnerability Scanner: Skipfish





EXECUTIVE SUMMARY

Skipfish is an automated web application vulnerability scanner available for free download at Google's code website. It is a scanner security professionals can use to evaluate the security profile of their own sites. Skipfish was built and is maintained by independent developers and not Google. In addition to the code being hosted on Google's downloads site, Google's information security engineering team is mentioned in the project's acknowledgements. Skipfish is another scanning tool much in the same vein as Nikto, Netsparker or W3af. It is similar in that it is a free and open-source scanner, but it claims to be faster and less resource intensive than some of the others. We have seen this scanner being used to attack financial sites, looking for Remote File Includes (RFI) with the specific string www.google.com/humans.txt in the requested URL.

VULNERABILITY AND ATTACK DETAILS

We have seen this tool being used to probe financial sites over the past few weeks. Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site but doesn't validate which URL is allowed to load. If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker. For more information on RFI, please see the Web Application Security Consortium (http://projects.webappsec.org/w/page/13246955/remote%20file%20inclusion) and OWASP (https://www.owasp.org/index.php/owasp_periodic_table_of_vulnerabilities_-_remote_file_inclusion) websites. Akamai has seen Skipfish probes primarily targeting the financial industry.
Requests appear to be coming from multiple, seemingly unrelated IP addresses. All of these IP addresses appear to be open proxies, used to mask the attacker's true IP address. Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site's pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site. The Google humans.txt page contains the following text:

"Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see google.com/jobs."

If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish. While the default user-agent for Skipfish version 2.10b is Mozilla/5.0 SF/2.10b, we cannot depend on that value being set. It is easily editable to any value the Skipfish operator chooses.

HOW DO I KNOW I'M AFFECTED

Using Kona Site Defender's Security Monitor, you can sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL.

HOW DO I FIX THE PROBLEM

We have seen three behaviors by Skipfish that can trigger WAF rule alerts. The documentation for Skipfish claims it can submit up to 2,000 requests per second to a site, so Summary and Burst rate controls should be set to a value that would see this level of traffic and appropriately deny further requests. Skipfish does have a default unique user-agent (Mozilla/5.0 SF/2.10b), but it can be set to anything the operator chooses.
This default user-agent could be filtered on by a WAF rule. However, in the instances where we believe Skipfish was being used, there was no user-agent value at all. Rule ID 960009 (Protocol Violation/Missing Header: Request Missing a User Agent Header) would then be triggered. This rule can have a high false positive rate, but can be set to deny in order to block these types of requests. Lastly, a WAF rule can be created that would be triggered if the request were to contain the string google.com/humans.txt. There is no situation (other than on google.com) where this would be a valid request for a site. The following rule can be used to block requests containing this string:

    <match:metadata-stage value="client-request">
      <match:regex select="query_string" transform="urldecodeuni lowercase" regex="(?:w{3}\.google\.com\/humans\.txt)">
        <security:firewall.action>
          <msg>request Indicates Skipfish explored the site</msg>
          <tag>automation/security_scanner</tag>
          <id>6xxxxx</id>
          <deny>%(waf_custom_r6xxxxx_deny)</deny>
          <http-status>403</http-status>
        </security:firewall.action>
      </match:regex>
    </match:metadata-stage>

REFERENCES & RELATED READING

Traffic Light Protocol: http://www.us-cert.gov/tlp
Skipfish project page: https://code.google.com/p/skipfish/
Web Application Security Consortium (WASC) on RFI: http://projects.webappsec.org/w/page/13246955/remote%20file%20inclusion
Open Web Application Security Project (OWASP) on RFI: https://www.owasp.org/index.php/owasp_periodic_table_of_vulnerabilities_-_remote_file_inclusion

ABOUT AKAMAI CSIRT

The Akamai Customer Security Incident Response Team (CSIRT) researches attack techniques and tools used to target our customers and develops the appropriate response, protecting customers from a wide variety of attacks ranging from login abuse to scrapers to data breaches to DNS hijacking to distributed denial of service. Its ultimate mission: keep customers safe.
As part of that mission, Akamai CSIRT maintains close contact with peer organizations around the world, trains Akamai's PS and CCare to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings.

CONTACTS

Existing customers that desire additional information can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team. Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on Twitter @akamai.
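The following worked example is added here by the editor and is not part of the Akamai advisory or its appendix. It emulates, over a handful of constructed web-server log lines, the three detection signals the advisory describes: the query-string regex from the WAF rule applied after the same "urldecodeuni lowercase" transforms, a missing User-Agent header (the condition behind Rule ID 960009), and the default Skipfish user-agent, plus a per-client burst count motivated by the 2,000 requests-per-second figure. Assumptions: the log lines are in Apache combined format with an absent User-Agent logged as "-", the single-pass %XX / %uXXXX decoder is an approximation of the Akamai urldecodeuni transform, and the 100 requests-per-second burst threshold is an arbitrary value to be tuned per site.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# The advisory's own regex, applied after its "urldecodeuni lowercase" transforms.
HUMANS_TXT_RE = re.compile(r"(?:w{3}\.google\.com\/humans\.txt)")
SKIPFISH_DEFAULT_UA = "Mozilla/5.0 SF/2.10b"   # default for Skipfish 2.10b per the advisory
BURST_THRESHOLD = 100                            # req/s per client; assumed value, tune per site

# Apache combined-log-format line; an absent User-Agent is logged as "-" (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def urldecodeuni(s: str) -> str:
    """Single-pass decode of %XX and %uXXXX escapes, approximating the WAF's
    urldecodeuni transform; malformed escapes are left untouched and a decoded
    '%' is never re-interpreted (single pass), so %2500 stays '%00' literally."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def query_matches_probe(target: str) -> bool:
    """Apply the advisory's rule: take the query string only (select="query_string"),
    run the transforms, then search for the regex. A request for the site's own
    /humans.txt has an empty query string and therefore never matches."""
    qs = urlsplit(target).query
    return HUMANS_TXT_RE.search(urldecodeuni(qs).lower()) is not None


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the advisory's per-request signals that fire for one parsed line."""
    reasons = []
    if query_matches_probe(entry["target"]):
        reasons.append("humans.txt RFI probe in query string")
    if entry["ua"] in ("", "-"):
        reasons.append("missing User-Agent header")       # Rule ID 960009 condition
    elif entry["ua"] == SKIPFISH_DEFAULT_UA:
        reasons.append("default Skipfish User-Agent")
    return reasons


def analyze(lines):
    """Return ({ip: set(reasons)}, {ip: peak requests seen in any one second})."""
    per_ip = {}
    per_second = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        per_second[(e["ip"], e["ts"])] += 1     # log timestamps have one-second granularity
        for r in classify(e):
            per_ip.setdefault(e["ip"], set()).add(r)
    peak = {}
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak.get(ip, 0), n)
    for ip, n in peak.items():
        if n > BURST_THRESHOLD:                  # what a Burst rate control would catch
            per_ip.setdefault(ip, set()).add("burst: %d req/s" % n)
    return per_ip, peak


# Constructed sample log lines (documentation-range IPs, not real traffic).
_TS = "12/Jan/2015:10:00:01 +0000"
_FF = "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
LOG_LINES = [
    # plain probe with the default Skipfish UA
    f'203.0.113.5 - - [{_TS}] "GET /view.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 611 "-" "{SKIPFISH_DEFAULT_UA}"',
    # encoded, upper-cased, null-terminated variant with no User-Agent at all
    f'203.0.113.5 - - [{_TS}] "GET /view.php?page=http%3A%2F%2FWWW.GOOGLE.COM%2Fhumans.txt%00 HTTP/1.1" 200 611 "-" "-"',
    # %uXXXX-encoded variant from a second proxy address, no User-Agent
    f'203.0.113.77 - - [{_TS}] "GET /view.php?page=http://%u0077ww.google.com/humans.txt HTTP/1.1" 200 611 "-" "-"',
    # benign traffic, including a request for the site's own humans.txt
    f'198.51.100.7 - - [{_TS}] "GET /view.php?page=about HTTP/1.1" 200 2048 "-" "{_FF}"',
    f'198.51.100.7 - - [{_TS}] "GET /humans.txt HTTP/1.1" 200 230 "-" "{_FF}"',
]
# Simulated burst: 150 otherwise unremarkable requests from one address in the same second.
LOG_LINES += [f'192.0.2.9 - - [{_TS}] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.35.0"'] * 150

if __name__ == "__main__":
    flagged, peak = analyze(LOG_LINES)
    for ip, reasons in sorted(flagged.items()):
        print(ip, sorted(reasons), "peak req/s:", peak[ip])
```

The benign client 198.51.100.7 is never flagged even though it fetches the site's own humans.txt, which is the precision the advisory relies on when it says the string is never a valid request for a site other than google.com; the match is restricted to the query string, exactly as the rule's select="query_string" does.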

APPENDIX

The Akamai Difference

Akamai is the leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company's solutions is the Akamai Intelligent Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.

Akamai Technologies, Inc.
U.S. Headquarters: 8 Cambridge Center, Cambridge, MA 02142
Tel 617.444.3000, Fax 617.444.3001, U.S. toll-free 877.4AKAMAI (877.425.2624)
www.akamai.com
International Offices: Unterfoehring, Germany; Paris, France; Milan, Italy; London, England; Madrid, Spain; Stockholm, Sweden; Bangalore, India; Sydney, Australia; Beijing, China; Tokyo, Japan; Seoul, Korea; Singapore

2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.