Trying Web vulnerability scanning with w3af

In "Trying sqlmap", I used sqlmap to scan for SQL injection vulnerabilities. Here I try scanning for Web vulnerabilities with w3af, a testing tool that can also scan for vulnerability classes other than SQL injection.

Environment

Ubuntu 14.04.3 LTS 64-bit, Docker 1.9.1

$ uname -a
Linux vm-ubuntu64 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
Codename:       trusty

$ sudo docker version
Client:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:12:04 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.4.2
 Git commit:   a34a1d5
 Built:        Fri Nov 20 13:12:04 UTC 2015
 OS/Arch:      linux/amd64

Preparing a vulnerable Web application

First, prepare a Web application that has SQL injection vulnerabilities. Here I use Damn Vulnerable Web Application (DVWA), which I also wrote about in "Notes on Web applications for vulnerability testing and learning".

Using a Docker image, DVWA can be made reachable on port 80 of localhost as follows.

$ sudo docker run -d -p 80:80 citizenstig/dvwa

Once the container has started, opening http://localhost/ in a browser shows the DVWA top page.

In the initial state the MySQL tables have not been created, so create them by following the instructions on the top page. Then log in from the login screen as admin/password. In addition, on the "DVWA Security" page change the Security Level from the default high to low.

Downloading w3af

To download w3af, use git as follows. The packages it depends on can be installed by running w3af_dependency_install.sh, but libjpeg-dev is missing from that script and has to be installed separately.

$ git clone --depth 1 https://github.com/andresriancho/w3af.git
$ cd w3af
$ ./w3af_console
$ sudo apt-get install libjpeg-dev
$ . /tmp/w3af_dependency_install.sh

w3af provides both a GUI and a console UI (CUI); here I describe how to use the CUI. With the CUI, the scan settings can be configured interactively as follows.

$ ./w3af_console
Usage of w3af for sending any traffic to a target without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Do you accept the terms and conditions? [N|y] y
w3af>>> help
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| start                      | Start the scan.                                                                                                                                                     |
| plugins                    | Enable and configure plugins.                                                                                                                                       |
| exploit                    | Exploit the vulnerability.                                                                                                                                          |
| profiles                   | List and use scan profiles.                                                                                                                                         |
| cleanup                    | Cleanup before starting a new scan.                                                                                                                                 |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| help                       | Display help. Issuing: help [command] , prints more specific help about "command"                                                                                   |
| version                    | Show w3af version information.                                                                                                                                      |
| keys                       | Display key shortcuts.                                                                                                                                              |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| http-settings              | Configure the HTTP settings of the framework.                                                                                                                       |
| misc-settings              | Configure w3af misc settings.                                                                                                                                       |
| target                     | Configure the target URL.                                                                                                                                           |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| back                       | Go to the previous menu.                                                                                                                                            |
| exit                       | Exit w3af.                                                                                                                                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| kb                         | Browse the vulnerabilities stored in the Knowledge Base                                                                                                             |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af>>> plugins
w3af/plugins>>> help
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| list                                       | List available plugins.                                                                                                                             |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| back                                       | Go to the previous menu.                                                                                                                            |
| exit                                       | Exit w3af.                                                                                                                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| output                                     | View, configure and enable output plugins                                                                                                           |
| mangle                                     | View, configure and enable mangle plugins                                                                                                           |
| evasion                                    | View, configure and enable evasion plugins                                                                                                          |
| bruteforce                                 | View, configure and enable bruteforce plugins                                                                                                       |
| infrastructure                             | View, configure and enable infrastructure plugins                                                                                                   |
| grep                                       | View, configure and enable grep plugins                                                                                                             |
| audit                                      | View, configure and enable audit plugins                                                                                                            |
| auth                                       | View, configure and enable auth plugins                                                                                                             |
| crawl                                      | View, configure and enable crawl plugins                                                                                                            |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Plugin name         | Status | Conf | Description                                                                                                                                               |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli          |        | Yes  | Identify blind SQL injection vulnerabilities.                                                                                                             |
| buffer_overflow     |        |      | Find buffer overflow vulnerabilities.                                                                                                                     |
| cors_origin         |        | Yes  | Inspect if application checks that the value of the "Origin" HTTP header isconsistent with the value of the remote IP address/Host of the sender ofthe    |
|                     |        |      | incoming HTTP request.                                                                                                                                    |
| csrf                |        |      | Identify Cross-Site Request Forgery vulnerabilities.                                                                                                      |
| dav                 |        |      | Verify if the WebDAV module is properly configured.                                                                                                       |
| eval                |        | Yes  | Find insecure eval() usage.                                                                                                                               |
| file_upload         |        | Yes  | Uploads a file and then searches for the file inside all known directories.                                                                               |
| format_string       |        |      | Find format string vulnerabilities.                                                                                                                       |
| frontpage           |        |      | Tries to upload a file using frontpage extensions (author.dll).                                                                                           |
| generic             |        | Yes  | Find all kind of bugs without using a fixed database of errors.                                                                                           |
| global_redirect     |        |      | Find scripts that redirect the browser to any site.                                                                                                       |
| htaccess_methods    |        |      | Find misconfigurations in Apache's "<LIMIT>" configuration.                                                                                               |
| ldapi               |        |      | Find LDAP injection bugs.                                                                                                                                 |
| lfi                 |        |      | Find local file inclusion vulnerabilities.                                                                                                                |
| memcachei           |        |      | No description available for this plugin.                                                                                                                 |
| mx_injection        |        |      | Find MX injection vulnerabilities.                                                                                                                        |
| os_commanding       |        |      | Find OS Commanding vulnerabilities.                                                                                                                       |
| phishing_vector     |        |      | Find phishing vectors.                                                                                                                                    |
| preg_replace        |        |      | Find unsafe usage of PHPs preg_replace.                                                                                                                   |
| redos               |        |      | Find ReDoS vulnerabilities.                                                                                                                               |
| response_splitting  |        |      | Find response splitting vulnerabilities.                                                                                                                  |
| rfd                 |        |      | Identify reflected file download vulnerabilities.                                                                                                         |
| rfi                 |        | Yes  | Find remote file inclusion vulnerabilities.                                                                                                               |
| shell_shock         |        |      | Find shell shock vulnerabilities.                                                                                                                         |
| sqli                |        |      | Find SQL injection bugs.                                                                                                                                  |
| ssi                 |        |      | Find server side inclusion vulnerabilities.                                                                                                               |
| ssl_certificate     |        | Yes  | Check the SSL certificate validity (if https is being used).                                                                                              |
| un_ssl              |        |      | Find out if secure content can also be fetched using http.                                                                                                |
| websocket_hijacking |        |      | Detect Cross-Site WebSocket hijacking vulnerabilities.                                                                                                    |
| xpath               |        |      | Find XPATH injection vulnerabilities.                                                                                                                     |
| xss                 |        | Yes  | Identify cross site scripting vulnerabilities.                                                                                                            |
| xst                 |        |      | Find Cross Site Tracing vulnerabilities.                                                                                                                  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit xss
w3af/plugins>>> audit
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Plugin name         | Status  | Conf | Description                                                                                                                                              |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| blind_sqli          |         | Yes  | Identify blind SQL injection vulnerabilities.                                                                                                            |
| buffer_overflow     |         |      | Find buffer overflow vulnerabilities.                                                                                                                    |
| cors_origin         |         | Yes  | Inspect if application checks that the value of the "Origin" HTTP header isconsistent with the value of the remote IP address/Host of the sender ofthe   |
|                     |         |      | incoming HTTP request.                                                                                                                                   |
| csrf                |         |      | Identify Cross-Site Request Forgery vulnerabilities.                                                                                                     |
| dav                 |         |      | Verify if the WebDAV module is properly configured.                                                                                                      |
| eval                |         | Yes  | Find insecure eval() usage.                                                                                                                              |
| file_upload         |         | Yes  | Uploads a file and then searches for the file inside all known directories.                                                                              |
| format_string       |         |      | Find format string vulnerabilities.                                                                                                                      |
| frontpage           |         |      | Tries to upload a file using frontpage extensions (author.dll).                                                                                          |
| generic             |         | Yes  | Find all kind of bugs without using a fixed database of errors.                                                                                          |
| global_redirect     |         |      | Find scripts that redirect the browser to any site.                                                                                                      |
| htaccess_methods    |         |      | Find misconfigurations in Apache's "<LIMIT>" configuration.                                                                                              |
| ldapi               |         |      | Find LDAP injection bugs.                                                                                                                                |
| lfi                 |         |      | Find local file inclusion vulnerabilities.                                                                                                               |
| memcachei           |         |      | No description available for this plugin.                                                                                                                |
| mx_injection        |         |      | Find MX injection vulnerabilities.                                                                                                                       |
| os_commanding       |         |      | Find OS Commanding vulnerabilities.                                                                                                                      |
| phishing_vector     |         |      | Find phishing vectors.                                                                                                                                   |
| preg_replace        |         |      | Find unsafe usage of PHPs preg_replace.                                                                                                                  |
| redos               |         |      | Find ReDoS vulnerabilities.                                                                                                                              |
| response_splitting  |         |      | Find response splitting vulnerabilities.                                                                                                                 |
| rfd                 |         |      | Identify reflected file download vulnerabilities.                                                                                                        |
| rfi                 |         | Yes  | Find remote file inclusion vulnerabilities.                                                                                                              |
| shell_shock         |         |      | Find shell shock vulnerabilities.                                                                                                                        |
| sqli                |         |      | Find SQL injection bugs.                                                                                                                                 |
| ssi                 |         |      | Find server side inclusion vulnerabilities.                                                                                                              |
| ssl_certificate     |         | Yes  | Check the SSL certificate validity (if https is being used).                                                                                             |
| un_ssl              |         |      | Find out if secure content can also be fetched using http.                                                                                               |
| websocket_hijacking |         |      | Detect Cross-Site WebSocket hijacking vulnerabilities.                                                                                                   |
| xpath               |         |      | Find XPATH injection vulnerabilities.                                                                                                                    |
| xss                 | Enabled | Yes  | Identify cross site scripting vulnerabilities.                                                                                                           |
| xst                 |         |      | Find Cross Site Tracing vulnerabilities.                                                                                                                 |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins>>> audit config xss
w3af/plugins/audit/config:xss>>> help
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| view            | List the available options and their values.                                                                                                                                   |
| set             | Set a parameter value.                                                                                                                                                         |
| save            | Save the configured settings.                                                                                                                                                  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| back            | Go to the previous menu.                                                                                                                                                       |
| exit            | Exit w3af.                                                                                                                                                                     |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/audit/config:xss>>> view
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Setting                         | Value       | Modified          | Description                                                                                                                  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| persistent_xss                  | True        |                   | Identify persistent cross site scripting vulnerabilities                                                                     |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
w3af/plugins/audit/config:xss>>> back
The configuration has been saved.
w3af/plugins>>> back
w3af>>> exit

Liked it? Sponsor the project!

Trying Web vulnerability scanning with w3af

In w3af, scan settings like the ones above can be written as a script file. Entering every setting interactively each time you scan is tedious, so it is convenient to use a script file for scanning.

To scan DVWA, first look up the session cookie, for example in the developer console of a browser that is already logged in, and save it as a text file.

> document.cookie
"PHPSESSID=hbolint2l342rdulhnsfeciko1; security=low"
$ cat headers.txt
Cookie: PHPSESSID=hbolint2l342rdulhnsfeciko1; security=low

Using the cookie saved above, a script that scans only for vulnerabilities whose Risk is High looks like this. For choosing which vulnerabilities to scan for, it is easiest to use one of the bundled profiles. Also, the web_spider plugin is configured here to exclude URLs containing logout, so that the crawler does not log the session out.

$ cat script.txt
profiles
use audit_high_risk
back

target
set target http://localhost/
back

http-settings
set timeout 30
set headers_file headers.txt
back

plugins
audit config rfi
set listen_address 127.0.0.1
set use_w3af_site False
back
crawl config web_spider
set ignore_regex .*logout.*
back
output html_file
back

start
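Before replaying a script like the one above, it is worth checking what it would actually do: where the traffic goes, whether the crawl runs authenticated, and whether the logout exclusion really matches. The following is an added example, not part of the original post and not w3af's own code. It reads the same command lines that w3af_console -s replays, tracks the menu path the way the console prompt does, and checks the scope-relevant settings against an assumed allowlist (ALLOWED_HOSTS); the sample script is a constructed copy of script.txt from the post.

```python
"""Pre-flight scope check for a w3af console script.

Added example, not part of the original post and not w3af's own code. It reads
the same command lines that w3af_console -s replays, tracks the menu the way
the console prompt does (profiles, target, http-settings, plugins/...), and
pulls out the settings that decide where traffic goes before anything is sent.
"""
import re
from urllib.parse import urlparse

# Constructed copy of script.txt from the post.
SAMPLE_SCRIPT = """\
profiles
use audit_high_risk
back

target
set target http://localhost/
back

http-settings
set timeout 30
set headers_file headers.txt
back

plugins
audit config rfi
set listen_address 127.0.0.1
set use_w3af_site False
back
crawl config web_spider
set ignore_regex .*logout.*
back
output html_file
back

start
"""

# Hosts this lab scan is allowed to touch (assumed allowlist; adjust per engagement).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# Plugin-type menus under "plugins": "<type> config <name>" enters a plugin's
# option menu, "<type> <name>" merely enables the plugin.
PLUGIN_TYPES = ("audit", "crawl", "grep", "output", "infrastructure",
                "auth", "bruteforce", "evasion", "mangle")


def parse_script(text):
    """Return the profile, enabled plugins and all 'set' options keyed by menu path."""
    path, settings, enabled, profile = [], {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd in ("start", "exit"):
            break
        if cmd == "back":
            if path:
                path.pop()
        elif cmd == "set" and len(parts) >= 3:
            settings["/".join(path + [parts[1]])] = " ".join(parts[2:])
        elif cmd == "use" and path == ["profiles"] and len(parts) == 2:
            profile = parts[1]
        elif cmd in PLUGIN_TYPES and path == ["plugins"] and len(parts) >= 2:
            if parts[1] == "config" and len(parts) >= 3:
                path.append("%s:%s" % (cmd, parts[2]))
            else:
                enabled.append("%s:%s" % (cmd, parts[1]))
        else:
            path.append(cmd)  # entering a top-level menu such as "target"
    return {"profile": profile, "enabled": enabled, "settings": settings}


def preflight(text):
    """Return a list of problems; an empty list means the script is safe to replay."""
    s = parse_script(text)["settings"]
    problems = []
    target = s.get("target/target")
    if target is None:
        problems.append("no target set")
    else:
        host = urlparse(target).hostname
        if host not in ALLOWED_HOSTS:
            problems.append("target host %r is not in the allowlist" % host)
    if "http-settings/headers_file" not in s:
        problems.append("no headers_file: the crawl would run unauthenticated")
    regex = s.get("plugins/crawl:web_spider/ignore_regex")
    # Assumed: the regex is applied to the full URL, which is how .*logout.* in the post is written.
    if regex is None or not re.match(regex, "http://localhost/logout.php"):
        problems.append("web_spider would follow logout links and drop the session")
    return problems


if __name__ == "__main__":
    print(parse_script(SAMPLE_SCRIPT))
    print("problems:", preflight(SAMPLE_SCRIPT) or "none")
```

Run it over a script before handing it to w3af_console -s; an empty problem list for the post's script comes from the target being localhost, the headers_file being set, and the regex matching a logout URL. Changing the target to any host outside ALLOWED_HOSTS, or dropping the ignore_regex line, produces a finding instead.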

Let's actually run a scan with the script file above.

$ ./w3af_console -s script.txt
w3af>>> profiles
w3af/profiles>>> use audit_high_risk
The plugins configured by the scan profile have been enabled, and their options configured.
Please set the target URL(s) and start the scan.
w3af/profiles>>> back
w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
The configuration has been saved.
w3af>>> http-settings
w3af/config:http-settings>>> set timeout 30
w3af/config:http-settings>>> set headers_file headers.txt
w3af/config:http-settings>>> back
The configuration has been saved.
w3af>>> plugins
w3af/plugins>>> audit config rfi
w3af/plugins/audit/config:rfi>>> set listen_address 127.0.0.1
w3af/plugins/audit/config:rfi>>> set use_w3af_site False
w3af/plugins/audit/config:rfi>>> back
The configuration has been saved.
w3af/plugins>>> crawl config web_spider
w3af/plugins/crawl/config:web_spider>>> set ignore_regex .*logout.*
w3af/plugins/crawl/config:web_spider>>> back
The configuration has been saved.
w3af/plugins>>> output html_file
w3af/plugins>>> back
w3af>>> start
Enabling dav's dependency allowed_methods
Enabling dav's dependency server_header
Called w3afCore.start()
Enabling _dns_cache()
DNS response from DNS server for domain: localhost
GET http://localhost/ returned HTTP code "200" (id=1,from_cache=0,grep=1)
GET http://localhost/ returned HTTP code "200" (id=2,from_cache=0,grep=1)
(snip)
POST http://localhost/security.php?test=%22%3E%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E with data: "security=low&seclev_submit=Submit" returned HTTP code "302" (id=14377,from_cache=0,grep=1)
POST http://localhost/security.php?test=%22%3E%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E with data: "security=low&seclev_submit=1" or pg_sleep(3) and "1"="1..." returned HTTP code "302" (id=14378,from_cache=0,grep=1)
(Test id: 140355035572368) 6.10079848766 > 0.00721096992493 > 2.98880016804
(Test id: 140355035572368) Failed to control HTTP response delay for URL http://localhost/security.php - parameter "seclev_submit" for 3 seconds using <ExactDelay (fmt:1" or pg_sleep(%s) and "1"="1, delta:0, mult:1)>, response wait time was: 0.00721096992493 seconds.
Scan finished in 12 minutes 38 seconds.
Stopping the core...
w3af>>> exit
The user stopped the core, finishing threads...
0 seconds. were needed to stop the core.

May the brute force be with you.
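The console output above is the scanner's view of the run; on the DVWA side the same requests end up in Apache's access log, which is where an operator would notice such a scan. The following is an added example, not part of the original post. The log lines are constructed to mirror requests from the output above (client IPs, timestamps and User-Agent are invented; the pg_sleep payload, which the scanner sent in a POST body that an access log does not record, is placed in a query string so it is visible), and the thresholds are assumptions to tune for real traffic.

```python
"""Recognising a w3af-style scan in the web server's access log.

Added example, not part of the original post. The console output above shows
what the scanner sent; on the DVWA side those requests land in Apache's
access log. The lines below are constructed to mirror requests from that
output (client IPs, timestamps and User-Agent are invented), and the
thresholds are assumptions to tune for your own traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines, not captured data.
SAMPLE_LOG = """\
172.17.0.1 - - [11/Feb/2016:22:57:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.17.0.1 - - [11/Feb/2016:22:57:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.17.0.1 - - [11/Feb/2016:22:57:02 +0000] "POST /security.php?test=%22%3E%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.17.0.1 - - [11/Feb/2016:22:57:02 +0000] "GET /vulnerabilities/sqli/?id=1%22+or+pg_sleep%283%29+and+%221%22%3D%221&Submit=Submit HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
172.17.0.1 - - [11/Feb/2016:22:57:02 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Feb/2016:22:57:05 +0000] "GET /login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload classes seen in the scan output above, matched against the decoded URL.
PAYLOAD_RULES = {
    "xss": re.compile(r"<script\b", re.I),
    "sqli_time": re.compile(r"\bpg_sleep\s*\(|\bsleep\s*\(", re.I),
}


def parse_line(line):
    """Parse one combined-format line; returns None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])  # %3C -> <, + -> space
    return rec


def classify(rec):
    """Names of the payload classes whose pattern appears in the decoded URL."""
    return [name for name, rx in PAYLOAD_RULES.items() if rx.search(rec["decoded_path"])]


def analyze(text, rate_threshold=3):
    """Summarise each client IP: request count, peak requests/second, payload hits, verdict."""
    per_ip = defaultdict(lambda: {"requests": 0, "per_second": Counter(), "hits": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["per_second"][rec["ts"]] += 1
        for name in classify(rec):
            entry["hits"][name] += 1
    report = {}
    for ip, e in per_ip.items():
        peak = max(e["per_second"].values())
        hits = dict(e["hits"])
        # Either repeated payload patterns or a burst rate marks the client as a scanner.
        scanner = sum(hits.values()) >= 2 or peak >= rate_threshold
        report[ip] = {"requests": e["requests"], "peak_per_second": peak,
                      "hits": hits, "verdict": "scanner" if scanner else "normal"}
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The rate check matters because payload strings change between scanner versions while the request volume does not: the run above reached request id 14378 in 12 minutes 38 seconds, roughly 19 requests a second from one client, far above the toy threshold of 3 used here. Note also that only query-string payloads are visible this way; the pg_sleep POST shown in the console output would need request-body logging or a WAF to be seen.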

When the scan finishes, the report file is written by default to the following path.

$ ls -al ~/report.html
-rw-r--r-- 1 user user 380445 Feb 11 23:09 /home/user/report.html

A screenshot of the report file displayed in a browser is shown below.

[screenshot: the HTML report opened in a browser]

Using the GUI

To use w3af through the GUI, run the following.

$ ./w3af_gui

A screenshot taken at startup is shown below.

[screenshot: the w3af GUI at startup]

Features specific to the GUI version include a graph view of the site structure and assistance with running exploits.

[screenshot omitted]

[screenshot omitted]

For detailed instructions, refer to the official HOWTO documentation.

Notes

Perform this kind of testing only against applications under your own control or for which you have the administrator's permission. Making accesses like the above against a third party's Web application may violate the laws of the country concerned (in Japan, the Unauthorized Computer Access Law, among others).

Usage of w3af for sending any traffic to a target without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Also, because this kind of testing can modify or delete data through unintended accesses, set up a test environment that can be broken without consequence before running it.

Related links