w3afでWeb脆弱性スキャンをやってみる
「sqlmapを使ってみる」では、sqlmapを使ってSQL injection脆弱性のスキャンを行った。 ここでは、SQL injection以外の脆弱性もスキャンできるテストツールw3afを使い、Web脆弱性のスキャンをやってみる。
環境
Ubuntu 14.04.3 LTS 64bit版、Docker 1.9.1
$ uname -a Linux vm-ubuntu64 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty $ sudo docker version Client: Version: 1.9.1 API version: 1.21 Go version: go1.4.2 Git commit: a34a1d5 Built: Fri Nov 20 13:12:04 UTC 2015 OS/Arch: linux/amd64 Server: Version: 1.9.1 API version: 1.21 Go version: go1.4.2 Git commit: a34a1d5 Built: Fri Nov 20 13:12:04 UTC 2015 OS/Arch: linux/amd64
脆弱性のあるWebアプリケーションを用意する
まず、SQL injection脆弱性のあるWebアプリケーションを用意する。 ここでは、「脆弱性テスト・学習用Webアプリケーションのメモ」にも書いたDamn Vulnerable Web Application (DVWA)を利用することにする。
Dockerイメージを使い、localhostの80番ポートからDVWAにアクセスできるようにするには次のようにする。
$ sudo docker run -d -p 80:80 citizenstig/dvwa
コンテナが起動したら、ブラウザからhttp://localhost/にアクセスすることでDVWAのトップページが表示される。
初期状態ではMySQLテーブルが作成されていないので、トップページの指示に従いテーブルを作成する。 その後、ログイン画面からadmin/passwordでログインを行う。 さらに、「DVWA Security」のページからSecurity Levelをデフォルトのhighからlowに変更しておく。
w3afのダウンロード
w3afをダウンロードするには、gitを用いて次のようにする。
依存するパッケージはw3af_dependency_install.shを実行することでインストールできるが、libjpeg-devが抜けているので別途インストールする必要がある。
$ git clone --depth 1 https://github.com/andresriancho/w3af.git $ cd w3af $ ./w3af_console $ sudo apt-get install libjpeg-dev $ . /tmp/w3af_dependency_install.sh
w3afにはGUIとCUIの両方が用意されているが、ここではCUIを用いた方法について説明する。 CUIを用いる場合、次のようにしてスキャン設定を対話的に行うことができる。
$ ./w3af_console Usage of w3af for sending any traffic to a target without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Do you accept the terms and conditions? [N|y] y w3af>>> help |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | start | Start the scan. | | plugins | Enable and configure plugins. | | exploit | Exploit the vulnerability. | | profiles | List and use scan profiles. | | cleanup | Cleanup before starting a new scan. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | help | Display help. Issuing: help [command] , prints more specific help about "command" | | version | Show w3af version information. | | keys | Display key shortcuts. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | http-settings | Configure the HTTP settings of the framework. | | misc-settings | Configure w3af misc settings. | | target | Configure the target URL. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | kb | Browse the vulnerabilities stored in the Knowledge Base | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af>>> plugins w3af/plugins>>> help |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | list | List available plugins. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | output | View, configure and enable output plugins | | mangle | View, configure and enable mangle plugins | | evasion | View, configure and enable evasion plugins | | bruteforce | View, configure and enable bruteforce plugins | | infrastructure | View, configure and enable infrastructure plugins | | grep | View, configure and enable grep plugins | | audit | View, configure and enable audit plugins | | auth | View, configure and enable auth plugins | | crawl | View, configure and enable crawl plugins | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af/plugins>>> audit |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Plugin name | Status | Conf | Description | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. | | buffer_overflow | | | Find buffer overflow vulnerabilities. | | cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent with the value of the remote IP address/Host of the sender ofthe | | | | | incoming HTTP request. | | csrf | | | Identify Cross-Site Request Forgery vulnerabilities. | | dav | | | Verify if the WebDAV module is properly configured. | | eval | | Yes | Find insecure eval() usage. | | file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. | | format_string | | | Find format string vulnerabilities. | | frontpage | | | Tries to upload a file using frontpage extensions (author.dll). | | generic | | Yes | Find all kind of bugs without using a fixed database of errors. | | global_redirect | | | Find scripts that redirect the browser to any site. | | htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. | | ldapi | | | Find LDAP injection bugs. | | lfi | | | Find local file inclusion vulnerabilities. | | memcachei | | | No description available for this plugin. | | mx_injection | | | Find MX injection vulnerabilities. | | os_commanding | | | Find OS Commanding vulnerabilities. | | phishing_vector | | | Find phishing vectors. | | preg_replace | | | Find unsafe usage of PHPs preg_replace. | | redos | | | Find ReDoS vulnerabilities. | | response_splitting | | | Find response splitting vulnerabilities. | | rfd | | | Identify reflected file download vulnerabilities. | | rfi | | Yes | Find remote file inclusion vulnerabilities. | | shell_shock | | | Find shell shock vulnerabilities. | | sqli | | | Find SQL injection bugs. | | ssi | | | Find server side inclusion vulnerabilities. | | ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). | | un_ssl | | | Find out if secure content can also be fetched using http. | | websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. | | xpath | | | Find XPATH injection vulnerabilities. | | xss | | Yes | Identify cross site scripting vulnerabilities. | | xst | | | Find Cross Site Tracing vulnerabilities. | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af/plugins>>> audit xss w3af/plugins>>> audit |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Plugin name | Status | Conf | Description | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | blind_sqli | | Yes | Identify blind SQL injection vulnerabilities. | | buffer_overflow | | | Find buffer overflow vulnerabilities. | | cors_origin | | Yes | Inspect if application checks that the value of the "Origin" HTTP header isconsistent with the value of the remote IP address/Host of the sender ofthe | | | | | incoming HTTP request. | | csrf | | | Identify Cross-Site Request Forgery vulnerabilities. | | dav | | | Verify if the WebDAV module is properly configured. | | eval | | Yes | Find insecure eval() usage. | | file_upload | | Yes | Uploads a file and then searches for the file inside all known directories. | | format_string | | | Find format string vulnerabilities. | | frontpage | | | Tries to upload a file using frontpage extensions (author.dll). | | generic | | Yes | Find all kind of bugs without using a fixed database of errors. | | global_redirect | | | Find scripts that redirect the browser to any site. | | htaccess_methods | | | Find misconfigurations in Apache's "<LIMIT>" configuration. | | ldapi | | | Find LDAP injection bugs. | | lfi | | | Find local file inclusion vulnerabilities. | | memcachei | | | No description available for this plugin. | | mx_injection | | | Find MX injection vulnerabilities. | | os_commanding | | | Find OS Commanding vulnerabilities. | | phishing_vector | | | Find phishing vectors. | | preg_replace | | | Find unsafe usage of PHPs preg_replace. | | redos | | | Find ReDoS vulnerabilities. | | response_splitting | | | Find response splitting vulnerabilities. | | rfd | | | Identify reflected file download vulnerabilities. | | rfi | | Yes | Find remote file inclusion vulnerabilities. | | shell_shock | | | Find shell shock vulnerabilities. | | sqli | | | Find SQL injection bugs. | | ssi | | | Find server side inclusion vulnerabilities. | | ssl_certificate | | Yes | Check the SSL certificate validity (if https is being used). | | un_ssl | | | Find out if secure content can also be fetched using http. | | websocket_hijacking | | | Detect Cross-Site WebSocket hijacking vulnerabilities. | | xpath | | | Find XPATH injection vulnerabilities. | | xss | Enabled | Yes | Identify cross site scripting vulnerabilities. | | xst | | | Find Cross Site Tracing vulnerabilities. | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af/plugins>>> audit config xss w3af/plugins/audit/config:xss>>> help |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | view | List the available options and their values. | | set | Set a parameter value. | | save | Save the configured settings. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | back | Go to the previous menu. | | exit | Exit w3af. | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af/plugins/audit/config:xss>>> view |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Setting | Value | Modified | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | persistent_xss | True | | Identify persistent cross site scripting vulnerabilities | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| w3af/plugins/audit/config:xss>>> back The configuration has been saved. w3af/plugins>>> back w3af>>> exit Liked it? Sponsor the project!
w3afでWeb脆弱性スキャンをやってみる
w3afでは、上のようなスキャン設定をスクリプトファイルとして記述することができる。 スキャンのたびに設定項目を対話的に入力するのは手間であるため、スキャンの際はスクリプトファイルを利用するとよい。
DVWAのスキャンにあたっては、まずCookieをログイン済みのブラウザの開発者コンソールなどから調べ、テキストファイルとして保存しておく。
> document.cookie "PHPSESSID=hbolint2l342rdulhnsfeciko1; security=low"
$ cat headers.txt Cookie: PHPSESSID=hbolint2l342rdulhnsfeciko1; security=low
上で保存したCookieを用い、RiskがHighのもののみをスキャンするスクリプトを書くと次のようになる。
スキャンする脆弱性の指定については、用意されているprofilesを用いると楽である。
また、ここではログアウトが起こらないようにweb_spiderプラグインの設定でlogoutを含むURLを除外している。
$ cat script.txt profiles use audit_high_risk back target set target http://localhost/ back http-settings set timeout 30 set headers_file headers.txt back plugins audit config rfi set listen_address 127.0.0.1 set use_w3af_site False back crawl config web_spider set ignore_regex .*logout.* back output html_file back start
上のスクリプトファイルを用いて実際にスキャンを行ってみる。
$ ./w3af_console -s script.txt w3af>>> profiles w3af/profiles>>> use audit_high_risk The plugins configured by the scan profile have been enabled, and their options configured. Please set the target URL(s) and start the scan. w3af/profiles>>> back w3af>>> target w3af/config:target>>> set target http://localhost/ w3af/config:target>>> back The configuration has been saved. w3af>>> http-settings w3af/config:http-settings>>> set timeout 30 w3af/config:http-settings>>> set headers_file headers.txt w3af/config:http-settings>>> back The configuration has been saved. w3af>>> plugins w3af/plugins>>> audit config rfi w3af/plugins/audit/config:rfi>>> set listen_address 127.0.0.1 w3af/plugins/audit/config:rfi>>> set use_w3af_site False w3af/plugins/audit/config:rfi>>> back The configuration has been saved. w3af/plugins>>> crawl config web_spider w3af/plugins/crawl/config:web_spider>>> set ignore_regex .*logout.* w3af/plugins/crawl/config:web_spider>>> back The configuration has been saved. w3af/plugins>>> output html_file w3af/plugins>>> back w3af>>> startEnabling dav's dependency allowed_methods Enabling dav's dependency server_header Called w3afCore.start() Enabling _dns_cache() DNS response from DNS server for domain: localhost GET http://localhost/ returned HTTP code "200" (id=1,from_cache=0,grep=1) GET http://localhost/ returned HTTP code "200" (id=2,from_cache=0,grep=1) (snip) POST http://localhost/security.php?test=%22%3E%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E with data: "security=low&seclev_submit=Submit" returned HTTP code "302" (id=14377,from_cache=0,grep=1) POST http://localhost/security.php?test=%22%3E%3Cscript%3Eeval%28window.name%29%3C%2Fscript%3E with data: "security=low&seclev_submit=1" or pg_sleep(3) and "1"="1..." returned HTTP code "302" (id=14378,from_cache=0,grep=1) (Test id: 140355035572368) 6.10079848766 > 0.00721096992493 > 2.98880016804 (Test id: 140355035572368) Failed to control HTTP response delay for URL http://localhost/security.php - parameter "seclev_submit" for 3 seconds using <ExactDelay (fmt:1" or pg_sleep(%s) and "1"="1, delta:0, mult:1)>, response wait time was: 0.00721096992493 seconds. Scan finished in 12 minutes 38 seconds. Stopping the core... w3af>>> exit The user stopped the core, finishing threads... 0 seconds. were needed to stop the core. May the brute force be with you.
スキャンが終わると、デフォルトで次のパスにレポートファイルが出力される。
$ ls -al ~/report.html -rw-r--r-- 1 user user 380445 Feb 11 23:09 /home/user/report.html
レポートファイルをブラウザで表示した際のスクリーンショットを次に示す。
GUIを利用する場合
w3afをGUIで利用するには、次のようにすればよい。
$ ./w3af_gui
起動した際のスクリーンショットを次に示す。
GUI版の特徴的な機能としては、サイト構造のグラフ表示、Exploitの実行補助がある。
詳細な操作方法については、公式のHOWTOやドキュメントを参照されたい。
注意事項
このようなテストは自身の管理下あるいは管理者の許可を得たアプリケーションに対してのみ行うこと。 第三者のWebアプリケーションに対して上のようなアクセスを行った場合、各国の法律(日本であれば不正アクセス禁止法等)に抵触するおそれがある。
Usage of w3af for sending any traffic to a target without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
また、このようなテストは意図しないアクセスによりデータの書き換え・消去等を引き起こす可能性があるため、壊れても支障のないテスト用環境を用意した上で行うこと。
