Re: [GSoC] Candidate on NSE Script Development and my first scripts

[David Fifield <david () bamsoftware com>]

On Sun, Apr 28, 2013 at 06:57:43PM +0300, George Chatzisofroniou wrote:
> My name is George Chatzisofroniou and i'm 21 years old. I 
> am an undergraduate student in the department of computer 
> science at the University of Piraeus (Greece) where i also 
> work as a system administrator for the last two years.
>
> I'm very interested on joining the Nmap development team
> starting by GSoC 2013. This is actually the second time i'm
> participating in GSoC. Last year i developed a metrics
> module for GNU/Mailman. This year i hope to join a
> community that focus on infosec which is my primary area of
> interest. Nmap is one of my favorite tools that seems to
> have a good basic architecture while the details are still
> evolving and ofcourse a great community -- a perfect
> choice for GSoC.
>
> While reading through the ideas in the wiki, the "Web
> Scanning Specialist" looks very interesting.
>
> To get my hands dirty early, i started hacking on NSE and i
> developed my first two scripts:
>
> * http-fileupload-exploiter [1]. This ideas is mentioned on
> the wiki.  In total, this script performs 45 upload
> requests to progressively exploit the fileupload mechanism.
>
> * http-comments-displayer [2]. This script extracts and
> outputs HTML/JS comments from HTTP responses.

Thank you, these scripts look nice. Were you able to test
http-fileupload-exploiter against any real software? If so, what was it
and what were the results?

> Now, I noticed that the "high-priority" section on NSE
> script ideas contains 3 interesting HTTP scripts:
>
> * XML and HTML parsing. I think we could analyze the XML
> file into nested tables using patterns. I've seen some
> implementations, like this one [3] that look interesting.
> I'm wondering if it makes sense to build this library in
> C++ for efficiency or just stick to LUA for consistency.

I would prefer a library that uses an event- or pull-driven model over
one that parses an entire document at once and gives you nested tables.
Please see http://seclists.org/nmap-dev/2011/q3/25 and
http://seclists.org/nmap-dev/2011/q2/1281 for a previous prototype. I
want to avoid with the XML parser the bug we have with the http library:
you have to buffer a huge document in memory in order to do anything
with it.

> * http-mirror. As mentioned, to make this possible we need
> a wrapper to perform the system call and create the
> directory for the mirrored site.
>
> * http-nikto-fingerprints. Nikto's database is in CSV
> format, so we could use some ready implementations like
> this one for its parsing [4].
>
> Some more ideas:
>
> * http-csrf. This will try to generate a CSRF PoC but i'm
> not sure if there is a simple way to test the effectiveness 
> of the generated PoC.
>
> * http-referer-checker. This will inform about cross-domain
> include of scripts. This could work either by checking the
> Accept-header */* where target domain differs from referer
> domain, or simply by checking all links in the HTTP response.
>
> * http-session-analyzer. This will test the randomness of
> session tokens. We could implement FIPS 140-2 the same way 
> Burp Sequencer does or find a wrapper that performs tests 
> on random values.
>
> * http-brute-phpsessid. This will perform a session
> hijacking by brute forcing the PHP session ID in
> applications that use the native PHP Session mechanism [5].
>
> * Right now http-sql-injection uses the most basic form of
> SQL injection. I think we need to perform more advanced
> techniques like blind injections or stacked queries
> probably in standalone scripts.
>
> * There is only one XSS script right now
> (http-phpself-xss). We need some scripts to perform
> different kind of XSS, like stored, reflected or DOM-based.

These are good ideas; putting them together should make a strong
proposal.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/