WebApp Sec mailing list archives
RE: webapp dependencies
From: "Ory Segal" <osegal () watchfire com>
Date: Wed, 20 Apr 2005 11:30:14 +0300
Amit - I like the idea...you might recall that a few years ago, I actually thought about using strace for a different purpose ;-) Matt - here's the strace output, when ran on the Apache server process. You'll notice that it is quite easy to notice the file open requests: - My first request was: GET /test.html HTTP/1.0 - Here's the strace output: ... NtQueryDirectoryFile (1624, 0, 0, 0, 16119860, 616, BothDirectory, 1, "test.html", 0, ... {status=0x0, info=112}, ) == 0x0 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 16121156, "\??\c:\program files\apache group\apache\htdocs\test.html"}, 0x0, 128, 3, 1, 96, 0, 0, ... ... (The NtCreateFile is the one in charge of opening the existing file) - I did a second experiment just for fun, and requested a non-existing file called "fail_test.html" - Here's the strace output: NtQueryDirectoryFile (1616, 0, 0, 0, 17168436, 616, BothDirectory, 1, "fail_test.html", 0, ... ) == STATUS_NO_SUCH_FILE - You will also notice another interesting line in this example: NtWriteFile (1932, 0, 0, 0, "[Wed Apr 20 11:25:16 2005] [error] [client 127.0.0.1] File does not exist: c:/program files/apache group/apache/htdocs/fail_test.html\15\12", 135, 0x0, 0, ... {status=0x0, info=135}, ) == 0x0 Yes, that's the server writing to the log file :-) -Ory -----Original Message----- From: Matt Fisher [mailto:mfisher () spidynamics com] Sent: Wednesday, April 20, 2005 9:13 AM To: Amit Klein (AKsecurity); Ory Segal; Jarmon, Don R; webappsec () securityfocus com Cc: wasc-technical () webappsec org Subject: RE: webapp dependencies That's not a bad idea. Capturing at a lower level would indeed give more details. I don't think I've ever used strace. Would the output be relatively clean ? Ie, not too much work to filter the wheat from the chaffe ?
-----Original Message----- From: Amit Klein (AKsecurity) [mailto:aksecurity () hotpop com] Sent: Wednesday, April 20, 2005 2:27 AM To: Ory Segal; Jarmon, Don R; webappsec () securityfocus com; Matt Fisher Cc: wasc-technical () webappsec org Subject: RE: webapp dependencies On 19 Apr 2005 at 23:21, Matt Fisher wrote:I'd really be interested in hearing about it if anyonefinds a goodtool / technique but at this point I really don't see howit could besufficiently performed from any client sided product suchas crawlers,scanners, accessibility testers etc.I'd take quite a different approach. At runtim, attach to the web process at a low level (kernel?), e.g. strace, and log access to files. Then use a crawler to enumerate (to the extent possible) all flows through the app. This should give you the list of files accessed
by the web server process (there are many detailed to be ironed out, such as server caching, spawning new proceses, etc. but I believe it's
doable). In the above example, once you make a hit on the page.asp, strace would first show the web process to read page.asp, and immediately thereafter page1.html. -Amit
Current thread:
- webapp dependencies Jarmon, Don R (Apr 13)
- Re: webapp dependencies Scovetta Labs (Apr 13)
- Re: webapp dependencies victor calzado (Apr 14)
- <Possible follow-ups>
- RE: webapp dependencies Ory Segal (Apr 14)
- Re: webapp dependencies moty yacov (Apr 18)
- RE: webapp dependencies Matt Fisher (Apr 20)
- RE: webapp dependencies Amit Klein (AKsecurity) (Apr 20)
- RE: webapp dependencies Ory Segal (Apr 20)
- RE: webapp dependencies Amit Klein (AKsecurity) (Apr 21)
- RE: webapp dependencies Matt Fisher (Apr 20)
- RE: webapp dependencies Ryan C. Barnett (Apr 20)
- RE: webapp dependencies Scovetta, Michael V (Apr 21)
- Re: webapp dependencies Bill Pennington (Apr 21)
- Re: webapp dependencies Scovetta Labs (Apr 13)