RE: webapp dependencies

["Ory Segal" <osegal () watchfire com>]

Amit - I like the idea...you might recall that a few years ago, I
actually thought about using strace for a different purpose ;-)

Matt - here's the strace output, when ran on the Apache server process.
You'll notice that it is quite easy to notice the file open requests:

- My first request was: GET /test.html HTTP/1.0

- Here's the strace output:

...
NtQueryDirectoryFile (1624, 0, 0, 0, 16119860, 616, BothDirectory, 1,
"test.html", 0, ... {status=0x0, info=112}, ) == 0x0
NtCreateFile (0x80100080, {24, 0, 0x42, 0, 16121156, "\??\c:\program
files\apache group\apache\htdocs\test.html"}, 0x0, 128, 3, 1, 96, 0, 0,
... 
...

(The NtCreateFile is the one in charge of opening the existing file)

- I did a second experiment just for fun, and requested a non-existing
file called "fail_test.html"
- Here's the strace output:

NtQueryDirectoryFile (1616, 0, 0, 0, 17168436, 616, BothDirectory, 1,
"fail_test.html", 0, ... ) == STATUS_NO_SUCH_FILE

- You will also notice another interesting line in this example:

NtWriteFile (1932, 0, 0, 0, "[Wed Apr 20 11:25:16 2005] [error] [client
127.0.0.1] File does not exist: c:/program files/apache
group/apache/htdocs/fail_test.html\15\12", 135, 0x0, 0, ... {status=0x0,
info=135}, ) == 0x0

Yes, that's the server writing to the log file :-)

-Ory






-----Original Message-----
From: Matt Fisher [mailto:mfisher () spidynamics com] 
Sent: Wednesday, April 20, 2005 9:13 AM
To: Amit Klein (AKsecurity); Ory Segal; Jarmon, Don R;
webappsec () securityfocus com
Cc: wasc-technical () webappsec org
Subject: RE: webapp dependencies

That's not a bad idea.  Capturing at a lower level would indeed give
more details.  I don't think I've ever used strace.  Would the output be
relatively clean ? Ie, not too much work to filter the wheat from the
chaffe ? 

 

> -----Original Message-----
> From: Amit Klein (AKsecurity) [mailto:aksecurity () hotpop com]
> Sent: Wednesday, April 20, 2005 2:27 AM
> To: Ory Segal; Jarmon, Don R; webappsec () securityfocus com; Matt Fisher
> Cc: wasc-technical () webappsec org
> Subject: RE: webapp dependencies
>
> On 19 Apr 2005 at 23:21, Matt Fisher wrote:
>
> >   I'd really be interested in hearing about it if anyone
> finds a good
> > tool / technique but at this point I really don't see how
> it could be
> > sufficiently performed from any client sided product such
> as crawlers,
> > scanners, accessibility testers etc.
>
> I'd take quite a different approach. At runtim, attach to the web 
> process at a low level (kernel?), e.g. strace, and log access to 
> files. Then use a crawler to enumerate (to the extent possible) all 
> flows through the app. This should give you the list of files accessed

> by the web server process (there are many detailed to be ironed out, 
> such as server caching, spawning new proceses, etc. but I believe it's

> doable).
>
> In the above example, once you make a hit on the page.asp, strace 
> would first show the web process to read page.asp, and immediately 
> thereafter page1.html.
>
> -Amit