The information gathered in the previous sections is not lost: we now use it to detect any flaw that could be exploited later.
For this, we rely on a few utilities that run automated vulnerability scans, such as uniscan, skipfish and nessus.
The vulnerabilities found are explained in this section.
1 Used scans
1.1 Uniscan
Uniscan is a web vulnerability scanner, implemented in Perl, used to find vulnerabilities in web systems. Its search focuses specifically on the following vulnerability classes: RFI (Remote File Include) and LFI (Local File Include), RCE (Remote Code Execution), blind SQL injection and SQL injection, and XSS.
To do this, Uniscan indexes the site (crawling / collecting), gathering resources such as web pages, images, videos and so on.
We used the following command (more options can be added):
perl ./uniscan.pl -u http://www.target.fr/ -qweds
The options used in this command are the following:
- -u <url> : target URL.
- -q : enables folder search.
- -w : enables file search.
- -e : enables the robots.txt check.
- -d : enables dynamic search.
- -s : enables static search.
The only flaw found with this scanner was a SQL injection flaw, at the following URL:
http://www.target.fr/xxxx/actu?num=1133+AND+1=1
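The SQL injection reported above comes from a request parameter (num) being interpreted as part of the query. The following Python example, added here and not part of the original report, contrasts a vulnerable lookup that concatenates the parameter into the query text with a hardened one that validates the type and binds it. The in-memory SQLite table and its rows are constructed stand-ins; the real schema of the target is unknown.

```python
import sqlite3


def build_db():
    """Constructed sample database: a small 'actu' (news) table keyed by num.
    This is an assumption for illustration, not the target's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE actu (num INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO actu VALUES (?, ?)",
        [(1133, "Article 1133"), (1134, "Article 1134")],
    )
    return conn


def fetch_vulnerable(conn, num):
    """Vulnerable pattern: the raw request parameter is concatenated into the
    SQL text, so anything after the number is executed as SQL."""
    sql = "SELECT num, title FROM actu WHERE num = " + num
    return conn.execute(sql).fetchall()


def fetch_hardened(conn, num):
    """Hardened pattern: reject anything that is not a plain integer, then bind
    the value as a query parameter so it can never be parsed as SQL."""
    if not num.isdigit():
        raise ValueError("num must be a positive integer")
    sql = "SELECT num, title FROM actu WHERE num = ?"
    return conn.execute(sql, (int(num),)).fetchall()


def rejects_injection(conn, num):
    """Return True when the hardened lookup refuses the given parameter."""
    try:
        fetch_hardened(conn, num)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # A normal request behaves the same in both versions.
    print(fetch_vulnerable(db, "1133"))
    print(fetch_hardened(db, "1133"))
    # A tautology appended to the parameter widens the vulnerable query to
    # every row; the hardened version refuses the parameter outright.
    print(fetch_vulnerable(db, "1133 OR 1=1"))
    print(rejects_injection(db, "1133 OR 1=1"))
```

The same fix applies on a Tomcat site in Java: validate the parameter type and use a PreparedStatement with bound parameters instead of building the query string by concatenation.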
1.2 Skipfish
Skipfish is also a web vulnerability scanner. It offers several interesting features:
- Quick scan: it is capable of 2000 requests per second in a local environment and 500 requests per second over the internet.
- Heuristic approach.
- Generates a detailed HTML report, even if the scan was stopped.
This scanner covers many types of vulnerabilities, among them SQL / PHP injection, XML injection, overflows and XSS.
We used the following command:
./skipfish -o /home/results/skipfish http://target.fr/
Several vulnerabilities were found; we mention the most important ones, those with high risk:
- Query injection vector: the possibility of an attack by injection of a SQL query.
- Shell injection vector: an attack by injection of a command.
- Server-side XML injection vector: an XML injection can change the functionality of the site and even reach highly sensitive data.
- Incorrect caching directives: caching directives are used incorrectly. In the case of our target, it is the caching of cookies.
- XSS vector in document body: injection of script to manipulate the normal response of the page in the web browser.
[Figure: skipfish result]
1.3 Nessus
Nessus is a security tool that reports the potential or actual weaknesses of the machines tested. It detects live machines on a network, scans for open ports, identifies active services and their versions, and tries various attacks.
A specific procedure is required to install and activate this tool.
Since Nessus is not open source software, we used a limited version. Consequently, the result was very limited and revealed only one XSS vulnerability, tied to the version of Tomcat.
We tried to find the version of Tomcat used by the site:
http://target.fr/tomcat-docs/appdev/sample/web/hello
2 Other ways to search
As already found, the version of Tomcat used is 5.5.20.
A simple search on the internet gave us three vulnerabilities announced for this version; they are the following:
2.1 Cross-site scripting CVE-2007-1358
Level: low
Fixed: Apache Tomcat 5.5.21, 5.0.SVN
This vulnerability allows an attacker to inject arbitrary script or HTML through crafted Accept-Language request headers that do not follow RFC 2616, when the software automatically accepts and echoes the user's language tags.
2.2 Session hi-jacking CVE-2008-0128
Level: Medium
Fixed: Apache Tomcat 5.5.21
The JSESSIONIDSSO cookie is not flagged as secure in HTTPS sessions, which makes it possible for an attacker to capture this cookie.
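Two of the findings on this page are response-header hygiene problems: the Skipfish "incorrect caching directives" result (cookies being cached) and the missing secure flag on the JSESSIONIDSSO cookie described under CVE-2008-0128. The following Python checker, added here and not part of the original report or of any scanner, parses a raw HTTP response head and reports cookies set without Secure or HttpOnly and cacheable responses that set cookies. The two sample responses are constructed for the example; the Server header value and cookie value are illustrative, not captured from the target.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    header: str   # the cookie name or header the issue concerns
    issue: str    # human-readable description


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).
    Header names are lower-cased; the body after the blank line is ignored."""
    lines = raw.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_cookies(headers, over_https=True):
    """Flag Set-Cookie headers lacking the Secure (on HTTPS) or HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if over_https and "secure" not in attrs:
            findings.append(Finding(cookie_name, "missing Secure flag: cookie may be sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding(cookie_name, "missing HttpOnly flag: cookie readable from script"))
    return findings


def check_caching(headers):
    """Flag responses that set a cookie without forbidding shared caching."""
    findings = []
    sets_cookie = any(n == "set-cookie" for n, _ in headers)
    directives = set()
    for n, v in headers:
        if n == "cache-control":
            directives.update(d.strip().lower() for d in v.split(","))
    if sets_cookie and not ({"no-store", "private"} & directives):
        findings.append(Finding("Cache-Control", "response sets a cookie but allows shared caching"))
    return findings


def audit(raw, over_https=True):
    """Run both checks on a raw response head and return the list of findings."""
    _, headers = parse_headers(raw)
    return check_cookies(headers, over_https) + check_caching(headers)


# Constructed sample: a weak response of the kind the report describes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONIDSSO=EXAMPLEVALUE; Path=/\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with the corrected directives.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONIDSSO=EXAMPLEVALUE; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for f in audit(WEAK_RESPONSE):
        print(f"{f.header}: {f.issue}")
    print("hardened findings:", audit(HARDENED_RESPONSE))
```

Run against a captured response head (for example from a proxy log) the checker gives a quick pass/fail on the two findings without rescanning the site; the no-store / private test is deliberately strict, since a session cookie should never be stored by a shared cache.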
2.3 Information disclosure CVE-2008-4308
Level: low
Fixed: Apache Tomcat 5.5.21
This flaw affects Tomcat responses to requests that contain errors.