In association with heise online


By way of an experiment, we disabled the dictionary function for checking the Apache web server. However, Skipfish was still allowed to learn new words during the scan, which produced 304 new entries. This reduced the scanning time to 20 minutes, during which 300,000 HTTP requests were made, generating 232MB of network traffic.

Skipfish generally produces a relatively large number of results and saves them in the defined directory as HTML, JavaScript with JSON and raw data files. Users can then view the report in a JavaScript-enabled browser or evaluate the raw data themselves. Unfortunately, the number of false alarms was considerably higher than that produced by tools such as Nikto or the Burp Suite, which we used for comparison. For instance, some regular ASCII text files were interpreted as JSON responses without XSSI (Cross Site Script Inclusion) protection. Skipfish attaches particular importance to well-formed MIME type and character set responses from the server. Every deviation will cause an "increased risk" rating, but only some of them actually have any substance.
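To show the kind of check behind these MIME, charset and XSSI ratings, and why a plain ASCII file is a false alarm, here is an added triage helper (my own illustration, not Skipfish's code) that assumes a constructed set of URL, Content-Type and response-body triples and the common anti-XSSI prefixes listed in the code:

```python
import json
from dataclasses import dataclass

# Prefixes commonly placed before JSON to stop a <script> tag from evaluating it.
XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);", "{}&&")


@dataclass
class Finding:
    url: str
    severity: str  # "info", "low" or "medium" (labels are my own, not Skipfish's)
    note: str


def parse_content_type(header):
    """Split 'text/html; charset=UTF-8' into ('text/html', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    mime = parts[0].lower() if parts else ""
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return mime, params


def strip_xssi_prefix(body):
    """Return (payload, protected): the body with any known breaker prefix removed."""
    s = body.lstrip()
    for prefix in XSSI_PREFIXES:
        if s.startswith(prefix):
            return s[len(prefix):], True
    return s, False


def looks_like_json(payload):
    """True only if the payload really parses as a JSON object or array."""
    try:
        return isinstance(json.loads(payload), (dict, list))
    except ValueError:
        return False


def triage(url, content_type, body):
    """Rate one response; a text file that merely resembles data gets no finding."""
    findings = []
    mime, params = parse_content_type(content_type)
    # HTML without a declared charset lets the browser guess the encoding.
    if mime == "text/html" and "charset" not in params:
        findings.append(Finding(url, "low", "text/html without charset"))
    payload, protected = strip_xssi_prefix(body)
    if looks_like_json(payload):
        if not protected:
            findings.append(Finding(url, "medium", "JSON without XSSI prefix"))
    elif mime == "application/json":
        findings.append(Finding(url, "info", "Content-Type says JSON but body is not"))
    return findings
```

Feeding the scanner's raw results through a filter like this removes the responses that only look like JSON before anyone inspects them by hand.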

Skipfish did not highlight the possibility of listing directory contents for any of the targets we tested. The contents of the robots.txt file, which can be particularly useful for identifying interesting server areas, are also left uncommented and presented to the user as "interesting file" results for individual interpretation.

The curtain falls

Four hours of scanning IIS 7.5 with the ScrewTurn wiki yielded 8 high risk results, 264 medium risk results, 55 low risk results, 123 warnings and 254 informational entries. The total data volume stored on disk was 851MB, and the web browser should have one Gigabyte of working memory available to allow the results page to be viewed.

All three SQL injection alerts for the Typo3 system prove to be false alarms when examined manually.
Unfortunately, the 8 most important results, all presumed to be integer overflows in HTTP GET parameters, turned out to be false. In the next group of results, "Interesting Server responses", HTTP 404 errors (resource not found) and HTTP 500 errors (internal server error) are jumbled together, making it necessary to manually investigate the 130 displayed results one by one. Since IIS displays a generic error message for "HTTP 500" to avoid providing potential attackers with further information, the remaining requests would have to be individually correlated with the web server log data or retested manually. However, a look at the server logs reveals that this effort would be wasted because the flaw is always the same and has no security relevance. That false alarms are not the exception also became apparent during a subsequent analysis of a Typo3 system where Skipfish warned of a critical SQL injection hole.

It is worth mentioning that Skipfish detects the presence of an intrusion prevention system (IPS) and lists this under "Internal Warnings". During our tests, it detected the HttpRequestValidationException, which is issued by ASP.NET for very obvious SQL injection and cross-site scripting attacks. This triggered an HTTP 500 error.
