
Security

Web application scanning with skipfish

By Jake Edge
March 31, 2010

Web application security flaws are, as always, a hot area in security research, and it isn't surprising that a company which derives much of its income from the web would be interested in helping to secure it. Google has released several tools over the past couple of years—along with a Browser Security Handbook—many of which have been written by longtime security researcher Michal Zalewski. His latest release, skipfish, is an automated web application scanner that actively probes to find vulnerabilities.

Skipfish is a high-performance tool that can do several hundred to several thousand requests per second. Each of those requests tests a different kind of potential security flaw in an application. It spiders a web application and tries its tests on each of the pages it finds. For any complicated application, that will result in huge numbers of requests—and probably errors—but because of the post-processing it does to its results, it summarizes the reported problems in a fairly manageable way.

[Skipfish running]

The code itself is 12,000 lines of C, which builds from a simple make as long as libidn is available to handle internationalized domain names. The program is command-line driven with top-like, continuously updating output (seen at right). Zalewski made some odd choices for colors in that output, making it hard to find a terminal color-scheme where it was readable. The recommended 100x35 terminal size is decidedly non-standard as well. Those nits aside, it is quite easy to get started with skipfish.

[Top-level report]

Understanding what one should do with skipfish is another story entirely. There is a large number of tests that are run, which are listed on the documentation page. That page also provides some examples of using the tool. As one might guess, there are a large number of options to handle different application needs like cookie values, HTTP authentication credentials, logout URLs to avoid, and so on. Before getting to that point, though, one must choose a dictionary.

Dictionaries in skipfish provide a starting point for the scanner to find additional URLs, files, and parameters that are used by the web application. There are four different dictionaries distributed with skipfish (minimal, default, extensions-only, and complete), and the tool will add what it learns to the dictionary as it runs. The dictionaries/README-FIRST file describes each dictionary as well as how the dictionaries are used. The minimal.wl dictionary is suggested as a good, lightweight starting point for skipfish experimentation.

[Expanded report]

One gets the sense that a lot of experimentation will be required before any kind of skipfish mastery is achieved. That said, a fairly short run of skipfish against a local development version of a reasonably complex web application turned up several obvious, though relatively minor, problems. There is also quite a bit more to go through in the report, so more problems likely await discovery even in this small sample of skipfish's capabilities. One note of warning for those whose application sends email when it encounters significant errors: either disable that first, or you may get a chance to stress your mail server and/or be subjected to an inbox denial of service.

The report that skipfish produces is a summary of the problems, or potential problems, that it found. It is in HTML format, which, somewhat amusingly, requires JavaScript to be turned on to be useful. In fact, the "known issues" page mentions that due to "important security improvements" in Safari and Chrome, neither of those browsers will display the report via the file: protocol—"put the report in a local WWW root and navigate to http://localhost/... instead; or use Firefox".

[HTTP trace]

In the report, various categories of problems found are listed with color-coded icons to estimate the severity of the problem. Categories can be clicked on which will expose a list of the pages that exhibited the problem. For each of those, an HTTP trace can be examined (example shown at left). While some of the categories are fairly obvious, some are a bit more obscure and will require some investigation to determine whether there is truly a problem or not.

Like most, if not all, automated scanners, skipfish will report plenty of false positives, which means that the results will have to be sifted to find the real problems. Skipfish is aimed at minimizing false positives, but it will still require an iterative approach. Limiting the search to the "interesting" parts of the application, without missing something important in the portions deemed "unimportant", will be somewhat tricky to get right.

Most web applications have vast numbers of pages that are governed by the same underlying code, so picking a truly representative sample of one of those pages is important. Otherwise, skipfish will spend an awful lot of time repetitively testing the same kinds of things against "/ExampleContent/1", "/ExampleContent/2", and so on. The same problem exists for any automated web scanner, of course.
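As an added illustration of the sampling problem just described (this is not code from the article or from skipfish), the following Python script folds a crawled URL list into "templates" so that "/ExampleContent/1", "/ExampleContent/2" and so on count as one page to scan. The URL list and the hostname are constructed for the example, the numeric and hex-identifier heuristics are generic, and the "/users/.../profile" rule is an assumed site-specific rule that a tester would write for their own application; scanners in general cannot guess such rules.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of URLs a crawler might collect from an application where
# many pages are served by the same underlying code (hostname is made up).
SAMPLE_URLS = [
    "http://app.example.test/ExampleContent/1",
    "http://app.example.test/ExampleContent/2",
    "http://app.example.test/ExampleContent/3?mode=print",
    "http://app.example.test/ExampleContent/1?mode=print",
    "http://app.example.test/users/alice/profile",
    "http://app.example.test/users/bob/profile",
    "http://app.example.test/search?q=foo",
    "http://app.example.test/search?q=bar&page=2",
    "http://app.example.test/admin/export/0x1f3a9b",
    "http://app.example.test/static/logo.png",
]

# Generic heuristics: a path segment that is all digits, or a long hex string,
# is almost certainly a record identifier rather than a distinct code path.
NUMERIC = re.compile(r"^\d+$")
HEXID = re.compile(r"^(0x)?[0-9a-f]{6,}$", re.IGNORECASE)

# Site-specific rules for identifier segments the generic heuristics cannot
# recognise (usernames, slugs). This one is an assumption made for the sample.
EXTRA_RULES = [
    (re.compile(r"^/users/[^/]+/profile$"), "/users/{name}/profile"),
]


def template_path(path, rules=EXTRA_RULES):
    """Map a concrete path to a template: explicit rules first, then replace
    identifier-like segments with {id}."""
    for pattern, template in rules:
        if pattern.match(path):
            return template
    segments = []
    for seg in path.split("/"):
        if NUMERIC.match(seg) or HEXID.match(seg):
            segments.append("{id}")
        else:
            segments.append(seg)
    return "/".join(segments)


def template_key(url):
    """Template = path template plus the sorted set of query parameter names.
    Values are dropped: it is the set of parameters, not their values, that
    usually selects which server-side code handles the request."""
    parts = urlsplit(url)
    names = sorted({p.split("=", 1)[0] for p in parts.query.split("&") if p})
    key = template_path(parts.path)
    if names:
        key += "?" + ",".join(names)
    return key


def representatives(urls):
    """Return {template: (first URL seen for it, number of URLs it covers)},
    keeping first-seen order so the output is stable across runs."""
    groups = {}
    for url in urls:
        key = template_key(url)
        if key in groups:
            first, count = groups[key]
            groups[key] = (first, count + 1)
        else:
            groups[key] = (url, 1)
    return groups


def scan_list(urls):
    """The reduced list of URLs worth feeding to a scanner: one per template."""
    return [first for first, _ in representatives(urls).values()]


if __name__ == "__main__":
    for key, (first, count) in representatives(SAMPLE_URLS).items():
        print(f"{count:3d}  {key:32s}  e.g. {first}")
    print(f"{len(SAMPLE_URLS)} URLs -> {len(scan_list(SAMPLE_URLS))} representatives")
```

Run on the sample, the ten URLs collapse to seven representatives. The query-name rule is deliberate: "?q=foo" and "?q=bar" exercise the same handler, but "?q=bar&page=2" reaches pagination code that "?q=foo" never touches, so it keeps its own template. The unavoidable caveat is the one the article raises: whatever is folded together is not tested separately, so a rule that is too greedy hides exactly the "unimportant" page that differs from its siblings.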

As the documentation points out, there are other tools that do similar jobs (Nikto and Nessus are given as examples), and skipfish is "not a silver bullet". But, clearly a lot of thought has gone into it, and Zalewski has an excellent track record as a finder of security vulnerabilities. Skipfish is certainly a tool that is worth a long look.

Comments (none posted)

Brief items

Mozilla: Plugging the CSS History Leak

The Mozilla security blog discusses their response to the leaking of browser history information via CSS link styling. "First of all, we're limiting what types of styling can be done to visited links to differentiate them from unvisited links. Visited links can only be different in color: foreground, background, outline, border, SVG stroke and fill colors. All other style changes either leak the visitedness of the link by loading a resource or changing position or size of the styled content in the document, which can be detected and used to identify visited links."

Comments (1 posted)

New vulnerabilities

brltty: privilege escalation

Package(s): brltty    CVE #(s): CVE-2008-3279
Created: March 31, 2010    Updated: April 19, 2010
Description: The brltty daemon has an insecure library search path built into the executable, allowing a local attacker who applies sufficient social engineering to run code as another local user.
Alerts:
Mandriva MDVSA-2010:080 2010-04-17
Red Hat RHSA-2010:0181-05 2010-03-30

Comments (none posted)

emacs: symlink race

Package(s): emacs22, emacs23    CVE #(s): CVE-2010-0825
Created: March 30, 2010    Updated: August 30, 2010
Description: From the Ubuntu advisory:

Dan Rosenberg discovered that the email helper in Emacs did not correctly check file permissions. A local attacker could perform a symlink race to read or append to another user's mailbox if it was stored under a group-writable group-"mail" directory.

Alerts:
MeeGo MeeGo-SA-10:11 2010-08-03
Mandriva MDVSA-2010:083 2010-04-20
Ubuntu USN-919-1 2010-03-29

Comments (none posted)

fcron: symlink attack

Package(s): fcron    CVE #(s): CVE-2010-0792
Created: March 29, 2010    Updated: March 31, 2010
Description: From the CVE entry:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via a symlink attack on an unspecified file.
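The emacs entry above and this fcron entry describe the same class of bug: a helper that runs with more privilege than the invoking user opens a path under a directory that user can write to, and a symlink planted there redirects the open to somebody else's file. The Python below is an added example of the defensive pattern, not code from Emacs, fcron or either advisory: open with O_NOFOLLOW so a symlink at the target is refused outright, then validate the inode you actually obtained with fstat on the descriptor (a stat on the name before open is exactly the check-then-use window a race exploits). The mailbox, the target file and the planted symlink in demo() are all constructed in a temporary directory.

```python
import os
import stat
import tempfile


def open_nofollow_checked(path, flags, expected_uid):
    """Open `path` refusing to follow a symlink at the final component, then
    validate the inode actually opened (fstat on the descriptor, not stat on
    the name, so nothing can be swapped in between the check and the use).
    Returns an open file descriptor; raises PermissionError on any mismatch."""
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW)
    except OSError as exc:
        # A symlink at the target makes open() fail (ELOOP) under O_NOFOLLOW
        raise PermissionError(f"refusing {path}: {exc.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path} is owned by uid {st.st_uid}, not {expected_uid}")
        if st.st_nlink != 1:
            # A hard link is the other way to alias someone else's file
            raise PermissionError(f"{path} has {st.st_nlink} links")
    except Exception:
        os.close(fd)
        raise
    return fd


def append_to_mailbox(path, data, expected_uid):
    """Append to a mailbox the way a mail helper would, write-only."""
    fd = open_nofollow_checked(path, os.O_WRONLY | os.O_APPEND, expected_uid)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def read_user_file(path, expected_uid):
    """Read a file that must belong to the given user (the fcrontab case)."""
    fd = open_nofollow_checked(path, os.O_RDONLY, expected_uid)
    with os.fdopen(fd, "rb") as f:   # fdopen takes ownership of fd
        return f.read()


def demo():
    """Constructed scenario: a genuine mailbox plus a symlink planted in the
    same directory, pointing at a file the helper must never touch.
    Returns a dict of outcomes so the behaviour can be checked."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        maildir = os.path.join(d, "mail")
        os.makedirs(maildir)
        mailbox = os.path.join(maildir, "alice")
        with open(mailbox, "wb") as f:
            f.write(b"From alice\n")
        target = os.path.join(d, "victim-file")
        with open(target, "wb") as f:
            f.write(b"secret\n")
        link = os.path.join(maildir, "bob")
        os.symlink(target, link)   # the planted symlink

        append_to_mailbox(mailbox, b"From bob\nhello\n", uid)
        results["genuine_append_ok"] = read_user_file(mailbox, uid).endswith(b"hello\n")

        try:
            append_to_mailbox(link, b"injected\n", uid)
            results["symlink_write_rejected"] = False
        except PermissionError:
            results["symlink_write_rejected"] = True

        try:
            read_user_file(link, uid)
            results["symlink_read_rejected"] = False
        except PermissionError:
            results["symlink_read_rejected"] = True

        with open(target, "rb") as f:
            results["target_untouched"] = f.read() == b"secret\n"

        try:
            read_user_file(mailbox, uid + 1)   # wrong owner must also fail
            results["wrong_owner_rejected"] = False
        except PermissionError:
            results["wrong_owner_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
```

The ownership check is what the Emacs advisory says was missing; O_NOFOLLOW is what turns a symlink from a redirect into an error. Note that neither protects against a symlink in an intermediate directory component, which is why the advisory's real fix is also about not trusting group-writable directories for per-user files.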

Alerts:
Fedora FEDORA-2010-4063 2010-03-10

Comments (none posted)

gnutls: arbitrary code execution

Package(s): gnutls    CVE #(s): CVE-2010-0731
Created: March 25, 2010    Updated: August 2, 2010
Description:

From the Red Hat advisory:

A flaw was found in the way GnuTLS extracted serial numbers from X.509 certificates. On 64-bit big endian platforms, this flaw could cause the certificate revocation list (CRL) check to be bypassed; cause various GnuTLS utilities to crash; or, possibly, execute arbitrary code. (CVE-2010-0731)

Alerts:
SUSE SUSE-SR:2010:014 2010-08-02
Mandriva MDVSA-2010:089 2010-05-03
CentOS CESA-2010:0167 2010-03-28
Red Hat RHSA-2010:0167-01 2010-03-25

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2010-0727
Created: March 25, 2010    Updated: September 1, 2010
Description:

From the Mandriva advisory:

The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions. (CVE-2010-0727)

Alerts:
SUSE SUSE-SA:2010:036 2010-09-01
Ubuntu USN-947-2 2010-06-04
Debian DSA-2053-1 2010-05-25
Red Hat RHSA-2010:0380-01 2010-04-27
Red Hat RHSA-2010:0331-01 2010-03-30
Red Hat RHSA-2010:0521-01 2010-07-08
Red Hat RHSA-2010:0330-01 2010-03-30
Red Hat RHSA-2010:0291-04 2010-03-30
Red Hat RHSA-2010:0178-02 2010-03-30
Mandriva MDVSA-2010:066 2010-03-24
Ubuntu USN-947-1 2010-06-03

Comments (2 posted)

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2010-1083 CVE-2010-1086 CVE-2010-1088
Created: March 30, 2010    Updated: October 8, 2010
Description: From the SUSE advisory:

CVE-2010-1083: A kernel information leak using user space USB devices could be used by local attackers with USB access to read recently freed kernel memory.

CVE-2010-1086: A ULE decapsulation denial of service problem in DVB drivers was fixed that could be triggered by invalid DVB data packets.

CVE-2010-1088: A NFS denial of service by following "automount" symlinks was fixed.

Alerts:
Mandriva MDVSA-2010:188 2010-09-23
SUSE SUSE-SA:2010:036 2010-09-01
Mandriva MDVSA-2010:198 2010-10-07
Red Hat RHSA-2010:0631-01 2010-08-17
Red Hat RHSA-2010:0723-01 2010-09-29
CentOS CESA-2010:0723 2010-09-30
Ubuntu USN-947-1 2010-06-03
CentOS CESA-2010:0398 2010-05-28
Pardus 2010-64 2010-06-04
Ubuntu USN-947-2 2010-06-04
Debian DSA-2053-1 2010-05-25
Pardus 2010-63 2010-05-18
CentOS CESA-2010:0394 2010-05-08
Red Hat RHSA-2010:0398-01 2010-05-06
SuSE SUSE-SA:2010:023 2010-05-06
Red Hat RHSA-2010:0394-01 2010-05-05
Mandriva MDVSA-2010:088 2010-04-30
Pardus 2010-57 2010-04-27
CentOS CESA-2010:0504 2010-07-02
SuSE SUSE-SA:2010:019 2010-03-30
Red Hat RHSA-2010:0504-01 2010-07-01

Comments (none posted)

kvm: denial of service

Package(s): kvm    CVE #(s): CVE-2010-0741
Created: March 31, 2010    Updated: June 4, 2010
Description: A flaw in how QEMU-KVM handles erroneous data allows a remote attacker to crash a guest system by sending specially-crafted data.
Alerts:
Ubuntu USN-947-1 2010-06-03
Pardus 2010-51 2010-04-20
Red Hat RHSA-2010:0271-04 2010-03-30
Ubuntu USN-947-2 2010-06-04

Comments (none posted)

moin: cross-site scripting

Package(s): moin    CVE #(s): CVE-2010-0828
Created: March 31, 2010    Updated: June 14, 2010
Description: The moin wiki system suffers from a cross-site scripting vulnerability in its "Despam" action.
Alerts:
Fedora FEDORA-2010-6012 2010-04-09
Fedora FEDORA-2010-6134 2010-04-09
Ubuntu USN-925-1 2010-04-08
Debian DSA-2024-1 2010-03-31
Gentoo 201210-02 2012-10-18

Comments (none posted)

moodle: cross-site scripting

Package(s): moodle    CVE #(s):
Created: March 29, 2010    Updated: March 31, 2010
Description: From the Red Hat bugzilla:

An XSS flaw was reported in the phpCAS library, where it would not properly sanitize the submitted URL before displaying it on the error page. This could allow an attacker to insert scripts or other malicious content on the error page.

Alerts:
Fedora FEDORA-2010-5356 2010-03-26
Fedora FEDORA-2010-5370 2010-03-26

Comments (none posted)

Mozilla products: multiple vulnerabilities

Package(s): firefox seamonkey thunderbird    CVE #(s): CVE-2010-0174 CVE-2010-0175 CVE-2010-0176 CVE-2010-0177 CVE-2010-0178 CVE-2010-0179
Created: March 31, 2010    Updated: January 27, 2011
Description: The Firefox 3.0.19 and 3.5.9 (3.0.19 being the final planned 3.0.x update), Thunderbird 3.0.4, and SeaMonkey 2.0.4 updates fix a number of vulnerabilities.
Alerts:
CentOS CESA-2010:0966 2011-01-27
SUSE SUSE-SA:2011:003 2011-01-05
Mandriva MDVSA-2010:251-2 2010-12-24
openSUSE openSUSE-SU-2010:1054-2 2010-12-21
openSUSE openSUSE-SU-2010:1054-1 2010-12-13
Fedora FEDORA-2010-18775 2010-12-09
Fedora FEDORA-2010-18773 2010-12-09
CentOS CESA-2010:0544 2010-08-06
Pardus 2010-62 2010-05-18
Mandriva MDVSA-2010:070-1 2010-04-20
Red Hat RHSA-2010:0545-01 2010-07-20
SuSE SUSE-SR:2010:013 2010-06-14
Mandriva MDVSA-2010:070 2010-04-13
SuSE SUSE-SA:2010:021 2010-04-14
Ubuntu USN-920-1 2010-04-09
Ubuntu USN-921-1 2010-04-09
Fedora FEDORA-2010-5515 2010-04-01
CentOS CESA-2010:0332 2010-04-06
CentOS CESA-2010:0333 2010-04-06
Pardus 2010-47 2010-04-06
Slackware SSA:2010-095-03 2010-04-05
Slackware SSA:2010-095-02 2010-04-05
Slackware SSA:2010-095-01 2010-04-05
Fedora FEDORA-2010-5840 2010-04-03
Debian DSA-2027-1 2010-04-03
Slackware SSA:2010-090-03 2010-04-01
Slackware SSA:2010-090-02 2010-04-01
Fedora FEDORA-2010-5506 2010-04-01
Fedora FEDORA-2010-5539 2010-04-01
Fedora FEDORA-2010-5526 2010-04-01
Slackware SSA:2010-202-02 2010-07-22
Slackware SSA:2010-202-01 2010-07-22
CentOS CESA-2010:0545 2010-07-22
Red Hat RHSA-2010:0333-01 2010-03-30
Red Hat RHSA-2010:0332-01 2010-03-30
Red Hat RHSA-2010:0544-01 2010-07-20
Gentoo 201301-01 2013-01-07

Comments (none posted)

openssl: multiple vulnerabilities

Package(s): openssl    CVE #(s): CVE-2009-3245 CVE-2010-0433
Created: March 25, 2010    Updated: April 12, 2011
Description:

From the Red Hat advisory:

It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. (CVE-2009-3245)

A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake. (CVE-2010-0433)

Alerts:
Gentoo 201110-01 2011-10-09
rPath rPSA-2011-0013-1 2011-04-11
CentOS CESA-2010:0977 2011-01-27
Red Hat RHSA-2010:0977-01 2010-12-13
Ubuntu USN-1003-1 2010-10-07
rPath rPSA-2010-0036-1 2010-05-07
SuSE SUSE-SR:2010:013 2010-06-14
Mandriva MDVSA-2010:076-1 2010-04-19
Mandriva MDVSA-2010:076 2010-04-15
Fedora FEDORA-2010-5357 2010-03-26
SuSE SUSE-SA:2010:020 2010-04-06
Slackware SSA:2010-090-01 2010-04-01
CentOS CESA-2010:0162 2010-03-27
CentOS CESA-2010:0173 2010-03-25
Red Hat RHSA-2010:0173-02 2010-03-25
Red Hat RHSA-2010:0162-01 2010-03-25

Comments (none posted)

sendmail: message spoofing

Package(s): sendmail    CVE #(s): CVE-2006-7176
Created: March 31, 2010    Updated: March 31, 2010
Description: From the Red Hat advisory: the configuration of sendmail in Red Hat Enterprise Linux was found to not reject the "localhost.localdomain" domain name for email messages that come from external hosts. This could allow remote attackers to disguise spoofed messages.
Alerts:
Red Hat RHSA-2010:0237-05 2010-03-30

Comments (none posted)

trac: unauthorized ticket modification

Package(s): trac    CVE #(s):
Created: March 30, 2010    Updated: March 31, 2010
Description: From the Trac changelog:

Trac 0.11.7 fixes a ticket validation issue that would allow unauthorized users to modify the status and resolution of a ticket.

Alerts:
Fedora FEDORA-2010-4287 2010-03-12
Fedora FEDORA-2010-4318 2010-03-12

Comments (none posted)

Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds