That broken web application can be studied slowly later... first finish the work tasks..
Work task 1: search for similar demo sites
http://code.google.com/p/websecurify/wiki/DemoSites
Work task 2: find open-source automated XSS scanning tools and understand how they detect XSS
=================================================================
(1) Work task 1: search for similar demo sites
Example site: http://code.google.com/p/websecurify/wiki/DemoSites
Details
The following websites may be used to compare Websecurify with other automated web application security testing tools:
- http://demo.testfire.net
- http://testphp.vulnweb.com
- http://testasp.vulnweb.com
- http://testaspnet.vulnweb.com
- http://zero.webappsecurity.com
- http://crackme.cenzic.com
- http://www.webscantest.com
| S.No. | Vulnerable Application | Platform | Remark |
|---|---|---|---|
| 1 | SPI Dynamics (live) | ASP | A scanner vendor's vulnerable demo site; still worth playing with to learn. If you want to try anything new, better do it locally, unless you are a selfless do-gooder. |
| 2 | Cenzic (live) | PHP | Same as 1 |
| 3 | Watchfire (live) | ASPX | Same as 1 |
| 4 | Acunetix 1 (live) | PHP | Same as 1 |
| 5 | Acunetix 2 (live) | ASP | Same as 1 |
| 6 | Acunetix 3 (live) | ASP.Net | Same as 1 |
| 7 | PCTechtips Challenge (live) | | Online hack challenge, just for fun |
| 8 | Damn Vulnerable Web Application | PHP/MySQL | A Live CD version is available, good for the lazy |
| 9 | Mutillidae | PHP | Deliberately vulnerable exercises targeting the OWASP Top 10 list; a must-recommend |
| 10 | The Butterfly Security Project | PHP | |
| 11 | Hacme Casino | Ruby on Rails | The Hacme series is copyright McAfee, but very, very old! Take it as you will and at your own risk. |
| 12 | Hacme Bank 2.0 | ASP.NET (2.0) | Same as above, no further comment. |
| 13 | Updated HackmeBank | ASP.NET (2.0) | Dead link? I haven't used it. |
| 14 | Hacme Books | J2EE | Hacme again... |
| 15 | Hacme Travel | C++ (application client-server) | Hacme yet again... but this one is C++, which is rare. Possibly worth a look; I haven't used it |
| 16 | Hacme Shipping | ColdFusion MX 7, MySQL | ColdFusion-based; worth setting up if you have a specific need for it. I haven't used it |
| 17 | OWASP WebGoat | JAVA | Good for teaching |
| 18 | OWASP Vicnum | PHP, Perl | |
| 19 | OWASP InsecureWebApp | JAVA | |
| 20 | OWASP SiteGenerator | ASP.NET | |
| 21 | Moth | | |
| 22 | Stanford SecuriBench | JAVA | |
| 23 | SecuriBench Micro | JAVA | |
| 24 | BadStore | Perl (CGI) | |
| 25 | WebMaven/Buggy Bank (very old) | | |
| 26 | EnigmaGroup (live) | | |
| 27 | XSS Encoding Skills x5s (Casaba Watcher) | | A Fiddler extension that assists XSS discovery (supports conversion between many character encodings) |
| 28 | Google Gruyere (live) (previously Jarlsberg) | | Can be played online, GAE supported. So, if you are in CH1N4, you may need a VPN or proxy to access it. |
| 29 | Exploit-DB | Multi-platform | The most realistic web app vulnerability archive, totally damn real! Pick one you like, download the matching vulnerable version from the official site, and play with it locally however you want. |
| 30 | exploit-kb-vulnerable-web-app | PHP/MySQL | Clear documentation, easy to deploy, a VMware image is available, good for the lazy |
“猪在笑” recommends a few manual helper tools; personally I think they are quite good~
| Tool | Category | Remark | Similar |
|---|---|---|---|
| paros | HTTP proxy / HTTP protocol debugging / spider | The latest open-source version, 3.2.13, dates from 2006; later versions went fully commercial. Even today its usability and feature set are worth recommending. Its highlight is viewing/modifying/filtering HTTP traffic in both directions. | burp proxy, Fiddler, live http headers (Firefox addon), Firebug (addon for many browsers) |
| HackBar | Manual SQL injection helper | Convenient transcoding, encoding and junk-character padding; essential for getting past filters | |
| TamperData | HTTP request parameter control | Intercepts HTTP/HTTPS requests and allows manual modification of request parameters (GET parameters, POST fields, cookies, etc.) before submission | |
| Groundspeed | Semi-automated removal of client-side security measures | Automatically detects hidden form fields, removes form validation and so on, saving you from editing the HTML yourself in Firebug | |
| BuiltWith (Chrome extension) | Automatic site architecture analysis | Automatically detects and identifies the technology stack of the site currently being browsed; a script kiddie favourite | |
Google turned up a curated list of penetration-testing learning resources
by http://www.pulog.org/Resources/2242/Pentesting-Vulnerable/
Web Pentesting
War Games
| Application Name | Company / Developer | URL |
|---|---|---|
| Hell Bound Hackers | Hell Bound Hackers | http://hellboundhackers.org/ |
| Vulnerability Assessment | Kevin Orrey | http://www.vulnerabilityassessment.co.uk/ |
| Smash the Stack | Smash the Stack | http://www.smashthestack.org/ |
| Over the Wire | Over the Wire | http://www.overthewire.org/wargames/ |
| Hack This Site | Hack This Site | http://www.hackthissite.org/ |
| Hacking Lab | Hacking Lab | https://www.hacking-lab.com/ |
| We Chall | We Chall | https://www.wechall.net/ |
| REMnux | REMnux | http://zeltser.com/remnux/ |
Insecure Distributions
| Application Name | Company / Developer | URL |
|---|---|---|
| Damn Vulnerable Linux | DVL | http://www.damnvulnerablelinux.org/ |
| Metasploitable | Offensive Security | http://blog.metasploit.com/2010/05/introducing-metasploitable.html |
| de-ICE | Hacker Junkie | http://www.de-ice.net/ |
| Moth | Bonsai SecuritySoftware | http://www.bonsai-sec.com/en/research/moth.php |
| PwnOS | Niel Dickson | http://www.neildickson.com/os/ |
| Holynix | Pynstrom | http://pynstrom.net/holynix.php |
(2) Work task 2: how automated XSS scanners work
1. Googled an XSS scanner, xsser on SourceForge; here is its introduction:
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
Roughly, it is a tool that automatically scans for, exploits and reports vulnerabilities, which matches what I am looking for.
Source checkout address: svn://svn.code.sf.net/p/xsser/code
2. Google open-sourced its internal XSS auditing tool, ratproxy
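To make the "detect" part concrete, here is an added example (my own Python, not XSSer's code) of the detection principle an automated reflected-XSS scanner relies on: send an alphanumeric canary followed by a few HTML delimiters in a parameter, then check whether the response echoes the delimiters back unencoded and in which HTML context the echo lands. The page handlers vulnerable_search, safe_search, vulnerable_attr, vulnerable_script and partially_escaped are constructed stand-ins for a web application, assumed for the demonstration; nothing is sent over the network.

```python
"""Reflected-XSS detection principle (added example, not XSSer's code)."""
import html
import re
import secrets

# Characters that must come back HTML-encoded (or removed) for the echo to
# be safe.  The scanner appends them to an alphanumeric token: the token
# itself survives any encoder, so only the delimiters are being tested.
PROBE_SUFFIX = '<">\''


def make_canary():
    """Unique letters-and-digits marker: cannot collide with existing page
    content and is not altered by HTML encoding."""
    return "xsscanary" + secrets.token_hex(4)


def build_probe(token):
    return token + PROBE_SUFFIX


def classify_reflection(token, body):
    """Find every echo of `token` in `body`; return (context, raw) pairs.

    context: 'script' inside <script>...</script>, 'attribute' inside an
             unclosed tag, otherwise 'text'.
    raw:     True only when the whole PROBE_SUFFIX follows the token verbatim,
             i.e. the application encoded or filtered nothing.  Partial
             survival is reported as not raw; a fuller scanner would probe
             each delimiter separately.
    """
    results = []
    for m in re.finditer(re.escape(token), body):
        before = body[:m.start()].lower()
        after = body[m.end():m.end() + len(PROBE_SUFFIX)]
        if before.rfind("<script") > before.rfind("</script"):
            context = "script"
        elif before.rfind("<") > before.rfind(">"):
            context = "attribute"
        else:
            context = "text"
        results.append((context, after == PROBE_SUFFIX))
    return results


def scan_handler(handler, token=None):
    """Send one probe through `handler` (parameter value -> response body)
    and return the contexts in which it came back raw."""
    token = token or make_canary()
    body = handler(build_probe(token))
    return [ctx for ctx, raw in classify_reflection(token, body) if raw]


# --- constructed stand-ins for a web application's page handlers ----------
def vulnerable_search(q):
    return f"<html><body><p>Results for {q}</p></body></html>"


def safe_search(q):
    # html.escape with quote=True encodes < > & " and '
    return f"<html><body><p>Results for {html.escape(q, quote=True)}</p></body></html>"


def vulnerable_attr(q):
    return f'<form><input name="q" value="{q}"></form>'


def vulnerable_script(q):
    return f'<script>var q = "{q}";</script>'


def partially_escaped(q):
    # Escaped in the attribute, but echoed raw again further down the page
    return f'<input name="q" value="{html.escape(q, quote=True)}"><p>{q}</p>'


if __name__ == "__main__":
    for name, handler in [("vulnerable_search", vulnerable_search),
                          ("safe_search", safe_search),
                          ("vulnerable_attr", vulnerable_attr),
                          ("vulnerable_script", vulnerable_script),
                          ("partially_escaped", partially_escaped)]:
        print(f"{name:20s} raw echo in: {scan_handler(handler) or 'none'}")
```

The context matters for the report: an unencoded echo in text, inside an attribute value or inside a script block needs different output encoding on the fix side (HTML entity encoding, attribute quoting and encoding, or JavaScript string encoding respectively), which is why scanners record it rather than just "reflected yes/no".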
Google has released a free web security assessment tool called RatProxy. It can detect and analyse whether your site has security vulnerabilities or whether its pages have been tampered with, and it currently supports Linux, FreeBSD, Mac OS X and Windows (Cygwin) (in other words, Unix-like environments).
The vulnerabilities RatProxy can detect include Cross-site Scripting (XSS), script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and so on.
ratproxy address: http://code.google.com/p/ratproxy/#ratproxy
Below is the ratproxy usage that Google turned up:
Ratproxy workflow:
- 1) After running the script, a proxy server is started locally, on port 8080 by default;
- 2) Configure the browser to use this address (http://localhost:8080) as its proxy;
- 3) Browse the web pages to be tested, actually logging in, filling in forms and so on (the proxy captures these actions and, after a little "tampering", forwards them to the pages under test); ratproxy records the relevant log in the background;
- 4) Use the tool ratproxy provides to parse the log and output HTML for analysis;
- 5) After fixing the more serious issues, go back to step 1 and repeat until the assessment passes.
I tested it on my Ubuntu; one thing to note is that libssl-dev and openssl need to be installed on the local system.
$ sudo apt-get install libssl-dev openssl
$ cd ratproxy ; make
Then you can issue something like:
$ ./ratproxy -v . -w foo.log -d foo.com -lfscm
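As an added illustration of the passive workflow in steps 1 to 4 (my own Python, not ratproxy's C source), here is the kind of check that runs over the recorded log once browsing is done: nothing extra is sent to the site; each recorded request/response pair is examined for two of the issue classes listed above, content served with a mismatched type and POST forms without an anti-XSRF token. The log entries and the host foo.example are constructed, and the two checks are simplified assumptions about how such a proxy works, not ratproxy's actual rules.

```python
"""Passive-audit principle behind a proxy like ratproxy (added example,
not ratproxy's own code).  The proxy records the request/response pairs the
tester's browser produces while logging in and filling forms; the checks
run over that log afterwards.  Both checks below are simplified
assumptions, not ratproxy's actual rules."""
import json
import re
from html.parser import HTMLParser

# Hidden-field names that usually carry an anti-XSRF token (assumption)
TOKEN_FIELD = re.compile(r"csrf|xsrf|token|nonce", re.IGNORECASE)


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and hidden field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "hidden": []}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def looks_like_json(body):
    """True when the body parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def check_entry(entry):
    """Return the findings for one recorded request/response pair."""
    findings = []
    ctype = entry["content_type"].split(";")[0].strip().lower()
    if ctype != "text/html":
        return findings
    body = entry["body"]
    # Content serving problem: structured data served as a renderable type,
    # so a browser will happily interpret it as HTML
    if looks_like_json(body):
        findings.append("JSON served as text/html")
    # Insufficient XSRF defense: state-changing form with no hidden token
    collector = FormCollector()
    collector.feed(body)
    for form in collector.forms:
        if form["method"] == "post" and not any(TOKEN_FIELD.search(n) for n in form["hidden"]):
            findings.append(f"POST form to {form['action']!r} has no anti-XSRF token field")
    return findings


def audit(log):
    """Run the passive checks over a whole recorded log."""
    return [(e["url"], f) for e in log for f in check_entry(e)]


# --- constructed log, standing in for what the proxy recorded while browsing
SAMPLE_LOG = [
    {"url": "http://foo.example/api/profile", "content_type": "text/html",
     "body": '{"user": "alice", "admin": false}'},
    {"url": "http://foo.example/transfer", "content_type": "text/html; charset=utf-8",
     "body": '<form method="POST" action="/transfer"><input name="to">'
             '<input name="amount"><input type="submit"></form>'},
    {"url": "http://foo.example/comment", "content_type": "text/html",
     "body": '<form method="post" action="/comment">'
             '<input type="hidden" name="csrf_token" value="a1b2c3">'
             '<textarea name="text"></textarea></form>'},
    {"url": "http://foo.example/search", "content_type": "text/html",
     "body": '<form method="get" action="/search"><input name="q"></form>'},
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_LOG):
        print(f"{url}: {finding}")
```

Because the checks only read what the browser already fetched, coverage is exactly the set of pages the tester visited, which is why step 3 insists on actually logging in and submitting forms: a form the proxy never saw cannot be audited.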
XSSDetect is a lightweight .NET code analysis tool originally used internally by Microsoft to find security flaws in applications; perhaps influenced by open-source thinking, it is now available as a free download.
Download address:
Once downloaded it installs with a simple wizard
Here is how to use XSSDetect:
Sample Usage
- Launch Visual Studio
- Open a solution containing at least one C#, J# or VB.NET project
- Build the solution
- Click on Tools | XSSDetect Code Analysis, the Summary View dockable tool window activates
- Verify/edit the current settings (click on General Settings, Rules or Target Assemblies on the toolbar of the Summary View)
- Start the code analysis (use the Analyze button on the toolbar)
- After the analysis is complete, the Summary View tool window shows the results, and the output window shows information and error messages
- Double click on a result item in the Summary View to activate the Detail View
- In the Detail View, double click on a dataflow item to display the corresponding source line
- Use the "Previous" and "Next" buttons in the Detail View to display other result items
Seeing "Launch Visual Studio" tells you it needs VS, which is a bit of a hassle...
After reading around, I found there is more material on XSSer, including in Chinese, so I will study that one.
(3) Studying how XSSer works
1. First install the required software on a virtual machine, as described at http://xsser.sourceforge.net/:
Installation
XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
On Debian-based systems (ex: Ubuntu), run:
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip
PS: if some packages fail to install, it is because certain packages need upgrading. For how to upgrade, see:
PS: if you downloaded the XSSer package, there is a /doc/INSTALL inside; don't bother reading it, the information is far too old, it even wants python-xml, sigh.
2. Get familiar with the usage; see: