Class 101 - Automating the process of fingerprinting Web Applications and Identifying Vulnerabilities.

First of all, this blog post is not for Web Application experts; instead, I will cover some basic tools and approaches for beginners.

There are tons of nice Web Application Scanners, both commercial and free, each of them with pros and cons. For example, there are Web Application Scanners that offer a huge database of well-known vulnerabilities, while others are good at crawling a website and fuzzing parameters to find issues such as SQL Injection, XSS, LDAP Injection, Remote Code Execution, etc.

While running a Web Application Scanner against your target website may give good results, you may want to try fingerprinting technologies on your target website while using fewer requests for better identification of vulnerabilities. There are different tools for this task; one that I like is called WhatWeb (https://github.com/urbanadventurer/WhatWeb).

From the "README" file:

"WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb can be stealthy and fast, or thorough but slow. WhatWeb supports an aggression level to control the trade off between speed and reliability. When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website. Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further. The default level of aggression, called 'stealthy', is the fastest and requires only one HTTP request of a website. This is suitable for scanning public websites. More aggressive modes were developed for use in penetration tests.

Most WhatWeb plugins are thorough and recognize a range of cues from subtle to obvious. For example, most WordPress websites can be identified by the meta HTML tag, e.g. '<meta name="generator" content="WordPress 2.6.5">', but a minority of WordPress websites remove this identifying tag, but this does not thwart WhatWeb. The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for "/wp-content/" within relative links.

Features:

  • Over 1500 plugins.
  • Control the trade off between speed/stealth and reliability.
  • Plugins include example URLs.
  • Performance tuning. Control how many websites to scan concurrently.
  • Multiple log formats: Brief (greppable), Verbose (human readable), XML, JSON, MagicTree, RubyObject, MongoDB.
  • Proxy support including TOR.
  • Custom HTTP headers.
  • Basic HTTP authentication.
  • Control over webpage redirection.
  • Nmap-style IP ranges.
  • Fuzzy matching.
  • Result certainty awareness.
  • Custom plugins defined on the command line."

Let's see WhatWeb in action.

Wendel-Henriques-MacBook-Pro:whatweb-0.4.1 whenrique$ ./whatweb -v -a 4 http://www.TestingMyTargetWebSite.com
http://www.TestingMyTargetWebSite.com/ [200]
http://www.TestingMyTargetWebSite.com/images/468x60.gif [404]
http://www.TestingMyTargetWebSite.com/readme.html [200]
http://www.TestingMyTargetWebSite.com/wp-includes/js/tinymce/tiny_mce.js [200]
http://www.TestingMyTargetWebSite.com/wp-layout.css [404]
http://www.TestingMyTargetWebSite.com/wp-content/themes/twentyten/style.css [200]
<Several Requests>
<Several Requests>
<Several Requests>
http://www.TestingMyTargetWebSite.com/serendipity_editor.js [404]
http://www.TestingMyTargetWebSite.com/cgi-bin/scada-vis/index.cgi [404]
http://www.TestingMyTargetWebSite.com/favicon.ico [200]
http://www.TestingMyTargetWebSite.com [200]
Apache, Country[UNITED STATES][US], HTTPServer[Apache], IP[AAA.BBB.CCC.DDD], JQuery[1.7.1], Kordil-EDMS, Lightbox, Script[JavaScript,text/javascript], Title[My Target Website], WordPress[3.3.1], x-pingback[http://www.TestingMyTargetWebSite.com/xmlrpc.php]
URL : http://www.TestingMyTargetWebSite.com
Status : 200
Apache ---------------------------------------------------------------------
Description: The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards. - homepage: http://httpd.apache.org/

Country --------------------------------------------------------------------
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country database from
http://software77.net/geo-ip/. Instructions on updating the
database are in the plugin comments.
Module : US
String : UNITED STATES

HTTPServer -----------------------------------------------------------------
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Apache (from server string)

IP -------------------------------------------------------------------------
Description: IP address of the target, if available.
String : AAA.BBB.CCC.DDD

JQuery ---------------------------------------------------------------------
Description: A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX. - Homepage: http://jquery.com/
Version : 1.7.1

Kordil-EDMS ----------------------------------------------------------------
Description: Kordil EDMS - Electronic Document Management System -
Homepage: http://www.kordil.com/

Lightbox -------------------------------------------------------------------
Description: Javascript for nice image popups

Script ---------------------------------------------------------------------
Description: This plugin detects instances of script HTML elements and
returns the script language/type.
String : JavaScript,text/javascript

Title ----------------------------------------------------------------------
Description: The HTML page title
String : My Target Website (from page title)

WordPress ------------------------------------------------------------------
Description: WordPress is an opensource blogging system commonly used as
a CMS. Homepage: http://www.wordpress.org/
Version : 3.3.1 (from md5 sums of files)
Version : 3.3.1

x-pingback -----------------------------------------------------------------
Description: A pingback is one of three types of linkbacks, methods for
Web authors to request notification when somebody links to
one of their documents. This enables authors to keep track
of who is linking to, or referring to their articles. Some
weblog software, such as Movable Type, Serendipity,
WordPress and Telligent Community, support automatic
pingbacks
String : http://www.TestingMyTargetWebSite.com/xmlrpc.php

Basically, we instructed WhatWeb to test http://www.TestingMyTargetWebSite.com in verbose mode (-v) with the aggression level set to heavy (-a 4). Please consult the "README" file for more options and usage examples.

As demonstrated above, WhatWeb identified the web server, resolved the IP address and the country where the system is hosted and, most importantly, identified the different technologies available. These technologies are interesting because each may be vulnerable to a different set of attacks.
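
To track what a scan like this reveals, the one-line summary in the output above can be turned into a component inventory. The following Ruby is an added example, not part of WhatWeb or of the original post; the INFORMATIONAL grouping and the helper names are assumptions of the example.

```ruby
# Added example: parse a WhatWeb brief-log line into a component inventory.
# BRIEF_LINE is the summary line from the run above.
BRIEF_LINE = 'Apache, Country[UNITED STATES][US], HTTPServer[Apache], ' \
             'IP[AAA.BBB.CCC.DDD], JQuery[1.7.1], Kordil-EDMS, Lightbox, ' \
             'Script[JavaScript,text/javascript], Title[My Target Website], ' \
             'WordPress[3.3.1], ' \
             'x-pingback[http://www.TestingMyTargetWebSite.com/xmlrpc.php]'

# Plugins that describe the host or page rather than installed software
# (this grouping is an assumption of the example, not a WhatWeb setting).
INFORMATIONAL = %w[Country IP Title Script x-pingback].freeze
VERSION = /\A\d+(?:\.\d+)+\z/

# Split on commas outside brackets: Script[JavaScript,text/javascript]
# contains a comma, so a plain split(',') would cut it in two.
def split_top_level(line)
  tokens = []
  current = String.new
  depth = 0
  line.each_char do |ch|
    depth += 1 if ch == '['
    depth -= 1 if ch == ']' && depth.positive?
    if ch == ',' && depth.zero?
      tokens << current.strip
      current = String.new
    else
      current << ch
    end
  end
  (tokens << current.strip).reject(&:empty?)
end

# "Country[UNITED STATES][US]" => { "Country" => ["UNITED STATES", "US"] }
def parse_brief(line)
  split_top_level(line).to_h do |token|
    [token[/\A[^\[]+/].to_s.strip, token.scan(/\[([^\[\]]*)\]/).flatten]
  end
end

# Software components mapped to the detected version, or nil when unknown.
def inventory(parsed)
  parsed.reject { |name, _| INFORMATIONAL.include?(name) }
        .to_h { |name, values| [name, values.find { |v| v.match?(VERSION) }] }
end

inventory(parse_brief(BRIEF_LINE)).each do |name, version|
  puts format('%-12s %s', name, version || 'version not identified')
end
```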

For example, WhatWeb identified that Kordil-EDMS is available. A quick Google search turned up this potential vulnerability:

Title: Kordil EDMS 'Password' Parameter SQL Injection Vulnerability
Affected Script: http://www.TestingMyTargetWebSite.com/kordil/global_group_login.php
Ref.: http://www.securityfocus.com/bid/56823/exploit

Based on my experience, this Electronic Document Management System (Kordil EDMS) is not popular. Consequently, even if the target website is not vulnerable to the potential issue found, we could download a copy and audit it. Since this software is not popular, it's very unlikely that an expert has audited it, and consequently a different set of simple web attacks may exist.

Another example, and probably the most interesting attack vector, is WordPress being detected by WhatWeb. At this point we could look for a set of different potential issues in the exploit-db database. However, there is another nice and small tool called WPScan that can automate part of this process.

WPScan is a black box WordPress vulnerability scanner. Let's see WPScan in action.

Wendel-Henriques-MacBook-Pro:WPScan whenrique$ ruby1.9 wpscan.rb --url http://www.TestingMyTargetWebSite.com --enumerate
____________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_| v2.0rNA

WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://www.TestingMyTargetWebSite.com/
| Started on Thu Dec 6 10:46:25 2012

[+] The WordPress theme in use is ffh v1.1
[!] The WordPress 'http://www.TestingMyTargetWebSite.com/readme.html' file exists
[+] User registration is enabled
[+] WordPress version 3.4.2 identified from meta generator

[!] We have identified 1 vulnerabilities from the version number :

| * Title: WordPress 3.4.2 Cross Site Request Forgery
| * Reference: http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html

[+] Enumerating installed plugins (only vulnerable ones) ...

Checking for 304 total plugins... 100% complete.

[+] We found 4 plugins:

| Name: adrotate
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/adrotate/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/adrotate/readme.txt
|
| [!] AdRotate plugin <= 3.6.5 SQL Injection Vulnerability
| * Reference: http://unconciousmind.blogspot.com/2011/09/wordpress-adrotate-plugin-365-sql.html
|
| [!] AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
| * Reference: http://www.exploit-db.com/exploits/18114/

| Name: backwpup
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/backwpup/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/backwpup/readme.txt
|
| [!] BackWPUp 2.1.4 Code Execution
| * Reference: http://www.exploit-db.com/exploits/17987/
|
| [!] plugin BackWPup 1.5.2, 1.6.1, 1.7.1 Remote and Local Code Execution Vulnerability
| * Reference: http://osvdb.org/show/osvdb/71481

| Name: dynamic-widgets
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/dynamic-widgets/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/dynamic-widgets/readme.txt
|
| [!] Dynamic Widgets <= 1.5.1 Cross Site Scripting
| * Reference: http://packetstormsecurity.org/files/112706/

| Name: relevanssi
| Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/relevanssi/
| Readme: http://www.TestingMyTargetWebSite.com/wp-content/plugins/relevanssi/readme.txt
|
| [!] Relevanssi 2.7.2 Stored XSS Vulnerability
| * Reference: http://www.exploit-db.com/exploits/16233/

[+] Enumerating installed themes (only vulnerable ones) ...

Checking for 137 total themes... 100% complete.

[+] We found 1 themes:

| Name: unite
| Location: http://www.TestingMyTargetWebSite.com/wp-content/themes/unite/
|
| [!] XSS vulnerability in Parallelus premium WordPress themes
| * Reference: http://jannefi.blogspot.fi/2012/10/xss-vulnerability-in-parallelus-premium.html

[+] Enumerating timthumb files ...

Checking for 1561 total timthumbs... 100% complete.
No timthumb files found :(

[+] Enumerating usernames ...

[+] We found the following 4 username/s :

| id: 1 | name: admin | nickname: empty
| id: 2 | name: backup | nickname: backup admin
| id: 3 | name: asmith | nickname: empty
| id: 4 | name: test | nickname: empty

[+] Finished at Thu Dec 6 10:58:51 2012
[+] Elapsed time: 00:12:26

Basically, we instructed WPScan to test http://www.TestingMyTargetWebSite.com (--url) and to run all enumeration tools (--enumerate). Please consult the "README" file for more options and usage examples.

As demonstrated above, WPScan:

  • Identified the theme available and a potential vulnerability.
  • Fingerprinted the WordPress version and identified one CSRF vulnerability within WordPress.
  • Tested for available plugins and listed several potential vulnerabilities.
  • Finally, enumerated 4 usernames, allowing brute-force attacks.
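
A site owner reading a report like this needs to know which installed plugins fall inside the listed version ranges. The Ruby below is an added example, not part of WPScan or of the original post: it parses a shortened excerpt of the plugin section above and applies a conservative check. The installed version is supplied by the caller, and the "at or below the highest version named in a title" rule is an assumption of the example.

```ruby
require 'rubygems' # Gem::Version orders dotted versions correctly (3.6.10 > 3.6.6)

# Shortened excerpt of the plugin section of the WPScan report above.
REPORT = <<~'TXT'
  | Name: adrotate
  | Location: http://www.TestingMyTargetWebSite.com/wp-content/plugins/adrotate/
  |
  | [!] AdRotate plugin <= 3.6.5 SQL Injection Vulnerability
  | * Reference: http://unconciousmind.blogspot.com/2011/09/wordpress-adrotate-plugin-365-sql.html
  |
  | [!] AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
  | * Reference: http://www.exploit-db.com/exploits/18114/

  | Name: backwpup
  | [!] BackWPUp 2.1.4 Code Execution
  | * Reference: http://www.exploit-db.com/exploits/17987/
  |
  | [!] plugin BackWPup 1.5.2, 1.6.1, 1.7.1 Remote and Local Code Execution Vulnerability
  | * Reference: http://osvdb.org/show/osvdb/71481
TXT

# Returns { component => [{ title:, refs: [] }, ...] } in report order.
def parse_findings(report)
  findings = {}
  current = nil
  report.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\|\s*Name:\s*(\S+)/))
      current = findings[m[1]] = []
    elsif current && (m = line.match(/\A\|\s*\[!\]\s*(.+)\z/))
      current << { title: m[1], refs: [] }
    elsif current&.any? && (m = line.match(/\A\|\s*\*\s*Reference:\s*(\S+)/))
      current.last[:refs] << m[1]
    end
  end
  findings
end

# Highest version number named in any advisory title for one component.
def highest_affected(advisories)
  advisories.flat_map { |a| a[:title].scan(/\d+(?:\.\d+)+/) }
            .map { |v| Gem::Version.new(v) }.max
end

# Conservative triage (assumption): review if installed <= highest listed.
def review_needed?(installed, advisories)
  top = highest_affected(advisories)
  !top.nil? && Gem::Version.new(installed) <= top
end

parse_findings(REPORT).each do |name, adv|
  puts "#{name}: #{adv.size} advisories, highest affected #{highest_affected(adv)}"
end
```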

There are tons of other options, but the goal of this blog post is not to exhaust them all. I hope that readers who are beginners in Web Application Security can understand how important it is to fingerprint available technologies and how they could be used to compromise a target website.
