Google Hands Out Web Security Scanner

An anonymous reader writes "Apparently feeling generous this week, Google has released for free another of their internally developed tools: this time, a nifty web security scanner dubbed skipfish. A vendor-sponsored study cited by InformationWeek discovered that 90% of all web applications are vulnerable to security attacks. Are Google's security people trying to change this?"
  • Re:I don't trust it (Score:4, Informative)

    by symbolic ( 11752 ) on Sunday March 21, 2010 @01:02PM (#31558334)

    The ACLU has an interesting video regarding data retention and proliferation: http://www.aclu.org/ordering-pizza [aclu.org]

    It's not quite all here yet, but it's definitely not outside the realm of probability.

  • by Anonymous Coward on Sunday March 21, 2010 @02:13PM (#31558794)

    We configured skipfish and pointed it at our custom platform with full administrator rights. Entered our system's custom file extensions into the skipfish dictionary.

    Overall the performance is quite good (>3k HTTP requests per second) after tweaking concurrent connection count. Orders of magnitude better than any scanner we have ever used.

    The report UI seemed polished and provided quite a bit of useful data with summaries and drill-down to detail. It would really help if, instead of simply posting raw request/response data, it would highlight the sections of the response that led it to make an assumption WRT a particular vulnerability.

    In terms of scan results they look for quite a number of common vulnerabilities, some of the checks are quite creative. I especially liked the check for "interesting" contents. Some of our test data tripped them - this was perfectly reasonable given content.

    Aborted the scanner at the 5 million HTTP request mark, ~20 mins later.

    In terms of actual results against our system, out of the several dozen possible vulnerabilities reported (XSRF, injection, etc.) there were no actual problems discovered - 100% false alarms.

    There is something really odd about some of the requests being made .. I don't know if it's intentional to discover bugs, but the folder/file parsing looks to be broken and it's building stupid path names with the filename /subfolder.. This seems to be causing most of the UI not to crawl, as it seems to be ending up in the 404 category. Maybe this is my fault on dictionary configuration, but the system wastes way too many requests throwing the dictionary at each resource and not nearly enough time crawling the site and discovering what's available for exploit.

    I then took a cursory glance at the source code.. all of the rule checking is hard-coded in C. (See analysis.c) ... which to me seems quite stupid and useless.

    The tool is a start, already better than many freebie tools I have used over the years.

    My advice is to first and foremost abstract the analysis details out of the C code. Focus more on walking, even if it's dynamic content, and bolt in some intelligence/expert system to direct activities.

  • Re:I don't trust it (Score:1, Informative)

    by Anonymous Coward on Sunday March 21, 2010 @02:56PM (#31559092)

    Here's your evidence: *.doubleclick.net (e.g., g.doubleclick.net, ad.doubleclick.net) still infests the web with its ads and cookies on a great majority of websites.

    They are still using Doubleclick technologies on the web in parallel with their own technologies. Doubleclick was considered as "evil" long before they were acquired by Google, and that doesn't change as long as the Doubleclick presence persists on those websites. Check it for yourself--enable your cookies and turn off your ad-blocker--Doubleclick still serves various types of animated ads and Flash ads just like several other ad providers in existence (Burstnet, Fastclick, etc.) that the ad-blockers have been designed to block.
