Backup file check

corelanc0d3r's Avatar

corelanc0d3r

14 Feb, 2016 07:52 AM

Hi,

Is there a reason why Arachni is flagging jpg files as a "backup file in server"? (e.g. http://www..com/img/gallery/london/image_15.jpg)

thanks!

  1. Support Staff 1 Posted by Tasos Laskos on 14 Feb, 2016 07:56 AM

    Tasos Laskos's Avatar

    Hello,

    Is it actually mydomain.com or did you use that as a placeholder? (mydomain.com actually exists).

    Cheers

  2. 2 Posted by corelanc0d3r on 14 Feb, 2016 08:02 AM

    corelanc0d3r's Avatar

    heh sorry, placeholder :)

  3. Support Staff 3 Posted by Tasos Laskos on 14 Feb, 2016 08:06 AM

    Tasos Laskos's Avatar

    OK, I'm guessing there's an image at http://www.mydomain.com/img/gallery/london/image_1.jpg (probably listed as the "referring page" in the report), one of the backup filename formats is appending numbers, thus image_1 becomes image_15 and if it exists then it gets logged.

    By default, Arachni considers all resources as being within the scan scope, you can however configure it to your liking.

    Does that sound like your situation?

  4. 4 Posted by corelanc0d3r on 14 Feb, 2016 08:11 AM

    corelanc0d3r's Avatar

    yep - pretty common scenario actually with image galleries :-) ...

    the 'problem' with setting the exclude scope is that it requires a lot of manual work first, to go through the website tree and find those cases.

    Maybe it would make sense to only flag files that have an number appended, when they are not images ?

  5. Support Staff 5 Posted by Tasos Laskos on 14 Feb, 2016 08:19 AM

    Tasos Laskos's Avatar

    Sounds like a bit of a hassle, but this check is ultimately up to the user. Like there could be a legitimate reason for index.php.bak to exist, it's impossible to actually tell if something truly is a backup.

    And I don't like messing with the scope, so this check utilizes some enumeration and that should apply to all resources within the scope, and by default everything is within scope.

    Now if the logged resource was something like a custom-404 or something that would be unacceptable and outright an FP and a bug, in these cases however it's up to the user to either configure Arachni appropriately or use their judgement afterwards.

    I do however think that it would be a good idea to add a remark to these issues, letting the user know of how Arachni came to check for the logged resource, how the filename was manipulated, that should help clear things up.

  6. 6 Posted by corelanc0d3r on 14 Feb, 2016 08:22 AM

    corelanc0d3r's Avatar

    ok, fair enough. I understand the difficult balance between finding too much (and finding the one case that is actually legit) vs reducing false positives.
    A remark would definitely help, especially when images are involved. (i.e. image_1.jpg, image_11.jpg, etc), as those are almost always FP. image_1.jpg.bak or anyfile.ext.bak would almost always trigger my attention. Images not so much.

  7. 7 Posted by corelanc0d3r on 14 Feb, 2016 09:38 AM

    corelanc0d3r's Avatar

    FYI, I played with the "Scope exclude path patterns" field and noticed that a scan won't even start when using *.jpg as the exclude pattern. (In fact, I can save/edit the profile, but I can't export the profile either).

  8. Support Staff 8 Posted by Tasos Laskos on 14 Feb, 2016 10:08 AM

    Tasos Laskos's Avatar

    The patterns are not wildcards, they're regular expressions and the one you provided is invalid, you can instead use \.jpg$, that'll match jpg extensions.

    You should have gotten a nice error message telling you the above when you tried to save the profile though, I'll fix this asap and push a bugfix release.
    And I also see that I didn't add the new --scope-exclude-file-extensions option to the WebUI, I'll take care of this too.

  9. Support Staff 9 Posted by Tasos Laskos on 14 Feb, 2016 10:55 AM

    Tasos Laskos's Avatar

    Pushing nightlies now, I'll let you know once they're up so that you can verify the fixes.

    Cheers

  10. 10 Posted by corelanc0d3r on 14 Feb, 2016 12:27 PM

    corelanc0d3r's Avatar

    okay, thanks !

  11. Support Staff 11 Posted by Tasos Laskos on 14 Feb, 2016 02:11 PM

    Tasos Laskos's Avatar

    I messed up the first build, pushing again now.
    I'll probably fall asleep soon but check the nightlies in a couple of hours, they'll have finished uploading by then (you can also check for the "last modified" date to change).

  12. 12 Posted by corelanc0d3r on 14 Feb, 2016 05:32 PM

    corelanc0d3r's Avatar

    ok, upgraded to latest build, will continue to play with it - thanks !

  13. Tasos Laskos closed this discussion on 15 Feb, 2016 01:13 AM.

  14. Tasos Laskos re-opened this discussion on 15 Feb, 2016 01:42 AM

  15. Support Staff 13 Posted by Tasos Laskos on 15 Feb, 2016 01:42 AM

    Tasos Laskos's Avatar

    How does that look?
    Remarks are on the bottom, the first one is the new one.

     [+] [1] Backup file (Untrusted)
     [~] ~~~~~~~~~~~~~~~~~~~~
     [~] Digest:     909131573
     [~] Severity:   Medium
     [~] Description: 
     [~] 
    A common practice when administering web applications is to create a copy/backup
    of a particular file or directory prior to making any modification to the file.
    Another common practice is to add an extension or change the name of the original
    file to signify that it is a backup (examples include `.bak`, `.orig`, `.backup`,
    etc.).
    
    During the initial recon stages of an attack, cyber-criminals will attempt to
    locate backup files by adding common extensions onto files already discovered on
    the webserver. By analysing the response headers from the server they are able to
    determine if the backup file exists.
    These backup files can then assist in the compromise of the web application.
    
    By utilising the same method, Arachni was able to discover a possible backup file.
    
     [~] Tags: path, backup, file, discovery
    
     [~] CWE: http://cwe.mitre.org/data/definitions/530.html
     [~] References:
     [~]   WebAppSec - http://www.webappsec.org/projects/threat/classes/information_leakage.shtml
    
     [~] URL:        http://testfire.net/feedback.exe
     [~] Element:    server
    
     [~] Proof:     "HTTP/1.1 200 OK"
    
     [~] Referring page: http://testfire.net/feedback.aspx
    
     [~] Affected page:  http://testfire.net/feedback.exe
     [~] HTTP request
    GET /feedback.exe HTTP/1.1
    Host: testfire.net
    Accept-Encoding: gzip, deflate
    User-Agent: Arachni/v2.0dev
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.8,he;q=0.6
    Cookie: ASP.NET_SessionId=ft3tdtqoozcbsrjykt3je145;amSessionId=193910181084
    
    
    
     [~] Remarks
     [~] -------
     [~]   By check:
     [~]     *  Identified by converting the original filename of 'feedback.aspx' to
    'feedback.exe' using format '[name].exe'.
     [~]   By meta_analysis:
     [~]     *  This issue was logged by a discovery check but the response for the resource it
    identified is very similar to responses for other resources of similar type.
    This is a strong indication that the logged issue is a false positive.
    
  16. 14 Posted by corelanc0d3r on 15 Feb, 2016 06:44 AM

    corelanc0d3r's Avatar

    great !!! but I still have mixed feelings - perhaps it would make sense to add a specific note regarding images (original is an image and new file is an image too), as those are the ones causing most of the FPs... in any case, the remarks will help

  17. Support Staff 15 Posted by Tasos Laskos on 15 Feb, 2016 06:47 AM

    Tasos Laskos's Avatar

    I don't much like this idea, if I'm to go down that road then I'd rather ignore images completely and be done with it.
    And given that this discussion is indeed taking place then I have to go down this road so images are getting the boot.

    Will let you know once fresh nightlies are up.

    Thanks for the feedback. :)

  18. Support Staff 16 Posted by Tasos Laskos on 15 Feb, 2016 06:55 AM

    Tasos Laskos's Avatar

    Better yet, I'll ignore all media, image, audio and video, makes sense, right?

  19. 17 Posted by corelanc0d3r on 15 Feb, 2016 07:12 AM

    corelanc0d3r's Avatar

    it does - but you could leave it up to the tester. A small option "ignore media" in the backup file check would make this quite easy :) thanks !

  20. Support Staff 18 Posted by Tasos Laskos on 15 Feb, 2016 07:36 AM

    Tasos Laskos's Avatar

    Checks don't have options, they just check whatever is in scope.
    At this point ignoring all media would be best I think, you turned me around on the subject.

  21. 19 Posted by corelanc0d3r on 15 Feb, 2016 08:06 AM

    corelanc0d3r's Avatar

    cool, thumbs up from my side :)

  22. Support Staff 20 Posted by Tasos Laskos on 15 Feb, 2016 11:56 AM

    Tasos Laskos's Avatar

    I've pushed nightlies for this and it should take care of the issue, it'll ignore image, audio, video and font files.

  23. Tasos Laskos closed this discussion on 15 Feb, 2016 11:56 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac