
A different kind of spider

It’s always nice to discover a new tool or service that does things differently. Even if just a little. I remember when someone first told me about hipmunk. Just when I thought all flight search websites were pretty much the same, here’s one example of something different.

Arachni

Perhaps this wasn’t as obviously different as hipmunk is, but one of the tools I came across recently within the security testing world is Arachni. A number of things made it stand out a little. First of all, it is written in Ruby. That already sparked some curiosity. I’m not entirely sure why, but I guess I’m naturally more interested in programs and tools in Ruby and Python. The next thing that was evidently different from other web scanners was that Arachni seems to be very pluggable and interface-able. Arachni appears to be geared towards interfacing with external scripts or programs through an API. One of its core features is its distributed architecture, which allows many modules to be launched independently and controlled programmatically.

After playing around with it, I came across some issues and couldn’t make it work as I expected. Most of them were down to my own lack of knowledge, or to being too lazy to read through the extensive documentation. Luckily, it didn’t take more than a few minutes after I posted a question on GitHub to receive a response from Arachni’s creator, Tasos Laskos, aka Zapotek.
After chatting with Tasos a few times via email, I became even more intrigued by him and the project. I then decided it would be interesting to interview him for my blog. I have no experience interviewing people, but what the heck.

Tasos accepted my invitation for an interview, with the condition that it must be a text-based interview. So this interview was carried out via email alone. I personally suspect his voice is funny, but he (obviously) denied it :)
Tasos is certainly not an ordinary person. It becomes apparent when you read his blog, or even the documentation for Arachni. As you will see from the interview, Tasos has very strong and clear opinions. He doesn’t mince his words, and very directly expresses what he thinks. Nevertheless, Tasos and Arachni seem to be doing something a little different, and there’s definitely more to look forward to.

Spiderman

Q : What got you interested in Security in particular?

A : Silly story, I had always been interested in electronics from a young age (10 or so) — I was always fixing the remotes around the house or sort of hacking my toys — and along with gaming this led to an interest in computers and programming.

One night the movie “Hackers” was on TV — I was 14 or so, and out of curiosity I typed “hackers.com” in my browser and the then HDC (HackersDotCom) forum appeared.

I joined that community and that’s how it all started.

Q : What did you do before writing Arachni?

A : I’ve always kept myself busy with small side-projects and teaching myself new programming languages etc.

Simple stuff like port-scanners, small static web servers (these make for a nice exercise when learning a new language), sniffers etc.

I’ve also spent several years working as a web developer.

One of the interesting ones was a File Inclusion Scanner I had written when I was younger, in PHP for PHP.
It performed some very simple static analysis of PHP code and then tried to inject a file and checked if the inclusion had been successful.

If you look around I’m sure you’ll be able to find it; don’t, though.
It was a very early effort and the code must be terrible.

It did get into the OWASP Top 100 tools and was used/referenced in some research papers for some peculiar reason, so I guess that it wasn’t a total waste of time. :)

Then there was a CDP (Cisco Discovery Protocol) sniffer called CDPSnarf which I wrote when I started college.
I had a Cisco networking class and I found the material a bit boring so I figured the best way to learn about the protocol would be to dissect it.

So I started the project and once I got it to barely work I released the code.
It was a bit of a success in a kind of niche way.
A lot of people sent suggestions and network dumps to help me extend it and fix bugs.

To my surprise, even Cisco’s, at the time, head of the incident response team (if I’m not mistaken) sent me feature requests and network dumps to help improve it because they found the sniffer handy and were using it internally, so that was kind of cool.

Hmmm what else, I had developed a CLI *nix client in C for Veoh’s streaming service.
Theirs only ran on Windows and that was the only way to get/see the video in its entirety and in its original quality.
I wanted to watch a Greek comedy series while I was studying abroad and that restriction had really ticked me off.

The client worked nicely for a while but then there was a sort of cat and mouse chase thing and they kept changing their protocol to block 3rd party clients and I kept updating it and so it went for a while.

Ultimately, they ended up crippling their service and only streaming the crappy FLV compressed version of the videos so I stopped maintaining the project — it wasn’t worth it any more.

I’ve got a lot of those little projects so I’ll stop now because this will take a while. :)

Q : What are you doing currently besides developing Arachni?

A : Besides developing Arachni I am:

  • Contributing to “Practical Software Security”, a book started by Mark Curphey — it looks like it’s going to be amazing, a sort of bible in its field.
  • Consulting with WebAppSec SaaS providers and helping them integrate Arachni into their platforms.
  • Some other stuff that I can’t tell you about right now but you’ll definitely see them in the news if/when they pan out — fingers crossed :)

Q : What do you mean when you say “consulting with”?

A : It’s more like a collaboration with the vendors themselves.
I get a steady source of feedback from people who can extensively test Arachni and in turn they promote Arachni and can count on me to help them out if need be.

When something very special is required then this usually turns into some contract work.
Then, if I think that others can benefit from the new feature I push for it to be open sourced — that’s how Arachni got the initial XMLRPC client/dispatcher model.

Q : As for the “other stuff”… Can you give us some hints?

A : There’s a chance that Arachni will be bundled with one of the products of one of the biggest names in town.
If this goes through you can forget about Arachni as it is.
There will be a steady and vigilant workforce behind it with great funding and pretty much infinite resources while of course remaining open source.

A sure project that’s coming up is integration with another system (can’t hint to that because it’ll be too obvious) which will effectively:

  • Crowd-source the crawling process.
  • Perform audits as new resources are discovered.
  • Virtually/dynamically patch any vulnerabilities that may be detected, on the fly.

I’m also involved in the development of a F/OSS web-based platform which will provide extensive vulnerability management.
For example, there will be plug-ins for Arachni, OpenVAS, Metasploit etc. and the user will be able to control them via a shared interface, perform scans, share information between them, generate reports and you see where I’m going with this…
This one is a sponsored project but it’s too early to name names.

Looot’s of cool stuff on the way.

Q : There are many commercial and open source web application security scanners. What made you create another one?

A : Ah…this is going to be a bit anticlimactic.
It was summer, I was bored and I wanted to learn Ruby. I had no other reason, sorry.

You can find more details on Arachni’s history here

But I gave you the short version already.

Q : What other tools do you use or recommend for performing web application evaluation or testing?

A : Personally, I just use Arachni and a couple of Firefox plug-ins that modify input and inspect full responses etc.

If there’s a very specialised task I need to perform I just script it either using Arachni’s libs as an API or develop a framework plug-in to do it.

I wouldn’t recommend that to other people though since it requires an intimate familiarity with Arachni.

If you want a helpful UI in order to perform the same tasks then Burp would be a good choice.

Far from meaningless

Q : In the latest report from WAVSEP, Arachni was rated quite high, not only compared to other open source scanners, but also against commercial tools. What is your opinion about this method of evaluation? Do you think it gives a true reflection of product performance in real life?

A : WAVSEP covers a big range of cases and it has been very helpful in improving Arachni.

But, the webapp landscape is ridiculously heterogeneous and you can’t expect a single-focus test to reflect a product’s performance in its entirety.

It’s far from meaningless but it’s far from everything too, that’s what you should keep in mind.

There are 2 things a scanner has to do:

  • find the input
  • identify whether or not it’s vulnerable

WAVSEP covers only the 2nd one and only for XSS and SQL injection vulnerabilities.

Q : How well do you estimate Arachni performs compared to other products in the discovery area? Which functionality would you like to improve in Arachni?

A : Arachni surely lags behind on crawling due to the lack of JS/DOM/AJAX support.
I’ve already started experimenting with it and from what I’ve seen it’s certainly do-able and it will be included down the line.

The next critical bit is background oriented and that’s a full test suite.
At this stage it would be irresponsible not to have extensive testing procedures in place.
I’m currently working on that.

A next one is porting the WebUI to Ruby-on-Rails with a re-designed interface that would combat the ones available in other tools.

Possibilities are practically endless

Q : How do you see Arachni or other open source tools performing against commercial tools? What are the challenges for open source and where or how can they do better?

A : I think that F/OSS scanners lag behind but that makes sense considering that these F/OSS projects work with virtually no budget and a very small team.

That’s especially true when it comes to their user interfaces, amount of features and integration with other corporate systems.

That’s something you won’t be able to beat while working in your spare time.

You can however expand your target audience by adding functionality that these commercial tools don’t have — or cost an arm and a leg if they do, or can’t afford to add.

In my case, that was the distributed deployment.
Up until now there was no scanner one could use to provide services to 3rd parties because most of the commercial ones weren’t designed to scale or be configured in a client/server fashion at all — or their license didn’t allow that sort of deployment.

Now though any start-up can use Arachni (and this is already happening) to provide SaaS webappsec scanning.

The possibilities are practically endless. It has already attracted corporate interest which will hopefully result in some funding. This will in turn help me improve the aspects of Arachni which are inferior to their commercial counterparts.

So, you’ve got to pick your battles and make your system attractive in ways that the commercial ones can’t afford to.
And if you do a good job you’ll eventually get the funding you need to improve the rest.

Q : Are there any concrete discussions for funding for Arachni? Would you consider “selling” it to a closed-source security vendor or leaving the project to work for one?

A : I’ve been informed that Arachni is considered for some sponsorships but it’s nothing solid. The only source of funding I see in the horizon will come from the bundling I mentioned earlier.

As for the rest of the questions the answer is a big, fat NO.
I can say with a reasonable amount of certainty that that’s never going to happen, Arachni will remain open and free.
There may be commercial versions in the future but these will be in addition to the existing free system.

And if I do decide to work for a vendor I’d still not give up Arachni.

Q : Is there some collaboration between different open source security tools? or is there more of a sense of rivalry and competition?

A : I’ve never seen any sort of rivalry, if anything we help each other.

The only negativity I’ve experienced was when I first mentioned that I was thinking of starting Arachni in a post in the WebAppSec.org mailing list. However, there were only a handful of negative ones, and the vast majority of the comments were very encouraging and supportive.

As for the collaboration, yes that has started to happen. I’m currently discussing with a few other project developers about ways to integrate our tools.
The future is indeed bright and exciting.

Acknowledge it, learn from it, don’t do it again

Q : Arachni is written in Ruby. Was it a deliberate choice, or just the language you felt most comfortable with? Which languages do you like/dislike and why?

A : I didn’t know Ruby at the time, I chose it because I wanted to learn it and it quickly became my favourite language.

As for my likes and dislikes, I like C and Ruby.
I haven’t written C in a long time so I’m pretty certain I’ve forgotten even the basics but I admire its simplicity and control.

I dislike Perl, Python and Java.
Perl because of its syntax and the way it promotes unreadable code.
Python because I don’t trust a language that takes such a rigid stance on indentation — it just seems wrong.
Java I’ll admit has its uses but after a few months of working with it I felt a bit stupider than when I started — Java rots the brain.

Obviously, these are just personal preferences and may even have nothing to do with reality.

Q : From your experience with web applications, what degree of influence does the programming language or framework have on the security of the product?

A : I don’t think that specific languages or frameworks influence security unless there’s an inherent vulnerability which is out of the developer’s control.

Past that you’re on your own, if something bad happens it’s your own damn fault.
Acknowledge it, learn from it, don’t do it again.

Q : Some frameworks do however offer e.g. built-in CSRF protection, default output escaping in templates etc. Don’t you think those make a difference? Aren’t there better frameworks that make it harder for you to make those mistakes in the first place? To make testing easier etc? Or worse frameworks that make it easier to make mistakes?

A : Well yes, that’s the difference between the language proper and a framework.

You use frameworks to delegate the boring stuff to them and make your life easier.
I hope that you’re not expecting me to go through all of them with pros and cons though — short of doing that I don’t think I can give you a better answer, sorry.

I might be a bit fazed by working in that field but I don’t think that you get extra points for having proper input canonicalization and forgery protection.
That’s something you should already be doing in the first place.

You don’t get extra points for not beating your kids senseless.

Expect Great Things

Q : Can you give a couple of quick-tips or recipes on some neat ways to run Arachni?

A : I generally use the full profile or just the default options.

One important thing to remember is to exclude logout links/forms while scanning and be aware of infinite pages like calendars.

The neat stuff is generally included as default plugins so you don’t have to do any extra work to reap the benefits.

One newly added plug-in that can help is the ReScan plugin, which expects an AFR file and uses it to extract the paths from the previous scan in order to avoid re-crawling.

Another similar thing is the extend-paths and restrict-paths crawler options.
You can pass a file containing a list of paths in order to extend the scope or just limit the audit to that list of paths respectively.
This is helpful when you’ve already used some other tool to perform the crawl.

One more option you should consider using is authed-by; this will put your name in the From header field, which will make the sys-admin’s life easier.
In case something bad happens they’ll know who to contact to sort things out just by looking at the HTTP server logs.

I’ve tried to make the default options the best way to run Arachni so there aren’t any special tricks.
And if you think that you may need something extra then a glimpse at the help output (arachni -h) should be enough to help you decide what you need to do next.
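One way to put the tips above into practice from the command line, as an added example that is not part of the interview and not the Arachni project’s own code. It assembles (but does not run) a scan command that excludes logout and calendar pages, names the person who authorized the scan, reuses a path list produced by another tool, and feeds the AFR report of a previous run to the ReScan plugin; it also screens the imported path list for logout-style entries before they are handed to the crawler. The option spellings (`--exclude`, `--authed-by`, `--extend-paths`, `--restrict-paths`, `--plugin=rescan:afr=...`) follow the Arachni CLI of the 0.4 era and should be confirmed against `arachni -h` for the version in use; the target URL, contact address, file names and the sample path list are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the interview or the Arachni project).
# Flag names follow the Arachni 0.4-era CLI; check `arachni -h` on your version.
# Target, contact, file names and the sample crawl list are placeholders.

# Pages a scanner should never crawl: logout links end the authenticated
# session, calendars are effectively infinite.
EXCLUDE_PATTERNS="logout signout calendar"

# Print the entries of a crawl list (one path per line) that match the exclude
# patterns, so a list imported from another tool can be cleaned before use.
suspicious_paths() {
    file="$1"
    grep -iE "$(printf '%s' "$EXCLUDE_PATTERNS" | tr ' ' '|')" "$file" || true
}

# Assemble the scan command as a string so it can be reviewed before it runs.
#   $1 target URL            $2 contact for the From header
#   $3 crawl list (optional) $4 AFR report of a previous scan (optional)
#   $5 "restrict" to audit only the paths in $3 instead of extending the crawl
build_arachni_cmd() {
    target="$1"; contact="$2"; paths="$3"; afr="$4"; mode="$5"
    cmd="arachni $target"
    for p in $EXCLUDE_PATTERNS; do
        cmd="$cmd --exclude=$p"                  # skip URLs matching the pattern
    done
    cmd="$cmd --authed-by='$contact'"            # who to call if things go wrong
    if [ -n "$paths" ]; then
        if [ "$mode" = "restrict" ]; then
            cmd="$cmd --restrict-paths=$paths"   # audit only these paths
        else
            cmd="$cmd --extend-paths=$paths"     # crawl, plus these paths
        fi
    fi
    if [ -n "$afr" ]; then
        cmd="$cmd --plugin=rescan:afr=$afr"      # reuse the previous sitemap
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample crawl list, as another tool might have produced it.
PATHS_FILE="$(mktemp)"
printf '%s\n' /index.php /account/profile /account/logout \
              /events/calendar /search > "$PATHS_FILE"

echo "Entries to drop from $PATHS_FILE before extending the scope:"
suspicious_paths "$PATHS_FILE"

echo "Planned command:"
build_arachni_cmd "http://target.example.com/" "Jane Doe <jane@example.com>" \
                  "$PATHS_FILE" "previous-scan.afr"
```

The command is printed rather than executed so that the exclude list and the imported paths can be checked first; once the path list is clean, pasting the printed line runs the scan. Note that `--exclude` takes a regular expression, so the patterns above also catch paths such as `/account/logout.php`.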

Q : Where do you see Arachni 1 year from now? and in 5 years?

A : I’ll leave this one as an exercise for the readers; all I can say is that I started Arachni about one and a half years ago and the project has only just started gaining decent traction.

One thing’s for sure, you can expect great things.
