Wednesday, March 28, 2012

Ultimate Obsolete File Detection - An OWASP ZAP Plugin for Advanced Resource Detection


During a penetration test, testers often need to combine dictionary attacks (via tools such as DirBuster), crawling tools (to obtain the list of application files) and obsolete file detection features (such as scanner plug-ins) in order to detect obsolete and hidden files efficiently. The result is a time-consuming process that is not as comprehensive as it should be.

That's the issue the ZAP UOFD plug-in attempts to resolve (don't try to pronounce it, for your own good).

OWASP ZAP can serve as a great framework for hidden file detection: it learns the structure of the application's entry points (as long as it is used as the proxy during the penetration test), and DirBuster is already built in. The missing component is now available as well: a dedicated obsolete/hidden file detection plug-in.

This is the first of three OWASP ZAP plug-ins that Hacktics (Ernst & Young ASC) will release this year. The plug-in uses ZAP's built-in DirBuster engine to locate obsolete/hidden files, while relying on DirBuster's improved entry point identification features. It is imported as an active scan plug-in and supports the following obsolete/hidden file detection methods:

- Customizable extensions - a predefined, customizable list of extensions that is tested against each file in ZAP's URL tree (both appended to the original extension and replacing the original extension).
- Prefixes & suffixes - customizable prefixes and suffixes added to the filename (before the extension), including incremental digits and customizable strings.
- Intelligent structure detection - numeric structure detection and an increment pattern, used to locate hidden files with incremental names.
- Test method unification - after performing each test individually, the plug-in combines the methods and runs the different tests on the potential URLs generated by the other tests (for example, adding an incremental suffix to a potential obsolete extension).
- Configuration - a customizable list of extensions to ignore, timeout support and other restrictions.
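As an added illustration of the four detection methods listed above (example code written for this post, not the plug-in's own Java source), here is a Python sketch of how candidate names are generated from one URL in ZAP's tree. The extension, prefix, suffix and ignore lists are assumed defaults, and nothing is sent to any server; an application owner can diff the output against their own deployment listing to find backup copies that should not be web-accessible.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed defaults standing in for the plug-in's configurable lists (assumed values).
OBSOLETE_EXTS = ["bak", "old", "orig", "tmp"]
PREFIXES = ["_", "~", "copy_of_"]
SUFFIXES = ["_old", "_backup", "1"]
IGNORE_EXTS = {"png", "jpg", "gif", "css", "js"}

def split_file(filename):  # 'report.php' -> ('report', 'php'); no dot -> empty extension
    base, dot, ext = filename.rpartition(".")
    return (base, ext) if dot else (filename, "")

def join_file(base, ext):
    return f"{base}.{ext}" if ext else base

def extension_tests(filename):
    """Method 1: append an obsolete extension to the original one, and replace it."""
    base, ext = split_file(filename)
    out = set()
    for e in OBSOLETE_EXTS:
        out.add(f"{filename}.{e}")   # report.php.bak
        out.add(join_file(base, e))  # report.bak
    return out

def affix_tests(filename):
    """Method 2: prefixes and suffixes go before the extension, not after it."""
    base, ext = split_file(filename)
    names = [p + base for p in PREFIXES] + [base + s for s in SUFFIXES]
    return {join_file(n, ext) for n in names}

def numeric_tests(filename, steps=2):
    """Method 3: a trailing number is stepped up and down, keeping its zero padding."""
    base, ext = split_file(filename)
    m = re.search(r"\d+$", base)
    if not m:
        return set()
    stem, width, value = base[:m.start()], len(m.group()), int(m.group())
    return {join_file(f"{stem}{value + d:0{width}d}", ext)
            for d in range(-steps, steps + 1) if d and value + d >= 0}

def candidate_urls(url):
    """Method 4: re-run the affix and numeric tests over each name the extension test produced."""
    parts = urlsplit(url)
    directory, _, filename = parts.path.rpartition("/")
    if split_file(filename)[1].lower() in IGNORE_EXTS:  # configured ignore list
        return set()
    names = extension_tests(filename) | affix_tests(filename) | numeric_tests(filename)
    for ext_name in extension_tests(filename):
        names |= affix_tests(ext_name) | numeric_tests(ext_name)
    return {urlunsplit(parts._replace(path=f"{directory}/{n}")) for n in names if n != filename}
```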

Credit:
Authors: Alexander Ganelis and Dan Meged of Hacktics ASC, Ernst & Young
