Results tagged “graudit” from Just Another Hacker

Well, April sped past like a bullet. I missed updates to the blog as I migrated to yet another hosting provider. By now I have done it so many times that the core shift only takes about 10 minutes of work and some rsync commands. As usual I forget a few bits and pieces. If you have had any email bounces to me then please resend to the usual wireghoul address.

So here is a quick roundup of April:
  • charmunge.pl was the April addition to Jason
  • Graudit gets closer to 2.0 release
  • My first 2011 advisory went out (JAHx111)
  • No April tutorial happened.
And that is it for April. For the remainder of May there will be another update to Jason, two tutorials, more graudit updates, one or more advisories and if you're going to AusCERT and want to catch up for a beer/coffee let me know!

Graudit 1.9 released

The next graudit version is already out! There were some serious issues with the 1.8 release that needed fixing.
  • Fixed php (php/xss.db) database which had a blank line at the end, causing everything to match. (Thx @jodymelbourne)
  • Added test case for blank lines in signature scripts
  • Added database validating aux script
  • Updated Makefile file manifest
  • Fixed bug in test script template (t/blank-test.sh)

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.
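The first item above, a blank line at the end of php/xss.db making every line match, is easy to reproduce. When a pattern file is fed to grep -E -f, an empty line is an empty pattern, and an empty pattern matches every input line. The following is an added example, not graudit's own aux/ validating script; it assumes the database is loaded that way and uses a constructed three-line sample file and two constructed databases (GR_SAMPLE, GR_BROKEN, GR_FIXED).

```shell
#!/bin/sh
# Added example, not graudit's own aux/ validator: detect blank lines in a
# signature database and show their effect. With grep -E -f (assumed here to
# be how the databases are loaded), an empty line is an empty pattern, and an
# empty pattern matches every input line.

# Exit 0 if the database has no blank or whitespace-only lines, 1 otherwise.
validate_db() {
    if grep -q -E '^[[:space:]]*$' "$1"; then
        echo "$1: blank line(s) found:" >&2
        grep -n -E '^[[:space:]]*$' "$1" >&2
        return 1
    fi
    return 0
}

# Number of lines of $2 flagged by the database $1 (prints 0 when none match).
count_hits() {
    grep -c -E -f "$1" "$2" || true
}

# Constructed fixture: a three-line "PHP" file with one mail() call, a
# database with a trailing blank line, and the corrected database.
GR_DIR=$(mktemp -d)
trap 'rm -rf "$GR_DIR"' EXIT
GR_SAMPLE="$GR_DIR/sample.php"
GR_BROKEN="$GR_DIR/broken.db"
GR_FIXED="$GR_DIR/fixed.db"
printf '$x = 1;\nmail($to, $subject, $body);\nreturn 0;\n' > "$GR_SAMPLE"
printf 'mail\\(\n\n' > "$GR_BROKEN"   # pattern "mail\(" followed by a blank line
printf 'mail\\(\n' > "$GR_FIXED"      # the same pattern, no trailing blank line

validate_db "$GR_BROKEN" || echo "broken.db rejected, as expected"
echo "hits with broken.db: $(count_hits "$GR_BROKEN" "$GR_SAMPLE")"   # 3: every line
echo "hits with fixed.db:  $(count_hits "$GR_FIXED" "$GR_SAMPLE")"    # 1: only mail()
```

Running validate_db over each file in a signature directory before a release, and failing the build if any file is rejected, is the check the test case in the list above adds in spirit.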

Graudit 1.8 released

The next (long overdue) graudit version is out! Just in time for those who want to do some hacking during the holidays.
  • -L operator outputs vim-friendly line numbers
  • Man pages and documentation updates
  • PHP signature updates
  • JSP signature updates
  • Dotnet signature updates
  • Perl signature updates and bug fixes
  • Python signature updates
  • Bug fixes for aux/ scripts
  • More aux/ scripts
  • Fixed: CVS directories are now ignored by default

Package maintainers should note that graudit now has a man page. The install section of the Makefile does not currently place it anywhere, so please patch in the appropriate location for your distribution. I will add more distro-neutral updates to the Makefile for the next release. This release fixes some of the broken whitespace-neutral rules I added last release. For the Perl users, I'm sorry.

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.
Happy Christmas!

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and documentation on signatures is just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.

It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l operator lists available databases
  • -x operator for excluding files
  • configure script added to make chain
  • Makefile install targets changed, install is now server wide
Package maintainers should take note of the last change. The Makefile currently supports the old style home directory install (make user install), but that is deprecated and will be dropped, as ./configure --prefix /home/user/bin --dbdir /home/user/.graudit; make install does the same thing.
I have also added some scripts from my talks, you can find them in the aux directory. There are no install rules for them so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed with patches and bug reports, keep them coming.

You can download the latest version from the graudit download page.
As promised I have uploaded the slides and the corresponding advisory for my graudit talk at the ruxcon meetup this month.

I am presenting at this months Ruxcon Monthly Meetup.

Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and
La Trobe). Please take the lift to Level 9 and make your way to Room 42.
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out
new applications and letting them free into the Internet. Many with
little knowledge or experience in security. They assume the users will
provide data in a manner they expect. This talk will cover webapp
security basics and commonplace attacks, showing you the effect this
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup
(Stratsec)

In this talk the presenter will discuss various security incidents he
has been involved in during the course of his career. Starting with old
school bof through to modern day malware and blackmail. This isn't a
deep technical analysis of each incident but an overview of the
characteristics of each of the attacks and what the repercussions were to
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this
presentation I will show how to get the most out of graudit.

After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases: c, dotnet and "all". The all database is a combined database of all the distributed signatures so you can more easily scan multi-language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks; see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.

Graudit version 1.5 released

The latest version of graudit is out. Notable changes are:
  • New features for server wide install
  • Source distro file for package maintainers
  • Signature bug fixes
  • New php, python and perl signatures
  • Deprecating the rough signature set
  • Fixed graudit usage text
  • Improved documentation
  • Several color modes supported
You can obtain the latest version from the graudit download page.

Graudit version 1.4 released

This will be a short lived release, it's actually more like 1.5RC1. Anyway, there are some improvements to the PHP signatures so if you really can't wait until the start of December for version 1.5, then grab a copy from the graudit download page.

Graudit, reducing false positives

Some anon called "R" left a comment today, but it was on a page where I had accidentally left comments on, so I won't publish it. He complained about false positives in graudit, and it is not the first time I have heard this, or seen it for that matter. So I thought I would address it publicly. R's comment was:

"graudit seems to trip on things like "update_profile(", proudly highlighting "file(" :)"

This is true (I mostly see it around function names containing mail) and I would very much like to correct all the false positive matches, and avoid any false negative ones too for that matter. However, this is a hobby project for me. I am not a company selling software, nor am I paid or given time off by my employer to work on graudit. Therefore my contribution to the project very much depends on my real life activities.

Graudit is meant to be a rough auditing tool. You run it against large/new projects so you can pick some starting points for your audit or even spot some low hanging fruit. It is not a complete solution and cannot validate whether what it highlights is exploitable or not. Since it uses grep it saves me from spending time on parsing engines for the supported languages, but it does make it harder to write signatures that are completely free of false positives. Regular expressions aren't that great for parsing :(

However, it is open source, so feel free to fix the issue and submit a patch; otherwise you will probably have to wait for version 1.5+ before any radical changes to the signatures happen. Until then I guess you will have to live with some false positives.
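The "update_profile(" complaint above, and the "list of words will do" advice from the custom signatures post, are two sides of the same grep property: a bare token matches anywhere inside a longer identifier. Below is an added example, not code from graudit, of a minimal grep-based scan that runs a naive database and an anchored one over a constructed PHP fragment. It assumes graudit-style databases are one extended regex per line loaded with grep -E -f; the file names (naive.db, anchored.db, profile.php) are constructed for the example.

```shell
#!/bin/sh
# Added example, not graudit code: show why the bare signature "file(" also
# flags "update_profile(", and how anchoring on a non-identifier character
# (or line start) removes that false positive while a whitespace-tolerant
# "\(" still catches "file (" written with a space. Assumes one extended
# regex per database line, loaded with grep -E -f.

# Print matching lines of $2 as "line:text" using the database $1.
scan() {
    grep -n -E -f "$1" "$2" || true
}

# Space-separated list of flagged line numbers, for comparing two databases.
flagged_lines() {
    scan "$1" "$2" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample source: a real file() call, the false-positive candidate,
# an unrelated call, and a file() call written with a space before the paren.
GR_DIR=$(mktemp -d)
trap 'rm -rf "$GR_DIR"' EXIT
GR_SRC="$GR_DIR/profile.php"
cat > "$GR_SRC" <<'EOF'
$lines = file($_GET['path']);
update_profile($user, $data);
$ok = validate($user);
$data = file ($path);
EOF

# Naive signature: the bare token, as a "list of words" database would have it.
GR_NAIVE="$GR_DIR/naive.db"
printf 'file\\(\n' > "$GR_NAIVE"

# Anchored signature: file must start the line or follow a character that
# cannot be part of an identifier, and optional whitespace may precede the
# paren. [[:alnum:]_] is POSIX, unlike the GNU-only \b.
GR_ANCHORED="$GR_DIR/anchored.db"
printf '(^|[^[:alnum:]_])file[[:space:]]*\\(\n' > "$GR_ANCHORED"

echo "naive.db flags lines:    $(flagged_lines "$GR_NAIVE" "$GR_SRC")"      # 1 2
echo "anchored.db flags lines: $(flagged_lines "$GR_ANCHORED" "$GR_SRC")"   # 1 4
```

The anchored form trades one false positive (line 2) for one true positive the naive form missed (line 4); it still cannot tell whether line 1 is exploitable, which is the limitation the post describes.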

Graudit lightning talk

I will present a graudit lightning talk at the 2009 AISA Annual Seminar Day.
As a result I will aim to release new versions more often, so I can present more bells and whistles. Expect graudit to reach version 1.6 by Christmas 2009!

For the full 2009 AISA ASD agenda please see http://www.aisa.org.au/index.php?page=243

What is graudit?
Graudit is a semantic static analysis tool that highlights potential vulnerabilities in source code.


Who should use graudit?
System administrators, developers, auditors, vulnerability researchers and anyone else that cares to know if the application they develop, deploy or otherwise use is secure.

What languages are supported?
Version 1.5 shipped with support for the following languages:
  • ASP
  • JSP
  • Perl
  • PHP
  • Python
  • Other (looks for suspicious comments, etc)
Can you add support for language x,y,z?
I can add support for almost any language, but if I don't program in the language myself it is likely to have a high false-positive or even false-negative rate. If you can point me to an existing set of rules for a language I can convert these to graudit.

Can I help?
Sure you can! I could use help with anything and everything, improved rulesets, documentation, packaging, testing, etc. And if you're unable to help with any of these you can tell someone else about graudit.

Download graudit

Please use the links below to download your preferred graudit release. We recommend that you use the latest release, or even stay up to date by using our github repository.

Latest version:
1c0e8954e8b205915ad9bb698b43611f graudit-1.9.tar.gz
a90ce37860fde6e7a255b3e01eb127bc graudit-1.9.zip
bc7d05f29c87fc21fa3d16da690aead1 graudit-1.9_src.tar.gz

Older versions:
9b63cf2c003ce3b0be730a77150e1aeb  graudit-1.8.tar.gz
eb76eef43f7a0ef9a379a98cf8bf72c4  graudit-1.8.zip
5001669ee9c1c6f5fa670a031d8041ef  graudit-1.8_src.tar.gz
b40ef6d7c2de0b17bcdcfa8f863c24aa  graudit-1.7.tar.gz
2720f4b625a511a5b2ac50f0cdc5690a  graudit-1.7.zip
89bb69911cebf49bc52c172388232705  graudit-1.7_src.tar.gz
5f43b14b3af77f5af7e02fc549bcf4b3  graudit-1.6.tar.gz
ec6db94b7e450860af2afa1a24ddc69b  graudit-1.6.zip
1b6b255e8a384faec9e4f6a20179ad9d  graudit-1.5.tar.gz
e55c3463ff0d7c1a1c75c3e57ba92c9d  graudit-1.5.zip
0cbf01f09f1b84c6b3dd7dec78ba5784  graudit-1.5_src.tar.gz
291545462e89943aed26637047e78dc8  graudit-1.4.tar.gz
0f1771062fb54c61d85ab88963167231  graudit-1.4.zip
71297a09bd5c378826acc91e44baceb3  graudit-1.3.tar.gz
028dc34ad97ba8a1a5080f511f5fe638  graudit-1.3.zip
dd513e8663ab1bcfe61a034823c75d8f  graudit-1.2.tar.gz
85a73ef39fc685aaf72d1a8057406ed3  graudit-1.2.zip
a4a8937481a71f27df85bd7cd9ec2d25  graudit-1.1.tar.bz2


Graudit version 1.3 released

The latest version of Graudit is here, version 1.3. The most exciting news about this release is the added support for ASP and JSP. That's right, Graudit now supports 5 languages.
There are also some new signatures and bug fixes for the existing rules.

You can obtain the latest version from the graudit download page.

Graudit version 1.2 release

Graudit version 1.2 is finally out. It fixes several gripes I (and others) have had with some of the signatures. There are fewer false positives, the default signatures are aimed at easier-to-detect vulnerabilities, and there is a new signature set called other which focuses more on comments left by developers. There are some bug fixes and better POSIX compliance for graudit, and better documentation (which should be better still). And finally, if you get yours from github there is a Makefile and a basic test harness in place to ensure that future releases remain "quality".

Most notably though, the signature changes are what most people will enjoy.

You can obtain the latest version from the graudit download page.

Benchmarking graudit

Benchmarking might not be the correct term, as graudit does not have the capacity to determine if a signature match is in fact a vulnerability or not. It only highlights a potential problem area so you can pay closer attention to it. Like most signature based approaches it does stand a fairly good chance of catching low hanging fruit, but certain kinds of vulnerabilities will remain impossible to detect. Nonetheless I am aiming to improve the standard of the signature sets, so from now on graudit will be "benchmarked" on each release.

To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with:

* Mutillidae
* Damn Vulnerable Web Application

My hope is to approximate 100% low and 75% medium detection rate by version 2.0. Now to find some non PHP equivalents for the other languages.
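A "detection rate" in the sense used above is the share of known vulnerable lines that a scan flags. The following is an added example, not graudit's own benchmark harness, of scoring a grep scan against a hand-made list of known vulnerable lines. The file:line format of both lists, the signature database sigs.db and the two small PHP files are all constructed for the example; applying it to Mutillidae or DVWA would only need a real known-vulnerable list in that format.

```shell
#!/bin/sh
# Added example, not graudit's own benchmark: score a signature scan against
# a list of known vulnerable lines. Assumed format (constructed for this
# example): both lists hold one "file:line" entry per line, which is what
# grep -H -n produces once the matched text is cut off.

# Percentage (integer, truncated) of entries in the known list $1 that also
# appear in the flagged list $2. comm requires sorted input, so both lists
# are sorted into a scratch directory first.
detection_rate() {
    t=$(mktemp -d)
    sort -u "$1" > "$t/known"
    sort -u "$2" > "$t/flagged"
    total=$(wc -l < "$t/known" | tr -d ' ')
    hits=$(comm -12 "$t/known" "$t/flagged" | wc -l | tr -d ' ')
    rm -rf "$t"
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $((hits * 100 / total))
}

# Known vulnerable entries the scan did not flag: the false negatives that
# the next round of signature work should look at.
missed() {
    t=$(mktemp -d)
    sort -u "$1" > "$t/known"
    sort -u "$2" > "$t/flagged"
    comm -23 "$t/known" "$t/flagged"
    rm -rf "$t"
}

# Constructed fixture: two small "PHP" files, a two-signature database and a
# hand-made list of the lines known to be vulnerable (the include on b.php:3
# has no signature, so it is the expected miss).
GR_DIR=$(mktemp -d)
trap 'rm -rf "$GR_DIR"' EXIT
cat > "$GR_DIR/a.php" <<'EOF'
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
echo "ok";
EOF
cat > "$GR_DIR/b.php" <<'EOF'
$cmd = $_POST['cmd'];
system($cmd);
include $_GET['page'];
EOF
printf 'mysql_query\\(\nsystem\\(\n' > "$GR_DIR/sigs.db"
GR_KNOWN="$GR_DIR/known.txt"
GR_FLAGGED="$GR_DIR/flagged.txt"
printf '%s\n' "$GR_DIR/a.php:1" "$GR_DIR/b.php:2" "$GR_DIR/b.php:3" > "$GR_KNOWN"

# Run the scan and keep only file:line of each hit.
grep -H -n -E -f "$GR_DIR/sigs.db" "$GR_DIR"/*.php | cut -d: -f1,2 > "$GR_FLAGGED"

echo "detection rate: $(detection_rate "$GR_KNOWN" "$GR_FLAGGED")%"   # 66
echo "missed:"; missed "$GR_KNOWN" "$GR_FLAGGED"                      # b.php:3
```

Splitting the known list into low and medium severity files and scoring each separately gives the two figures the post sets as targets.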

Graudit

GRAUDIT
Graudit is a simple script and signature sets that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages; asp, jsp, perl, php and python.

USAGE
Graudit supports several options and tries to follow good shell practices. For
a list of the options you can run graudit -h or see below. The simplest way to use
graudit is;
graudit /path/to/scan

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.
DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
Graudit is available from github, you can check the github project page or check it out directly using git from git://github.com/wireghoul/graudit.git

Graudit version 1.1 is out

So with little fanfare I present to you the first proper release of graudit. If you did not already know; graudit is a rough code auditing tool for dynamic languages.
In all honesty it is just a bash script that uses grep with several regular expressions to highlight potential problem areas in source code. The results are comparable to that of other rough auditing tools such as rats or flaw-finder.

You can obtain the latest version from the graudit download page.

projects

If you like my projects, please say thanks or buy me a beer.

bop
Unique pattern generator and offset finder in perl. Based on the previous work of HD Moore, the metasploit crew and Immunity.
Use this to find the offset where crashes occur in buffer overflow vulnerabilities.

Dugong-fuzz
A simple genetic file fuzzer written in perl6. It works by mixing "X" and "Y" chunks of data from two parent files. This allows it to operate on files without knowing the file format of the files it is fuzzing.

Evil Website Testing Suite
A collection of web pages that behave badly or provide malicious content in an attempt to break web based applications or cause malicious code inclusions in third party output, for example a RSS feed reader, link checker report, etc.

Graudit
Graudit is a simple script and signature sets that allow you to find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flaw-finder. Received the security database excellent award in 2009.
htshells
A number of self contained htaccess file based shells and attacks.

Jason
A set of tools for butchering password lists.

WWW-TamperData
WWW::TamperData is a perl module that lets you replay web requests exported to xml from the "Tamper Data" firefox extension. By using the request and response hooks you can use this for active or passive security testing, like fuzzing for SQL injection.
This weblog is licensed under a Creative Commons License.