There's manual pentesting and writing reports, and there is blindly
copying the output of automated scan tools. I am fortunate enough to
write and review a lot of pentest reports, as well as read pentest
reports of other companies.
Nothing looks as bad as "vulnerabilities" in a report that haven't
been verified as such. This really degrades the quality of the report.
Below are a number of simple one-liners that can help with verifying vulnerabilities. All examples can be run in a basic shell (Bash, zsh), where the TARGET variable contains the hostname of the target that needs to be verified (without protocol).
SSL/TLS: BREACH
for compression in compress deflate exi gzip identity pack200-gzip br bzip2 lzma peerdist sdch xpress xz; do curl -ksI -H "Accept-Encoding: $compression" https://$TARGET | grep -i "content-encoding: $compression"; done
*Might* be vulnerable when: one or more compression methods are shown. Compression on its own does not make BREACH exploitable; the compressed response also has to contain a secret (such as a CSRF token) together with input the client can influence, so confirm that before reporting it.
SSL/TLS: Client-Initiated Secure Renegotiation
printf 'R\nQ\n' | timeout 10 openssl s_client -connect ${TARGET}:443
Vulnerable when: the renegotiation succeeds (exit code == 0). Note that a plain `echo "R\nQ"` does not expand `\n` in Bash, which is why printf is used here.
HTTP: TRACE enabled
for proto in http https; do echo testing ${proto}://${TARGET}; curl -qskIX TRACE ${proto}://${TARGET} | grep -i TRACE; done
Vulnerable when: the verb TRACE is shown
HTTP: Open (Secure) Redirect
for proto in http https; do curl -sIH "Host: vuln" ${proto}://${TARGET}/ | grep -iE "Location: https?://vuln/"; done
Vulnerable when: The Location header is shown
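The BREACH, TRACE and open-redirect one-liners above each fetch with curl and match with grep on the same line, which makes the matching hard to check before it is pointed at a host and hard to reproduce when a finding is questioned later. The script below is an added example, not code from the original post or from analyze_hosts.py: it splits the two steps, so the matchers can be run offline against constructed responses (the SAMPLE_* blocks are made up, not captured from any real host), and only touches the network when a hostname is passed on the command line. The TRACE matcher additionally accepts Content-Type: message/http (the response type RFC 7231 defines for TRACE) or an Allow header listing TRACE, which is an assumption beyond the original grep.

```shell
#!/bin/sh
# Added example, not code from the original post or from analyze_hosts.py.
# Fetching (curl) and matching (grep) are separated so that the matching can
# be exercised offline on constructed responses and a reported finding can be
# reproduced exactly. Assumption: a "header block" is what curl -I prints.

# Constructed sample responses for offline use; none came from a real host.
SAMPLE_GZIP=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n')
SAMPLE_PLAIN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
SAMPLE_TRACE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n')
SAMPLE_NOTRACE=$(printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n')
SAMPLE_HOSTREDIR=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://vuln/\r\n')
SAMPLE_FIXEDREDIR=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n')

# Normalise a header block: drop CRs so the patterns below can anchor on ^ and $.
_lines() { printf '%s\n' "$1" | tr -d '\r'; }

# BREACH candidate: the server applied the compression method that was requested.
# $1 = header block, $2 = token that was sent in Accept-Encoding.
echoes_content_encoding() {
    _lines "$1" | grep -qi "^content-encoding: *$2 *$"
}

# TRACE enabled: the response carries Content-Type: message/http (RFC 7231),
# or the server advertises TRACE in an Allow header.
looks_like_trace_response() {
    _lines "$1" | grep -qiE '^(content-type: *message/http|allow:.*trace)'
}

# Host-header (open) redirect: Location points at the host that was injected.
# $1 = header block, $2 = injected Host value.
redirects_to_injected_host() {
    _lines "$1" | grep -qiE "^location: https?://$2(/|$)"
}

# Live fetch with the same curl flags as the one-liners; only used by check_target.
fetch_headers() {  # $1 = URL, remaining args are passed to curl
    url=$1; shift
    curl -ksI --max-time 10 "$@" "$url"
}

# Run all three checks against $1, a hostname without protocol.
check_target() {
    for enc in gzip deflate br; do
        hdrs=$(fetch_headers "https://$1" -H "Accept-Encoding: $enc")
        echoes_content_encoding "$hdrs" "$enc" && echo "BREACH candidate: $enc negotiated on https"
    done
    for proto in http https; do
        hdrs=$(fetch_headers "$proto://$1" -X TRACE)
        looks_like_trace_response "$hdrs" && echo "TRACE enabled on $proto"
        hdrs=$(fetch_headers "$proto://$1/" -H "Host: vuln")
        redirects_to_injected_host "$hdrs" vuln && echo "Host-header redirect on $proto"
    done
}

# Only touch the network when a hostname is given:  sh verify.sh "$TARGET"
if [ $# -eq 1 ]; then
    check_target "$1"
fi
```

Because each matcher takes the raw header block as an argument, the block that triggered a finding can be saved with the report and re-run through the same function when the customer asks for evidence, which is exactly the verification step that copied scanner output lacks.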
Note that the checks for BREACH and Open Secure Redirect can be found in the latest version of analyze_hosts.py; use the --http flag.