Saturday, December 29, 2007

Interview with Andres Riancho, creator of w3af

This interview was originally published over on LearnSecurityOnline.com.

==============================
Interview with Andres Riancho
==============================


In my opinion penetration testing frameworks and toolkits are fast becoming a necessity in today's audit process. Tools like Core Impact, Saint, BidiBlah and others are staking their claim in the service/client-side exploitation side of this market, and tools like WebInspect, Acunetix and AppScan have staked their claim in the web application security side of the market.

I'm an open-source security tool user myself so my tools of choice for these two areas have been Metasploit (Service/Client-side), and Wapiti (Web App), but ladies and gentlemen there is a new kid on the block. The tool is called w3af (Web Application Attack and Audit Framework). The tool developer Andres Riancho has graciously agreed to an interview with LSO.

I have to say that Andres has been such a great help to me in not only developing a web application testing methodology/framework for my job, but also teaching me the basics of web app security auditing. He has so many skills from his years of experience that he was able to give me little tips that really helped me connect the dots, so to speak. So Andres, thanks for w3af - I really like the tool, and thanks for all of the help. I really appreciate it.

-j0e

# LSO #
How about some background about yourself, who you are? What you do? Who you work for? Location?

# AR #
First of all I'm a simple guy who enjoys spending time with his friends, girlfriend, family and dog. On the other hand, I'm a security consultant who works at Cybsec (www.cybsec.com). I'm located in Argentina, land of "dulce de leche" and great meat.

# LSO #
How did you get into the security business (your specific field)?

# AR #
Like most of us, I'm a really curious person, so I started with security when I was 14. After some time, I got a job as an IPS administrator at a local ISP, and when I got bored of it (pretty fast, actually) I started working for Cybsec, mostly performing web application penetration tests. In other words, I started with security as a hobby, and now I make a living out of it.

# LSO #
How do you think technical aspects of web hacking have changed over time and how does one keep up with the current advances?

# AR #
Technical aspects of web hacking haven't changed much; the vulnerabilities are almost the same, but the "transport" method for the vulnerability is what keeps changing. Before we had URL-encoded strings, now it's XML and JSON, tomorrow it will be another type of encoding, but there will always be SQL injection, information leakage, etc.

# LSO #
Say I want to get into web security, it's HUGE, where do I start?

# AR #
You should start by knowing how HTTP works, the basics of web application development and you should also read a lot about Cross Site Scripting, SQL injection, remote file inclusion and other common vulnerabilities. A good place to start is the OWASP site, and particularly the OWASP TOP 10.


# LSO #
Do you think Javascript is the new shellcode? If so why?

# AR #
I think that new things are still to be discovered about Javascript, but I don't really think it's going to be the "next generation shellcode". Browser security and cross site scripting are an important part of web security, but it's just that, a part of it. We should not focus all the attention on Javascript; there is still a lot of work to be done securing the web application vulnerabilities that lead to the server being compromised.

# LSO #
Tell us what you think of the future of network enumeration via javascript. What are the attacks that we should look for in the coming years from javascript?

# AR #
Right now we have seen just the beginning of advanced javascript attacks; in the future someone will code a good framework for doing all kinds of attacks over cross site scripting. BeEF (http://bindshell.net/tools/beef/) is one of the cross site scripting exploitation frameworks I have been checking out, and I think it really has some potential.

# LSO #
How viable of a web application audit tool is Firefox? http://www.securityfocus.com/infocus/1879/1 shows Firefox being used for crawling websites, discovering hidden calls, and logic discovery - what are the top 5 tools that you use the most in web application/web services auditing and why?

# AR #
Browsers are the most powerful/useful tool to perform a web app audit; in the particular case of Firefox, this power is multiplied by 100 if you use security-aware extensions. The TOP 5 tools I use while performing a web app audit are:

1- paros or burp (two of the best local proxies; these tools are the most important in the whole process)
2- firefox (as explained before)
3- firefox extensions like the web developer toolbar (very useful to test sites that have javascript)
4- w3af (just because I coded it ;) )
5- nikto (it's a classic, but it finds nice things once in a while)

# LSO #
Ajax is thought by some people to be what is going to lead us into "Web 2.0", and a great many security consultants see it as the ultimate attacker's playground. How do you see Ajax?

# AR #
There are only a few security consultants that do interesting work around web2.0, all the others out there are just reinventing the wheel every day; don't get me wrong, Ajax has introduced and will introduce a lot of new attack vectors, but the risk for users and companies IMHO will be low.

# LSO #
Do you plan to integrate ajax discovery/fingerprinting into w3af? Tools like fingerajax.rb/scanajax.rb are good for really simple stuff if you see a .aspx in the url, but there really isn't much of anything else on the market for command-line Linux tools for dealing with ajax.

# AR #
Well, actually I'm going to create a w3af plugin that wraps a browser or some other library/project that knows how to handle javascript. My idea is to wrap a browser, configure the browser to use a local proxy that will be run by w3af and then start interacting with the web application doing "clicks" on every HTML tag and recording the requests that are sent to the browser. Using this approach, w3af will be able to analyze most javascript-enabled sites!

I have been playing with pykhtml and discarded it because of some problems and the lack of portability to windows; and now I'm trying to achieve this task using zc.testbrowser.real, but I'm still working on this section of the project, so if anyone wants to help, just let me know.


# LSO #
Can you compare/rate the criticality of XSS, XSRF, SQLI?

# AR #
XSS: 3/10
XSRF: 2/10
SQLI: 9/10

As you may see, I'm not really into the "XSS is going to destroy the planet" thing. As I said before, it's something important, but it's not so critical, and we shouldn't lose our perspective and objectivity.


# LSO #
How important do you feel that programming is for this field, specifically how do you feel about Web Language programming? If yes, what language(s) do people need to know well?

# AR #
I think that you can't be a really good security expert if you don't know how to code in at least one low level programming language like C and one high level programming language like Python. Source code is the base of all that happens in your computer, and if you don't know how to create it, you won't ever understand what happens when you click on a window button.

Web Language programming is something I don't personally enjoy, but it seems to be the future of programming. GWT is getting better and its user base is growing, so it seems that the future is going that way...

# LSO #
What tools need to be in every web application pen-tester's toolkit?

# AR #
w3af is in beta stage right now, but in a year or so it will be a must have tool for every web application pen-tester. Some other awesome tools I use are paros proxy, sqlmap and sqlninja.

# LSO #
What do you think are the 3 biggest changes in the security field in the last 5 years?

# AR #
The shift from attacking the servers, to attacking the clients has been an interesting change that started when most penetration testers found out that the servers weren't the weak link in the chain and that users would download and execute almost everything.

Big companies acquiring security companies was also a change that surprised me. Just to mention two of the most important business changes, IBM bought ISS and HP bought SPI Dynamics. I'm still expecting to see the long term repercussions in the worldwide market!

One of the new things that has appeared in these last years is the vulnerability markets, like the Zero Day Initiative and WabiSabiLabi. This business type is really interesting and gives freelance researchers good options to make money without the risks of selling their vulnerabilities and exploits to the Russian mafia.

# LSO #
Where do you see the security field going in the next 1-3 years?

# AR #
I think that many applications will be built over the HTTP protocol, and more than ever they will use Ajax and all the javascript tricks. So, more than ever a stable, complete and open source framework that can audit web applications will be needed.

# LSO #
What are the basics that you think every security person should know?

# AR #
The most important things to know in order to be a security professional are:
- Programming
- TCP/IP
- Web Application security
- Buffer overflows, format strings

# LSO #
What are the specifics that a person in your security field should know?

# AR #
Well, I mostly deal with web application penetration tests, so a person in my security field should really understand how HTTP works, its internals, encodings, etc. It is also really important for a web application penetration tester to know how the information flows through a web application: type casting, data conversion, database queries, etc.; so programming is one of the most important things. Last but not least, a good web application penetration tester should keep himself informed about new types of web vulnerabilities; this can only be achieved by reading mailing lists, reading the latest whitepapers and attending one or two good security conferences a year.


# LSO #
Any suggestions on breaking into the security field? Or someone considering security for a career?

# AR #
There are two really important things to know when you are starting in the information security field:
- knowledge is power
- ask smart questions (http://catb.org/~esr/faqs/smart-questions.html); no one will answer questions on the mailing lists if you don't ask them the right way

And of course, be ready to buy some glasses, work long hours and become really paranoid about sending unencrypted data over the wire.

# LSO #
Can you tell us about X, Y, Z (latest book, future book, current/future projects)?

# AR #
Right now, and at least for one more year, I'm going to be working on my main project, w3af. The framework has evolved a lot in the last year, and my personal objective is to create a stable and usable open source alternative to the commercial web application vulnerability scanners, one that also includes among its features the option to exploit the vulnerabilities that are found. Some new features I'm working on are Javascript and Flash support; these two features are going to be added to the almost impressive list of features, which includes:

- Exploitation plugins
- Advanced post-exploitation payloads
- Integration with metasploit
- Detection of almost all web application vulnerabilities
- Information gathering using internet search engines
- Dynamic communication between plugins
- Easy to use console interface

w3af - Web Application Attack and Audit Framework

1 comment:

  1. I did a small writeup on the new w3af GTK interface here:
    http://fuzion.rootmybox.org/?p=11