
Create a plugin for clustering a huge amount of scan results #17345

Open
artem-smotrakov opened this issue Oct 17, 2018 · 3 comments

Comments

@artem-smotrakov
Contributor

commented Oct 17, 2018

Most of the existing plugins are based on static checks like searching for pre-defined patterns (for example, they can look for typical error messages from database servers). This approach allows catching only issues which the plugins are aware of. But a scan may cause an application to behave in an unusual and unexpected way, which may actually be a vulnerability. This may be a logical bug or just something very application-specific. If such behavior doesn't match the patterns used by the plugins, then most probably no one will notice the problem. In particular, the more extensive a scan is, the less likely a tester is to notice a problem, because it may require (semi-)manual analysis of a huge amount of scan logs.

To help a tester with the analysis of scan results, we can add a plugin which applies some machine learning techniques to the scan results. For example, the plugin can apply a clustering algorithm to HTTP requests and responses which puts similar ones into the same bucket (cluster). Then, the tester can review a couple of random samples from each cluster to make sure that the application behaved correctly.

This plugin doesn't guarantee that all issues are found during testing. In fact, it should even be fine if the plugin doesn't report issues at all. This plugin should be considered as a tool which helps with the analysis of a huge amount of scan results.

Hope I can find some time to prototype such a plugin. Meanwhile, I'd appreciate any feedback.
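The bucketing idea above, as an added Python sketch that is not part of the issue or of w3af itself: responses are normalized (tags stripped, numbers and URL paths masked so that ids and timestamps do not split otherwise identical pages), turned into word 3-shingle sets, and greedily assigned to the first cluster with the same status code and Jaccard similarity above a threshold. It then draws a fixed number of samples per cluster for review and, going one step beyond the post, lists singleton clusters separately, since a response that resembles nothing else in the scan is the kind of unexpected behavior the post wants a tester to look at. The `SAMPLE_RESPONSES` list is constructed for the example and all function names are hypothetical.

```python
"""Cluster HTTP responses from a scan so that a tester reviews a few samples
per cluster instead of every response.  Example code, not w3af's own."""
import random
import re

# Constructed sample (status, body) pairs standing in for scan output.
SAMPLE_RESPONSES = [
    (200, "<html><body>Welcome user 1042. Your balance is 300.</body></html>"),
    (200, "<html><body>Welcome user 1043. Your balance is 17.</body></html>"),
    (200, "<html><body>Welcome user 1044. Your balance is 9.</body></html>"),
    (404, "<html><body>Page /a/b not found</body></html>"),
    (404, "<html><body>Page /c/d not found</body></html>"),
    (500, "<html><body>Traceback (most recent call last): File app.py line 42</body></html>"),
]


def normalize(body):
    """Strip tags and mask values that vary per request but carry no signal."""
    text = re.sub(r"<[^>]+>", " ", body)      # drop HTML tags
    text = re.sub(r"\d+", "0", text)          # mask ids, counters, timestamps
    text = re.sub(r"/[^\s]*", "/path", text)  # mask URL paths
    return text.lower().split()


def shingles(tokens, k=3):
    """Set of k-word shingles; short bodies become a single shingle."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets; two empty bodies count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_responses(responses, threshold=0.5):
    """Greedy single-pass clustering.  A response joins the first cluster whose
    representative has the same status code and similarity >= threshold;
    otherwise it starts a new cluster.  Order-dependent, but O(n * clusters)
    and good enough to shrink a large result set for manual review."""
    clusters = []  # each: {"status", "shingles", "members": [indices]}
    for idx, (status, body) in enumerate(responses):
        sh = shingles(normalize(body))
        for c in clusters:
            if c["status"] == status and jaccard(c["shingles"], sh) >= threshold:
                c["members"].append(idx)
                break
        else:
            clusters.append({"status": status, "shingles": sh, "members": [idx]})
    return clusters


def review_samples(clusters, per_cluster=2, seed=0):
    """Pick up to per_cluster random member indices from every cluster."""
    rng = random.Random(seed)  # fixed seed keeps the review set reproducible
    return [rng.sample(c["members"], min(per_cluster, len(c["members"])))
            for c in clusters]


def outliers(clusters, max_size=1):
    """Indices of responses in clusters no larger than max_size: the ones
    that resemble nothing else in the scan and deserve a closer look."""
    return [i for c in clusters if len(c["members"]) <= max_size
            for i in c["members"]]


if __name__ == "__main__":
    cl = cluster_responses(SAMPLE_RESPONSES)
    for c, sample in zip(cl, review_samples(cl)):
        print(c["status"], len(c["members"]), "members; review", sample)
    print("outliers:", outliers(cl))
```

The threshold and the masking rules are the knobs that matter in practice: mask too little and every page with a session id becomes its own cluster, mask too much and an error page collapses into the normal one. Status code is kept as a hard split because a 500 that happens to share boilerplate with a 200 should never be hidden inside the 200 bucket.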

@artem-smotrakov

Contributor Author

commented Oct 17, 2018

See also #17171

@andresriancho

Owner

commented Oct 17, 2018

Not sure how related it is, but when I read this issue I thought about Burp's Backslash Powered Scanner.

@artem-smotrakov

Contributor Author

commented Oct 18, 2018

I read Backslash Powered Scanning: hunting unknown vulnerability classes; it looks a bit related, but Backslash Powered Scanner tries to discover new interesting payloads and then detect anomalies. The plugin I described above is a completely passive tool: it's supposed to analyze results produced by other plugins.
