Directory Brute-forcing should be towards the end of the scan #441

Closed
viyatb opened this Issue May 1, 2015 · 4 comments

@viyatb
Member

viyatb commented May 1, 2015

@7a : When a user runs OWTF on a huge scope, the LAST thing they want is the scan to STOP because … OWTF launched DirBuster pretty close to the beginning. DirBuster is a great tool, but directory brute-forcing, which requires some manual oversight, is best placed towards the end of the scan, so that the user has “some results to look up” when they “wake up” :)

Fix:

Please move DirBuster towards the end of the tools to launch; at the moment it looks as if the original web order is not respected.

@DePierre
Contributor

DePierre commented Jun 30, 2015

@delta24 @7a I do not think that the fix is as simple as moving DirBuster toward the end of framework/config/web_testgroups.cfg. In fact, I don't think that there is a nice way to fix such an issue.

The only fix that I have found and tested is fucking ugly in the way that OWTF tests for the hardcoded keycode of the DirBuster plugin. Look at this:

--- a/framework/db/worklist_manager.py
+++ b/framework/db/worklist_manager.py
@@ -147,6 +147,7 @@ class WorklistManager(BaseComponent):

     def add_work(self, target_list, plugin_list, force_overwrite=False):
         for target in target_list:
+            dirbuster_work_model = None
             for plugin in plugin_list:
                 # Check if it already in worklist
                 if self.db.session.query(models.Work).filter_by(
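Review bot: `dirbuster_work_model = None` can hold only one deferred Work per target, so if `plugin_list` ever carries two plugins that should run last (or the DirBuster key twice), the earlier one is silently overwritten and never added to the session; a list such as `deferred_work = []` appended to inside the loop and flushed after it would keep every deferred row.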
@@ -160,7 +161,14 @@ class WorklistManager(BaseComponent):
                         if force_overwrite is True:
                             self.plugin_output.DeleteAll({"target_id": target["id"], "plugin_key": plugin["key"]})
                         work_model = models.Work(target_id=target["id"], plugin_key=plugin["key"])
-                        self.db.session.add(work_model)
+                        # Hack to force DirBuster to run last (See #441).
+                        if 'active@OWTF-CM-006' in plugin['key']:
+                            dirbuster_work_model = work_model
+                        else:
+                            self.db.session.add(work_model)
+            # DirBuster is run in last position in order to avoid blocking the test (See #441).
+            if dirbuster_work_model is not None:
+                self.db.session.add(dirbuster_work_model)
         self.db.session.commit()

     def remove_work(self, work_id):
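Review bot: the substring test `if 'active@OWTF-CM-006' in plugin['key']:` hardcodes one plugin code and matches any key that merely contains it; an equality check, or better a per-plugin/test-group attribute meaning "run last", would survive a renumbering of the plugin. Note also that the deferral only reorders rows within this one `add_work` call: work added for the same target by a later call still lands after the DirBuster row, and "last" here assumes the worklist is consumed in insertion (id) order, which nothing in the hunk guarantees.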
--

Please tell me that there is a better way! @tunnelshade will you be my savior? I don't want to be the one creating such ugly fix...

@tunnelshade
Member

tunnelshade commented Jul 1, 2015

@DePierre Yes, there is a better way. I will push it soon.

@DePierre
Contributor

DePierre commented Jul 26, 2015

@tunnelshade Do you have any updates on your fix?

@tunnelshade
Member

tunnelshade commented Jul 26, 2015

@DePierre The best way is to

  • Add Many to One relationship between TestGroup and Plugin model
  • Add an autoincrement integer column to TestGroup
  • Move bruteforcing test group to bottom of the file
  • GetAll in plugin_manager.py returns a query, change that to query.order_by using the foreign key test group id
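
The four steps above, worked through end to end as an added example; this is not OWTF code. It uses the standard-library sqlite3 module in place of OWTF's SQLAlchemy models so it runs with no dependencies, and it goes one step further than the list by queueing the resulting order into a work table, which is where the hardcoded DirBuster check in the patch above would otherwise live. The cfg text, the plugin keys and the table and column names (test_groups, plugins, work, test_group_id) are constructed assumptions, not the real web_testgroups.cfg or OWTF schema.

```python
import sqlite3

# Constructed stand-in for framework/config/web_testgroups.cfg: file order is
# the desired run order, and the bruteforcing group has been moved to the bottom.
WEB_TESTGROUPS_CFG = """\
# code | description        (constructed; not the real web_testgroups.cfg)
OWTF-IG | Information Gathering
OWTF-CM | Configuration Management
OWTF-AT | Authentication Testing
OWTF-BF | Bruteforcing
"""

# Constructed plugin list: (plugin key, test-group code). The bruteforcing plugin
# is deliberately listed first so that plugin order does not decide the outcome;
# only the position of its group in the cfg does.
PLUGINS = [
    ("active@OWTF-BF-001", "OWTF-BF"),
    ("active@OWTF-IG-001", "OWTF-IG"),
    ("active@OWTF-CM-001", "OWTF-CM"),
    ("active@OWTF-CM-002", "OWTF-CM"),
    ("active@OWTF-AT-001", "OWTF-AT"),
]

# Assumed schema: an autoincrement id on test_groups records cfg position, and
# plugins.test_group_id is the many-to-one foreign key the ordering relies on.
SCHEMA = """
CREATE TABLE test_groups (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    code    TEXT NOT NULL UNIQUE,
    descrip TEXT NOT NULL
);
CREATE TABLE plugins (
    key           TEXT PRIMARY KEY,
    test_group_id INTEGER NOT NULL REFERENCES test_groups(id)
);
CREATE TABLE work (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    target_id  INTEGER NOT NULL,
    plugin_key TEXT NOT NULL REFERENCES plugins(key),
    UNIQUE (target_id, plugin_key)
);
"""


def parse_test_groups(cfg_text):
    """Return [(code, descrip)] in file order; blank lines and '#' comments are skipped."""
    groups = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        code, descrip = (part.strip() for part in line.split("|", 1))
        groups.append((code, descrip))
    return groups


def build_db(cfg_text=WEB_TESTGROUPS_CFG, plugins=PLUGINS):
    """Create an in-memory DB, load groups in cfg order, then attach plugins to them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Inserting in file order makes the AUTOINCREMENT id equal the group's position.
    conn.executemany("INSERT INTO test_groups (code, descrip) VALUES (?, ?)",
                     parse_test_groups(cfg_text))
    # Unknown group codes yield NULL here and trip the NOT NULL constraint (fail loudly).
    conn.executemany(
        "INSERT INTO plugins (key, test_group_id) "
        "VALUES (?, (SELECT id FROM test_groups WHERE code = ?))",
        plugins)
    conn.commit()
    return conn


def ordered_plugin_keys(conn):
    """The order_by from the comment: by the group's id (cfg position), then by key."""
    rows = conn.execute(
        "SELECT p.key FROM plugins AS p "
        "JOIN test_groups AS g ON g.id = p.test_group_id "
        "ORDER BY g.id, p.key").fetchall()
    return [key for (key,) in rows]


def add_work(conn, target_ids):
    """Queue every plugin for every target in group order; no plugin-specific hack needed.
    INSERT OR IGNORE is the 'already in worklist' check from the patch above."""
    keys = ordered_plugin_keys(conn)
    for target_id in target_ids:
        for key in keys:
            conn.execute("INSERT OR IGNORE INTO work (target_id, plugin_key) VALUES (?, ?)",
                         (target_id, key))
    conn.commit()


def worklist(conn):
    """Work items in the order a worker picks them up (ascending id)."""
    return conn.execute("SELECT target_id, plugin_key FROM work ORDER BY id").fetchall()


if __name__ == "__main__":
    db = build_db()
    add_work(db, [1, 2])
    for row in worklist(db):
        print(row)
```

Because the sort key is the group's position rather than a plugin code, moving the bruteforcing group to the bottom of the cfg is enough to make its plugins run last for every target, and the worklist code never needs to know which plugin is DirBuster.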