Friday, March 26, 2010

first impressions of Google’s Skipfish WVS

after getting really interested in a late Google project, i spent a few hours today with Google’s Skipfish v1.25b , which is a Google project for a web application security scanner , or as it is sometimes referred to in the professional arena – a WVS ( web vulnerabilities scanner ) and is completely open source as i like it.

as i mentioned, i am playing with version v.1.25b ( although 1.26b is available at time of writing the article ) against a vulnerable demo web application that i wrote a few months back… and got some impressions on the current version.

first of all, i have to admit , it's blazing fast … once given a destination to scan, the scan is fast , and the results are displayed in a very elegant way ( although a bit too hardcore ) moreover the depth and methods of detecting problems are quite impressive.

that being said .. the security checks themselves missed lots of the application vulnerabilities , including some quite basic SQL Injections which were there especially for security demonstrations. but i will give the credit and wait until this tool matures a little more before i try it again , and i am sure it will be much better.

the report is excellent , very insightful and shows track of the trace of the stream until the vulnerability has been detected , which is always good, nevertheless – i would like to see in future versions some different export mechanisms of reports, such as XML and PDF, to make it more usable in the IT security ecosystem environment.

there is a point to remember that at current time it is being written and managed by one person at Google , as compared to enterprise tools such as IBM’s Rational AppScan or Qualys etc, so you have to give credit here :)

for ease of use , it is easy , but i do expect a UI , since most people that will run this scanner will require some interaction with it that does not require any CLI / Linux skills, since it is not in their job requirements , they just need to run a tool and test for baseline ( unfortunately that also includes lots of “consultants” ).

if i am to rate this tool , i would rate it at its current version (1.25b) with 6.5 of 10 for now , since i really like the speed and the overall architecture of it , but i do see the need for some more maturity and some more robust security tests.

it detected 9 of 14 SQLi and 4 of 8 XSS , and none of the 4 persistent XSS vulnerabilities ( although it claims to detect it ) .. and yes , i have fed it some credentials as needed..

it's a decent alternative to lots of the tools out there even in its current stage , and i would definitely go back to it when some holes are put to its belt.

 

Finally, just a quick install HOW-TO for it.
if you want to install it under CentOS ( i used 5.2 ) then do the following :

1. download and extract the tgz file anywhere ( example : tar zxpfv skipfish*.tgz )
2. install some necessary packages for the install

- yum install gcc
- yum install openssl-devel
- yum install libidn-devel

3. step into the folder extracted and run – make
4. there you go. :)
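
An added example, not part of the original post: a preflight check for step 2 that reports which of the three packages is still missing before make is run. The function names, the CC override and the header paths (where the CentOS openssl-devel and libidn-devel packages place their headers) are assumptions of this example.

```sh
#!/bin/sh
# Added example: preflight check for the build prerequisites from step 2.
# Assumed header locations: openssl-devel -> openssl/ssl.h, libidn-devel -> idna.h

# missing_build_deps [INCLUDE_ROOT]
# Prints the yum package name of every prerequisite that is not present,
# one per line. INCLUDE_ROOT defaults to /usr/include.
# The compiler looked up is $CC if set, otherwise gcc.
missing_build_deps() {
    inc="${1:-/usr/include}"
    command -v "${CC:-gcc}" >/dev/null 2>&1 || echo gcc
    [ -f "$inc/openssl/ssl.h" ] || echo openssl-devel
    [ -f "$inc/idna.h" ] || echo libidn-devel
    return 0
}

# build_skipfish SRC_DIR [INCLUDE_ROOT]
# Runs make in the extracted folder (step 3) only when nothing is missing.
# Returns 1 when packages are missing, 2 when SRC_DIR has no Makefile.
build_skipfish() {
    src="$1"
    missing=$(missing_build_deps "${2:-/usr/include}")
    if [ -n "$missing" ]; then
        # word splitting is intended: join the package names with spaces
        echo "missing packages, run: yum install" $missing >&2
        return 1
    fi
    if [ ! -f "$src/Makefile" ]; then
        echo "no Makefile in $src, is this the extracted skipfish folder?" >&2
        return 2
    fi
    make -C "$src"
}

# When called with a folder argument, run the check and the build.
if [ $# -gt 0 ]; then
    build_skipfish "$@"
fi
```
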


Thursday, March 04, 2010

My New ESXi Lab System

For a while now , i have been thinking about building a Lab Server at home , that will save me time and effort for my day to day dev and other tech stuff. and decided to go with VMWare’s ESXi solution for a virtual environment.

My basic requirements were :

  1. need to run at least 6 resource demanding machines at the same time
  2. need for virtual networking
  3. silence in my lab
  4. performance.

After some spec digging , I finally went for the following spec :

  • Motherboard : Gigabyte GA-X58A-UD3R (link)
  • Memory : Corsair 12GB (6x2GB) DDR3 1333 (link)
  • CPU : Intel i7 920 (link)
  • CPU Cooler : Thermaltake V1-AX CPU Cooler (link)
  • HD : 4x WD Caviar Blue 500GB 7200RPM 16MB WD5000AAKS (link)
  • RAID Controller : Adaptec 2405S (link)
  • Display : Gigabyte HD 4350 512MB GDDR2 DX10.1 HDTV DVI HDMI PCI-E (link)
  • Case : Antec - Nine Hundred Two (link)
  • PSU : Thermaltake ToughPower W0103 600W PFC (link)
  • Additional NIC : Intel PRO/1000 GT Desktop Adapter (link)

Although the Motherboard of my choice includes 3 (!) built in RAID controllers for different raid approaches , i had to introduce a more robust RAID controller that will support my demand for performance ( RAID 10 ) , will offload the CPU cycles to a dedicated processor , and will also be supported by VMWare ESXi , which is not trivial. same reason goes for the additional NIC – the Intel PRO/1000 MT is there in order for the ESXi HSC to have all drivers and hardware in my box officially supported.

Some design decisions :

  • first , i wanted to make sure that the network card is officially supported , because as of now , VMWare only supports specific certified hardware ( an up-to-date list of supported hardware can always be found here ) but the problematic ones are always the network controller and the disk controller (which halt the install if the install process doesn't like them). that's why i went with an Intel one, which at the time can be purchased in eBay for around 25-30$.
  • for the disks , i chose 4 x Caviar Blue 500GB disks, and wanted to use them as a RAID 10 array , so all and all i will get 1TB of extremely fast storage, and i chose the Caviar Blue, because unlike the Caviar Green which throttles down to save energy , i need performance – and the Caviar Blue maintains a constant 7200RPM rate.
  • the network card consumed my one and only PCI slot on the Motherboard , so although i was already considering a PCI Express RAID Controller , this became an essential part. at first i thought i could try to use one of the onboard RAID controllers , but VMWare rejected them, which at the end was ok – since by introducing the Adaptec card , all of the CPU cycles that are required to maintain the RAID are offloaded to a dedicated processor on the card. choosing the Adaptec was fairly easy , since i wanted 4 disks in RAID 10 and PCI Express , and then i came across this article from Overclock3d.net which was enough to convince me i'm taking the right approach.
  • for power supply i went as i always do with a Thermaltake Toughpower PSU , which i calculated based on their online PSU calculator , and multiplied by 1.6 as I always do when scaling a PSU.
  • for RAM , just wanted a Triple Channel memory, and as much of it as i can get for a decent price, same as for display – i just had to have a display adapter in , so this was a cheap one with DVI+VGA+HDMI which made sense to have for future screens if i ever need one on this system.
  • for the chassis , i wanted a box that will be cool , good air flow and fanning , and will be easy to build a heavy duty system into. my only complaint will be that in order to mount drives , i had to take the drive bay out ( the bolt holders are hidden ) which took some time, but other than that , it's an impressive beast. a good review of the box could be found here.

The ESXi latest version at time of install is the 4.0U1 which has more than a handful of features.

I am a happy chap today.

 

not one of my standard posts … but hey , it's my blog :)

Barry.



About

    My Name is Barry Shteiman, i'm a devoted tech junkie, and this is my blog.
    E: barry.shteiman -at- gmail.com
    Twitter : bshteiman
