Recommender: optimal injection code for detecting web app vulnerabilities

PyRecommender

Recommends optimal injection code for you.

PyRecommender can recommend optimal injection code for detecting web app vulnerabilities.
Current PyRecommender’s version is beta, it only supports reflective Cross Site Scripting (RXSS).

Please refer to this blog for detail explanation of some of this tool.

Recommender

PyRecommender consists of two subsystems.

  • Investigator
  • Recommender

Investigator

Investigator investigates the possibility of vulnerability while crawling target web apps. In the detail, it sends crafted HTTP requests to each query parameters. And, it vectorizes output places of parameter values and escaping type of symbols/script strings for RXSS.

Recommender

Recommender computes recommended optimal injection code using vectorized values by Investigator and recommends it to you. By the way, Recommender has a recommendation engine realized by Machine learning (Multilayer perceptron).

Running example

  • Training.
    pyRecommender is model of supervised learning.
    So, You have to train PyRecommender using training data such as sample data set.
    local@client:~$ python main.py TRAIN
    Using TensorFlow backend.
    [*] Loading train data and Create label.
    [*] Training model..
    [+] Train samples: 1410
    _________________________________________________________________
    Layer (type)                 Output Shape              Param #   
    =================================================================
    dense_1 (Dense)              (None, 50)                900       
    _________________________________________________________________
    activation_1 (Activation)    (None, 50)                0         
    _________________________________________________________________
    dropout_1 (Dropout)          (None, 50)                0         
    _________________________________________________________________
    dense_2 (Dense)              (None, 100)               5100      
    _________________________________________________________________
    activation_2 (Activation)    (None, 100)               0         
    _________________________________________________________________
    dropout_2 (Dropout)          (None, 100)               0         
    _________________________________________________________________
    dense_3 (Dense)              (None, 100)               10100     
    _________________________________________________________________
    activation_3 (Activation)    (None, 100)               0         
    _________________________________________________________________
    dropout_3 (Dropout)          (None, 100)               0         
    _________________________________________________________________
    dense_4 (Dense)              (None, 141)               14241     
    _________________________________________________________________
    activation_4 (Activation)    (None, 141)               0         
    =================================================================
    Total params: 30,341
    Trainable params: 30,341
    Non-trainable params: 0
    _________________________________________________________________
    Train on 1015 samples, validate on 113 samples
    Epoch 1/1000
    
      32/1015 [..............................] - ETA: 10s - loss: 4.9794 - acc: 0.0000e+00
     416/1015 [===========>..................] - ETA: 0s - loss: 5.0210 - acc: 0.0072     
     832/1015 [=======================>......] - ETA: 0s - loss: 4.9810 - acc: 0.0096
    1015/1015 [==============================] - 1s 504us/step - loss: 4.9619 - acc: 0.0108 - val_loss: 4.8834 - val_acc: 0.0088
    Epoch 2/1000
    
      32/1015 [..............................] - ETA: 0s - loss: 4.7992 - acc: 0.0312
     416/1015 [===========>..................] - ETA: 0s - loss: 4.8381 - acc: 0.0168
     768/1015 [=====================>........] - ETA: 0s - loss: 4.8196 - acc: 0.0195
    1015/1015 [==============================] - 0s 149us/step - loss: 4.8007 - acc: 0.0177 - val_loss: 4.7378 - val_acc: 0.0000e+00
    
    ...snip...
    
    Epoch 999/1000
    
      32/1015 [..............................] - ETA: 0s - loss: 0.1324 - acc: 0.9375
     480/1015 [=============>................] - ETA: 0s - loss: 0.2703 - acc: 0.8438
     928/1015 [==========================>...] - ETA: 0s - loss: 0.2592 - acc: 0.8491
    1015/1015 [==============================] - 0s 124us/step - loss: 0.2593 - acc: 0.8463 - val_loss: 0.2351 - val_acc: 0.8142
    Epoch 1000/1000
    
      32/1015 [..............................] - ETA: 0s - loss: 0.1828 - acc: 0.9688
     480/1015 [=============>................] - ETA: 0s - loss: 0.2484 - acc: 0.8708
     928/1015 [==========================>...] - ETA: 0s - loss: 0.2671 - acc: 0.8610
    1015/1015 [==============================] - 0s 121us/step - loss: 0.2708 - acc: 0.8581 - val_loss: 0.2387 - val_acc: 0.8142
    [*] Finish training.
    [*] Evaluation.
    [+] Test loss: 0.3130897362815573
    [+] Test acc: 0.7801418448170871
    [+] Saved model: "Your environment path"/Recommender/src/../trained_data/recommender.h5

     

  • Recommend.
    You can execute pyRecommender after training.
    local@client:~$ python main.py https://192.168.220.129/wavsep/active/index-xss.jsp
    Using TensorFlow backend.
    2018-06-06 14:20:49 [scrapy.utils.log] INFO: Scrapy 1.5.0 started (bot: scrapybot)
    2018-06-06 14:20:49 [scrapy.utils.log] INFO: Versions: lxml 3.7.3.0, libxml2 2.9.4, cssselect 1.0.3, parsel 1.4.0, w3lib 1.19.0, Twisted 17.5.0, Python 3.6.1 |Anaconda custom (64-bit)| (default, May 11 2017, 13:25:24) [MSC v.1900 64 bit (AMD64)], pyOpenSSL 17.0.0 (OpenSSL 1.0.2o  27 Mar 2018), cryptography 1.8.1, Platform Windows-7-6.1.7601-SP1
    
    ...snip...
    
    2018-06-06 14:20:58 [scrapy.core.engine] DEBUG: Crawled (200) <GET https://192.168.220.129/wavsep/active/Reflected-XSS/RXSS-Detection-Evaluation-GET/index.jsp> (referer: https://192.168.220.129/wavsep/active/index-xss.jsp)
    2018-06-06 14:21:04 [scrapy.core.engine] DEBUG: Crawled (200) <GET https://192.168.220.129/wavsep/active/Reflected-XSS/RXSS-Detection-Evaluation-COOKIE-Experimental/index.jsp> (referer: https://192.168.220.129/wavsep/active/index-xss.jsp)
    2018-06-06 14:21:05 [scrapy.core.scraper] DEBUG: Scraped from <200 https://192.168.220.129/wavsep/active/Reflected-XSS/RXSS-Detection-Evaluation-GET/index.jsp>
    
    ...snip...
    
    [*] Loading train data and Create label.
    ----------------------------------------------------------------------------------------------------------------------------------
    [*] Target url: https://192.168.220.129/wavsep/active/Reflected-XSS/RXSS-Detection-Evaluation-GET/Case02-Tag2TagScope.jsp?userinput=textvalue
    Parameter: userinput
    [*] Feature: [7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    [*] Loading trained data: C:\Users\i.takaesu\Documents\GitHub\Recommender\src\../trained_data\recommender.h5
    [*] Recommended.
    [+] Rank	     Injection code	                         Probability
    =============================================================================
    [+] 1	        </textarea><script>alert();</script>	   0.9992570281028748
    [+] 2	        <script>alert();</script>	              0.0006935920100659132
    [+] 3	        <script>alert();</script>	              3.7410824006656185e-05
    [*] Elapsed time :0.4894998073577881[sec]
    ----------------------------------------------------------------------------------------------------------------------------------
    [*] Target url: https://192.168.220.129/wavsep/active/Reflected-XSS/RXSS-Detection-Evaluation-GET/Case24-Js2ScriptTag.jsp?userinput=1234
    Parameter: userinput
    [*] Feature: [6, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 0]
    [*] Loading trained data: C:\Users\i.takaesu\Documents\GitHub\Recommender\src\../trained_data\recommender.h5
    [*] Recommended.
    [+] Rank	     Injection code	Probability
    =============================================================================
    [+] 1	        </textarea><img src=x onerror=alert();>	 0.9942600727081299
    [+] 2	        src=saivs.js 	                           0.0057328855618834496
    [+] 3	        </textarea><img src=x onerror=prompt();>	6.2975282162369695e-06
    [*] Elapsed time :0.439500093460083[sec]
    
    ...snip...

     

    Injection codes are displayed in order of recommendation.
    And, Probability indicates an accuracy of recommendation.

Training data.

Training data consists of explanatory variable and response variable.

Explanatory variable

Explanatory variable indicates feature that behavior of web app.
It consists two fields.

1. Output places of parameter values

This field indicates where the input parameter value to the web app will be output.

variabledescription
op_htmlHTML tag types.
op_attrAttribute types.
op_jsOutput places in JavaScript .
op_vbsOutput places in VBScript.
op_quotQuotation types.
2. Escaping types

This field indicates how the input values are escaped by the web app.

variabledescription
esc_doubleDouble quotation (“) is non-escape (0) or escape (1).
esc_singleSingle quotation (‘) is non-escape (0) or escape (1).
esc_backBack quotation (`) is non-escape (0) or escape (1).
esc_leftLeft symbol (<) is non-escape (0) or escape (1).
esc_rightRight symbol (>) is non-escape (0) or escape (1).
esc_alertScript string (alert();) is non-escape (0) or escape (1).
esc_promptScript string (prompt();) is non-escape (0) or escape (1).
esc_confirmScript string (confirm();) is non-escape (0) or escape (1).
esc_balertScript string (alert“;) is non-escape (0) or escape (1).
esc_sscriptScript tag (<script>) is non-escape (0) or escape (1).
esc_escriptScript tag (</script>) is non-escape (0) or escape (1).
esc_msgboxScript tag (Msgbox();) is non-escape (0) or escape (1).

Response variable

The response variable indicates the answer (injection code) corresponding to the explanatory variable.

variabledescription
labelinjection code.
label is expressed number.Inspection code is expressed string.

Installation && Use

Copyright 2018 Isao Takaesu

Share