Nmap Development mailing list archives

[GSOC 2015] Web Scanning Specialist


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Sat, 7 Mar 2015 19:33:49 +0530

Hi,

I have introduced myself here before but I want to introduce myself again.
My name is Gyanendra Mishra and I am an undergraduate student in the
Department of Computer Science in the Birla Institute of Technology and
Science Pilani, Pilani, India. I have programming experience in Lua (NSE),
Python (Scripting/Scraping/Automation), Java (OOP and GUI), C/C++ (mainly
for competitive programming). I have recently started contributing to open
source projects.

I am very interested in being part of the Nmap GSOC 2015 team as a 'Web
Scanning Specialist'. This is the first time I will be participating in the
Google Summer of Code. I like the security field and would like to see
myself as a permanent contributor to Nmap. I believe any person
contributing to NSE should have a goal to beat Patrik Karlsson's record
(both libraries and scripts) ;). Apart from contributing code post GSOC I
would like to help in increasing the size of the community by actively
helping new contributors and encouraging them to contribute.

I have a few script ideas :

 ->http-devframework: Currently the script has around 13 fingerprints to
use in the data file. I plan on rewriting the script from scratch to use [1],
which has support for countless different frameworks. Currently OWASP uses
this here [2].

->http-joomla-enum: We have a http-wordpress-enum script. Joomla is also
similarly easy for extension/template enumeration. The only annoying thing
is how they organize their code and how they name their extensions. They
organize their extensions into Component (comp), Module (mod) and
Plugins (plugin), and installations hold them in directories like
/site/modules/mod_acymailing/.

->http-mirror: I had posted a rough version of http-mirror here [3]. The
script needs some work for Windows and OSX support among other things
mentioned in the ToDo list in the script.

->http-phpBB-enum: phpBB is the most widely used forum software on the web and
it is open for extension/style and modification enumeration. All styles
have style.cfg in their root directory and all extensions are installed as
ext/<author>/<extension_name>.

->Enumeration and Brute force scripts for other popular CMSs available.

->http-seo-analysis: A simple script that gets you SEO data for a webpage.
Similar to the extension posted here [4]. It will not be a default script as
it has some scraping involved which may slow down a scan.

->http-lang-enum: A script to enumerate which languages a webpage is
available in. Some pages have espanol.example.com for their Spanish version
while others have example.com/?locale=in. Other similar patterns could
be used to check if the response is 200 or 404.

I believe there will be a few big full disclosures during the summer, for
which I plan on adding detection/exploitation scripts. I haven't really made
a timeline yet. If time permits I can work on some CVEs that might have
been missed but are useful. I hope to have more ideas (hopefully
exploitative) by the application period and would love to hear your input
regarding the same.

I can also work on http and other scripts listed here [5]. I liked the http
parser and xml parser idea. Having not worked on a parser before I would
require some time and reading to implement the same. I was thinking of
putting in a second proposal for the parser but I had my doubts after reading
more about building parsers, and I am much more confident about writing web
scripts. I was wondering if we could modify different HTML/XML parsers
available in Lua [6][7] and bring them up to NSE standards, with proper
permissions of course. In my experience of writing scripts I felt that an
HTML/XML parser would be really useful. One of the mini tasks that I could
do would be to port one of these Lua based parsers to Nmap and upgrade
different scripts/libraries to use the same.

I have had some experience writing NSE scripts which I have listed here:

->Merging http-wordpress-themes and http-wordpress-plugins [8]

->Added theme checking to http-drupal-modules [9]

->Modified http-grep to include built in patterns and multiple pattern
search. [10]

->Made a rough http-mirror script [3]; it has some limitations.

->http-tumblr-info: Throws stats about Tumblr pages. [11]

->http-awstats-stats: A script that looks for open awstats folders in root
directory.

->microsoft-version-table: A library file [13] that does whatever is listed
here [14].

Apart from this I have also contributed the Hindi (my mother tongue)
translation of Zenmap.

I am really enthusiastic and excited about this summer and would love to be
a part of Nmap's team for Google Summer of Code and beyond. Having a mentor
would really help me develop as a programmer.

I have written a lot for now! I should have added a tl;dr ;). I would
appreciate some comments :).

Gyanendra

[1] https://github.com/AliasIO/Wappalyzer/blob/master/src/apps.json

[2] https://code.google.com/p/zap-extensions/wiki/AddOn_techDetection

[3] http://seclists.org/nmap-dev/2015/q1/246

[4] https://chrome.google.com/webstore/detail/website-and-seo-analysis/ajkomeiemllejmopbbjjngpmmikfedad?hl=en

[5] https://secwiki.org/w/Nmap/Script_Ideas

[6] https://github.com/wscherphof/lua-htmlparser

[7] https://matthewwild.co.uk/projects/luaexpat/

[8] http://seclists.org/nmap-dev/2015/q1/155

[9] http://seclists.org/nmap-dev/2015/q1/223

[10] http://seclists.org/nmap-dev/2015/q1/166

[11] http://seclists.org/nmap-dev/2015/q1/248

[12] http://seclists.org/nmap-dev/2015/q1/274

[13] http://seclists.org/nmap-dev/2015/q1/107

[14] https://secwiki.org/w/Nmap/Script_Ideas#Microsoft_Version_Table
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
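The http-joomla-enum and http-phpBB-enum ideas above both come down to the same technique: request well-known extension paths and treat the ones the server does not reject as installed. The NSE script below is an added illustration of that technique; it is not code from the proposal, from its author, or from Nmap. The candidate path lists, the script-argument names (`cms-ext-enum.cms`, `cms-ext-enum.root`) and the assumed file name `cms-ext-enum.nse` are all assumptions made for the example. Before probing, it fetches a deliberately non-existent path to learn how the target reports missing resources, so that a server answering 200 for every URL does not turn every candidate into a false positive.

```lua
-- cms-ext-enum.nse (added example; assumed name, not an Nmap script)
local http = require "http"
local math = require "math"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Probes a Joomla or phpBB installation for installed extensions by requesting
well-known extension paths and reporting those that do not look like the
server's "not found" response.
]]

author = "added illustration, not part of Nmap"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive"}

portrule = shortport.http

-- Assumed candidate lists; a real script would load these from a data file
-- in the manner of http-wordpress-enum.
local CANDIDATES = {
  joomla = {
    "modules/mod_acymailing/",
    "modules/mod_jcomments/",
    "components/com_k2/",
    "components/com_virtuemart/",
  },
  phpbb = {
    -- phpBB extensions live under ext/<author>/<extension_name>/
    "ext/phpbb/pages/",
    "ext/phpbb/boardrules/",
    -- every phpBB style carries a style.cfg in its root directory
    "styles/prosilver/style.cfg",
    "styles/subsilver2/style.cfg",
  },
}

-- A candidate counts as present only if it returned 200 AND its body differs
-- from the baseline "not found" page; a catch-all 200 handler would otherwise
-- make every path look installed.
local function looks_present(resp, baseline)
  if not resp or resp.status ~= 200 then
    return false
  end
  if baseline.status == 200 and resp.body == baseline.body then
    return false
  end
  return true
end

action = function(host, port)
  local cms = stdnse.get_script_args(SCRIPT_NAME .. ".cms") or "joomla"
  local root = stdnse.get_script_args(SCRIPT_NAME .. ".root") or "/"
  local list = CANDIDATES[cms]
  if not list then
    return ("unknown cms %q (use joomla or phpbb)"):format(cms)
  end
  if root:sub(-1) ~= "/" then
    root = root .. "/"
  end

  -- Baseline request for a path that should not exist.
  local missing = string.format("%s%d-does-not-exist/", root,
    math.random(1000000, 9999999))
  local baseline = http.get(host, port, missing)
  if not baseline or not baseline.status then
    return nil
  end

  local found = {}
  for _, rel in ipairs(list) do
    local path = root .. rel
    local resp = http.get(host, port, path)
    if looks_present(resp, baseline) then
      table.insert(found, path)
    end
  end

  if #found == 0 then
    return nil
  end
  local out = stdnse.output_table()
  out.cms = cms
  out.found = found
  return out
end
```

Assuming the file is saved as cms-ext-enum.nse, it would be run as `nmap -p 80 --script ./cms-ext-enum.nse --script-args cms-ext-enum.cms=phpbb,cms-ext-enum.root=/forum/ <target>`. The body comparison against the baseline is a blunt check (a dynamic 404 page with a per-request token would still slip through), which is why the http library's own 404-identification helpers are the better choice in a script meant for inclusion in Nmap.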
