Dailydave mailing list archives

Re: Thought of the day: graphing web applications


From: Pedram Amini <pedram () redhive com>
Date: Tue, 11 Jul 2006 09:52:07 -0500

While I don't have a bundled solution for you, I do recommend that you 
take a look at the following two components from PaiMei 
(http://www.openrce.org/downloads/details/208/PaiMei):

     pgraph
     utils/udraw_connector

Install uDraw and launch it in server mode (-server switch). As you spider 
your target, start creating nodes and edges; you can modify the default 
color attributes as you create the nodes:

     import pgraph
     import utils

     # connect to localhost on default port
     udraw = utils.udraw_connector()
     graph = pgraph.graph()

     # node ids must be numeric and unique per node
     page1 = pgraph.node(1)
     page2 = pgraph.node(2)

     page1.label = "/some/path/login.jsp"
     page2.label = "/some/path/process_login.jsp"

     # page1 has interesting forms:
     page1.color = 0xFF0000

     edge = pgraph.edge.edge(page1.id, page2.id)
     edge.label = "inherits variables username, password"

     # add the nodes and edges to the graph.
     graph.add_node(page1)
     graph.add_node(page2)
     graph.add_edge(edge)

     # update the graph as we spider.
     udraw.graph_new(graph)

     # center the graph on the last created node.
     udraw.focus_node(page1.id)

Creation of static graphs is free. At any point, you can save your 
uDraw output to disk:

     fh = open("graph.udg", "w+")
     fh.write(graph.render_graph_udraw())
     fh.close()

or render the graph as GML:

     fh = open("graph.gml", "w+")
     fh.write(graph.render_graph_gml())
     fh.close()

or generate an image through GraphViz / PyDOT:

     # 'graph' is the pgraph.graph instance created above
     png = graph.render_graph_graphviz()

     # twopi might be a better 'prog' value here
     png.write_png("graph.png", prog="dot")

It's all Python so it should tie into CANVAS seamlessly.

-pedram

Dave Aitel wrote:

So I use CANVAS as an attack platform for Web Application Assessments
quite often. There are probably better specialized tools, but I like
having everything in Python because each assessment is different and
it's easy to add to CANVAS for me.

In today's case, I'm looking at another large JSP application. Typical
three tier stuff.

What I want to do is browse the whole site, and then have another script
go through my SPIKE Proxy saved request-and-response files and graph
them. Pages with lots of forms on them or interesting text or variables
could get graphed larger, and links can be drawn between forms that
share the same data or lead to each other. And it'd be nice to cull and
color the graph and say "I checked this variable - it's safe" or even
tie it into the fuzzing mechanism. "Fuzz from this page to that page"

Essentially I want WebAppNavi. Does anyone have anything similar ?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
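
The graphing idea discussed in this thread (pages with forms highlighted, edges labelled with the variables passed along), as an added example that is not part of either message and is not PaiMei or CANVAS code. It is stand-alone Python 3 using only the standard library and writes GML directly instead of calling pgraph; the `PAGES` dict is a constructed stand-in for saved proxy responses, and `FormScanner`, `build_graph` and `render_gml` are hypothetical names.

```python
from html.parser import HTMLParser

# Constructed sample responses (path -> HTML body); stand-ins for saved proxy files.
PAGES = {
    "/some/path/login.jsp": '<form action="/some/path/process_login.jsp">'
                            '<input name="username"><input name="password"></form>',
    "/some/path/process_login.jsp": '<a href="/some/path/home.jsp">home</a>'
                                    '<form action="/some/path/login.jsp"><input name="username"></form>',
    "/some/path/home.jsp": "<p>welcome</p>",
}

class FormScanner(HTMLParser):
    """Collect link targets and each form's action and input names (inputs go to the last opened form)."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "vars": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["vars"].append(a["name"])

def build_graph(pages):
    """Return (nodes, edges): nodes carry a form count, edges the variables a form submits."""
    ids = {path: i for i, path in enumerate(sorted(pages), 1)}  # numeric node ids
    nodes, edges = {}, []
    for path, body in pages.items():
        scan = FormScanner()
        scan.feed(body)
        nodes[ids[path]] = {"label": path, "forms": len(scan.forms)}
        targets = [(f["action"], ", ".join(f["vars"])) for f in scan.forms] + [(h, "") for h in scan.links]
        edges += [(ids[path], ids[t], lbl) for t, lbl in targets if t in ids]  # skip off-site targets
    return nodes, edges

def render_gml(nodes, edges):
    """Pages with forms are filled red, echoing the 0xFF0000 marking used in the post."""
    out = ["graph [", "  directed 1"]
    for nid, n in sorted(nodes.items()):
        fill = "#FF0000" if n["forms"] else "#EEEEEE"
        out.append('  node [ id %d label "%s" graphics [ fill "%s" ] ]' % (nid, n["label"], fill))
    for src, dst, label in edges:
        out.append('  edge [ source %d target %d label "%s" ]' % (src, dst, label))
    return "\n".join(out + ["]"])

if __name__ == "__main__":
    print(render_gml(*build_graph(PAGES)))
```

The same `nodes` and `edges` could be fed to `pgraph.node` and `graph.add_edge` as in the reply above in place of `render_gml`.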

