Testing for Known CGI Vulnerabilities: Whisker

If you have the joy of monitoring an ad-hoc network of servers that could potentially be running Web services (that is, any university campus), you might want to employ some automated testing for known CGI vulnerabilities. A well-known Perl tool known as Whisker makes this possible. Whisker automatically crawls a given URL and tests located CGIs against a list of known vulnerability fingerprints . It also provides information about the server itself, including the Web root options and server response banners.

To install Whisker, download, unarchive , and enter the source distribution directory. Whisker can be downloaded from http://www.wiretrip.net/:

 %  curl -O http://www.wiretrip.net/rfp/bins/whisker/whisker-2.1.tar.gz  %  tar zxf whisker-2.1.tar.gz   % cd whisker-2.1

Next , install the software (as root), using perl install.pl . The default installation values should be fine:

 #  perl install.pl  Whisker data files will be placed in the following directory:         /usr/local/share/whisker/ If this is OK, then type 'Y', otherwise type 'N'. Choice [y/n]:  y  A whisker symlink will be made in the following directory:         /usr/local/bin/ If this is OK, then type 'Y', otherwise type 'N'. Choice [y/n]:  y  Installing whisker.pl...done. Copying CHANGES...done. Copying html.plugin...done. Copying LW.pm...done. Copying main.test...done. Copying newbie.help...done. Copying README...done. Making whisker symlink...done. All done installing! To run whisker, type:         /usr/local/bin/whisker

After it is installed, Whisker can be invoked (in its simplest form) with /usr/local/bin/whisker -h <url to check> . For example, to check for potential vulnerabilities on the machine fusion.poisontooth.com , I'd type:

[View full width]

  [View full width] 
 #  /usr/local/bin/whisker -h http://fusion.poisontooth.com  ---------------------------------------------------------------------------- Title: Notice Whisker scans for CGIs by checking to see if the server says a particular URL exists.  However, just because a URL exists does not necessarily mean it is vulnerable/exploitable--the vulnerability might be limited to only a certain version of the CGI, and the server might not be using the vulnerable version.  There is also the case where many scripts use the same generic CGI name (like count.cgi); in this case, the exact CGI being used may not be the same one that contains the vulnerability. Thus, the actual vulnerability of the CGI must be verified in order to get a true assessment of risk.  Whisker only helps in pointing out the problem areas.  The next step after scanning with whisker is to review each found CGI by reviewing the reference URLs or searching for the CGI name on SecurityFocus.com or Google.com. ---------------------------------------------------------------------------- Beginning scan against http://fusion.poisontooth.  com---------------------------------------------------------------------------- Whisker is currently crawling the website; please be patient.  ---------------------------------------------------------------------------- Title: Server banner Id: 100 Severity: Informational The server returned the following banner:         Microsoft-IIS/4.0 ---------------------------------------------------------------------------- Title: Alternate server type Id: 103 Severity: Informational Testing has determined that the server may not necessarily be an 'Microsoft-IIS' server due to it not responding correctly to certain requests.  This means that the admin may have changed the server banner to subvert attackers. ---------------------------------------------------------------------------- Title: Server OPTIONS results Id: 109 Severity: Informational The server responded to an OPTIONS query with the following public methods: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE ---------------------------------------------------------------------------- Title: ColdFusion installed Id: 102 Severity: Informational Allaire/Macromedia ColdFusion was found to be installed on the server. ColdFusion has various security problems which are not possible to scan for.  The following CVE entries indicate potential vulnerabilities which may exist on the server: 1999-0760       2000-0050       2000-0051 2000-0297       2000-0334       2000-0410 2000-0862       2000-1049       2000-1051 2000-1050       2001-0179 ---------------------------------------------------------------------------- Title: cfmlsyntaxcheck.cfm Id: 502 Cve: 1999-0924 Found URL: /cfdocs/cfmlsyntaxcheck.cfm No specific information is provided for this item. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0924 ---------------------------------------------------------------------------- Title: index.cfm Id: 505 Bid: 1314 Cve: 2000-0538 Found URL: /cfide/administrator/index.cfm No specific information is provided for this item. References: http://online.securityfocus.com/bid/1314 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0538 ---------------------------------------------------------------------------- Title: Notable directories found Id: 101 Severity: Informational Found URL: /cart/ Whisker scans for a list of 'notable' directories--that is, directories which may contain interesting information and/or CGIs. The finding of a directory does not immediately signal a problem; rather, you should go back and review the contents of each found URL to determine if there is any sensitive material in those directories. ...

Although most of the messages that are returned are classified as informational, those that represent a potential security risk are provided with CVE IDs for easy identification and correction. A default Mac OS X Apache installation should show only a few information messages and no exploitable conditions.

Whisker supports a number of command-line options to alter its behavior and performance. Table C.1 documents the available Whisker options.

Table C.1. Whisker Command-Line Options

Option	Description
`-h` `<URL to scan>`	Set the URL of the site to be scanned.
`-a <` `user :pass>`	Provide a username and password for use when Whisker encounters HTTP AUTH protected pages.
`-P` `<proxy server>`	Send requests via the named proxy server.
`-A` `<user:pass>`	Authenticate with a proxy server using the given username and password.
`-t` `<seconds>`	Specify a timeout (in seconds) for results to be returned to Whisker.
`-I` `<mode number>`	Enable Whisker's intrusion detection system evasion. Available modes are
	1 URL encoding
	2 /./ directory insertion
	3 premature URL ending
	4 long URL
	5 fake parameter
	6 TAB separation (not NT/IIS)
	7 case sensitivity
	8 Windows delimiter
	9 session splicing (slow)
	0 NULL method
`-S` `<string>`	Override the server banner to force Whisker to consider a specific server type ”such as `apache` ”regardless of how the server presents itself.
`-G`	Force all scans on all servers (regardless of the platform).
`-l` `<output file>`	Log the output to the named file.
`-q`	Quiet mode. Results are not sent to STDOUT.
`-d` `<level to crawl>`	Set the depth of the Web server "crawl" that will take place.
`-c` `<crawl options>`	Change Whisker's crawl log behavior. The available crawl options are
	`d` Do not crawl site.
	`p` Take URL parameters into account when crawling.
	`h` Use HEAD requests for potential speed increase.
	`l` Raise the URL buffer limit from 1,000 to 10,000.
	`a` Do not populate SPIDER directory array.
	`c` Add form target directories to CGIBIN directory array.
	`e` Do not add .asp or .php form targets to CGIBIN dir array.
`-T` `<tweak options>`	Tweak the Whisker output. Choose from these tweak options:
	`c` Track and handle cookies as a normal client would.
	`p` Include PHTML in generic PHP extensions.
	`l` Double-scan all mixed-case URLs as lowercase.
	`d` Suppress CGI disclaimer in output report.
	`i` Suppress all interactive questions.
	`r` Invert the `-r` parameter (as in, do not run those tests).
	`R` Turn off libwhisker retries feature.
	Use HTTP/1.0.
	`3` Report all move (3xx) responses.
	`4` Report all authentication (401) responses.
	`5` Report all failure (500) responses.
	`f` Report all form targets.
	`C` Report all cookies given during scanning.
	`A` Report everything.
	`D` Print debug output to `STDERR.`
	`T` Dump TRACK hash to `track.log` in current directory when done.
	`H` HTML format output.

TIP

If invoked without any command-line arguments, Whisker provides a text-based "wizard" for configuring a scan. For those who don't like memorizing options, this is an easy way to set up a scan.

Although Whisker can help you identify potential Web application problems and basic Web server configuration issues, it cannot diagnose internal errors in your custom-built applications. It is a useful tool ”but incapable of protecting you from yourself.

Top