Amit - I like the idea...you might recall that a few years ago, I
actually thought about using strace for a different purpose ;-)
Matt - here's the strace output, when ran on the Apache server process.
You'll notice that it is quite easy to notice the file open requests:
- My first request was: GET /test.html HTTP/1.0
- Here's the strace output:
...
NtQueryDirectoryFile (1624, 0, 0, 0, 16119860, 616, BothDirectory, 1,
"test.html", 0, ... {status=0x0, info=112}, ) == 0x0
NtCreateFile (0x80100080, {24, 0, 0x42, 0, 16121156, "\??\c:\program
files\apache group\apache\htdocs\test.html"}, 0x0, 128, 3, 1, 96, 0, 0,
...
...
(The NtCreateFile is the one in charge of opening the existing file)
- I did a second experiment just for fun, and requested a non-existing
file called "fail_test.html"
- Here's the strace output:
NtQueryDirectoryFile (1616, 0, 0, 0, 17168436, 616, BothDirectory, 1,
"fail_test.html", 0, ... ) == STATUS_NO_SUCH_FILE
- You will also notice another interesting line in this example:
NtWriteFile (1932, 0, 0, 0, "[Wed Apr 20 11:25:16 2005] [error] [client
127.0.0.1] File does not exist: c:/program files/apache
group/apache/htdocs/fail_test.html\15\12", 135, 0x0, 0, ... {status=0x0,
info=135}, ) == 0x0
Yes, that's the server writing to the log file :-)
-Ory
-----Original Message-----
From: Matt Fisher [mailto:mfisher@spidynamics.com]
Sent: Wednesday, April 20, 2005 9:13 AM
To: Amit Klein (AKsecurity); Ory Segal; Jarmon, Don R;
webappsec@securityfocus.com
Cc: wasc-technical@webappsec.org
Subject: RE: webapp dependencies
That's not a bad idea. Capturing at a lower level would indeed give
more details. I don't think I've ever used strace. Would the output be
relatively clean ? Ie, not too much work to filter the wheat from the
chaffe ?
-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity@hotpop.com]
Sent: Wednesday, April 20, 2005 2:27 AM
To: Ory Segal; Jarmon, Don R; webappsec@securityfocus.com; Matt Fisher
Cc: wasc-technical@webappsec.org
Subject: RE: webapp dependencies
On 19 Apr 2005 at 23:21, Matt Fisher wrote:
I'd really be interested in hearing about it if anyone
finds a good
tool / technique but at this point I really don't see how
it could be
sufficiently performed from any client sided product such
as crawlers,
scanners, accessibility testers etc.
I'd take quite a different approach. At runtim, attach to the web
process at a low level (kernel?), e.g. strace, and log access to
files. Then use a crawler to enumerate (to the extent possible) all
flows through the app. This should give you the list of files accessed
by the web server process (there are many detailed to be ironed out,
such as server caching, spawning new proceses, etc. but I believe it's
doable).
In the above example, once you make a hit on the page.asp, strace
would first show the web process to read page.asp, and immediately
thereafter page1.html.
-Amit
