Delays and Attack Harnesses
So when I find a problem in code I find I need to prove it out in code. I see no point in wasting anyone's time with a theoretical weakness when there are applied weaknesses that need to be highlighted. And as I've found over and over again, you can automate anything with Python. So why not automate a full discovery and exploitation routine with Python?
This is actually where open source shines and terrifies all at the same time. With open source I can build the target locally and build an automated and dynamic attack script without any single owner of the given app being aware of my activities. This is also the only truly legal way to do penetration testing: I own the server and I'm not doing anything over the network, both of which would otherwise be illegal to pentest.
The general risk here is that when you open source your server application software you are exposing yourself to people who can do the same. An ideal scenario is that people like myself do such attack automation, responsibly disclose the results, and hand over the attack harness as a testing gate for future releases. But the downside is that hostile attackers can generate their own clones of your infrastructure and attack them all day long without you being the least bit aware.
Attack Harness
Very much like the similarly named "test harness", this is a Python app that grabs the relevant live code or API and turns it into a data structure that can be used to run attack tools against the whole of the attack surface area. The harness has a few minimal requirements to really be considered a harness:
- It must be dynamic, "So if you update an application it must also pick up the changes and put them into the primary metadata structure."
- It must be tool agnostic, "It should be generic enough to be used by any given tool that can run in batch mode or otherwise without human interaction."
- It must ignore any common sense, "This is about being thorough, not making sense. Thoroughness will find flaws, playing like you are supposed to with a target will not."
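As an added example (not the author's harness or any project's code), here is a minimal Python skeleton that meets the three requirements: it parses Flask-style route decorators from a constructed source sample into the primary metadata structure, drives any callable check over every (method, path) pair without deciding which pairs "make sense", and detects inventory drift between runs so a release gate cannot pass on a stale surface. The sample source, the route regex and the auth-review check are constructed assumptions.

```python
"""Attack-harness skeleton: enumerate an API surface from source, keep it as
a data structure, and run any batch-mode check over every entry."""
import json
import re
from typing import Callable, Dict, List

# Constructed sample: a Flask-style module as it might sit in a local checkout.
SAMPLE_SOURCE = '''
@app.route("/login", methods=["POST"])
def login(): ...
@app.route("/users/<int:uid>", methods=["GET", "DELETE"])
def user(): ...
@app.route("/search")
def search(): ...
'''
# Assumed decorator shape: @app.route("<path>", methods=[...]) with methods optional.
ROUTE_RE = re.compile(r'@app\.route\("(?P<path>[^"]+)"(?:,\s*methods=\[(?P<methods>[^\]]*)\])?\)')

def build_surface(source: str) -> List[Dict]:
    """Turn route decorators into the metadata structure: one entry per
    (path, method) pair, with no judgement about which pairs are sensible."""
    surface = []
    for m in ROUTE_RE.finditer(source):
        raw = m.group("methods")
        methods = [x.strip(' "\'') for x in raw.split(",")] if raw else ["GET"]
        params = re.findall(r"<(?:\w+:)?(\w+)>", m.group("path"))  # <int:uid> -> uid
        for method in methods:
            surface.append({"path": m.group("path"), "method": method, "path_params": params})
    return surface

# Tool-agnostic driver: a "tool" is any callable that takes one surface entry and
# returns findings as strings; a batch CLI can be wrapped in the same shape.
def run_tools(surface: List[Dict], tools: Dict[str, Callable[[Dict], List[str]]]) -> Dict[str, List[str]]:
    results = {}
    for entry in surface:
        key = f'{entry["method"]} {entry["path"]}'
        results[key] = [f"{name}: {f}" for name, tool in tools.items() for f in tool(entry)]
    return results

def surface_changed(previous: List[Dict], current: List[Dict]) -> bool:
    """Dynamic requirement: report drift since the last run so the gate re-inventories."""
    norm = lambda s: sorted(json.dumps(e, sort_keys=True) for e in s)
    return norm(previous) != norm(current)

# Constructed example check: state-changing methods outside the login path get reviewed.
def unauthenticated_mutation(entry: Dict) -> List[str]:
    if entry["method"] in ("POST", "PUT", "DELETE") and "login" not in entry["path"]:
        return ["state-changing method; confirm auth and CSRF checks"]
    return []

if __name__ == "__main__":
    surf = build_surface(SAMPLE_SOURCE)
    print(json.dumps(run_tools(surf, {"auth-review": unauthenticated_mutation}), indent=2))
```

Persisting the surface as JSON between runs and failing the gate when `surface_changed` is true is what turns this from a one-off script into the release gate described above.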
Anyway, like any good thing this requires more upfront work, which is where my head has been as of late.