Ticket #123 (closed bug: fixed)

Opened 1 year ago

Last modified 1 year ago

Bug in URL processing bypasses Honeyclients

Reported by: mbriggs Assigned to: kindlund
Priority: highest Milestone:
Component: HoneyClient::Agent::Driver::Browser Version: 0.99
Severity: critical Keywords: escape,character,is_uri,url,validation
Cc:

Description

By crafting a URL with escaped characters, a malicious web page can evade detection by Honeyclients if the URL contains escaped characters (e.g. '%20' for a space). This is a result of Data::Validate::URI→is_uri() rejecting such links. They are added to the links_ignored list.

Attachments

Change History

11/27/07 15:11:17 changed by kindlund

I believe this bug was fixed in the latest version of Data::Validate::URI (v0.04). See ticket: http://rt.cpan.org/Public/Bug/Display.html?id=30848

I'm going to run a few tests to confirm that it was fixed.

— Darien

11/27/07 17:24:55 changed by kindlund

  • status changed from new to closed.
  • resolution set to fixed.

Yep. It's fixed.

11/29/07 10:42:45 changed by xkovah

  • status changed from closed to reopened.
  • resolution deleted.

That bug may be fixed, but can I get a confirmation on whether or not I'm seeing correct behavior when spidering with this new VM? (or whether it's just extra verbosity) It seems to me like it's ignoring a lot of relative links now

examples

Youtube: ser::IE - Driving To Resource: http://www.youtube.com/user/NewsInColor 2007-11-29 10:35:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '/watch?v=exHpkfkeDNM' 2007-11-29 10:35:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '/user/vvaldezfritimearts' 2007-11-29 10:35:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '/watch?v=X0CoeQWCTKM' 2007-11-29 10:35:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '/user/SHWADE22'

slashdot: 2007-11-28 12:23:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '//slashdot.org/search.pl?tid=88' 2007-11-28 12:23:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: 'mailto:sean.simons@gmail.com' 2007-11-28 12:23:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: '//slashdot.org/search.pl?tid=103' 2007-11-28 12:23:16 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm:

(I know slashdot uses weird links but still, these should be valid)

some random possibly malicious site I just copied while I was watching it:

2007-11-29 10:25:56 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: 'index.php?id=faq' 2007-11-29 10:25:56 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: 'index.php?id=register' 2007-11-29 10:25:56 WARN [HoneyClient::Agent::Driver::Browser::_validateLink] (lib/HoneyClient/Agent/Driver/Browser.pm: 703) - Ignoring invalid URL: 'index.php?id=advertise'

11/29/07 17:42:26 changed by xkovah

  • status changed from reopened to closed.
  • resolution set to fixed.

I think this is fixed now, per trunk commit #1065,1066 as I don't see any more of the slashdot URLs listed. It was an issue with Browser.pm:_validateLink() assuming it would only get in absolute URLs (ala _getNextURL() usage), but it was being passed relative ones by _processLinks().

Add/Change #123 (Bug in URL processing bypasses Honeyclients)




Change Properties
Action