How To - Malicious Web Site Analysis Environment

There are numerous web sites and server-side scripts which attack their visitors, or simply cause them unpleasant problems.

The latest one to gain prominence, although it does not really cause much harm, is "Want 2 C Something Hot?". It is an elegant clickjacking attack, a form of CSRF (Cross-site request forgery), which simply shares itself on the Facebook profile of the visitor.

The careful visitor will simply steer away from such links. The careful but curious visitor will want to see what such code does, but in a safe environment. So here is a sample environment for a safe preliminary analysis of a malicious web site:

  1. The analysis computer - a cleanly installed VMware Windows XP SP3 guest OS. The guest OS should be configured with bridged networking, so that its traffic is visible on the wire. Bear in mind that a bridged guest sits directly on your LAN: configure your host OS firewall to block all communication from the guest OS IP address to the host OS IP address, and take a snapshot of the clean guest before each session so you can revert it afterwards.
  2. The protective shielding - the guest OS should have up-to-date antivirus software. We recommend AVIRA, with active heuristic scanning. Also include an anti-malware tool, like Spybot - Search & Destroy. Note that the antivirus may block the very code you want to observe; if it does, the packet capture still shows what was fetched.
  3. The analysis tools - Now is the time to fire up your arsenal:
    • Wireshark/Ethereal - all traffic should be captured with a network sniffer, so if the application-level tools miss something you can always go back to the packet capture. Run the sniffer on the host, on the interface the guest is bridged to, set it to save the capture to disk automatically, and start it before you start surfing!
    • Latest Firefox with the Firebug add-on - all request/reply communication will be tracked through Firebug's Net panel. This is the application-level tool that will help you start dissecting the communication to and from the browser, and what is actually received.
The results of the "Want 2 C something hot?" page as seen through Firebug are shown in the next image. From there you can start dissecting each request and reply to fully understand the sequence of events.
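To show what "dissecting each request and reply" looks like in practice, here is an added example that is not part of the original post. It assumes the Firebug session was exported to a HAR file (Firebug's NetExport add-on writes that format); the HAR content, the host names bait.example and social.example, and the request sequence are all constructed for illustration, not a capture of the real page. The script walks the entries in order and flags what an analyst looks for: scripts being loaded, cookies being set, redirects, and, above all, requests that leave the bait site for a third-party site while carrying the visitor's cookies for that site, which is the shape of a CSRF or clickjacking share.

```python
"""Dissect a HAR (HTTP Archive) export of a browsing session into an ordered
timeline of request/reply events with analyst-relevant flags."""
import json
from urllib.parse import urlsplit

# Constructed sample, not a real capture: a minimal HAR 1.2 log of the kind
# Firebug's NetExport add-on writes. Host names are placeholders.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "http://bait.example/hot.html",
                 "headers": [{"name": "Referer", "value": "http://social.example/home"}]},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"},
         {"name": "Set-Cookie", "value": "visited=1; path=/"}]}},
    {"request": {"method": "GET", "url": "http://bait.example/js/share.js",
                 "headers": [{"name": "Referer", "value": "http://bait.example/hot.html"}]},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "application/x-javascript"}]}},
    {"request": {"method": "POST", "url": "http://social.example/share",
                 "headers": [{"name": "Referer", "value": "http://bait.example/hot.html"},
                             {"name": "Cookie", "value": "session=deadbeef"}]},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "http://social.example/home?shared=1"}]}},
    {"request": {"method": "GET", "url": "http://social.example/home?shared=1",
                 "headers": []},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"}]}},
]}})


def header(headers, name):
    """Return the first value of a header, matched case-insensitively, or ''."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def dissect(har_text, first_party_host):
    """Turn a HAR log into an ordered list of events. Each event carries flags:
    'script' (executable content received), 'sets-cookie', 'redirect->URL',
    'third-party' (request left the bait site) and 'authenticated-cross-site'
    (third-party request referred from the bait page that carries the visitor's
    cookie for that site, which is how a CSRF/clickjacking share looks on the wire)."""
    entries = json.loads(har_text)["log"]["entries"]
    events = []
    for i, e in enumerate(entries, 1):
        req, resp = e["request"], e["response"]
        req_headers = req.get("headers", [])
        resp_headers = resp.get("headers", [])
        url = urlsplit(req["url"])
        flags = []
        if "javascript" in header(resp_headers, "Content-Type").lower():
            flags.append("script")
        if header(resp_headers, "Set-Cookie"):
            flags.append("sets-cookie")
        if 300 <= resp["status"] < 400:
            flags.append("redirect->" + header(resp_headers, "Location"))
        referer_host = urlsplit(header(req_headers, "Referer")).hostname
        if url.hostname != first_party_host:
            flags.append("third-party")
            if referer_host == first_party_host and header(req_headers, "Cookie"):
                flags.append("authenticated-cross-site")
        events.append({"n": i, "method": req["method"], "host": url.hostname,
                       "path": url.path, "status": resp["status"], "flags": flags})
    return events


def third_party_hosts(events, first_party_host):
    """Sorted list of every host contacted other than the bait site itself."""
    return sorted({ev["host"] for ev in events if ev["host"] != first_party_host})


def print_timeline(events):
    for ev in events:
        print(f"{ev['n']:2d} {ev['method']:4s} {ev['status']} "
              f"{ev['host']}{ev['path']} {' '.join(ev['flags'])}")


if __name__ == "__main__":
    evs = dissect(SAMPLE_HAR, "bait.example")
    print_timeline(evs)
    print("third-party hosts contacted:", third_party_hosts(evs, "bait.example"))
```

To run it on a real session, replace SAMPLE_HAR with the text of the exported HAR file and pass the bait site's host name as first_party_host; the entries flagged authenticated-cross-site are the ones to open first in Firebug, and the packet capture is there to confirm anything the browser-side view leaves out.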

Please note that the results are not magical, and that by only using this toolset you won't become an instant security analyst or a hacker. This is just a safe environment for the analysis of web sites.

Talkback and comments are most welcome



Steven said...

This is not XSS. This is clickjacking, which is a form of CSRF. Nothing at all to do with XSS. Please do not say that.

Bozidar Spirovski said...

Corrected. My bad :)
