STOCKHOLM, SWEDEN – The Detectify Security Research team announced the general availability of Ugly Duckling, a stand-alone application security tool specifically tailored for ethical hackers to make it easier for them to share their latest findings. This new open-source scanner was developed with the Detectify Crowdsource community hackers in mind, and it is available for any security enthusiast to tinker with as well.
What it is & why it exists
Ugly Duckling is a stand-alone vulnerability scanner specifically tailored for ethical hackers to make it easier for them to share their latest findings.
Finding web vulnerabilities as soon as they emerge – before attackers exploit them – is critical to stay on top of web security. Ugly Duckling is built by the research team at Detectify so that members of Detectify Crowdsource can submit proof-of-concept modules in a way that we can test and implement efficiently.
We wanted people to be able to develop, test, and run modules in a simple, easy-to-document format.
With the Ugly Duckling web scanner, users can detect “stateless” vulnerabilities, i.e., vulnerabilities that can be identified with a single HTTP request, analyzing the response that comes back. Upon detection, ethical hackers can write modules as JSON files that describe what request needs to be made and what analysis should be done on the response.
Using Ugly Duckling, vulnerability findings can run live as security tests within 5-10 minutes after they have been submitted; it’s a win-win for both customers and hackers.
Today Detectify implements vulnerability knowledge from hacker to scanner in as little as 15 minutes (a new record since this article was first published), and activating ethical hackers to submit accurate proofs of concept will enable a higher velocity of security information flow to security defenders.
Pricing and Availability
The Ugly Duckling vulnerability scanner tool is open-source and available on GitHub. Consistent with Detectify’s belief in approaching security in a collaborative way, the Ugly Duckling web scanner is not exclusive to ethical hackers in Detectify’s Crowdsource network, but available for anyone to use for bug bounty hunting, security research, or penetration testing.
Technical details (from GitHub)
Building
ugly-duckling is written in Go and has no external dependencies.
You can install it with go get:
▶ go get github.com/detectify/ugly-duckling
Or clone the repository and build it manually:
▶ git clone https://github.com/detectify/ugly-duckling.git
▶ cd ugly-duckling
▶ go install
Usage
ugly-duckling reads URLs on stdin, and takes a list of modules as its arguments (defaulting to ./modules/*.json if none are provided).
A standard invocation to run a single module against a single URL might look like this:
▶ echo https://example.com/ | ugly-duckling modules/test3.json
Or to run against multiple URLs contained in urls.txt:
▶ cat urls.txt | ugly-duckling modules/test.json
Options
-c / --concurrency – set the concurrency for HTTP requests (defaults to 1)
-v / --verbose – display debug-type output (e.g. which modules have been loaded)
Module Format
Here is an example module that demonstrates all functionality in ugly-duckling (note that the quotes inside the body string and the backslash in the regex pattern must be escaped for the file to be valid JSON):
{
  "request": {
    "method": "POST",
    "path": "/anything",
    "body": "{\"magicWord\": \"please!\"}",
    "headers": [
      "Content-Type: application/json",
      "Accept: application/json"
    ]
  },
  "response": {
    "matchesRequired": 2,
    "matches": [
      {"type": "static", "pattern": "please!", "required": true},
      {"type": "regex", "pattern": "magic\\w"},
      {"type": "status", "code": 200},
      {"type": "header", "name": "Content-Type", "pattern": "application/.*"}
    ],
    "mustNotMatch": [
      {"type": "regex", "pattern": "(server error|not found)"}
    ]
  }
}
The request and response sections are both required. The minimum possible module has a path in the request section, and at least one thing in the matches list in the response section:
{
  "request": {
    "path": "/anything"
  },
  "response": {
    "matches": [
      {"type": "static", "pattern": "data"}
    ]
  }
}
Request Section
The request section contains details about the HTTP request to be sent.
method – HTTP method to use; GET, POST, HEAD etc.
path – Path and query string to append to the input URL
body – Data to be sent as the request body
headers – An array of headers to send with the request
Response Section
The response section contains details about how to check the response for a hit.
matchesRequired – How many matches must be made for a module to be considered a ‘hit’
matches – An array of objects describing the matches to be performed
mustNotMatch – An array of objects describing things which must not be matched
Matches
Match objects can have one of a few different types:
static – an exact text match is performed using the pattern parameter
regex – a regular expression match is performed using the pattern parameter; the regex engine is the default Go engine
status – the status code of the response is compared to the integer in the code parameter
header – a regular expression match is performed against the header specified in the name parameter, using the pattern specified in the pattern parameter
Any match object in the matches array can have a required parameter set to true so that the match must be met for a module to be considered a hit.
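To make the match semantics above concrete, here is an added Go example (not ugly-duckling's own code) that parses a module and evaluates its response section against an already-fetched response. It assumes that static patterns are substring matches, that headers are single-valued, that a missing matchesRequired means at least one match, and that a mustNotMatch hit or a failed required match vetoes the hit regardless of the count.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Match is one entry of "matches" or "mustNotMatch". encoding/json maps the
// lower-case JSON keys onto these fields case-insensitively, so no tags are needed.
type Match struct{ Type, Pattern, Name string; Code int; Required bool }

// matchOne evaluates one match object against a response given as its status code,
// header map (single-valued headers assumed, a simplification) and body text.
func matchOne(m Match, status int, hdr map[string]string, body string) bool {
	switch m.Type {
	case "static": // exact text contained in the body (substring, an assumption)
		return strings.Contains(body, m.Pattern)
	case "regex": // Go RE2 syntax, as the module format specifies
		return regexp.MustCompile(m.Pattern).MatchString(body)
	case "status":
		return status == m.Code
	case "header":
		return regexp.MustCompile(m.Pattern).MatchString(hdr[m.Name])
	}
	return false // unknown match type never matches
}

// IsHit parses a module and applies its response rules: a mustNotMatch hit vetoes, every
// "required" match must pass, and at least matchesRequired (assumed 1 when absent) must pass.
func IsHit(moduleJSON string, status int, hdr map[string]string, body string) (bool, error) {
	var mod struct{ Response struct{ MatchesRequired int; Matches, MustNotMatch []Match } }
	if err := json.Unmarshal([]byte(moduleJSON), &mod); err != nil {
		return false, err
	}
	for _, m := range mod.Response.MustNotMatch {
		if matchOne(m, status, hdr, body) {
			return false, nil
		}
	}
	hits := 0
	for _, m := range mod.Response.Matches {
		if matchOne(m, status, hdr, body) {
			hits++
		} else if m.Required {
			return false, nil
		}
	}
	return hits > 0 && hits >= mod.Response.MatchesRequired, nil
}
```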
For more information, please contact:
Fredrika Isaksson, PR Manager
fredrika.isaksson@detectify.com
or press@detectify.com
+46 (0) 76 – 774 96 66
Reagan McAfee
Offleash for Detectify
detectify@offleashpr.com
What is Detectify?
A challenger to conventional application security, Detectify automates the latest security knowledge from leading ethical hackers and brings it into the hands of security defenders and web application teams. Powered by a network of handpicked ethical hackers, Detectify’s web vulnerability scanner checks your application beyond the OWASP Top 10 and helps you stay on top of threats in the cloud.
What will Detectify find in your web apps? Start a free 2-week trial of Detectify today.