
diviner
Diviner - Clairvoyance in the Digital Frontier
Diviner is an active information gathering platform, built as an extension for OWASP Zed Attack Proxy (ZAP) (http://code.google.com/p/zaproxy/),
and aimed at enhancing the tester's decision-making process.
Developed by Hacktics ASC (http://www.hacktics.com).
Diviner is a unique platform that attempts to predict the structure of the server-side memory, source code and processes.
It does so by executing scenarios designed to fingerprint behaviors that derive from specific lines of code, processes or memory allocations,
by employing a variety of coverage processes, content differentiation tests and entry point execution scenarios,
and by using deduction algorithms that convert this information into a visual map of the application.
The information is also presented in the form of leads that can help testers locate complex vulnerabilities
the same way they locate the vulnerabilities considered low-hanging fruit.
Requirements:
Diviner requires Java 1.7.x (it will not work with previous Java versions), and was tested with ZAP v2.0/1.4.0.1/1.4.1.
Verify that the ZAP proxy is running under Java 1.7.x before running the installer.
Screenshots:
- Server memory divination and leads for cross-page attacks: http://diviner.googlecode.com/files/diviner-poc-server-memory-divination-and-leads-for-cross-page-attacks.png
- Server memory divination and leads for cross-page persistent attacks: http://diviner.googlecode.com/files/diviner-poc-server-memory-divination-and-leads-for-cross-page-peristent-attacks.png
- Server source code divination (Clairvoyance feature): http://diviner.googlecode.com/files/diviner-poc-server-source-code-divination-clairvoyance-feature.png
How Does it Work?
Diviner analyzes and reuses the requests found in ZAP's history at the moment of its activation,
activates the application entry points under different extreme conditions, generates and isolates specific application behaviors,
and uses the information obtained to predict the structure of the server-side memory, source code, and processes.
These aspects are then presented in the form of a visual map, which includes leads, tasks and payload recommendations.
Diviner also attempts to analyze this information in order to locate potential leads for vulnerabilities,
both simple and complex, and provides recommendations for detecting and exploiting them.
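The analysis phase described above boils down to comparing an entry point's response to a valid baseline value against its responses to probe values, while ignoring per-request noise such as anti-CSRF tokens. The following is an added illustration of that comparison and is not Diviner's own code; the `Response` type, the `VOLATILE` token pattern, the `ERROR_SIGNS` list and all sample responses are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed pattern for volatile content that must not count as a change.
# Diviner's 'Barrier Support' masks anti-CSRF tokens; this regex is an assumption.
VOLATILE = re.compile(r'name="csrf" value="[0-9a-f]+"')
# Constructed list of strings that mark an error-generating scenario.
ERROR_SIGNS = ("exception", "sql syntax", "stack trace")


@dataclass
class Response:
    status: int
    body: str


def normalize(body: str, sent_value: str) -> str:
    """Mask per-request noise (tokens, the echoed input) before comparing."""
    body = VOLATILE.sub('name="csrf" value="<TOKEN>"', body)
    return body.replace(sent_value, "<INPUT>") if sent_value else body


def classify(baseline: Response, base_value: str,
             probe: Response, probe_value: str) -> set:
    """Behaviours the probe value triggered, relative to the valid baseline."""
    found = set()
    if probe_value and probe_value in probe.body:
        found.add("reflection")        # input echoed back: XSS / CRLF lead
    lowered = probe.body.lower()
    if probe.status >= 500 or any(s in lowered for s in ERROR_SIGNS):
        found.add("error")             # error-generating scenario: injection lead
    if (probe.status != baseline.status or
            normalize(probe.body, probe_value) != normalize(baseline.body, base_value)):
        found.add("differentiation")   # input changed server-side behaviour
    return found


# Constructed responses standing in for traffic captured through the proxy.
BASELINE = Response(200, '<input name="csrf" value="a1b2"><p>Hello alice</p><p>3 items</p>')
REFLECTED = Response(200, '<input name="csrf" value="ff09"><p>Hello zq7marker</p><p>3 items</p>')
EMPTY = Response(200, '<input name="csrf" value="0c0c"><p>Hello guest</p><p>0 items</p>')
BROKEN = Response(500, 'Internal error: SQL syntax error in query')


def demo() -> dict:
    """Run three probes (unique marker, empty value, single quote) against the baseline."""
    return {
        "marker": classify(BASELINE, "alice", REFLECTED, "zq7marker"),
        "empty": classify(BASELINE, "alice", EMPTY, ""),
        "quote": classify(BASELINE, "alice", BROKEN, "'"),
    }
```

Masking the token first is what keeps the marker probe from being reported as a content change: only the echoed input differs, and that is reported as a reflection.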
The following videos demonstrate the use of some of Diviner's features:
- Using the Clairvoyance Feature to Gain Insight into the Server Memory, Code and Processes: http://www.youtube.com/watch?v=RmxiUL8ImkA&feature=plcp
- Using the Advisor Feature to Detect SQL Injection via Session Attributes: http://www.youtube.com/watch?v=3Gh4_UnUrKg&feature=plcp
- Using the Advisor Feature to Detect XSS via Session Attributes: http://www.youtube.com/watch?v=YKfIIVi8IN8&feature=plcp
Quickstart
- Install Diviner directly from ZAP's Add-ons screen.
- Once Diviner is installed, it can be accessed from the Tools menu.
- Prior to using Diviner's 'Analysis' feature (upper menu), define ZAP as the browser proxy and manually crawl the application,
activating the various features and operations with valid input. The better the coverage, the better the result.
It is currently recommended to use Diviner only on small to medium sized applications (or on a limited number of URLs).
Developers
Diviner is developed and maintained by Shay Chen (http://twitter.com/sectooladdict/), Eran Tamari (http://twitter.com/secure_et) and Alex Mor (https://twitter.com/nashcontrol).
Features
Analysis Features
- Detect Input Reflections (Potential XSS, CRLF Injection, Etc)
- Detect Error-Generating Scenarios (Potential Injections)
- Detect Content Differentiation Effects (Direct & Indirect Effect of Input)
Coverage Features
- Reuse the Content in ZAP's History
- Domain Restrictions
- URL Exclusion
Deduction Processes
- Convert Behaviors into Pseudo-code Representation of Server-Side Code
- Predict the Structure of the Server Side Memory (Session / DB / Etc)
- Isolate and Present a Map of the Server-Side Processes
- Specific Payload Recommendations
Barrier Support
- Authentication Support
- Anti-CSRF Token Support
- Resend Updated Values of Required Parameters (VIEWSTATE, Etc)
- Replay Relevant History Prior To Resending Requests
Built-in Plugins
- A Customized Manual Penetration Test Payload Manager
- Report Generator
Integration Features
- Integration With ZAP's 'Resend Request' Feature
Project Information
The project was created on Feb 26, 2012.
- License: GNU GPL v3
- 15 stars
- svn-based source control