Vimana Framework Versions Save

Vimana is an experimental security framework that aims to provide resources for auditing Python web applications.

v0.7

1 year ago

About this release

This is a significant release, the biggest since the first one of this project. In broad terms, the main improvements are listed below.

Framework Plugin Engine 🔌

This is a core component of Vimana that allows extensions to be plugged in, extending the range and type of resources available. It received significant improvements focused on reliability and on the information it reports.

Simplified setup ⚙️

In addition to the step-by-step approach, this release lets you set up Vimana with a single bash command line:

$ curl -s https://raw.githubusercontent.com/s4dhulabs/vimana-framework/main/scripts/get_vimana | bash

Vimana Plugins Loader :zap:

Since most plugin operations are now handled through a database, the initial setup requires plugins to be registered before you can start using Vimana. You can accomplish that by running:

vimana load --plugins

Vimana Guide :sparkles:

This brand-new resource centralizes everything related to a plugin's specification, required arguments, usage examples, and lab setups. Once the Framework is ready, you can use the following syntax:

vimana guide --plugin <plugin name> --args/--examples/--labs

Post-analysis utilities 👾

In this version, three new post-analysis utilities are available for DMT (Django Misconfiguration Tracker):

qx/query_extractor:  Looks for SQL queries in exception metadata
cx/creds_extractor:  Looks for credentials in metadata
ss/secret_scan:  Scans leaked source code and environment for well-known secret patterns
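Functionally, the three utilities above are pattern-matching passes over text that a misconfigured application has already exposed (exception metadata, settings dumps, leaked source). The block below is an added example, not the DMT plugin's own code: it runs the three kinds of pass over a constructed excerpt in the style of a Django DEBUG error page. The sample text, the regexes, the pattern subset and the function names are all assumptions made for the demonstration; the AWS key is AWS's documented example value, and findings are masked before they are reported.

```python
import re

# Constructed excerpt in the style of a Django DEBUG=True error page (not real
# output from any application or from the Vimana project). All values are fake;
# the AWS key is AWS's documented example value.
SAMPLE = """\
Exception Value: relation "auth_user" does not exist
Local vars:
  sql = 'SELECT "auth_user"."id", "auth_user"."password" FROM "auth_user" WHERE "auth_user"."username" = %s'
  params = ['admin']
Settings:
  DATABASES = {'default': {'ENGINE': 'django.db.backends.postgresql', 'NAME': 'shop', 'USER': 'shop_rw', 'PASSWORD': 'Sup3rS3cret!', 'HOST': 'db.internal'}}
  SECRET_KEY = 'django-insecure-0example0example0example0example0example'
  AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'
  EMAIL_HOST_PASSWORD = 'mail-pass-123'
"""

# qx-style pass: single-quoted strings that begin with a SQL verb.
SQL_RE = re.compile(r"'((?:SELECT|INSERT|UPDATE|DELETE)\b[^']*)'", re.IGNORECASE)

# cx-style pass: an upper-case Django setting or dict key whose name suggests a
# credential, followed by a quoted value.
CRED_RE = re.compile(
    r"""['"]?([A-Z_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*)['"]?\s*[:=]\s*['"]([^'"]+)['"]"""
)

# ss-style pass: a small, assumed subset of well-known secret formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "django_insecure_secret_key": re.compile(r"django-insecure-[0-9a-z!@#$%^&*(_=+)-]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def extract_queries(text: str) -> list[str]:
    """Return the SQL statements found in the text."""
    return [m.group(1).strip() for m in SQL_RE.finditer(text)]


def extract_credentials(text: str) -> list[tuple[str, str]]:
    """Return (setting_name, value) pairs whose name suggests a credential."""
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(text)]


def scan_secrets(text: str) -> list[tuple[str, str]]:
    """Return (pattern_name, matched_value) for every well-known secret format hit."""
    return [(name, m.group(0))
            for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can reference a secret without reproducing it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def report(text: str) -> dict:
    """Run all three passes and return a masked summary suitable for a finding."""
    return {
        "queries": extract_queries(text),
        "credentials": [(k, mask(v)) for k, v in extract_credentials(text)],
        "secrets": [(n, mask(v)) for n, v in scan_secrets(text)],
    }


if __name__ == "__main__":
    for section, hits in report(SAMPLE).items():
        print(f"[{section}]")
        for hit in hits:
            print("  ", hit)
```

The credential regex deliberately only matches upper-case setting names, so the lower-case `"password"` column inside the SQL statement is reported as part of the query rather than as a credential; a real scanner would carry a much larger pattern set and should still mask values in its output.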

v0.2

2 years ago

:zap: :sparkles: About the journey

Since the last release, many (crazy) ideas have been put into practice, some resources have been improved, and a lot of code has been written. Below I present some important points of this journey of developing an experimental tool that has been taking shape, little by little, at the speed of the hands of a lonely sadhu in his free time. [:

This release brings several improvements to the siddhis present in the previous release, in addition to some new features.

Basically, the following changes were made:

:sparkles: :bug: DJunch (Django Application Fuzzer)

This siddhi was completely restructured to run the tests and parse the results using Scrapy/Twisted Web. This made it possible to expand the tests, perform dynamic scope creation, and decouple several resources, separating the engine's own actions from isolated, generic ones that can be used by other modules.

Although it still needs countless improvements, in this version the engine is much more robust than the previous one, and it also brings the fix for issue #8.

:sparkles: 2pacx (Unsecure Zip File Extraction Exploit)

This is the first siddhi of the 'exploit' type: instead of tracking, identifying vulnerabilities or correlating data, this module actively exploits a vulnerability in a popular Python module.

In this case, it exploits vulnerabilities related to unsafe file extraction with the Python zipfile package. The idea for the exploit was born from researcher Ajin Abraham's analysis.
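The class of bug 2pacx targets is path traversal during archive extraction: an extractor that joins each entry name onto the destination directory without validation will write an entry such as `../../x` outside that directory. The block below is an added example for defenders, not code from the Vimana project or from 2pacx: it contrasts the naive path computation with a check that resolves every entry before anything is written. The archive contents, entry names and helper names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed archives (not from the Vimana project). The hostile one carries a
# benign entry, an entry that climbs out of the extraction directory and an
# entry with an absolute name.
CLEAN_ENTRIES = {"app/settings.txt": "DEBUG = False\n"}
TRAVERSAL_ENTRIES = {
    **CLEAN_ENTRIES,
    "../../outside.txt": "would land above the target directory\n",
    "/tmp/absolute.txt": "would ignore the target directory entirely\n",
}


def build_archive(entries: dict[str, str]) -> bytes:
    """Build an in-memory zip from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest: str) -> list[str]:
    """Paths an unvalidated extractor would write to (os.path.join(dest, name)).
    Only computes the paths; nothing is written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.join(dest, info.filename) for info in zf.infolist()]


def is_within(dest_root: Path, candidate: Path) -> bool:
    """True if candidate is dest_root itself or lies beneath it."""
    try:
        candidate.relative_to(dest_root)
        return True
    except ValueError:
        return False


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Names of entries whose fully resolved target falls outside dest."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    return [n for n in names if not is_within(dest_root, (dest_root / n).resolve())]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any entry is unsafe; otherwise extract it."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def demo() -> dict:
    """Run both archives through the checks inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_archive(TRAVERSAL_ENTRIES)
        result = {
            "naive": naive_targets(hostile, dest),
            "flagged": unsafe_entries(hostile, dest),
        }
        try:
            safe_extract(hostile, dest)
            result["hostile_extracted"] = True
        except ValueError:
            result["hostile_extracted"] = False
        result["clean_extracted"] = safe_extract(build_archive(CLEAN_ENTRIES), dest)
        result["clean_file_exists"] = os.path.isfile(os.path.join(dest, "app", "settings.txt"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Current CPython's `ZipFile.extract`/`extractall` already strips absolute roots and `..` components, so the check matters most for code that writes entries itself after `os.path.join(dest, name)`, which is what `naive_targets` models. A name-based check also does not cover symlink entries; an extractor that must accept those needs to validate link targets separately.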

:sparkles: VMNF Payloads

With the arrival of the 2pacx siddhi, it became necessary to introduce a dedicated resource for generating payloads dynamically in an obfuscated form. For now, the payload engine is still quite simple and supports only two types of payload:

- olpcb_payload (One-liner Python base64 encoded connect back payload)
- pws_payload (Python base64 encoded web shell payload)

Another new feature in this release, also related to exploits, is the ability to list the supported payloads; it is an option of the list command: vimana list --payloads

There are plans for integration with Meta to allow other options for generating payloads.

:sparkles: Overview in load

The Framework now lists the number of modules available per type on the initial load screen.

All of these new features still need improvement and are still in an experimental phase. Some have been thoroughly tested, while others still need to be evaluated in other scenarios.

Apart from all that, Vimana is still an experimental tool about which I also know very little. I am still not clear on what I intend with specific resources, how far they can reach and how they can feed other types of approaches; however, it is clear that they can yield a lot, depending only on the analyst's creativity. For now, the plan is to put ideas into practice; over time, we will see how to make better use of each one.

originally released on Feb 20, 2021

v0.1

2 years ago

:alien:

This release contains all core and siddhi modules (Vimana plug-ins) with their standard features, as initially published, but with some improvements.

Since the plugins in this alpha version focus mainly on the Django framework, one of the main siddhis is DJunch, an application fuzzer, which has been undergoing several improvements and should come out with much more robust and comprehensive features in the next release.

originally released on Dec 12, 2020