Search Go hack yourself with Detectify
×

A web security blog from Detectify

Detectify Research Team releases Ugly Duckling, a web scanner for hackers

May 18, 2021

STOCKHOLM, SWEDEN – the Detectify Security Research team announced the general availability of Ugly Duckling, a stand-alone application security tool specifically tailored for ethical hackers to make it easier for them to share their latest findings. This new open-source scanner was developed with the Detectify Crowdsource community hackers in mind, and it is available for any security enthusiasts to tinker with as well.

About Ugly Duckling:

What it is & why it exists

Ugly Duckling is a stand-alone vulnerability scanner specifically tailored for ethical hackers to make it easier for them to share their latest findings.

Finding web vulnerabilities as soon as they emerge – before attackers exploit them – is critical to stay on top of web security. Ugly Duckling is built by the research team at Detectify so that members of Detectify Crowdsource can submit proof-of-concept modules in a way that we can test and implement efficiently.

We wanted people to be able to develop, test, and run modules in a simple and easy to document format.

With the Ugly Duckling web scanner, users can detect “stateless” vulnerabilities, i.e., vulnerabilities that can be identified with a single HTTP request, analyzing the response that comes back. Upon detection, ethical hackers can write modules as JSON files that describe what request needs to be made and what analysis should be done on the response.

Using Ugly Duckling, vulnerability findings can run live as security tests within 5-10 minutes after they have been submitted; it’s a win-win for both customers and hackers.

Today Detectify implements vulnerability knowledge from hacker-to-scanner in as fast as 15-minutes (new record since this article), and activating ethical hackers to submit accurate Proof-of-Concepts will enable a higher velocity of security information flow to security defenders.

Pricing and Availability

The Ugly Duckling vulnerability scanner tool is open-source and available on Github. Consistent with Detectify’s belief in approaching security in a collaborative way, the Ugly Duckling web scanner is not exclusive to ethical hackers in Detectify’s Crowdsource network, but available for anyone to use for bug bounty hunting, security research, or penetration testing.


Technical details (from Github)

Building

ugly-duckling is written in Go and has no external dependencies.

You can install it with go get:
▶ go get github.com/detectify/ugly-duckling

Or clone the repository and build it manually:
▶ git clone https://github.com/detectify/ugly-duckling.git
▶ cd ugly-duckling
▶ go install

Usage

ugly-duckling reads URLs on stdin, and takes a list of modules as its arguments (defaulting to ./modules/*.json if none are provided).
A standard invocation to run a single module against a single URL might look like this:
▶ echo https://example.com/ | ugly-duckling modules/test3.json

Or to run against multiple URLs contained in urls.txt:
▶ cat urls.txt | ugly-duckling modules/test.json

Options

  • c / --concurrency - set the concurrency for HTTP requests (defaults to 1)
  • v / --verbose - display debug type output (e.g. which modules have been loaded)

Module Format

Here is an example module that demonstrates all functionality in ugly-duckling:

{
	"request": {
		"method": "POST",
		"path": "/anything",
		"body": "{\"magicWord\": \"please!\"}",
		"headers": [
			"Content-Type: application/json",
			"Accept: application/json"
		]
	},
	"response": {
		"matchesRequired": 2,
		"matches": [
			{"type": "static", "pattern": "please!", "required": true},
			{"type": "regex", "pattern": "magic\\w"},
			{"type": "status", "code": 200},
			{"type": "header", "name": "Content-Type", "pattern": "application/.*"}
		],
		"mustNotMatch": [
			{"type": "regex", "pattern": "(server error|not found)"}
		]
	}
}

The request and response sections are both required. The minimum possible module has a path in the request section, and at least one thing in the matches list in the response section:

{
	"request": {
		"path": "/anything"
	},
	"response": {
		"matches": [
			{"type": "static", "pattern": "data"}
		]
	}
}

Request Section

The request section contains details about the HTTP request to be sent.
method – HTTP method to use; GET, POST, HEAD etc
path – Path and query string to append to the input URL
body – Data to be sent as the request body
headers – An array of headers to send with the request

Response Section

The response section contains details about how to check the response for a hit.
matchesRequired – How many matches must be made for a module to be considered a ‘hit’
matches – An array of objects describing the matches to be performed
mustNotMatch – An array of objects describing things which must not be matched

Matches

Match objects can have one of a few different types:
static – an exact text match is performed using the pattern parameter
regex – a regular expression match is performed using the pattern parameter; the regex engine is the default Go engine.
status – the status code of the response is compared to the integer in the code parameter
header – a regular expression match is performed against the header specified in the name parameter using the pattern specified in the pattern parameter

Any match object in the matches array can have a required parameter set to true so that a match must be met for a module to be considered a hit.

For more information, please contact:

Fredrika Isaksson, PR Manager
fredrika.isaksson@detectify.com
or press@detectify.com
+46 (0) 76 – 774 96 66

Reagan McAfee
Offleash for Detectify
detectify@offleashpr.com

 


What is Detectify?

A challenger to conventional application security, Detectify automates the latest security knowledge from leading ethical hackers and brings it into the hands of security defenders and web application teams. Powered by a network of handpicked ethical hackers, Detectify’s web vulnerability scanner checks your application beyond the OWASP Top 10 and helps you stay on top of threats in the cloud.

What will Detectify find in your web apps? Start a free 2-week trial of Detectify today.

Test your website's security with Detectify Sign up for a free trial