Full Report
If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we’ve also ushered in a new year and in celebration SensePost is releasing source code for our in-house web proxy, Suru, under a BSD-style license. When released in 2006, Suru introduced a number of unique features to the world of inline proxies including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements include timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own. Since then, most of these features have been incorporated into more full-featured commercial proxies, negating the need for Suru.
Analysis Summary
# Tool/Technique: Suru
## Overview
Suru is an in-house web proxy developed by SensePost, released as open-source under a BSD-style license. Its primary purpose was to facilitate penetration testing and web application security assessments by acting as an inline proxy, offering features that were unique or lacking in commercial proxies at the time of its initial release (2006).
## Technical Details
- Type: Tool
- Platform: Not stated in the post.
- Capabilities: Inline proxy functionality, trivial fuzzing, token correlation, background directory brute-forcing, timing analysis, indexable directory checks.
- First Seen: 2006. The source code was released under a BSD-style license at the start of a later year; the post does not give the year.
## MITRE ATT&CK Mapping
Suru is an assessment tool rather than adversary malware, so an ATT&CK mapping is approximate: it describes the behaviours its modules generate against a target web server during the reconnaissance and discovery phase of an engagement. Acting as an interception proxy is not itself an ATT&CK technique, and neither phishing (T1566) nor port scanning applies.
- T1595 - Active Scanning
- T1595.003 - Wordlist Scanning (background directory brute-forcing and the indexable directory checks)
- T1595.002 - Vulnerability Scanning (trivial fuzzing of request parameters, loosely)
## Functionality
### Core Capabilities
- **Inline Web Proxy:** Functions as an intermediary for intercepting and modifying web traffic.
- **Trivial Fuzzing:** Ability to inject varied or unexpected input into web inputs to test for vulnerabilities.
- **Token Correlation:** Not defined in the post. In proxy terminology it usually means tracking values such as session identifiers or anti-CSRF tokens across requests, so that automated requests (fuzzing, brute-forcing) are sent with fresh, valid tokens rather than a stale one that the application rejects.
### Advanced Features
- **Background Directory Brute-Forcing:** Allows the proxy to perform directory enumeration attacks concurrently or in the background while other testing activities are ongoing.
- **Timing Analysis:** Analyzing response times of web requests, often used in side-channel attacks or to detect differences in how the server handles valid versus invalid requests.
- **Indexable Directory Checks:** Checks whether discovered directories have automatic directory listing enabled, which exposes the names of files (often backups, dumps or source) that the application never linked to.
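The following is an added example, not Suru's own code: a small re-implementation of three of the features above (directory brute-forcing, per-request timing and an indexable-directory check) run against a throwaway local HTTP server so that it works offline. The document root, the wordlist and the listing markers it searches for are constructed or assumed here for illustration; the markers cover Apache/nginx ("Index of") and Python's http.server ("Directory listing for").

```python
"""Added example, not Suru's own code: directory brute-forcing with timing
and an indexable-directory check, against a constructed local server."""
import functools
import http.server
import os
import shutil
import statistics
import tempfile
import threading
import time
import urllib.error
import urllib.request

# Constructed wordlist; a real run would use a large directory list.
WORDLIST = ["admin", "backup", "images", "login", "uploads"]

# Assumed markers of an auto-generated listing (Apache/nginx, Python).
LISTING_MARKERS = ("index of", "directory listing for")


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler; lists any directory that has no index.html."""

    def log_message(self, format, *args):  # keep the demo output clean
        pass


def start_test_server():
    """Serve a constructed tree: /admin/ has an index.html (not listable),
    /backup/ holds only db.sql (listable), anything else is a 404."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "admin", "index.html"), "w") as fh:
        fh.write("<html><body>admin console</body></html>")
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "db.sql"), "w") as fh:
        fh.write("-- constructed dump\n")
    handler = functools.partial(QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, root


def looks_like_listing(body):
    lowered = body.lower()
    return any(marker in lowered for marker in LISTING_MARKERS)


def probe(base_url, words, timeout=5.0):
    """Request /<word>/ for each word; record status, elapsed time and
    whether a 200 response is an auto-generated directory listing."""
    results = {}
    for word in words:
        url = f"{base_url}/{word}/"
        started = time.perf_counter()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
            status, body = err.code, err.read().decode("utf-8", "replace")
        elapsed_ms = (time.perf_counter() - started) * 1000.0
        results[word] = {
            "status": status,
            "ms": elapsed_ms,
            "listable": status == 200 and looks_like_listing(body),
        }
    return results


def timing_outliers(results, factor=3.0):
    """Timing analysis: words whose response took more than `factor` times
    the median, a hint that the server handled them differently."""
    times = [r["ms"] for r in results.values()]
    if len(times) < 2:
        return []
    median = statistics.median(times)
    return [w for w, r in results.items() if r["ms"] > factor * median]


def run_demo():
    server, root = start_test_server()
    try:
        host, port = server.server_address
        results = probe(f"http://{host}:{port}", WORDLIST)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    found = run_demo()
    for word, r in found.items():
        flag = " (directory listing enabled)" if r["listable"] else ""
        print(f"/{word}/ -> {r['status']} in {r['ms']:.1f} ms{flag}")
    print("timing outliers:", timing_outliers(found))
```

Against the constructed server, `/backup/` comes back 200 and is flagged as listable, `/admin/` is 200 but served from its index document, and the other words are 404s. Timing outliers are meaningful only over a network with a real application behind it; on the loopback interface they are noise, which is why the check is relative to the median rather than an absolute threshold.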
## Indicators of Compromise
As this is a source code release of a penetration testing tool, traditional malware IOCs (like specific hashes or C2s) are not provided or relevant unless analyzing a potentially malicious usage of the tool.
- File Hashes: N/A (Source code release)
- File Names: Suru
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Web traffic manipulation indicative of fuzzing or automated directory enumeration.
## Associated Threat Actors
This tool was developed and used internally by SensePost, a security consultancy. It is not associated with established adversarial threat actor groups (APTs).
## Detection Methods
Detection focuses on the *behavior* of the tool if used maliciously or without authorization on a network, rather than detecting the tool's static components.
- Signature-based detection: A source release leaves no binary to fingerprint. Network-side signatures would have to key on the request patterns generated by Suru's fuzzing or brute-forcing modules (bursts of requests for wordlist paths, repeated requests to one endpoint with varied parameter values), which it shares with every other scanner.
- Behavioral detection: Look for high volumes of sequential or structured requests characteristic of directory brute-forcing or input fuzzing against web servers.
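As an added example (not from the post), the behavioural check above implemented over web server access logs: it parses Apache/nginx "combined" format lines and flags any client that issues many requests for distinct paths, mostly answered 404, inside a short sliding window. The log lines, IP addresses and thresholds are constructed for illustration; tune the thresholds to the site's normal 404 rate before deploying.

```python
"""Added example, not from the post: flag directory brute-forcing in
combined-format access logs. Sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, window=timedelta(seconds=60),
                      min_requests=20, min_404_ratio=0.8):
    """Per client IP, slide a time window over its requests and flag the
    busiest window with >= min_requests distinct paths and a 404 ratio
    >= min_404_ratio. Returns {ip: stats for the worst window}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            # advance the right edge while it stays inside the window
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            chunk = evs[i:j]
            if len(chunk) < min_requests:
                continue
            n404 = sum(1 for e in chunk if e["status"] == 404)
            distinct = len({e["path"] for e in chunk})
            if n404 / len(chunk) >= min_404_ratio and distinct >= min_requests:
                prev = flagged.get(ip)
                if prev is None or len(chunk) > prev["requests"]:
                    flagged[ip] = {"requests": len(chunk), "not_found": n404,
                                   "distinct_paths": distinct,
                                   "start": chunk[0]["ts"]}
    return flagged


def constructed_log():
    """Constructed sample: one ordinary visitor and one brute-forcer."""
    base = datetime.strptime("01/Jan/2011:10:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'
    lines = []
    # ordinary browsing: five requests over two minutes, all found
    for k, path in enumerate(["/", "/css/site.css", "/login", "/about", "/contact"]):
        ts = (base + timedelta(seconds=25 * k)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, path=path, status=200, size=1024))
    # brute-forcer: 30 wordlist guesses in 30 seconds, two of which exist
    for k in range(30):
        ts = (base + timedelta(seconds=k)).strftime(TS_FMT)
        status = 200 if k in (3, 17) else 404
        lines.append(fmt.format(ip="203.0.113.9", ts=ts, path=f"/dir{k}/", status=status, size=231))
    return lines


if __name__ == "__main__":
    for ip, stats in find_bruteforcers(constructed_log()).items():
        print(f"{ip}: {stats['requests']} requests, {stats['not_found']} x 404, "
              f"{stats['distinct_paths']} distinct paths from {stats['start']}")
```

The distinct-path requirement is what separates brute-forcing from a client repeatedly reloading one broken link; the 404 ratio separates it from a crawler that mostly hits real content. A background brute-forcer running alongside manual testing, as Suru's did, looks exactly like this in the log even when the tester's own browsing is unremarkable.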
- YARA rules: N/A
## Mitigation Strategies
Mitigation centers on hardening web servers against automated scanning and abuse.
- Prevention measures: Implement strong rate-limiting on HTTP requests to detect and block automated scanning/fuzzing attempts.
- Hardening recommendations: Disable automatic directory listings (Apache `Options -Indexes`; nginx `autoindex off`, which is its default) so that a directory without an index document returns an error instead of its contents, which defeats the indexable directory check. Keep response codes and, where possible, response times consistent for existing and non-existent resources to blunt timing analysis. Validate input server-side so that fuzzing payloads are rejected rather than processed, and apply strict access control lists (ACLs) on sensitive directories.
## Related Tools/Techniques
- Commercial/Open-Source Proxies: Burp Suite, OWASP ZAP, Fiddler.
- Techniques: Web Application Fuzzing, Directory Indexing/Brute-forcing.