Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan


Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions, the flood reduces to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameter guessing are seldom performed even by skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex-encoded into a very inconsequential-looking string?

Do you enumerate all possible avenues for stored XSS in an application? Checks are often missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool designed for hybrid analysis. It performs automated passive analysis of a web application, with no input from the user in some cases and with application-specific input in others. Based on the initial set of findings, the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.


  1. HAWAS – Hybrid Analyzer for Web Application Security. Lavakumar Kuppan, lava@ironwasp.org, https://twitter.com/lavakumark, https://ironwasp.org
  2. About. Penetration Tester: 5+ years of experience. Security Researcher: Flash 0-day; WAF bypass 0-day using HPP; multiple HTML5 based attack techniques; 5th best Web Application Hacking Technique of 2010; Attack and Defense Labs – http://andlabs.org; HTML5 Security Resources Repository – http://html5security.org
  3. About. Developer: IronWASP (C# + Python + Ruby); Ravan (PHP + JavaScript); JS-Recon (JavaScript); Shell of the Future (C# + JavaScript); Imposter (C# + JavaScript). Speaker: BlackHat; OWASP AppSec Asia; NullCon; SecurityByte; ClubHack
  4. Automated tools exist for finding: SQL Injection, Cross-site Scripting, Command Injection, Code Injection, etc.
  5. But there is a lot more to pentesting: CSRF checks, access-control violations, hidden parameter guessing, and identifying and testing for site-specific custom attack vectors.
  6. HAWAS helps with the automation of the second type of issues.
  7. What is HAWAS? HAWAS is an open source tool that analyzes HTTP logs and: lists out all parameter names and values; identifies encoded values and decodes them; identifies hashed values and tries to crack them; identifies potential Stored XSS candidates; helps with automation of hidden parameter guessing, CSRF testing, access-control checks and more.
  8. Listing parameter names. All Query, Body, Cookie, Header, Set-Cookie parameters are listed for analysis. E.g.: lang, user, pwd, id, …, logged_in, is_admin, … Notice anything interesting? This can be probed further manually.
  9. Listing parameter values. All Query, Body, Cookie, Header, Set-Cookie parameter values are listed for analysis. E.g.: en, true, 23944, …, Fy2010_11_report.pdf, Fy2011_12_report.pdf, …, http://partner.site/data.php, …, SELECT id FROM Users
  10. Parameter values say a lot. Fy2010_11_report.pdf – possible LFI vulnerability. http://partner.site/data.php – possible RFI / Open Redirect vulnerability. SELECT id FROM Users – SQL queries created on the client side and executed on the server side!!! Ironically, automated scanners might not detect this type of SQL Injection!
  11. Identifying encoded values and decoding them. HAWAS identifies base64 and hex encoded values from the list of parameter values and decodes them. It tries to decode every single parameter value by base64 and hex decoding. If the result is a proper ASCII string then it flags it as an encoded value.
  12. Why is this important? Do you see anything interesting in the strings below: asdljz2398sdsdsdsdkssz23sds9sd9a;sdk=awebgf2yto6c2vjcmv0mtiz646973636f756e743a3231252238019jadja8498434dfdfLsjflosow2384fkshfl
  13. How about now? asDljz2398sdYDKus3lnsz23sdE9sd9Asdk=awebGF2YTo6c2VjcmV0MTIz – Base64 Decode -> lava::secret123; 646973636f756e743a323125 – Hex Decode -> discount:21%; 2238019jadja8498434dfdflsjflosow2384fkshfl
  14. Identifying hashes and cracking them. All parameter values are checked to see if they look similar to MD5, SHA1, SHA256, SHA384 or SHA512 hashes. If any matches are found then the hashes are cracked using the entire list of parameter values as the dictionary. Both cracked and uncracked hashed parameter values are displayed to the user.
  15. Stored XSS candidates identification. Analyzes all responses for reflection of any of the input parameters. If user input is reflected back in other responses down the line then it is highlighted. Rarity of reflection is given higher priority to reduce noise in the results.
  16. Interactive testing. CSRF testing, hidden parameter guessing and access-control checks all follow the same 3 step process. Step 1: Pick a request and the corresponding baseline 'good response'. Step 2: Add or edit any of the parameters in the request and send it again. Step 3: Compare this response with the baseline response.
  17. HAWAS automates this. Ability to select one or more requests from the log for a check. The user specifies which parameter must be changed or added to the request. The response for the new request is compared with the baseline and the results are displayed to the user. Ability to support logout detection, auto login, CSRF token updating etc. through Session Plugins.
  18. Thank You!
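
The passive checks on slides 11 to 14, sketched in Python as an added example; this is not HAWAS or IronWASP code. The function names, the minimum-length cut-off and the sample MD5 value are assumptions made for illustration; the two encoded strings are the ones shown on slide 13.

```python
import base64
import binascii
import hashlib
import re

# Hex digest lengths of the hash families the slide names.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
MIN_LEN = 8  # assumption: shorter values decode "cleanly" too often by chance

def printable_ascii(data):
    """Return data as text if every byte is printable ASCII, else None."""
    if data and all(0x20 <= b <= 0x7E for b in data):
        return data.decode("ascii")
    return None

def decode_candidates(value):
    """Try hex and base64 on one parameter value; return {encoding: plaintext}."""
    found = {}
    if len(value) < MIN_LEN:
        return found
    if len(value) % 2 == 0 and HEX_RE.fullmatch(value):
        text = printable_ascii(bytes.fromhex(value))
        if text:
            found["hex"] = text
    try:
        text = printable_ascii(base64.b64decode(value, validate=True))
        if text:
            found["base64"] = text
    except (binascii.Error, ValueError):
        pass  # not valid base64
    return found

def hash_type(value):
    """Name the hash family a value looks like, judged by hex length alone."""
    return HASH_LENGTHS.get(len(value)) if HEX_RE.fullmatch(value) else None

def match_hashes(values):
    """Map each hash-shaped value to the observed value that hashes to it, or None."""
    digests = {}
    for algo in set(HASH_LENGTHS.values()):
        for v in values:
            digests[hashlib.new(algo, v.encode()).hexdigest()] = v
    return {v: digests.get(v.lower()) for v in values if hash_type(v)}

# Constructed sample: values from the slides plus an MD5 of "23944" made up here.
SAMPLE = ["en", "23944", "Fy2010_11_report.pdf", "bGF2YTo6c2VjcmV0MTIz",
          "646973636f756e743a323125", hashlib.md5(b"23944").hexdigest()]
```

A hex string is usually also syntactically valid base64, so both decoders run on every value and the printable-ASCII test decides which result, if any, is reported.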
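
The stored-reflection check on slide 15, as an added Python example that is not HAWAS code. The log structure, the names and the sample entries are constructed for illustration, and ranking by the number of reflecting responses is one reading of "rarity of reflection is given higher priority".

```python
from collections import namedtuple

# One logged request/response pair: URL, submitted parameters, response body.
Entry = namedtuple("Entry", "url params body")
MIN_LEN = 4  # assumption: very short values match response text by accident


def stored_reflection_candidates(log):
    """Return (value, submitted_to, reflected_in) tuples, rarest reflection first."""
    findings, seen = [], set()
    for i, entry in enumerate(log):
        for value in entry.params.values():
            if len(value) < MIN_LEN or value in seen:
                continue
            seen.add(value)
            # Present in a response before it was ever submitted: site content.
            if any(value in earlier.body for earlier in log[:i]):
                continue
            # Later responses that show the value although their request did not send it.
            later = [e.url for e in log[i + 1:]
                     if value in e.body and value not in e.params.values()]
            if later:
                findings.append((value, entry.url, later))
    findings.sort(key=lambda f: len(f[2]))  # stable sort: ties keep log order
    return findings


# Constructed log for this example; URLs and values are made up.
LOG = [
    Entry("/profile/save", {"nickname": "lava_k", "locale": "english"}, "<p>Saved</p>"),
    Entry("/home", {}, "<p>Language: english</p>"),
    Entry("/search", {"q": "reports"}, "<p>Results for reports</p><p>english</p>"),
    Entry("/members", {}, "<li>lava_k</li><p>english</p>"),
]
```

The search term is echoed only in its own response, so it is treated as plain reflection and left out; the nickname, which surfaces once on a different page, ranks above the locale string that appears everywhere.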