Your SlideShare is downloading. ×
  • Like
Augmented reality in your web proxy
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Augmented reality in your web proxy

  • 1,436 views
Published

This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API. …

This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.

The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.

The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,436
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
17
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Roberto Suggi Liverani - @malerisch Hamburg AppSec Research 2013 OWASP HackPra AllStars
  • 2. Who am I?  A guy who likes to find bugs   Speaker at various cons/events:  Hack in the Box, DefCON, EUSecWest, OWASP, HackPra  OWASP New Zealand Chapter Founder  Twitter: @malerisch  Research blog: blog.malerisch.net 2
  • 3. Outline  Challenges / Solutions  Introducing Burp CSJ / DEMOs  Stories from the automation world  Conclusions / Future plans 3
  • 4. Traditional testing approach 4 Web Proxy Web AppBrowser
  • 5. The concept of proxy suite 5 Web Proxy Suite Web App Intruder Spider Scanner Repeater
  • 6. The problem is… 6 Web App Web Proxy Web App Browser Web proxy originally design to focus on server-side technology Client-side technology shift A web app is designed to be used by a browser
  • 7. Combining technologies  How can we get a browser close to a web proxy or vice versa? 7 Browser Automation Framework Web Proxy API
  • 8. So what do we achieve? 8 Web Proxy Web AppBrowser Web Proxy Web AppBrowser 1 2 3
  • 9. Browser automation options…  Selenium  Browser automation framework  Crawljax  Crawler for Ajax apps based on Selenium  JUnit  Testing framework 9
  • 10. Selenium Server  Integrates Selenium RC  Launches and kills browsers  Interprets and runs Selenese commands  Supports Grid and nodes  Known as:  selenium-server-standalone  selenium-server 10
  • 11. Selenium Client & WebDriver  Based on WebDriver wire protocol – RESTful + JSON  Direct calls to browser  Multiple drivers available: Chrome, IE, Opera, Android, iPhone  Known as selenium-java 11
  • 12. Selenium IDE & JUnit  Create/Repeat/ Execute Test case  Firefox addon  Export to JUnit WebDriver 12
  • 13. Crawljax  Based on Selenium WebDriver APIs  State-flow interpretation of DOM states 13
  • 14. Crawljax 14 Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes
  • 15. Web proxy options…  Burp Extender API  Java/Python/Ruby  Scanner, Proxy, Repeater, Cookie, Target Session handling, HTTP requests/responses  ZAP API  RESTful interface  Spider, core, params, ascan, context auth, acsrf, autoupdate, pscan 15
  • 16. Crawljax - Pros  Why integrate Crawljax?  Augmented reality in your proxy  Increased coverage for complex web apps  Scalability with big/dynamic apps  Integrated in ZAP - Ajax Spider @GuifreRuiz - very cool work!  16
  • 17. JUnit - Pros 17  Why use JUnit?  Increase chances to discover hard-to-find bugs  Easily create repeatable sequence of steps  Reuse existing JUnit test-case  Leverage Burp session handling/macro
  • 18. So how to combine all this?  Created a burp extension (Burp CSJ)  Integrates Crawljax  Integrates JUnit test-case created via Selenium IDE 18 Source: https://github.com/malerisch/burp-csj Coded in Java using google, stackoverflow, a mix of guessing , luck and a lot of swearing…
  • 19. How it works… 19 Burp CSJ Web AppBrowser Crawljax Selenium IDE Selenium WebDriver Junit JDK
  • 20. Crawljax integration  Key Features  Support for Burp cookie jar  Support for multiple browsers, including remote webdriver  Support for multiple HTML elements  Exclusion list for crawling  Support for CrawlOverview plugin 20
  • 21. Crawljax Tab (1/3) 21
  • 22. Crawljax Tab (2/3) 22
  • 23. Crawljax Tab (3/3) 23
  • 24. DEMO  Crawling a site with auth  Crawling a site with auth + remote web driver  DEMO 24
  • 25. JUnit Integration  Key Features  Import compiled Selenium IDE JUnit Test cases  Register test-case into Burp session handling  Test case can be invoked in the Macro editor  Interface to execute Junit test case 25
  • 26. JUnit Tab 26
  • 27. DEMO  Launching JUnit test-case via Burp Proxy  Registering Junit Test-case via Burp and setting a macro  DEMO 27
  • 28. Burp CSJ Tips  Use Burp Spider + Crawljax for crawling and after scanning/attacking application  Create JUnit test cases for sequence which takes long time to repeat  Set Burp macro to use JUnit test case  When using JUnit with Burp CSJ, set the Cookie: header with Burp 28
  • 29. Stories from the automation world… 29
  • 30. base64 and command injection  Crawljax clicked on some pages with base64 encoded data  A scan was run before  Some of those pages content was decoded  Trace of ping command output were found  An indirect OS command injection was found! 30
  • 31. jQuery, toggle() and XSS  Complex app – use of jQuery  Lot of clickable elements which would invoke toggle()  Crawljax clicked element  New page added to Burp Target  Page vulnerable to XSS 31
  • 32. A nice deal…  Internet banking web app  Create a new payee (8 steps)  Perform money transfer (3 steps)  E.g. transfer 10000 JPY (=~ 76 EUR)  Attack: change currency but keep same amount  10k JPY deducted -> 10k EUR sent to other side! 32
  • 33. A nice shopping cart!  Vulnerable shopping cart  Special product item would decrease amount  Sequence of steps had to be performed before  JUnit test-cases made the difference 33
  • 34. Burp CSJ future  Expand Crawljax integration  Support plugin import feature  Expand JUnit Integration  Compile from Java Source directly…  Also change browser set in Junit test case…  Support for Burp cookie jar 34
  • 35. Conclusions  Combining automation is a different type of testing  Time for preparation needed  Not ideal for testers looking for quick wins  ROI is always in bugs discovery  … especially bugs with critical severity 35
  • 36. Questions? Roberto Suggi Liverani - @malerisch blog.malerisch.net  Source Code: https://github.com/malerisch/burp-csj  Tutorial: soon on blog.malerisch.net 36
  • 37. References  Blog – Roberto Suggi Liverani  http://blog.malerisch.net/  Twitter account - @malerisch  https://twitter.com/malerisch  Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes  http://www.ece.ubc.ca/~amesbah/docs/t web-final.pdf 37
  • 38. References  Crawljax  http://crawljax.com/  Selenium  http://docs.seleniumhq.org/  JUnit  http://junit.org/ 38
  • 39. References  Burp Extender API  http://portswigger.net/burp/extender/api/inde x.html  ZAP API  https://code.google.com/p/zaproxy/wiki/ApiD etails  Ajax spider in ZAP  https://code.google.com/p/zaproxy/wiki/GSo C2012_PluginACT 39