SlideShare a Scribd company logo
1 of 39
Download to read offline
Roberto Suggi Liverani - @malerisch
Hamburg
AppSec Research 2013 OWASP
HackPra AllStars
Who am I?
 A guy who likes to find bugs 
 Speaker at various cons/events:
 Hack in the Box, DefCON, EUSecWest,
OWASP, HackPra
 OWASP New Zealand Chapter Founder
 Twitter: @malerisch
 Research blog: blog.malerisch.net
2
Outline
 Challenges / Solutions
 Introducing Burp CSJ / DEMOs
 Stories from the automation world
 Conclusions / Future plans
3
Traditional testing approach
4
Web Proxy Web AppBrowser
The concept of proxy suite
5
Web Proxy
Suite
Web App
Intruder
Spider
Scanner
Repeater
The problem is…
6
Web App Web Proxy
Web App Browser
Web proxy originally design to focus on
server-side technology
Client-side technology shift
A web app is designed to be used by a browser
Combining technologies
 How can we get a browser close to a
web proxy or vice versa?
7
Browser
Automation
Framework
Web Proxy
API
So what do we achieve?
8
Web Proxy Web AppBrowser
Web Proxy Web AppBrowser
1
2
3
Browser automation options…
 Selenium
 Browser automation framework
 Crawljax
 Crawler for Ajax apps based on Selenium
 JUnit
 Testing framework
9
Selenium Server
 Integrates Selenium RC
 Launches and kills browsers
 Interprets and runs Selenese commands
 Supports Grid and nodes
 Known as:
 selenium-server-standalone
 selenium-server
10
Selenium Client & WebDriver
 Based on WebDriver wire protocol –
RESTful + JSON
 Direct calls to browser
 Multiple drivers available:
Chrome, IE, Opera, Android, iPhone
 Known as selenium-java
11
Selenium IDE & JUnit
 Create/Repeat/
Execute Test
case
 Firefox addon
 Export to
JUnit
WebDriver
12
Crawljax
 Based on Selenium WebDriver APIs
 State-flow interpretation of DOM states
13
Crawljax
14
Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes
Web proxy options…
 Burp Extender API
 Java/Python/Ruby
 Scanner, Proxy, Repeater, Cookie, Target
Session handling, HTTP requests/responses
 ZAP API
 RESTful interface
 Spider, core, params, ascan, context
auth, acsrf, autoupdate, pscan
15
Crawljax - Pros
 Why integrate Crawljax?
 Augmented reality in your proxy
 Increased coverage for complex web apps
 Scalability with big/dynamic apps
 Integrated in ZAP - Ajax Spider
@GuifreRuiz - very cool work! 
16
JUnit - Pros
17
 Why use JUnit?
 Increase chances to discover hard-to-find
bugs
 Easily create repeatable sequence of steps
 Reuse existing JUnit test-case
 Leverage Burp session handling/macro
So how to combine all this?
 Created a burp extension (Burp CSJ)
 Integrates Crawljax
 Integrates JUnit test-case created via
Selenium IDE
18
Source: https://github.com/malerisch/burp-csj
Coded in Java using google, stackoverflow, a mix of
guessing , luck and a lot of swearing…
How it works…
19
Burp CSJ Web AppBrowser
Crawljax
Selenium
IDE
Selenium
WebDriver
Junit
JDK
Crawljax integration
 Key Features
 Support for Burp cookie jar
 Support for multiple browsers, including
remote webdriver
 Support for multiple HTML elements
 Exclusion list for crawling
 Support for CrawlOverview plugin
20
Crawljax Tab (1/3)
21
Crawljax Tab (2/3)
22
Crawljax Tab (3/3)
23
DEMO
 Crawling a site with auth
 Crawling a site with auth + remote web
driver
 DEMO
24
JUnit Integration
 Key Features
 Import compiled Selenium IDE JUnit Test
cases
 Register test-case into Burp session
handling
 Test case can be invoked in the Macro editor
 Interface to execute Junit test case
25
JUnit Tab
26
DEMO
 Launching JUnit test-case via Burp
Proxy
 Registering Junit Test-case via Burp and
setting a macro
 DEMO
27
Burp CSJ Tips
 Use Burp Spider + Crawljax for crawling
and after scanning/attacking application
 Create JUnit test cases for sequence which
takes long time to repeat
 Set Burp macro to use JUnit test case
 When using JUnit with Burp CSJ, set the
Cookie: header with Burp
28
Stories from the automation world…
29
base64 and command injection
 Crawljax clicked on some pages with
base64 encoded data
 A scan was run before
 Some of those pages content was
decoded
 Trace of ping command output were
found
 An indirect OS command injection was
found!
30
jQuery, toggle() and XSS
 Complex app – use of jQuery
 Lot of clickable elements which would
invoke toggle()
 Crawljax clicked element
 New page added to Burp Target
 Page vulnerable to XSS
31
A nice deal…
 Internet banking web app
 Create a new payee (8 steps)
 Perform money transfer (3 steps)
 E.g. transfer 10000 JPY (=~ 76 EUR)
 Attack: change currency but keep same
amount
 10k JPY deducted -> 10k EUR sent to
other side!
32
A nice shopping cart!
 Vulnerable shopping cart
 Special product item would decrease
amount
 Sequence of steps had to be performed
before
 JUnit test-cases made the difference
33
Burp CSJ future
 Expand Crawljax integration
 Support plugin import feature
 Expand JUnit Integration
 Compile from Java Source directly…
 Also change browser set in Junit test case…
 Support for Burp cookie jar
34
Conclusions
 Combining automation is a different type
of testing
 Time for preparation needed
 Not ideal for testers looking for quick wins
 ROI is always in bugs discovery
 … especially bugs with critical severity
35
Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
 Source Code:
https://github.com/malerisch/burp-csj
 Tutorial: soon on blog.malerisch.net
36
References
 Blog – Roberto Suggi Liverani
 http://blog.malerisch.net/
 Twitter account - @malerisch
 https://twitter.com/malerisch
 Crawling AJAX-Based Web Applications
through Dynamic Analysis of User
Interface State Changes
 http://www.ece.ubc.ca/~amesbah/docs/t
web-final.pdf
37
References
 Crawljax
 http://crawljax.com/
 Selenium
 http://docs.seleniumhq.org/
 JUnit
 http://junit.org/
38
References
 Burp Extender API
 http://portswigger.net/burp/extender/api/inde
x.html
 ZAP API
 https://code.google.com/p/zaproxy/wiki/ApiD
etails
 Ajax spider in ZAP
 https://code.google.com/p/zaproxy/wiki/GSo
C2012_PluginACT
39

More Related Content

What's hot

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingAbraham Aranguren
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?Ciaran McNally
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF AgainNetsparker
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Tw noche geek quito webappsec
Tw noche geek quito   webappsecTw noche geek quito   webappsec
Tw noche geek quito webappsecThoughtworks
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Abraham Aranguren
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 

What's hot (20)

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parentingSmart Sheriff, Dumb Idea, the wild west of government assisted parenting
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Tw noche geek quito webappsec
Tw noche geek quito   webappsecTw noche geek quito   webappsec
Tw noche geek quito webappsec
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid...
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 

Viewers also liked

Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"
Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"
Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"Defcon Moscow
 
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...Defcon Moscow
 
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow
 
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"Defcon Moscow
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris SavkovOWASP Russia
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Application security? Firewall it!
Application security? Firewall it!Application security? Firewall it!
Application security? Firewall it!Positive Hack Days
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 

Viewers also liked (12)

XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"
Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"
Defcon Moscow #0x0A - Nikita Kislitsin APT "Advanced Persistent Threats"
 
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...
Defcon Moscow #0x0A - Sergey Golovanov "Вредоносные программы для финансовых ...
 
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
 
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"
Defcon Moscow #0x0A - Dmitry Nedospasov "WTFPGA?!"
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Application security? Firewall it!
Application security? Firewall it!Application security? Firewall it!
Application security? Firewall it!
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 

Similar to Augmented reality in your web proxy

(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Building a full-stack app with Golang and Google Cloud Platform in one week
Building a full-stack app with Golang and Google Cloud Platform in one weekBuilding a full-stack app with Golang and Google Cloud Platform in one week
Building a full-stack app with Golang and Google Cloud Platform in one weekDr. Felix Raab
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017ElifTech
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Matt Raible
 
Javascript toolkit-2.0
Javascript toolkit-2.0Javascript toolkit-2.0
Javascript toolkit-2.0Thoughtworks
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015Matt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...Matt Raible
 
Prototyping app using JS and HTML5 (Ciklum Kharkiv)
Prototyping app using JS and HTML5 (Ciklum Kharkiv)Prototyping app using JS and HTML5 (Ciklum Kharkiv)
Prototyping app using JS and HTML5 (Ciklum Kharkiv)Yuriy Silvestrov
 
StrongLoop Overview
StrongLoop OverviewStrongLoop Overview
StrongLoop OverviewShubhra Kar
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruMichele Orru
 
Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015Matt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Matt Raible
 
All levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-appsAll levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-appsAndrii Skrypnychenko
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Matt Raible
 
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKJavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKDavid Wesst
 
Quo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynoteQuo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynoteChristian Heilmann
 
Pain Driven Development by Alexandr Sugak
Pain Driven Development by Alexandr SugakPain Driven Development by Alexandr Sugak
Pain Driven Development by Alexandr SugakSigma Software
 
Azure and web sites hackaton deck
Azure and web sites hackaton deckAzure and web sites hackaton deck
Azure and web sites hackaton deckAlexey Bokov
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Matt Raible
 

Similar to Augmented reality in your web proxy (20)

(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Building a full-stack app with Golang and Google Cloud Platform in one week
Building a full-stack app with Golang and Google Cloud Platform in one weekBuilding a full-stack app with Golang and Google Cloud Platform in one week
Building a full-stack app with Golang and Google Cloud Platform in one week
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
 
Javascript toolkit-2.0
Javascript toolkit-2.0Javascript toolkit-2.0
Javascript toolkit-2.0
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
 
Prototyping app using JS and HTML5 (Ciklum Kharkiv)
Prototyping app using JS and HTML5 (Ciklum Kharkiv)Prototyping app using JS and HTML5 (Ciklum Kharkiv)
Prototyping app using JS and HTML5 (Ciklum Kharkiv)
 
StrongLoop Overview
StrongLoop OverviewStrongLoop Overview
StrongLoop Overview
 
Be ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orruBe ef presentation-securitybyte2011-michele_orru
Be ef presentation-securitybyte2011-michele_orru
 
Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
 
Gwt Deep Dive
Gwt Deep DiveGwt Deep Dive
Gwt Deep Dive
 
All levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-appsAll levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-apps
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
 
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKJavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
 
Quo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynoteQuo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynote
 
Pain Driven Development by Alexandr Sugak
Pain Driven Development by Alexandr SugakPain Driven Development by Alexandr Sugak
Pain Driven Development by Alexandr Sugak
 
Azure and web sites hackaton deck
Azure and web sites hackaton deckAzure and web sites hackaton deck
Azure and web sites hackaton deck
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
 

More from Roberto Suggi Liverani

More from Roberto Suggi Liverani (7)

None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 

Recently uploaded

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideHironori Washizaki
 

Recently uploaded (20)

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 

Augmented reality in your web proxy

  • 1. Roberto Suggi Liverani - @malerisch Hamburg AppSec Research 2013 OWASP HackPra AllStars
  • 2. Who am I?  A guy who likes to find bugs   Speaker at various cons/events:  Hack in the Box, DefCON, EUSecWest, OWASP, HackPra  OWASP New Zealand Chapter Founder  Twitter: @malerisch  Research blog: blog.malerisch.net 2
  • 3. Outline  Challenges / Solutions  Introducing Burp CSJ / DEMOs  Stories from the automation world  Conclusions / Future plans 3
  • 4. Traditional testing approach 4 Web Proxy Web AppBrowser
  • 5. The concept of proxy suite 5 Web Proxy Suite Web App Intruder Spider Scanner Repeater
  • 6. The problem is… 6 Web App Web Proxy Web App Browser Web proxy originally design to focus on server-side technology Client-side technology shift A web app is designed to be used by a browser
  • 7. Combining technologies  How can we get a browser close to a web proxy or vice versa? 7 Browser Automation Framework Web Proxy API
  • 8. So what do we achieve? 8 Web Proxy Web AppBrowser Web Proxy Web AppBrowser 1 2 3
  • 9. Browser automation options…  Selenium  Browser automation framework  Crawljax  Crawler for Ajax apps based on Selenium  JUnit  Testing framework 9
  • 10. Selenium Server  Integrates Selenium RC  Launches and kills browsers  Interprets and runs Selenese commands  Supports Grid and nodes  Known as:  selenium-server-standalone  selenium-server 10
  • 11. Selenium Client & WebDriver  Based on WebDriver wire protocol – RESTful + JSON  Direct calls to browser  Multiple drivers available: Chrome, IE, Opera, Android, iPhone  Known as selenium-java 11
  • 12. Selenium IDE & JUnit  Create/Repeat/ Execute Test case  Firefox addon  Export to JUnit WebDriver 12
  • 13. Crawljax  Based on Selenium WebDriver APIs  State-flow interpretation of DOM states 13
  • 14. Crawljax 14 Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes
  • 15. Web proxy options…  Burp Extender API  Java/Python/Ruby  Scanner, Proxy, Repeater, Cookie, Target Session handling, HTTP requests/responses  ZAP API  RESTful interface  Spider, core, params, ascan, context auth, acsrf, autoupdate, pscan 15
  • 16. Crawljax - Pros  Why integrate Crawljax?  Augmented reality in your proxy  Increased coverage for complex web apps  Scalability with big/dynamic apps  Integrated in ZAP - Ajax Spider @GuifreRuiz - very cool work!  16
  • 17. JUnit - Pros 17  Why use JUnit?  Increase chances to discover hard-to-find bugs  Easily create repeatable sequence of steps  Reuse existing JUnit test-case  Leverage Burp session handling/macro
  • 18. So how to combine all this?  Created a burp extension (Burp CSJ)  Integrates Crawljax  Integrates JUnit test-case created via Selenium IDE 18 Source: https://github.com/malerisch/burp-csj Coded in Java using google, stackoverflow, a mix of guessing , luck and a lot of swearing…
  • 19. How it works… 19 Burp CSJ Web AppBrowser Crawljax Selenium IDE Selenium WebDriver Junit JDK
  • 20. Crawljax integration  Key Features  Support for Burp cookie jar  Support for multiple browsers, including remote webdriver  Support for multiple HTML elements  Exclusion list for crawling  Support for CrawlOverview plugin 20
  • 24. DEMO  Crawling a site with auth  Crawling a site with auth + remote web driver  DEMO 24
  • 25. JUnit Integration  Key Features  Import compiled Selenium IDE JUnit Test cases  Register test-case into Burp session handling  Test case can be invoked in the Macro editor  Interface to execute Junit test case 25
  • 27. DEMO  Launching JUnit test-case via Burp Proxy  Registering Junit Test-case via Burp and setting a macro  DEMO 27
  • 28. Burp CSJ Tips  Use Burp Spider + Crawljax for crawling and after scanning/attacking application  Create JUnit test cases for sequence which takes long time to repeat  Set Burp macro to use JUnit test case  When using JUnit with Burp CSJ, set the Cookie: header with Burp 28
  • 29. Stories from the automation world… 29
  • 30. base64 and command injection  Crawljax clicked on some pages with base64 encoded data  A scan was run before  Some of those pages content was decoded  Trace of ping command output were found  An indirect OS command injection was found! 30
  • 31. jQuery, toggle() and XSS  Complex app – use of jQuery  Lot of clickable elements which would invoke toggle()  Crawljax clicked element  New page added to Burp Target  Page vulnerable to XSS 31
  • 32. A nice deal…  Internet banking web app  Create a new payee (8 steps)  Perform money transfer (3 steps)  E.g. transfer 10000 JPY (=~ 76 EUR)  Attack: change currency but keep same amount  10k JPY deducted -> 10k EUR sent to other side! 32
  • 33. A nice shopping cart!  Vulnerable shopping cart  Special product item would decrease amount  Sequence of steps had to be performed before  JUnit test-cases made the difference 33
  • 34. Burp CSJ future  Expand Crawljax integration  Support plugin import feature  Expand JUnit Integration  Compile from Java Source directly…  Also change browser set in Junit test case…  Support for Burp cookie jar 34
  • 35. Conclusions  Combining automation is a different type of testing  Time for preparation needed  Not ideal for testers looking for quick wins  ROI is always in bugs discovery  … especially bugs with critical severity 35
  • 36. Questions? Roberto Suggi Liverani - @malerisch blog.malerisch.net  Source Code: https://github.com/malerisch/burp-csj  Tutorial: soon on blog.malerisch.net 36
  • 37. References  Blog – Roberto Suggi Liverani  http://blog.malerisch.net/  Twitter account - @malerisch  https://twitter.com/malerisch  Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes  http://www.ece.ubc.ca/~amesbah/docs/t web-final.pdf 37
  • 38. References  Crawljax  http://crawljax.com/  Selenium  http://docs.seleniumhq.org/  JUnit  http://junit.org/ 38
  • 39. References  Burp Extender API  http://portswigger.net/burp/extender/api/inde x.html  ZAP API  https://code.google.com/p/zaproxy/wiki/ApiD etails  Ajax spider in ZAP  https://code.google.com/p/zaproxy/wiki/GSo C2012_PluginACT 39