WebInspect 9.20 Web Macro Recording with TruClient 2012

This presentation goes through the steps to configure HP WebInspect 9.20 to make it handle challenge/response authentication schemes.

[Please note that this is HP-copyrighted content and we're just hosting it here for convenience. If we need to pull it down just email me: dan _at_ denimgroup dot com.

The original HP Security Laboratory blog post presenting the content is here:
http://h30499.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Challenge-Response-Authentication-No-Problem/ba-p/5644803
And the original PDF can be downloaded from HP here:
http://h30499.www3.hp.com/hpeb/attachments/hpeb/sws-22/589/1/WebInspect%209.20%20Web%20Macro%20Recording%20with%20TruClient%202012.pdf]

Published in: Technology, Business
Slide 1: DenimGroup Auth Example – Using TruClient in WebInspect 9.2
Technical study to show WebInspect capabilities
Hans Enders, HP Presales, May 1, 2012
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Slide 2: Background
• This document details how to use the new TruClient Web Macro Recorder (WMR) in WebInspect 9.20 against a simple Challenge-Response authentication app.
• This document is meant to demonstrate that WebInspect can manage these scenarios out-of-the-box, as well as to show the user many advanced capabilities it offers to maintain session state.
• Since TruClient records user actions and not simple sessions, it includes the ability to handle advanced Q&A without needing changes to the application under test.

Slide 3: Background
• Vendor Challenge:
  – http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html
• Discussion centered around this DenimGroup blog entry:
  – http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
• The sample app was provided by DenimGroup:
  – https://github.com/denimgroup/authexamples

Slide 4: Agenda
• Overview & Configuration
• Demo app walk-through
• Macro for demo app
• Customized demo app
• Macro for customized app
• Finalizing the macro

Slide 5: Overview
• Auth example application provided by DenimGroup
  – All Responses are “apple”
  – Hosting the app on a local instance of XAMPP
• Initial recording
• Editing the example app for differing Answers: “apple”, “CEO”, “White”

Slide 6: Demo app – Authexamples (https://github.com/denimgroup/authexamples)
• What – A simple Challenge-Response app in PHP, using a single answer for all questions.
• Description (from the project):
  – This is a simple project that is intended to demonstrate a couple of different non-standard authentication scenarios for folks to train their scanners and scanner operators on. Currently based on a single scenario in PHP, we'd love to add more scenarios. Questions/comments/updates? Please contact dan _at_ denimgroup.com

Slide 7: Demo app – posting to XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
• What – A simple web server suite for Windows.
• OS used – Windows 7 64-bit
• Installed path: C:\Websites\xampp
• XAMPP 1.7.7, including:
  – Apache 2.2.21
  – MySQL 5.5.16
  – PHP 5.3.8
  – phpMyAdmin 3.4.5
  – FileZilla FTP Server 0.9.39
  – Tomcat 7.0.21 (with mod_proxy_ajp as connector)

Slide 8: Demo app – posting to XAMPP
• Extracted AuthExample to the XAMPP htdocs folder:
  – C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f
  – URL: http://localhost/denimgroup-authexamples-5059b6f/index.php

Slide 9: Agenda (section divider; same list as Slide 4)

Slide 10: Demo app – normal walk through – Login screens (screenshot)

Slide 11: Demo app – default Answers
File: C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
• Answers are all set to “apple” inside login.php:
  // Set up some page data
  $second_stage_questions[0] = array( 1234, 'What is your favorite fruit', 'apple' );
  $second_stage_questions[1] = array( 817, 'What is your favorite Jobs job', 'apple' );
  $second_stage_questions[2] = array( 423, 'What is your favorite Beatles record label', 'apple' );

Slide 12: Demo app – normal walk through – Challenge screens, all “apple” (screenshot)

Slide 13: Demo app – normal walk through – Login, browse, logout (screenshot)

Slide 14: Agenda (section divider; same list as Slide 4)

Slide 15: TruClient WMR – Web Macro Recorder for WebInspect 9.20
• HP TruClient is the latest iteration of HP WebInspect’s Web Macro Recorder tool (WMR).
• TruClient is an event-based UI recorder.
• The two prior WMR tools are still present in WebInspect:
  – Event-based WMR
  – Session-based (Traffic-based) WMR
Enterprise Security – HP Confidential

Slide 16: WMR – simple recording – Raw recorded steps (screenshot)

Slide 17: WMR – simple recording – Playback successful. Notice that Step #8 is the Challenge-Response (Q&A) session.

Slide 18: WMR – simple recording – Once Playback is successful, browse to get logged out (screenshot)

Slide 19: WMR – simple recording – Once logged out, click the Select button and highlight the identifying element (screenshot)

Slide 20: WMR – simple recording – Review the Logout Condition (screenshot)

Slide 21: WMR – simple recording is Done – Works out-of-the-box

Slide 22: Agenda (section divider; same list as Slide 4)

Slide 23: Demo app – custom Answers
File: C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
• Edited the answers to “apple”, “CEO”, and “White” inside login.php:
  // Set up some page data
  $second_stage_questions[0] = array( 1234, 'What is your favorite fruit', 'apple' );
  $second_stage_questions[1] = array( 817, 'What is your favorite Jobs job', 'CEO' );
  $second_stage_questions[2] = array( 423, 'What is your favorite Beatles record label', 'White' );

Slide 24: Demo app – custom Answers – Challenge screens, now different (screenshot)

Slide 25: Agenda (section divider; same list as Slide 4)

Slide 26: WMR – custom Answers – Initial recording. Press Stop and ignore the follow-up Play button; we will need some Q&A code added.

Slide 27: WMR – custom Answers – Final Goal
• To manage dynamic Challenge-Response, the TruClient user will need to insert three new steps into the recorded steps:
  1. Evaluate JavaScript code – Dynamic Security Questions
  2. Evaluate JavaScript – setSecurityQuestion
  3. Evaluate JavaScript – getDynamicAnswer
• For Q&A involving more than one field, each field will need its own pair of setSecurityQuestion and getDynamicAnswer steps, but all of them may be able to share a single step for the Dynamic Security Questions.

Slide 28: WMR – custom Answers – Sneak peek: Final Goal (screenshot)

Slide 29: WMR – custom Answers – Insert new Step #7, “Evaluate JavaScript”, from the Toolbox sidebar

Slide 30: Code – Dynamic Security Question – Open the JavaScript Editor window
• Expand the new JavaScript step > click on “[Code]” > expand “Arguments” > “JS” button

Slide 31: Code – Dynamic Security Question – Sample code
• Build your raw JS, or steal this basic script framework shown below.
  – Edit the questionAnswer lines to match your situation.
  – Note that variable names created here must be kept the same elsewhere as we continue.
  // dynamic security questions
  var questionAnswer = [];
  questionAnswer["What is your favorite fruit"] = "apple";
  questionAnswer["What is your favorite Jobs job"] = "CEO";
  questionAnswer["What is your favorite Beatles record label"] = "White";
  var currentQ;
  function setSecurityQuestion(q) {
    // strip leading and trailing whitespace before using the text as a lookup key
    currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
  }
  function getDynamicAnswer() {
    return questionAnswer[currentQ];
  }

Slide 32: Code – Dynamic Security Question – Sample code (screenshot)

Slide 33: Code – Dynamic Security Question – Sample code
• The user simply pastes in this code sample, then edits the “questionAnswer” lines to match their situation.
  – Update the question inside quotes
  – Update the answer at the end, also in quotes
• Note that variable names used in this script will be used elsewhere, so the user must keep them the same.

Slide 34: Code – Dynamic Security Question – Sample code
• Here is what Step #7 has become. (screenshot)

Slide 35: Code – setSecurityQuestion – Insert new Step #8, “Evaluate JS on Object”, from the Toolbox sidebar

Slide 36: Code – setSecurityQuestion – Choose the Question object
• Play this step alone, then highlight the JavaScript Object in the browser.
  – Right-click the step, or highlight it and press F7
  – The “!” icon simply indicates an error on Playback, offering details on mouseover.

Slide 37: Code – setSecurityQuestion – Choose the Question object
• For this example app, we cannot just select the Question text because the text is not contained within an element of its own (see the green block in the screenshot). Because of this we need to do some additional regular expression parsing. On most sites this step would not be necessary.

Slide 38: Code – setSecurityQuestion – Identify the Question object
• Sample of the raw text offered:
  – Hint: apple is a pretty good choice for all the questions
  – Question: What is your favorite fruit
• Used the included Regular Expression Editor tool to work up the regex:
  – Question:\s(.*)
• Open the JavaScript Editor for this new step

Slide 39: Code – setSecurityQuestion – Identify the Question object
• Useful test code to verify the regex is working in JS:
  – basic >> window.alert(object.textContent)
  – This test app >> window.alert(object.textContent.match(/Question:\s(.*)/)[1])
• Play this Step to check the pop-up – does it match your desired Question text? Yes.

Slide 40: Code – setSecurityQuestion – Identify the Question object
• With the Alert pop-up verification, we are sure our regex works.
• Here is our regex inserted into our standard setSecurityQuestion code:
  – setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])
• Paste this into the JS Editor window
  – Recall that this function name, “setSecurityQuestion”, must match what we created for the Q&A code back in Step #7.

Slide 41: Code – element location – Quick edit for the setSecurityQuestion step
• TruClient by default will locate a text object by doing an exact match on the text. For security questions, we want to locate the text object by position instead. To do this we must change the ID Method from "Automatic" to "XPath".

Slide 42: Code – element location – Quick edit for the setSecurityQuestion step
• Expand the drop-down menu for "XPath:" and choose the second XPath expression, “/html/body/width”, to find the question by its position.
  – Verify this new entry in the browser by using the Highlight button

Slide 43: Code – getDynamicAnswer – Connect the Question back to the JavaScript Q&A code
• We have now added to the macro our Q&A code and the code to identify the Question.
• Now to edit Step #9 so the Answer matches the Question…

Slide 44: Code – getDynamicAnswer – Connect the Answer back to the JavaScript Q&A code in Step #7
• Open the JS Editor window for Step #9’s Argument and enter our standard code:
  – getDynamicAnswer()
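The three pieces above (the Step #7 question table from Slide 31, the Step #8 regex extraction from Slide 40 and the Step #9 getDynamicAnswer() call from Slide 44) joined into one script that runs outside TruClient under Node, as an added example that is not part of the HP deck or the DenimGroup app. TruClient supplies `object` to an “Evaluate JS on Object” step; here a constructed `fakeObject` carrying the raw text from Slide 38 stands in for it, and `extractQuestion` and `answerFor` are helper names introduced for this example only.

```javascript
// Added example, not from the HP deck or the DenimGroup app.
// Step #7 - the Q&A table. Keys must equal the question text after trimming.
// The deck uses "var questionAnswer = []"; a plain object is used here, which
// behaves the same for string keys.
var questionAnswer = {};
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";

var currentQ;

// Step #8 - remember the question shown on the page, trimming leading and
// trailing whitespace exactly as the deck's two replace() calls do, so a
// trailing space or newline in the page text does not break the lookup.
function setSecurityQuestion(q) {
  currentQ = q.replace(/^\s\s*/, "").replace(/\s\s*$/, "");
}

// Step #9 - return the stored answer. A question missing from the table yields
// undefined rather than a guess, so the failure is visible on playback.
function getDynamicAnswer() {
  return questionAnswer[currentQ];
}

// The Slide 40 regex, wrapped so that a page without a "Question:" line
// returns null instead of throwing on match(...)[1].
function extractQuestion(textContent) {
  var m = textContent.match(/Question:\s(.*)/);
  return m ? m[1] : null;
}

// Whole flow for one challenge page: object -> question -> answer.
// Returns undefined when no question line is present or when the question is
// not in the table.
function answerFor(obj) {
  var q = extractQuestion(obj.textContent);
  if (q === null) return undefined;
  setSecurityQuestion(q);
  return getDynamicAnswer();
}

// Constructed stand-in for the TruClient `object`, using the raw text shown on
// Slide 38 with a trailing-space/newline added to exercise the trimming.
var fakeObject = {
  textContent:
    "Hint: apple is a pretty good choice for all the questions\n" +
    "Question: What is your favorite Jobs job  \n"
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(answerFor(fakeObject)); // CEO
}
```

Two points this shows that the slides only imply: the regex `(.*)` stops at the end of the line, so trailing spaces on that line survive and the trim in setSecurityQuestion is what makes the table lookup succeed; and a question whose wording differs from the table key by anything other than surrounding whitespace (punctuation, capitalisation) falls through to undefined, which on playback shows up as an empty answer field and a failed step rather than a silently wrong answer.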
Slide 45: Agenda (section divider; same list as Slide 4)

Slide 46: WMR final steps – Play the finished macro from the beginning

Slide 47: WMR final steps – Playback successful; select the Logout Condition for WebInspect

Slide 48: Logout Conditions – Wait, what are these again?
• A logout condition is an indicator for WebInspect to know when it has gotten logged out while scanning.
• Every Login Macro must have one or more logout conditions
  – Whether or not it involved Challenge-Response questions
• Three types of logout conditions:
  – Regular Expression – supported for all three Web Macro Recorders
  – Object – TruClient and UI event-based WMR only
  – URL – TruClient and UI event-based WMR only

Slide 49: WMR final steps – Browse to Logout, then click the Select button and highlight the element (screenshot)

Slide 50: WMR final steps – Review the Logout Condition; add more as needed

Slide 51: WMR – custom Answers – Final Macro (screenshot)

Slide 52: WMR – custom Answers – Final Macro, closer (screenshot)

Slide 53: WMR – custom Answers – Final Macro, with Comments added from the Toolbox sidebar (screenshot)

Slide 54: Denouement
• Apologies for the length of this study. This technology is sufficiently new that I wanted our customers to fully understand the steps.
  – Future studies should be able to skip well-known steps.
• My thanks go to:
  – Steve Hardeman for his JS coaching and internal training
  – Jeremy Brooks for guidance in setting up this study and the optimal macro
  – The HP Fortify Dev team for their tremendous work on this new WMR tool

Slide 55: Outcomes That Matter