Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
BURPKIT Using WebKit to Own the Web 1 2015-07-15 Presented by: Nadeem Douba
INTRODUCTION • Nadeem Douba • Founder of Red Canari, Inc. • Based out of Ottawa, ON. • Hacker • Interests: • Exploiting st...
OVERVIEW • WebKit • What is it? • Why use it? • How can we use it? • BurpKit • Design Considerations • Implementation • De...
THE WEB PEN-TESTER’S CONUNDRUM • Today’s web applications are complex beasts • Heavy use of JavaScript for: • Rendering pa...
OUR TOOLKIT 2015-07-15BurpKit - UsingWebKit to Own the Web 5 • Reconnaissance & Scanning: • Most tools (nikto, cewl, etc.)...
MODERN TOOLKIT REQUIREMENTS 2015-07-15BurpKit - UsingWebKit to Own the Web 6 • Web penetration testing tools that: • Have ...
WEBKIT What is it good for? - Lots of things! 2015-07-15BurpKit - UsingWebKit to Own the Web 7
WHAT IS WEBKIT? “WebKit is a layout engine software component for rendering web pages in web browsers. It powers Apple's S...
(UN)OFFICIAL DEFINITION… 2015-07-15BurpKit - UsingWebKit to Own the Web 9
WEBKIT API • Made up of two major components. • JavaScriptCore - responsible for everything JavaScript: • JavaScript/JSON ...
KNOWN IMPLEMENTATIONS & FORKS 2015-07-15BurpKit - UsingWebKit to Own the Web 11 • Apple’s Safari • Android’s web browser •...
WHY USE WEBKIT? Pros "Widespread adoption "Lots of language support: Java, Python, C/C++, JavaScript, etc. "Portable acros...
HOW CAN YOU USE WEBKIT? Language • JavaScript (NodeJS) • Python • JAVA • Swift/ObjC • Ruby • C/C++ Libraries • Node WebKit...
BURPKIT How we used WebKit. 2015-07-15BurpKit - UsingWebKit to Own the Web 14 + =
WHAT IS BURPKIT? • BurpKit = BurpSuite + WebKit • Used JavaFX’s implementation of WebKit • WebView & Debugger • WebEngine ...
DESIGN DECISIONS • Chose to go with JavaFX over JxBrowser – why? • Redistribution: • JavaFX comes with Java 1.8+. • JxBrow...
JAVAFX: PROS AND CONS Pros "Easy-to-use & clean API "Complete JavaScript bridge "Portable across many platforms "Leverages...
IMPLEMENTATION Nerd Rage 2015-07-15BurpKit - UsingWebKit to Own the Web 18
CHALLENGES • Burp uses Swing for its GUI • WebView and WebEngine need to run on FX event loop • WebEngine does not have a ...
CHALLENGE: SWING/FX INTEROP • Solution: javafx.embed.swing.JFXPanel • Gotchas: • Must avoid interweaving blocking calls • ...
CHALLENGE: LOADING CONTENT WITH A BASE URL 2015-07-15BurpKit - UsingWebKit to Own the Web 21 Credit: http://media.techtarg...
CHALLENGE: REPEATER 2015-07-15BurpKit - UsingWebKit to Own the Web 22 • Background: did not want to reissue a live request...
CHALLENGE: JAVASCRIPT BRIDGE • Background: need to be able to query and manipulate DOM • Solution: inject JAVA objects int...
THE FINAL PRODUCT Google: Before & After 2015-07-15BurpKit - UsingWebKit to Own the Web 24
WELL? 2015-07-15BurpKit - UsingWebKit to Own the Web 25
BURPKIT DEMOS There’s lots to see! 2015-07-15BurpKit - UsingWebKit to Own the Web 26
DEMO: GUI WALKTHROUGH Feature set 2015-07-15BurpKit - UsingWebKit to Own the Web 27
XSS TRACKER Tainting applications 2015-07-15BurpKit - UsingWebKit to Own the Web 28
DEMO: DOM INTERACTION Analyzing Twitter Followers 2015-07-15BurpKit - UsingWebKit to Own the Web 29
DEMO: BURP EXTENSIONS Proxy Listeners, Message Editors, and Context Menus 2015-07-15BurpKit - UsingWebKit to Own the Web 30
CONCLUSION • Let’s stop scraping and let’s start DOMinating the web! • Our security tools need to evolve just like the web...
KUDOS • My Lovely Wife $ • Justin Seitz • http://automatingosint.com/ • Dirk Lemmermann • http://dlsc.com/ • Tomas Mikula ...
¿QUESTIONS? We aim to please… 2015-07-15BurpKit - UsingWebKit to Own the Web 33
Upcoming SlideShare
Loading in …5
×

DEFCON 23 - Nadeem Douba - Using WebKit to Own the Web

42 views

Published on

DEFCON 23 - Nadeem Douba - Using WebKit to Own the Web

Published in: Technology
no profile picture user

  • Be the first to comment

  • Be the first to like this

DEFCON 23 - Nadeem Douba - Using WebKit to Own the Web

  1. 1. BURPKIT Using WebKit to Own the Web 1 2015-07-15 Presented by: Nadeem Douba
  2. 2. INTRODUCTION • Nadeem Douba • Founder of Red Canari, Inc. • Based out of Ottawa, ON. • Hacker • Interests: • Exploiting stuff • Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune 100s) • PyMiProxy (used by Internet Archive) BurpKit - UsingWebKit to Own the Web 2 2015-07-15
  3. 3. OVERVIEW • WebKit • What is it? • Why use it? • How can we use it? • BurpKit • Design Considerations • Implementation • Demos! • Conclusion • Questions? 2015-07-15BurpKit - UsingWebKit to Own the Web 3
  4. 4. THE WEB PEN-TESTER’S CONUNDRUM • Today’s web applications are complex beasts • Heavy use of JavaScript for: • Rendering pages • Rendering page elements • Performing web service requests • ¿But our security tools are still scraping HTML!? 2015-07-15BurpKit - UsingWebKit to Own the Web 4
  5. 5. OUR TOOLKIT 2015-07-15BurpKit - UsingWebKit to Own the Web 5 • Reconnaissance & Scanning: • Most tools (nikto, cewl, etc.) just scrape HTML • Attack: • BurpSuite Pro/Community • Lobo-based Renderer tab (Burp’s neglected child) ! • No JavaScript/HTML5 support • Charles & Zed are just proxies • WebSecurify’s Proxy.app only has a web view
  6. 6. MODERN TOOLKIT REQUIREMENTS 2015-07-15BurpKit - UsingWebKit to Own the Web 6 • Web penetration testing tools that: • Have modern web browser capabilities • Parse and interpret JavaScript • Dynamically render and inspect content • Most importantly: • Our tools need to be able to interact with the DOM!
  7. 7. WEBKIT What is it good for? - Lots of things! 2015-07-15BurpKit - UsingWebKit to Own the Web 7
  8. 8. WHAT IS WEBKIT? “WebKit is a layout engine software component for rendering web pages in web browsers. It powers Apple's Safari web browser, and a fork of the project is used by Google's Chrome web browser.” - Wikipedia (https://en.wikipedia.org/wiki/WebKit) 2015-07-15BurpKit - UsingWebKit to Own the Web 8 Image credit: Smashing Magazine
  9. 9. (UN)OFFICIAL DEFINITION… 2015-07-15BurpKit - UsingWebKit to Own the Web 9
  10. 10. WEBKIT API • Made up of two major components. • JavaScriptCore - responsible for everything JavaScript: • JavaScript/JSON parsing & execution • Garbage collection • Debugger • Etc. • WebCore – responsible for everything else: • Resource loading • Content parsing & rendering • Web Inspector • Etc. 2015-07-15BurpKit - UsingWebKit to Own the Web 10
  11. 11. KNOWN IMPLEMENTATIONS & FORKS 2015-07-15BurpKit - UsingWebKit to Own the Web 11 • Apple’s Safari • Android’s web browser • Nokia QT • JavaFX WebView • WebKitGTK+ • PhantomJS • Google Chromium • Node WebKit • Many more… (https://trac.webkit.org/wiki/Applicatio ns%20using%20WebKit) Image credit: http://bitergia.com/public/reports/webkit/2013_01/
  12. 12. WHY USE WEBKIT? Pros "Widespread adoption "Lots of language support: Java, Python, C/C++, JavaScript, etc. "Portable across many platforms "Can interact with the DOM and JS Engine. Cons ✗ Your code will be susceptible to the same bugs that plague modern browsers ✗ Tools will be hungrier for system resources (i.e. RAM, CPU). 2015-07-15BurpKit - UsingWebKit to Own the Web 12
  13. 13. HOW CAN YOU USE WEBKIT? Language • JavaScript (NodeJS) • Python • JAVA • Swift/ObjC • Ruby • C/C++ Libraries • Node WebKit • WebKitGTK+, PyQt • FX WebView, Qt Jambi, JxBrowser • UIWebView • WebKitGTK+, Qt • Chromium, WebKit 2015-07-15BurpKit - UsingWebKit to Own the Web 13
  14. 14. BURPKIT How we used WebKit. 2015-07-15BurpKit - UsingWebKit to Own the Web 14 + =
  15. 15. WHAT IS BURPKIT? • BurpKit = BurpSuite + WebKit • Used JavaFX’s implementation of WebKit • WebView & Debugger • WebEngine • Provides a real rendering tab (that’s right… no more lobo) • Has a bidirectional bridge between BurpSuite & WebKit! • And more! BurpSuite Extender- API Java4based- WebKit API Rendering- engine 2015-07-15BurpKit - UsingWebKit to Own the Web 15 BurpKit
  16. 16. DESIGN DECISIONS • Chose to go with JavaFX over JxBrowser – why? • Redistribution: • JavaFX comes with Java 1.8+. • JxBrowser needs bundling (>250MB) • Cost: • JavaFX is FREE! • JxBrowser is not! • API: • JavaFX has a cleaner API • JxBrowser’s is a bit ¿clunky? 2015-07-15BurpKit - UsingWebKit to Own the Web 16
  17. 17. JAVAFX: PROS AND CONS Pros "Easy-to-use & clean API "Complete JavaScript bridge "Portable across many platforms "Leverages the Java URL framework (hookable) "Does provide debugging/profiling information (with some hacking) "Bundled with Java 1.8+ Cons ✗ API is incomplete – under development ✗ No GUI components for WebInspector and friends ✗ Little documentation on advanced features (must look at code) ✗ Still a bit buggy 2015-07-15BurpKit - UsingWebKit to Own the Web 17
  18. 18. IMPLEMENTATION Nerd Rage 2015-07-15BurpKit - UsingWebKit to Own the Web 18
  19. 19. CHALLENGES • Burp uses Swing for its GUI • WebView and WebEngine need to run on FX event loop • WebEngine does not have a loadContentWithBaseUrl(content,6url) method - only has: • loadContent(content,6type); and • load(url) • BurpSuite had to be able to interact with JavaScript and vice-versa 2015-07-15BurpKit - UsingWebKit to Own the Web 19
  20. 20. CHALLENGE: SWING/FX INTEROP • Solution: javafx.embed.swing.JFXPanel • Gotchas: • Must avoid interweaving blocking calls • i.e. Swing # JavaFX # Swing = ¡DEADLOCK! • Always check if you’re on the right event loop! • Workarounds: • Eagerly initializing resources sometimes necessary • Lots of wrapping code! 2015-07-15BurpKit - UsingWebKit to Own the Web 20
  21. 21. CHALLENGE: LOADING CONTENT WITH A BASE URL 2015-07-15BurpKit - UsingWebKit to Own the Web 21 Credit: http://media.techtarget.com/tss/static/articles/content/dm_protocolHandlers/j ava_protocol.pdf • Why? • Required to render responses for repeated requests • Solution: hook java.net.URL protocol handling framework • WebView uses framework to issue HTTP(S) requests • Challenge: • Our new handlers would have to support both live and repeated requests.
  22. 22. CHALLENGE: REPEATER 2015-07-15BurpKit - UsingWebKit to Own the Web 22 • Background: did not want to reissue a live request because content may change. • Solution: overrode HTTP(s) handlers and used User4Agent to “tag” repeated requests. • If User4Agent contains SHA1 hash, give URL handler fake output stream • Else, continue with live request • See BurpKit Java package com.redcanari.net.http for code.
  23. 23. CHALLENGE: JAVASCRIPT BRIDGE • Background: need to be able to query and manipulate DOM • Solution: inject JAVA objects into JS engine! • Gotchas: • Funky reflection algorithm in WebEngine prevented straight-forward JAVA object interaction. • Lots of deadlock scenarios • Workarounds: • Wrapper classes galore! • Eager instantiation of Swing components. 2015-07-15BurpKit - UsingWebKit to Own the Web 23
  24. 24. THE FINAL PRODUCT Google: Before & After 2015-07-15BurpKit - UsingWebKit to Own the Web 24
  25. 25. WELL? 2015-07-15BurpKit - UsingWebKit to Own the Web 25
  26. 26. BURPKIT DEMOS There’s lots to see! 2015-07-15BurpKit - UsingWebKit to Own the Web 26
  27. 27. DEMO: GUI WALKTHROUGH Feature set 2015-07-15BurpKit - UsingWebKit to Own the Web 27
  28. 28. XSS TRACKER Tainting applications 2015-07-15BurpKit - UsingWebKit to Own the Web 28
  29. 29. DEMO: DOM INTERACTION Analyzing Twitter Followers 2015-07-15BurpKit - UsingWebKit to Own the Web 29
  30. 30. DEMO: BURP EXTENSIONS Proxy Listeners, Message Editors, and Context Menus 2015-07-15BurpKit - UsingWebKit to Own the Web 30
  31. 31. CONCLUSION • Let’s stop scraping and let’s start DOMinating the web! • Our security tools need to evolve just like the web. • We have the tools/libraries at our disposal • Please contribute your ideas and code to BurpKit! • We need to make it the standard! 2015-07-15BurpKit - UsingWebKit to Own the Web 31
  32. 32. KUDOS • My Lovely Wife $ • Justin Seitz • http://automatingosint.com/ • Dirk Lemmermann • http://dlsc.com/ • Tomas Mikula • https://github.com/TomasMikula/Ri chTextFX • Java/JavaFX team • The Noun Project • All the contributors! 2015-07-15BurpKit - UsingWebKit to Own the Web 32
  33. 33. ¿QUESTIONS? We aim to please… 2015-07-15BurpKit - UsingWebKit to Own the Web 33

×