Augmented reality in your web proxy

2,328 views

Published on

This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.

The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.

The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,328
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
25
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Augmented reality in your web proxy

  1. 1. Roberto Suggi Liverani - @malerisch Hamburg AppSec Research 2013 OWASP HackPra AllStars
  2. 2. Who am I?  A guy who likes to find bugs   Speaker at various cons/events:  Hack in the Box, DefCON, EUSecWest, OWASP, HackPra  OWASP New Zealand Chapter Founder  Twitter: @malerisch  Research blog: blog.malerisch.net 2
  3. 3. Outline  Challenges / Solutions  Introducing Burp CSJ / DEMOs  Stories from the automation world  Conclusions / Future plans 3
  4. 4. Traditional testing approach 4 Web Proxy Web AppBrowser
  5. 5. The concept of proxy suite 5 Web Proxy Suite Web App Intruder Spider Scanner Repeater
  6. 6. The problem is… 6 Web App Web Proxy Web App Browser Web proxy originally design to focus on server-side technology Client-side technology shift A web app is designed to be used by a browser
  7. 7. Combining technologies  How can we get a browser close to a web proxy or vice versa? 7 Browser Automation Framework Web Proxy API
  8. 8. So what do we achieve? 8 Web Proxy Web AppBrowser Web Proxy Web AppBrowser 1 2 3
  9. 9. Browser automation options…  Selenium  Browser automation framework  Crawljax  Crawler for Ajax apps based on Selenium  JUnit  Testing framework 9
  10. 10. Selenium Server  Integrates Selenium RC  Launches and kills browsers  Interprets and runs Selenese commands  Supports Grid and nodes  Known as:  selenium-server-standalone  selenium-server 10
  11. 11. Selenium Client & WebDriver  Based on WebDriver wire protocol – RESTful + JSON  Direct calls to browser  Multiple drivers available: Chrome, IE, Opera, Android, iPhone  Known as selenium-java 11
  12. 12. Selenium IDE & JUnit  Create/Repeat/ Execute Test case  Firefox addon  Export to JUnit WebDriver 12
  13. 13. Crawljax  Based on Selenium WebDriver APIs  State-flow interpretation of DOM states 13
  14. 14. Crawljax 14 Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes
  15. 15. Web proxy options…  Burp Extender API  Java/Python/Ruby  Scanner, Proxy, Repeater, Cookie, Target Session handling, HTTP requests/responses  ZAP API  RESTful interface  Spider, core, params, ascan, context auth, acsrf, autoupdate, pscan 15
  16. 16. Crawljax - Pros  Why integrate Crawljax?  Augmented reality in your proxy  Increased coverage for complex web apps  Scalability with big/dynamic apps  Integrated in ZAP - Ajax Spider @GuifreRuiz - very cool work!  16
  17. 17. JUnit - Pros 17  Why use JUnit?  Increase chances to discover hard-to-find bugs  Easily create repeatable sequence of steps  Reuse existing JUnit test-case  Leverage Burp session handling/macro
  18. 18. So how to combine all this?  Created a burp extension (Burp CSJ)  Integrates Crawljax  Integrates JUnit test-case created via Selenium IDE 18 Source: https://github.com/malerisch/burp-csj Coded in Java using google, stackoverflow, a mix of guessing , luck and a lot of swearing…
  19. 19. How it works… 19 Burp CSJ Web AppBrowser Crawljax Selenium IDE Selenium WebDriver Junit JDK
  20. 20. Crawljax integration  Key Features  Support for Burp cookie jar  Support for multiple browsers, including remote webdriver  Support for multiple HTML elements  Exclusion list for crawling  Support for CrawlOverview plugin 20
  21. 21. Crawljax Tab (1/3) 21
  22. 22. Crawljax Tab (2/3) 22
  23. 23. Crawljax Tab (3/3) 23
  24. 24. DEMO  Crawling a site with auth  Crawling a site with auth + remote web driver  DEMO 24
  25. 25. JUnit Integration  Key Features  Import compiled Selenium IDE JUnit Test cases  Register test-case into Burp session handling  Test case can be invoked in the Macro editor  Interface to execute Junit test case 25
  26. 26. JUnit Tab 26
  27. 27. DEMO  Launching JUnit test-case via Burp Proxy  Registering Junit Test-case via Burp and setting a macro  DEMO 27
  28. 28. Burp CSJ Tips  Use Burp Spider + Crawljax for crawling and after scanning/attacking application  Create JUnit test cases for sequence which takes long time to repeat  Set Burp macro to use JUnit test case  When using JUnit with Burp CSJ, set the Cookie: header with Burp 28
  29. 29. Stories from the automation world… 29
  30. 30. base64 and command injection  Crawljax clicked on some pages with base64 encoded data  A scan was run before  Some of those pages content was decoded  Trace of ping command output were found  An indirect OS command injection was found! 30
  31. 31. jQuery, toggle() and XSS  Complex app – use of jQuery  Lot of clickable elements which would invoke toggle()  Crawljax clicked element  New page added to Burp Target  Page vulnerable to XSS 31
  32. 32. A nice deal…  Internet banking web app  Create a new payee (8 steps)  Perform money transfer (3 steps)  E.g. transfer 10000 JPY (=~ 76 EUR)  Attack: change currency but keep same amount  10k JPY deducted -> 10k EUR sent to other side! 32
  33. 33. A nice shopping cart!  Vulnerable shopping cart  Special product item would decrease amount  Sequence of steps had to be performed before  JUnit test-cases made the difference 33
  34. 34. Burp CSJ future  Expand Crawljax integration  Support plugin import feature  Expand JUnit Integration  Compile from Java Source directly…  Also change browser set in Junit test case…  Support for Burp cookie jar 34
  35. 35. Conclusions  Combining automation is a different type of testing  Time for preparation needed  Not ideal for testers looking for quick wins  ROI is always in bugs discovery  … especially bugs with critical severity 35
  36. 36. Questions? Roberto Suggi Liverani - @malerisch blog.malerisch.net  Source Code: https://github.com/malerisch/burp-csj  Tutorial: soon on blog.malerisch.net 36
  37. 37. References  Blog – Roberto Suggi Liverani  http://blog.malerisch.net/  Twitter account - @malerisch  https://twitter.com/malerisch  Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes  http://www.ece.ubc.ca/~amesbah/docs/t web-final.pdf 37
  38. 38. References  Crawljax  http://crawljax.com/  Selenium  http://docs.seleniumhq.org/  JUnit  http://junit.org/ 38
  39. 39. References  Burp Extender API  http://portswigger.net/burp/extender/api/inde x.html  ZAP API  https://code.google.com/p/zaproxy/wiki/ApiD etails  Ajax spider in ZAP  https://code.google.com/p/zaproxy/wiki/GSo C2012_PluginACT 39

×