Augmented reality in your web proxy
Roberto Suggi Liverani - @malerisch
OWASP AppSec Research 2013, Hamburg
HackPra AllStars
Who am I?
A guy who likes to find bugs
Speaker at various cons/events:
Hack in the Box, DefCON, EUSecWest, OWASP, HackPra
OWASP New Zealand Chapter Founder
Twitter: @malerisch
Research blog: blog.malerisch.net
Outline
Challenges / Solutions
Introducing Burp CSJ / DEMOs
Stories from the automation world
Conclusions / Future plans
Traditional testing approach
[Diagram: Browser <-> Web Proxy <-> Web App]
The concept of proxy suite
[Diagram: Web Proxy Suite (Intruder, Spider, Scanner, Repeater) <-> Web App]
The problem is…
[Diagram: Web Proxy <-> Web App, versus Browser <-> Web App]
Web proxies were originally designed to focus on server-side technology
Client-side technology shift: more and more application logic runs as JavaScript in the browser
A web app is designed to be used by a browser
Combining technologies
How can we get a browser close to a web proxy, or vice versa?
[Diagram: Browser Automation Framework + Web Proxy API]
So what do we achieve?
[Diagram: Web Proxy, Web App and Browser linked together, steps 1, 2, 3]
Browser automation options…
Selenium
Browser automation framework
Crawljax
Crawler for Ajax apps based on Selenium
JUnit
Testing framework
Selenium Server
Integrates Selenium RC
Launches and kills browsers
Interprets and runs Selenese commands
Supports Grid and nodes
Known as:
selenium-server-standalone
selenium-server
Selenium Client & WebDriver
Based on WebDriver wire protocol –
RESTful + JSON
Direct calls to browser
Multiple drivers available:
Chrome, IE, Opera, Android, iPhone
Known as selenium-java
Selenium IDE & JUnit
Selenium IDE: Firefox addon to create, repeat and execute test cases
Export the test case to JUnit (WebDriver)
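An added example, not code from the slides or from Burp CSJ: a JUnit 4 test in the shape Selenium IDE's "JUnit 4 / WebDriver" export produces, changed so that the browser it drives goes through Burp's proxy listener. It assumes the Selenium 2.x Java bindings, Burp listening on 127.0.0.1:8080, and, for the remote variant, a Selenium Server hub URL passed as -Dhub=...; the target URL, element ids, credentials and the class name LoginSequenceTest are assumptions.

```java
import java.net.URL;
import java.util.concurrent.TimeUnit;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;
import org.openqa.selenium.remote.RemoteWebDriver;

import static org.junit.Assert.assertTrue;

// Example test (not Burp CSJ code): the shape Selenium IDE's WebDriver export has,
// with the browser routed through Burp. Target URL, element ids and credentials are assumed.
public class LoginSequenceTest {

    private static final String BURP_PROXY = "127.0.0.1:8080";        // Burp proxy listener
    private static final String BASE_URL = "http://target.example";   // hypothetical target
    // Optional Selenium Server / Grid hub, e.g. -Dhub=http://127.0.0.1:4444/wd/hub
    private static final String REMOTE_HUB = System.getProperty("hub", "");

    private WebDriver driver;

    @Before
    public void setUp() throws Exception {
        // Route HTTP and HTTPS through Burp, so every request the browser makes lands in
        // Proxy history, the Target site map and (via "Update cookie jar from Proxy") the cookie jar.
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(BURP_PROXY).setSslProxy(BURP_PROXY);

        // Burp terminates TLS with its own CA; unless that CA is imported into the profile,
        // Firefox must accept untrusted certificates or no HTTPS page will load.
        FirefoxProfile profile = new FirefoxProfile();
        profile.setAcceptUntrustedCertificates(true);

        DesiredCapabilities caps = DesiredCapabilities.firefox();
        caps.setCapability(CapabilityType.PROXY, proxy);
        caps.setCapability(FirefoxDriver.PROFILE, profile);

        if (REMOTE_HUB.isEmpty()) {
            driver = new FirefoxDriver(caps);
        } else {
            // Remote WebDriver: the proxy address is used by the browser on the node, so
            // 127.0.0.1 must be Burp as seen from that node (or use Burp's reachable address).
            driver = new RemoteWebDriver(new URL(REMOTE_HUB), caps);
        }
        driver.manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
    }

    @Test
    public void testLoginSequence() {
        driver.get(BASE_URL + "/login");
        driver.findElement(By.id("username")).clear();
        driver.findElement(By.id("username")).sendKeys("tester");
        driver.findElement(By.id("password")).clear();
        driver.findElement(By.id("password")).sendKeys("Passw0rd!");
        driver.findElement(By.cssSelector("input[type=submit]")).click();
        // The exported verify step: after login the account menu must be present.
        assertTrue(driver.findElement(By.id("account-menu")).isDisplayed());
    }

    @After
    public void tearDown() {
        if (driver != null) {
            driver.quit();
        }
    }
}
```

Two things the raw IDE export does not do and this version does: it sets the proxy capability so the sequence is visible to Burp, and it accepts Burp's self-signed certificate, without which an HTTPS login sequence silently stops on the certificate warning page. With a Selenium Server hub the same compiled class drives a browser on another machine, which is what "remote web driver" means in the demos that follow.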
Crawljax
Based on Selenium WebDriver APIs
State-flow interpretation of DOM states
Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes
Web proxy options…
Burp Extender API
Java/Python/Ruby
Scanner, Proxy, Repeater, Cookie, Target
Session handling, HTTP requests/responses
ZAP API
RESTful interface
Spider, core, params, ascan, context
auth, acsrf, autoupdate, pscan
Crawljax - Pros
Why integrate Crawljax?
Augmented reality in your proxy
Increased coverage for complex web apps
Scalability with big/dynamic apps
Integrated in ZAP - Ajax Spider
@GuifreRuiz - very cool work!
JUnit - Pros
Why use JUnit?
Increase chances to discover hard-to-find bugs
Easily create repeatable sequences of steps
Reuse existing JUnit test cases
Leverage Burp session handling/macros
So how to combine all this?
Created a Burp extension (Burp CSJ)
Integrates Crawljax
Integrates JUnit test cases created via Selenium IDE
Source: https://github.com/malerisch/burp-csj
Coded in Java using Google, Stack Overflow, a mix of guessing, luck and a lot of swearing…
How it works…
[Diagram: Burp CSJ bundles Crawljax, Selenium WebDriver, JUnit and the JDK; test cases recorded in Selenium IDE feed into it; the browser it drives talks to the web app]
Crawljax integration
Key Features
Support for Burp cookie jar
Support for multiple browsers, including remote WebDriver
Support for multiple HTML elements
Exclusion list for crawling
Support for CrawlOverview plugin
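An added example, not Burp CSJ's code, of the Crawljax configuration behind those features: the crawl browser is routed through Burp, an exclusion list keeps the crawler from logging itself out, extra clickable elements are registered, the crawl is bounded, and the CrawlOverview plugin is attached. It assumes the Crawljax 3.1 API (CrawljaxConfiguration builder, ProxyConfiguration, CrawljaxRunner), Burp on 127.0.0.1:8080, and a hypothetical application whose URL, form field names and logout/footer selectors are made up here.

```java
import java.io.File;
import java.util.concurrent.TimeUnit;

import com.crawljax.browser.EmbeddedBrowser.BrowserType;
import com.crawljax.core.CrawljaxRunner;
import com.crawljax.core.configuration.BrowserConfiguration;
import com.crawljax.core.configuration.CrawljaxConfiguration;
import com.crawljax.core.configuration.CrawljaxConfiguration.CrawljaxConfigurationBuilder;
import com.crawljax.core.configuration.InputSpecification;
import com.crawljax.core.configuration.ProxyConfiguration;
import com.crawljax.plugins.crawloverview.CrawlOverview;

// Example (not Burp CSJ code): a Crawljax 3.1 crawl routed through Burp. Target URL, form field
// names and the logout/footer selectors are assumptions about a hypothetical application.
public class CrawlThroughBurp {

    private static final String TARGET = "http://target.example/app/";
    private static final String BURP_HOST = "127.0.0.1";
    private static final int BURP_PORT = 8080;

    public static void main(String[] args) throws Exception {
        CrawljaxConfigurationBuilder builder = CrawljaxConfiguration.builderFor(TARGET);

        // Send the crawl browser through Burp: every DOM state Crawljax reaches generates
        // requests that populate Burp's Target site map and Proxy history, ready for Scanner.
        builder.setProxyConfig(ProxyConfiguration.manualProxyOn(BURP_HOST, BURP_PORT));

        // One local Firefox; BrowserType also offers CHROME, INTERNET_EXPLORER and REMOTE.
        builder.setBrowserConfig(new BrowserConfiguration(BrowserType.FIREFOX, 1));

        // Click anchors/buttons by default, plus elements that only react through JavaScript
        // (exact attribute match on the assumed class name).
        builder.crawlRules().clickDefaultElements();
        builder.crawlRules().click("div").withAttribute("class", "toggle");

        // Exclusion list: an authenticated crawl must never click its own logout link,
        // and footer links usually only lead off-site.
        builder.crawlRules().dontClick("a").underXPath("//a[contains(@href, 'logout')]");
        builder.crawlRules().dontClickChildrenOf("div").withAttribute("id", "footer");

        // Fill the login form whenever the crawler meets it (field names are assumed).
        InputSpecification input = new InputSpecification();
        input.field("username").setValue("tester");
        input.field("password").setValue("Passw0rd!");
        builder.crawlRules().setInputSpec(input);

        // Bound the crawl; Crawljax stops at whichever limit is hit first.
        builder.setMaximumStates(200);
        builder.setMaximumDepth(6);
        builder.setMaximumRunTime(30, TimeUnit.MINUTES);
        builder.crawlRules().waitAfterEvent(500, TimeUnit.MILLISECONDS);

        // CrawlOverview writes a browsable state graph with a screenshot per DOM state.
        builder.setOutputDirectory(new File("crawl-overview"));
        builder.addPlugin(new CrawlOverview());

        new CrawljaxRunner(builder.build()).call();
    }
}
```

The exclusion list is the part worth getting right first: a crawler that clicks "Logout" once turns every later state into the login page, and Burp then scans an unauthenticated application. Seeding the browser with Burp's cookie jar, the other authentication route the slide lists, is done by the extension rather than by Crawljax itself and is not shown here.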
Crawljax Tab (1/3)
[Screenshot]
Crawljax Tab (2/3)
[Screenshot]
Crawljax Tab (3/3)
[Screenshot]
DEMO
Crawling a site with auth
Crawling a site with auth + remote WebDriver
JUnit Integration
Key Features
Import compiled Selenium IDE JUnit test cases
Register test case into Burp session handling
Test case can be invoked in the Macro editor
Interface to execute JUnit test case
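An added example, not Burp CSJ's own code, of what "register test case into Burp session handling" looks like against the Burp Extender API: an extension that exposes a compiled Selenium/JUnit login sequence as a session handling action. It assumes the Burp 1.5.x Extender API (IBurpExtender, ISessionHandlingAction), JUnit 4 on the extension's classpath, and a hypothetical exported test class LoginSequenceTest whose browser is configured to go through Burp's proxy listener.

```java
package burp;

import java.util.concurrent.locks.ReentrantLock;

import org.junit.runner.JUnitCore;
import org.junit.runner.Result;
import org.junit.runner.notification.Failure;

// Example extension (not Burp CSJ's code): exposes a compiled Selenium/JUnit login sequence
// as a Burp session handling action. LoginSequenceTest is a hypothetical exported test class
// on the extension's classpath whose browser is configured to go through Burp's proxy.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {

    private IBurpExtenderCallbacks callbacks;
    // A browser run takes seconds and session handling actions can fire from several
    // Scanner threads at once: serialise them rather than launch one browser per thread.
    private final ReentrantLock runLock = new ReentrantLock();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        callbacks.setExtensionName("JUnit session action (example)");
        callbacks.registerSessionHandlingAction(this);
    }

    // Name listed under Session handling rules -> Rule actions -> "Invoke a Burp extension".
    @Override
    public String getActionName() {
        return "Run Selenium/JUnit login sequence";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        IRequestInfo info = callbacks.getHelpers().analyzeRequest(currentRequest);
        runLock.lock();
        try {
            callbacks.printOutput("Re-establishing session before " + info.getUrl());
            Result result = JUnitCore.runClasses(LoginSequenceTest.class);
            if (result.wasSuccessful()) {
                // The browser went through Burp's proxy listener, so the new session cookies
                // are already in the cookie jar ("Update cookie jar from Proxy"); a following
                // rule "Use cookies from the session handling cookie jar" applies them to
                // currentRequest. Nothing needs to be copied by hand.
                callbacks.printOutput("Login sequence completed; cookie jar updated via Proxy");
            } else {
                // A failed sequence means the jar is stale: report it rather than letting the
                // Scanner continue with a dead session.
                for (Failure f : result.getFailures()) {
                    callbacks.printError("JUnit failure: " + f.getTestHeader() + " - " + f.getMessage());
                }
            }
        } finally {
            runLock.unlock();
        }
    }
}
```

On the Burp side the action is wired up under Options -> Sessions: a rule whose action is "Invoke a Burp extension" pointing at this action (typically guarded by a "Check session is valid" rule so the browser is only launched when the session has really expired), with Proxy left checked under cookie jar monitoring and a following rule that uses cookies from the session handling cookie jar. That is the setup behind the tip "set the Cookie: header with Burp": the JUnit sequence only has to obtain the session, Burp does the rest.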
JUnit Tab
[Screenshot]
DEMO
Launching a JUnit test case via Burp Proxy
Registering a JUnit test case via Burp and setting a macro
Burp CSJ Tips
Use Burp Spider + Crawljax for crawling, then scan/attack the application
Create JUnit test cases for sequences that take a long time to repeat
Set a Burp macro to use the JUnit test case
When using JUnit with Burp CSJ, set the Cookie: header via Burp (session handling rules and cookie jar)
Stories from the automation world…
base64 and command injection
Crawljax clicked through pages carrying base64-encoded data
A scan had been run beforehand
The content of some of those pages was decoded
Traces of ping command output were found
An indirect OS command injection was found!
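An added example, not from the slides, of the check a tester would script after this story: find base64-looking runs in a response body, decode them, and flag decoded text that contains ping output of the kind Burp Scanner's OS command injection payloads trigger. It is a standalone Java 8 class (java.util.Base64); in a Burp extension the same method would be called from IScannerCheck.doPassiveScan on each response. The response body in main() is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Example check (not from the slides): decode base64 blobs in a response body and report
// any that contain ping output, the artefact a ping-based command injection payload leaves.
public class Base64CommandOutputCheck {

    // A run of base64 alphabet characters long enough to hold something meaningful.
    private static final Pattern B64_RUN = Pattern.compile("[A-Za-z0-9+/]{20,}={0,2}");

    // Signatures of ping output on Unix and Windows.
    private static final Pattern PING_OUTPUT = Pattern.compile(
            "(?i)(\\bbytes from\\b|icmp_seq=|\\bttl=\\d+|Reply from \\d|packets transmitted|Packets: Sent)");

    public static List<String> findCommandOutput(String body) {
        List<String> hits = new ArrayList<>();
        Matcher m = B64_RUN.matcher(body);
        while (m.find()) {
            String candidate = m.group();
            // Base64 is only valid in multiples of 4; trim so near-misses do not throw.
            candidate = candidate.substring(0, candidate.length() - candidate.length() % 4);
            byte[] raw;
            try {
                raw = Base64.getDecoder().decode(candidate);
            } catch (IllegalArgumentException e) {
                continue;   // not base64 after all (e.g. a long token with stray padding)
            }
            String decoded = new String(raw, StandardCharsets.UTF_8);
            if (PING_OUTPUT.matcher(decoded).find()) {
                hits.add(decoded);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: a page embedding base64 server output, one blob holding ping output.
        String harmless = Base64.getEncoder().encodeToString(
                "status=ok;user=tester".getBytes(StandardCharsets.UTF_8));
        String pingOut = Base64.getEncoder().encodeToString(
                ("PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.\n"
               + "64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.04 ms\n").getBytes(StandardCharsets.UTF_8));
        String body = "<div data-state=\"" + harmless + "\"></div>\n<pre>" + pingOut + "</pre>";

        for (String hit : findCommandOutput(body)) {
            System.out.println("Decoded command output found:\n" + hit);
        }
    }
}
```

Only the second blob is reported: the first decodes cleanly but matches no ping signature. Long hexadecimal tokens also match the base64 pattern, decode to binary noise and are dropped the same way, so the check stays quiet on session identifiers. Applications using the URL-safe alphabet (- and _) need the pattern and decoder swapped for Base64.getUrlDecoder().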
jQuery, toggle() and XSS
Complex app – use of jQuery
Lots of clickable elements which would invoke toggle()
Crawljax clicked the element
New page added to Burp Target
Page vulnerable to XSS
A nice deal…
Internet banking web app
Create a new payee (8 steps)
Perform money transfer (3 steps)
E.g. transfer 10000 JPY (=~ 76 EUR)
Attack: change currency but keep the same amount
10k JPY deducted -> 10k EUR sent to the other side!
A nice shopping cart!
Vulnerable shopping cart
A special product item would decrease the amount
A sequence of steps had to be performed beforehand
JUnit test cases made the difference
Burp CSJ future
Expand Crawljax integration
Support plugin import feature
Expand JUnit integration
Compile from Java source directly…
Also change the browser set in the JUnit test case…
Support for Burp cookie jar
Conclusions
Combining automation is a different type of testing
Time for preparation is needed
Not ideal for testers looking for quick wins
ROI is always in bug discovery
… especially bugs with critical severity
Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
Source Code: https://github.com/malerisch/burp-csj
Tutorial: soon on blog.malerisch.net
References
Blog – Roberto Suggi Liverani: http://blog.malerisch.net/
Twitter account - @malerisch: https://twitter.com/malerisch
Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes: http://www.ece.ubc.ca/~amesbah/docs/tweb-final.pdf
Crawljax: http://crawljax.com/
Selenium: http://docs.seleniumhq.org/
JUnit: http://junit.org/
Burp Extender API: http://portswigger.net/burp/extender/api/index.html
ZAP API: https://code.google.com/p/zaproxy/wiki/ApiDetails
Ajax spider in ZAP: https://code.google.com/p/zaproxy/wiki/GSoC2012_PluginACT