Øredev 2006 Web application testing using a proxy Lucas Nelson, Symantec Inc.

Lucas Nelson - Web testing using a proxy - Nov 2006 v1


Øredev 2006

Web application testing using a proxy

Lucas Nelson, Symantec Inc.

Agenda

• What is a proxy?

• Setting up your environment

• Pre-login tests

• Post-login tests

• Conclusion

A man in the middle proxy

• The proxy sits between the client and the server

• Here we can modify all requests and replies to and from the server

Advantages

• More powerful than ‘save-n-edit’ attacks (saving a page locally, editing the form and resubmitting it)

– Proxies are effective on AJAX sites

• We receive requests after the browser has completed its JavaScript routines and validation, so client-side checks are bypassed

• Transparent to both the client and the server

WebScarab

• WebScarab is an open-source proxy provided by OWASP

• http://www.owasp.org/index.php/Category:OWASP_Project

• Written in Java with a Swing interface

Setup

How to set up WebScarab

WebScarab start page

Setting up Firefox

• Point Firefox's HTTP proxy setting at the WebScarab listener (by default localhost, port 8008)

Sample Application: Broken Brokerage

• Demo application written in Java with several common classes of vulnerabilities

• Simulates a brokerage service with stock trading

Pre-Login testing

Broken Brokerage Login

Pre-Login testing

Test: Account Enumeration

• Check whether it is possible to enumerate valid account names using the system

– Login error messages

– Forgotten password pages

Known bad login

• Start with a login that will not exist

– 31337Haxor

Attempt valid logins

• Try a login that does exist

– Any login you know is valid

– Admin/Administrator

– Test

Check for differences

• Any difference between the error messages is enough to enumerate logins.

– Even a missing period!

– Compare status codes, response lengths and response times as well as the visible text

• Password recovery pages often tell you whether the username is known
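The three steps above (baseline with a login that cannot exist, try likely logins, diff the responses) as an added Python example; this is not code from the slides or from WebScarab. The target is a constructed login function standing in for the Broken Brokerage server, with two failure messages that differ only by a trailing period, and the fingerprint compares status, length and a body hash so that a one-character difference is caught:

```python
import hashlib

# Constructed stand-in for the login handler of a target like Broken Brokerage.
# A real test sends the requests through the proxy; here the "server" is a
# function so the script runs offline. The two failure messages differ only by
# a trailing period, the slip the slide warns about.
_ACCOUNTS = {"admin": "hunter2", "test": "test"}   # constructed user table


def vulnerable_login(username, password):
    """Returns (status, body). Leaks which usernames exist."""
    user = username.lower()
    if user not in _ACCOUNTS:
        return 200, "Login failed: unknown user"
    if _ACCOUNTS[user] != password:
        return 200, "Login failed: unknown user."
    return 302, "Location: /account"


def fixed_login(username, password):
    """Same response for a bad user and a bad password."""
    if _ACCOUNTS.get(username.lower()) == password:
        return 302, "Location: /account"
    return 200, "Login failed."


def fingerprint(status, body):
    """Reduce a response to something comparable: status, length, body hash.
    Hashing catches one-character differences a visual diff would miss."""
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()


def enumerate_accounts(login, candidates, known_bad="31337Haxor", password="x"):
    """Baseline with a username that cannot exist, then flag every candidate
    whose response fingerprint differs from that baseline."""
    baseline = fingerprint(*login(known_bad, password))
    return [user for user in candidates
            if fingerprint(*login(user, password)) != baseline]


if __name__ == "__main__":
    wordlist = ["Admin", "Administrator", "Test", "guest"]
    print("vulnerable:", enumerate_accounts(vulnerable_login, wordlist))  # ['Admin', 'Test']
    print("fixed:     ", enumerate_accounts(fixed_login, wordlist))       # []
```

The baseline is taken from the known-bad login rather than from the status code alone, because a valid user with a wrong password and an unknown user both return 200 here; only the body gives them away. Against a real target, record response time in the fingerprint too, since a password hash comparison that only runs for existing users produces a measurable delay.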

Test: Input validation

• Check that input validation is being performed on the server, not only in the browser's JavaScript (the proxy lets us skip the client-side checks)

• Use meta characters

– < > ( ' " ;

• Common test string

– <script>alert("XSS");</script>

View page source

What to look for

• Note that the Admin username we inserted is not in a quoted section

– If it were, we would have to close the quotes (and usually the enclosing tag) in our string.

– For example: "><script>alert("XSS");</script>

Cross-site Scripting explained

• Phishing attacks often use the ability to inject code into a web page.

• A cookie can represent a logged-in session

• If we can send the cookie to another site then we can hijack the session

– An HttpOnly cookie cannot be read from document.cookie, but the injected script still runs inside the victim's session and can act on their behalf

How to test

• Edit the request before it is sent to the server

• Add in a string containing JavaScript as a test

Setup a regex in WebScarab

Input the username ‘testme’

Change to our test string

<script>alert("XSS");</script>
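The edit-and-resend step and the "is it in a quoted section?" check above, as an added Python example that is not part of the slides or of WebScarab. The captured request, the host name and the two page generators are constructed for the example; the vulnerable page echoes the username unquoted into the error text (as on the slide) and also inside a quoted attribute, so the script has to pick a different payload for each context:

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed capture of the login POST as the proxy shows it. The browser's
# JavaScript validation has already run, so only the harmless 'testme' reached
# the wire; the edit happens here, after that validation. Host is a placeholder.
CAPTURED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: brokerage.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "UserName=testme&Password=test"
)

XSS = '<script>alert("XSS");</script>'   # the slide's test string
CANARY = "xss7x9"                         # harmless marker used to locate reflections


def rewrite_request(raw, field, value):
    """What the proxy's edit pane does: swap one form field in the body and
    recompute Content-Length so the server still reads the whole body."""
    head, _, body = raw.partition("\r\n\r\n")
    params = parse_qs(body, keep_blank_values=True)
    params[field] = [value]
    new_body = urlencode(params, doseq=True)
    head = re.sub(r"(?im)^Content-Length:\s*\d+", f"Content-Length: {len(new_body)}", head)
    return head + "\r\n\r\n" + new_body


def reflection_contexts(page, marker):
    """For each place the marker comes back, report where it landed: 'text'
    (between tags), 'attr"' / "attr'" (inside a quoted attribute) or 'attr'
    (unquoted attribute). That decides whether quotes must be closed first."""
    contexts = []
    for m in re.finditer(re.escape(marker), page):
        before = page[:m.start()]
        if before.rfind("<") <= before.rfind(">"):
            contexts.append("text")
            continue
        inside_tag = before[before.rfind("<"):]
        quote = next((q for q in ('"', "'") if inside_tag.count(q) % 2), "")
        contexts.append("attr" + quote)
    return contexts


def payload_for(context):
    """Close whatever we are inside, then open the script tag."""
    return {"text": "", "attr": ">", 'attr"': '">', "attr'": "'>"}[context] + XSS


def find_xss(server, request, field):
    """Probe with the canary to learn the contexts, then send a tailored
    payload per context and report the ones echoed back unescaped."""
    probe = server(rewrite_request(request, field, CANARY))
    hits = []
    for ctx in reflection_contexts(probe, CANARY):
        payload = payload_for(ctx)
        if payload in server(rewrite_request(request, field, payload)):
            hits.append((ctx, payload))
    return hits


def vulnerable_page(request):
    """Constructed server: echoes UserName unquoted into the error text, as the
    Broken Brokerage login page on the slide does, and into a quoted attribute."""
    user = parse_qs(request.partition("\r\n\r\n")[2]).get("UserName", [""])[0]
    return (f"<p>Login failed for user {user}</p>\n"
            f'<form><input name="UserName" value="{user}"></form>')


def fixed_page(request):
    """Same page with the one change that matters: HTML-escape on output."""
    user = parse_qs(request.partition("\r\n\r\n")[2]).get("UserName", [""])[0]
    safe = html.escape(user, quote=True)
    return (f"<p>Login failed for user {safe}</p>\n"
            f'<form><input name="UserName" value="{safe}"></form>')


if __name__ == "__main__":
    for ctx, payload in find_xss(vulnerable_page, CAPTURED_REQUEST, "UserName"):
        print(f"reflected unescaped in {ctx!r}: {payload}")
    print("after escaping:", find_xss(fixed_page, CAPTURED_REQUEST, "UserName"))
```

Probing with an alphanumeric canary first is what a careful tester does by hand with "view page source": it shows every place the input lands before any `<script>` tag is sent, and it still works when the application filters angle brackets outright. The context test here is deliberately simple (it only counts quotes since the last `<`); it is enough for the two cases on the slide but not for input landing inside a `<script>` block or an event-handler attribute.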

The result

Stealing the cookie

• <script>alert(document.cookie);</script>

• An attacker could send this cookie to another server as an image name, for example by making the injected script request an image from the attacker's server with the cookie value appended to the URL

Test: SQL Injection

• It may be possible to inject code that will run on the database's SQL interpreter

• Classic example

– ' or 1=1; --

How to test

• Use Manual Request to send injection strings

• View server replies in WebScarab

Manual Request page

Encode test string

• Under Tools there is a Transcoder; URL-encode the string so the quote, spaces and semicolon survive in the form body

Modify a request

• Insert our encoded string into the UserName field

• UserName=Admin&Password=test

Fetch response

The result

• The response shows the attacker has been logged in without a valid password

• The injected ' or 1=1 makes the WHERE clause match every row, and the -- comments out the password check that follows it

• This attack will often result in the attacker being logged in as the first user in the DB, which is commonly the admin account
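The injection above carried through end to end as an added Python example (not code from the slides or from Broken Brokerage): an in-memory SQLite user table constructed for the example, the concatenated query that the slide exploits, the parameterised version that is immune to it, and the URL-encoding step the Transcoder performs:

```python
import sqlite3
from urllib.parse import quote

PAYLOAD = "' or 1=1; --"   # the slide's classic injection string


def make_db():
    """Constructed user table. Row order matters: the first row is the admin,
    which is why the injection below lands in the admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("Admin", "hunter2"), ("alice", "wonder"), ("bob", "builder")])
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string concatenation: the bug the slide exploits.
    With the payload as username the statement becomes
      SELECT username FROM users WHERE username = '' or 1=1; --' AND password = '...'
    so every row matches, the password check is commented out and the first
    row (Admin) is returned."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Parameterised query: the payload is compared as a literal string."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def encoded_body(username, password):
    """What the Transcoder step produces: a form body in which the quote,
    spaces and semicolon are URL-encoded so they survive the trip to the server."""
    return "UserName=" + quote(username, safe="") + "&Password=" + quote(password, safe="")


if __name__ == "__main__":
    con = make_db()
    print(encoded_body(PAYLOAD, "test"))
    print("vulnerable:", vulnerable_login(con, PAYLOAD, "test"))   # Admin
    print("safe:      ", safe_login(con, PAYLOAD, "test"))         # None
```

Note that the parameterised version does not reject the payload; it simply looks for a user literally named `' or 1=1; --` and finds none. That is the property to look for in the fix: the data never becomes part of the statement text.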

Spider the site

• Look for functionality that shouldn't be exposed

– Admin pages

– Default content for the web server

The Spider tool

• Before

The Spider tool

• After

Create user page

Post-Login testing

Analyze cookies

• Collect a large number of tokens (>1k)

• Visually analyze for patterns

• Will likely yield results against homebrew tokens

Collection

Test regex

• Only one cookie being returned (JSESSIONID)

• Regex = .*

Capture large number

Look for patterns

Analysis of JSESSIONID

• The Java framework (the servlet container) provides JSESSIONID

• There are no patterns to be found in this case
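Two things the visual analysis above looks for can be computed directly: character positions that never change, and tokens that can be predicted from the previous one. This added Python example is not from the slides or WebScarab; the "homebrew" generator (issue time plus a counter, hex encoded) is constructed to show what a weak scheme looks like next to tokens drawn from a CSPRNG, which is what a servlet container's JSESSIONID should resemble:

```python
import math
import secrets
from collections import Counter

ISSUED_AT = 0x4559d3c0   # constructed, fixed "issue time" so the sample is reproducible


def homebrew_tokens(n, start=1000):
    """Constructed weak generator of the kind the slide calls 'homebrew':
    issue time and a per-session counter, hex encoded."""
    return [f"{ISSUED_AT:08x}{start + i:08x}" for i in range(n)]


def strong_tokens(n):
    """What a servlet container's session id generator should look like:
    128 bits from a CSPRNG per token."""
    return [secrets.token_hex(16) for _ in range(n)]


def position_entropy(tokens):
    """Shannon entropy (bits) of each character position across the sample;
    a hex digit can carry at most 4 bits."""
    width = min(len(t) for t in tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def fixed_positions(tokens):
    """Positions that never change: pure padding from an attacker's point of view."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h == 0.0]


def sequential_steps(tokens):
    """Count consecutive tokens whose numeric values differ by exactly one,
    i.e. tokens an attacker could have predicted from the previous one."""
    values = [int(t, 16) for t in tokens]
    return sum(1 for a, b in zip(values, values[1:]) if b - a == 1)


if __name__ == "__main__":
    weak, good = homebrew_tokens(1000), strong_tokens(1000)
    print("homebrew: fixed positions", fixed_positions(weak),
          "sequential steps", sequential_steps(weak))
    print("random:   fixed positions", fixed_positions(good),
          "sequential steps", sequential_steps(good))
```

With a thousand samples (the size the slide recommends) the homebrew tokens show thirteen constant positions and every token one step from the last, while the random tokens show none of either. Passing both checks does not prove a token is good; a token built from a hash of a timestamp would pass them and still be guessable. It only means the cheap visual-analysis results are absent, which matches the slide's finding for JSESSIONID.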

Exploit hidden variables

• Programmers may store sensitive data in hidden form fields, trusting the browser to send them back unchanged

• WebScarab allows inline editing

Allow editing of hidden vars

What it looks like

Results

• By increasing the ‘shares’ value we are able to sell stock we don’t own
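The sell transaction above as an added Python example, not code from Broken Brokerage: a handler that trusts the hidden `shares` and `price` fields beside one that treats them as untrusted input and checks quantity and price against the server's own records. The holdings table, the quote table and the field names are constructed for the example:

```python
from urllib.parse import parse_qs

# Constructed live quotes. The vulnerable handler never consults them; the
# hardened one treats them, and the holdings table, as the only source of truth.
QUOTES = {"ACME": 42.50}


def sell_trusting_form(holdings, user, body):
    """Vulnerable: quantity and price come from hidden form fields, so a
    proxy-edited request sells stock the user does not own. Returns proceeds."""
    f = parse_qs(body)
    symbol, shares, price = f["symbol"][0], int(f["shares"][0]), float(f["price"][0])
    holdings.setdefault(user, {}).setdefault(symbol, 0)
    holdings[user][symbol] -= shares           # can go negative
    return shares * price


def sell_checked(holdings, user, body):
    """Hardened: hidden fields are untrusted input. Quantity must be a positive
    integer no larger than the server's own record, and the price is looked
    up, never read from the form. Raises ValueError on any violation."""
    f = parse_qs(body)
    symbol = f.get("symbol", [""])[0]
    try:
        shares = int(f.get("shares", [""])[0])
    except ValueError:
        raise ValueError("shares is not an integer")
    if symbol not in QUOTES:
        raise ValueError("unknown symbol")
    owned = holdings.get(user, {}).get(symbol, 0)
    if not 0 < shares <= owned:
        raise ValueError(f"cannot sell {shares} of {symbol}: {owned} owned")
    holdings[user][symbol] = owned - shares
    return shares * QUOTES[symbol]


if __name__ == "__main__":
    tampered = "symbol=ACME&shares=1000&price=42.50"   # 'shares' raised from 10 in the proxy
    h = {"alice": {"ACME": 10}}
    print("vulnerable:", sell_trusting_form(h, "alice", tampered), h)
    h = {"alice": {"ACME": 10}}
    try:
        sell_checked(h, "alice", tampered)
    except ValueError as e:
        print("hardened:", e, h)
```

The hardened version also ignores the `price` field entirely: a hidden price is the same bug as a hidden quantity, and a request that carries the value the server already knows is a request the server should not need.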

Using the fuzzer

• Create a set of fuzz strings

– XSS, format strings, long strings, unusual characters

• Supply malicious input to the program

• Look for interesting errors or system crashes

Adding a fuzz template

Create fuzz strings

• Create a file of strings that could cause issues

• Here we create a simple test of 200 A's

The Fuzzer

Add your sources

The result
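The fuzzing procedure above (build a string set, mutate one field at a time, sort the interesting responses from the rest) as an added Python example that is not from the slides or WebScarab. The fuzz set covers the categories the slide lists and includes the 200 A's; the order handler is a constructed target with an unguarded integer conversion and a fixed-width symbol field, and it echoes the symbol unescaped:

```python
from collections import Counter

# Constructed fuzz set in the categories the slide lists: long strings,
# format strings, XSS, unusual characters, plus the 200 A's from the example.
FUZZ_STRINGS = [
    "A" * 200,
    "A" * 5000,
    "%s%s%s%s%n",
    '<script>alert("XSS");</script>',
    "' or 1=1; --",
    "\x00",
    "\u202e",
    "-1",
    "99999999999999999999",
]
META = set('<>"\'')
BASE = {"symbol": "ACME", "shares": "1"}      # a valid order to mutate one field at a time


def order_handler(fields):
    """Constructed target with two defects: an unguarded int() and a fixed
    width for symbol (stand-in for a backend column or buffer). It also
    echoes the symbol unescaped."""
    symbol, shares = fields.get("symbol", ""), fields.get("shares", "")
    if len(symbol) > 64:
        raise RuntimeError("symbol overflows column")
    qty = int(shares)
    return 200, f"<p>Order placed: {qty} x {symbol}</p>"


def classify(payload, outcome):
    """Label a handler result: exception type, server error, meta characters
    reflected unescaped, or ok."""
    if isinstance(outcome, Exception):
        return "exception:" + type(outcome).__name__
    status, body = outcome
    if status >= 500:
        return f"status:{status}"
    if META & set(payload) and payload in body:
        return "reflected"
    return "ok"


def fuzz(handler, base, strings):
    """Mutate one field at a time and record (field, payload, label)."""
    results = []
    for field in base:
        for payload in strings:
            request = dict(base, **{field: payload})
            try:
                outcome = handler(request)
            except Exception as e:           # a crash is a finding, not a test failure
                outcome = e
            results.append((field, payload, classify(payload, outcome)))
    return results


def interesting(results):
    """Everything that is not a plain success, rarest label first so the odd
    ones out come to the top of the list."""
    counts = Counter(label for _, _, label in results)
    hits = [r for r in results if r[2] != "ok"]
    return sorted(hits, key=lambda r: counts[r[2]])


if __name__ == "__main__":
    for field, payload, label in interesting(fuzz(order_handler, BASE, FUZZ_STRINGS)):
        print(f"{label:24} {field}={payload[:40]!r}")
```

The labels are what makes a run of several hundred requests readable: the proxy's fuzzer shows one row per request, and the practitioner's job is to find the rows whose status, length or error differ from the crowd. Note what this classifier misses: the negative quantity `-1` is accepted and labelled ok, which is exactly the kind of logic flaw the slide's summary says fuzzing is too imprecise to catch on its own.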

Summary

• Fuzzing is an efficient way to test a large number of inputs

• It is not as precise as manual testing and should be used in conjunction with other techniques