©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Technical study to show WebInspect capabilities
Hans Enders, HP Presales
May 1, 2012
DenimGroup Auth Example
Using TruClient in WebInspect 9.2
Background
• This document details how to use the WebInspect 9.20 new TruClient
Web Macro Recorder (WMR) against a simple Challenge-Response
authentication app.
• This document is meant to demonstrate that WebInspect can manage
these scenarios out-of-the-box as well as to show the user many
advanced capabilities it offers to maintain session state.
• Since TruClient records user actions and not simple sessions, it includes
the ability to handle advanced Q&A without needing changes to the
application under test.
Background
• Vendor Challenge:
• http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html
• Discussion centered around this DenimGroup blog entry:
• http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
• The sample app was provided by DenimGroup:
– https://github.com/denimgroup/authexamples
Agenda: Overview & Configuration
Demo app walk-through
Macro for demo app
Customized demo app
Macro for customized app
Finalizing the macro
Overview
• Auth example application provided by DenimGroup
– All Responses are “apple”
– Hosting app to local instance of XAMPP
• Initial recording
• Editing the example app for differing Answers: “apple, CEO, White”
https://github.com/denimgroup/authexamples
Demo app - Authexamples
• What - A simple Challenge-Response app in PHP, using a single answer
for all questions.
• Description:
– This is a simple project that is intended to demonstrate a couple of different non-standard
authentication scenarios for folks to train their scanners and scanner operators on.
Currently based on a single scenario in PHP, we'd love to add more scenarios.
Questions/comments/updates? Please contact dan _at_ denimgroup.com
http://www.apachefriends.org/en/xampp-windows.html
Demo app – posting to XAMPP
• What - A simple web server suite for Windows.
• OS used – Windows 7 64-bit
• Installed path: C:\Websites\xampp\
• XAMPP 1.7.7, including:
– Apache 2.2.21
– MySQL 5.5.16
– PHP 5.3.8
– phpMyAdmin 3.4.5
– FileZilla FTP Server 0.9.39
– Tomcat 7.0.21 (with mod_proxy_ajp as connector)
http://www.apachefriends.org/en/xampp-windows.html
Demo app – posting to XAMPP
• Extracted AuthExample to XAMPP htdocs folder:
– C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\
– URL: http://localhost/denimgroup-authexamples-5059b6f/index.php
Login screens
Demo app – normal walk through
C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
Demo app – default Answers
• Answers are all set to “apple” inside login.php
// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'apple' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'apple' );
Challenge screens – all “apple”
Demo app – normal walk through
Login, browse, logout
Demo app – normal walk through
Web Macro Recorder for WebInspect 9.20
TruClient WMR
15 Enterprise Security – HP Confidential
• HP TruClient is the latest iteration of HP WebInspect’s Web Macro
Recorder tool (WMR).
• TruClient is an Event-based UI recorder.
• The two prior WMR tools are still present in WebInspect:
• Event-based WMR
• Session-based (Traffic-based) WMR.
Raw recorded steps
WMR – simple recording
Playback successful
Notice that Step #8 is the Challenge-Response (Q&A) session.
WMR – simple recording
Once Playback is successful, browse to get logged out
WMR - simple recording
Once logged out, click Select button – highlight identifying element
WMR – simple recording
Review the Logout Condition
WMR – simple recording
Works out-of-the-box
WMR – simple recording is Done
C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
Demo app – custom Answers
• Edited the answers to “apple”, “CEO”, and “White” inside login.php.
// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'CEO' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'White' );
Challenge screens – now different
Demo app – custom Answers
Initial recording. Press Stop and ignore the follow-up Play button; we will need some Q&A code added first
WMR – custom Answers
Final Goal
WMR – custom Answers
• To manage dynamic Challenge-Response, the TruClient user will need to
insert three new steps into the recorded steps.
1. Evaluate JavaScript – Dynamic Security Questions
2. Evaluate JavaScript – setSecurityQuestion
3. Evaluate JavaScript – getDynamicAnswer
• For Q&A involving more than one field, each field needs its own pair of
setSecurityQuestion and getDynamicAnswer steps, but all fields can share a
single Dynamic Security Questions step.
Sneak peek - Final Goal
WMR – custom Answers
Insert new Step #7 – “Evaluate JavaScript” from Toolbox sidebar
WMR - custom Answers
Open the JavaScript Editor window
Code – Dynamic Security Question
• Expand the new JavaScript step > click on “[Code]” > expand
“Arguments” > “JS” button
Sample code
Code – Dynamic Security Question
• Build your raw JS, or steal this basic script framework shown below.
– Edit the questionAnswer lines to match your situation.
– Note that variable names created here must be kept the same elsewhere as we continue.
//dynamic security questions
// Lookup table: question text -> answer. Edit these lines for your app.
// A plain object is the idiomatic JavaScript map for string keys.
var questionAnswer = {};
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";
// Question captured from the page by the setSecurityQuestion step.
var currentQ;
// Called from the "Evaluate JS on Object" step with the question text;
// trims leading and trailing whitespace so the lookup key matches exactly.
function setSecurityQuestion(q)
{
  currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}
// Called from the answer field's step; returns the answer for the stored
// question (undefined if the question is not in the table).
function getDynamicAnswer()
{
  return questionAnswer[currentQ];
}
• User simply pastes in this code sample, then edits the “questionAnswer”
lines to match their situation.
• Update the question inside quotes
• Update the answer at the end, also in quotes
• Note that variable names used in this script will be used elsewhere, so
the user must keep them the same.
• Here is what Step #7 has become.
Insert new Step #8 – “Evaluate JS on Object” from Toolbox sidebar
Code – setSecurityQuestion
Choose the Question object
Code – setSecurityQuestion
• Play this step alone, then highlight the JavaScript Object in the browser.
– Right-click the step, or highlight it and press F7
– The “!” icon simply indicates an error on Playback, offering details on mouseover.
Choose the Question object
Code – setSecurityQuestion
• For this example app, we cannot just select the Question text because
the text is not contained within an element of its own (see green block
below). Because of this we need to do some additional regular
expression parsing. On most sites this step would not be necessary.
Identify the Question object
Code – setSecurityQuestion
• Sample of the raw text offered:
– Hint: apple is a pretty good choice for all the questions
– Question: What is your favorite fruit
• Used the included Regular Expression Editor tool to work up the regex:
– Question:\s(.*)
• Open the JavaScript Editor for this new step
Identify the Question object
Code – setSecurityQuestion
• Useful test code to verify the regex works in JS:
– basic >> window.alert(object.textContent)
– This test app >> window.alert(object.textContent.match(/Question:\s(.*)/)[1])
• Play this step to check the pop-up: does it match your desired Question
text? Yes.
Identify the Question object
Code – setSecurityQuestion
• With the Alert pop-up verification, we are sure our regex works.
• Here is our regex inserted into our standard setSecurityQuestion code:
– setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])
• Paste this into the JS Editor window
– Recall that the name “setSecurityQuestion” must match what we created for the
Q&A code back in Step #7.
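The three steps above, run end to end as an added stand-alone example (this is not TruClient's code or the deck's own sample): it uses the deck's question table and its Question:\s(.*) regex, adds an extractQuestion helper (an assumed name, not a TruClient function) standing in for the `object.textContent.match(...)` call, and returns null instead of throwing when the "Question:" text is absent or the question is not in the table. The element text is constructed to mirror the raw text shown earlier.

```javascript
// Added example: simulation of the Step #7/#8/#9 TruClient sequence.
// `object` and `window` from TruClient are not used; `extractQuestion`
// and `answerFor` are helper names assumed here, not TruClient APIs.

// Step #7 equivalent: the question/answer table (same entries as the deck).
var questionAnswer = {
  "What is your favorite fruit": "apple",
  "What is your favorite Jobs job": "CEO",
  "What is your favorite Beatles record label": "White"
};

var currentQ;

// Trim surrounding whitespace so "  What is ... \n" still hits the table.
function setSecurityQuestion(q) {
  currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}

function getDynamicAnswer() {
  return questionAnswer[currentQ];
}

// Step #8 equivalent: the demo app's question shares an element with the
// hint, so pull it out with the deck's regex. Returns null when the pattern
// is absent; the deck's one-liner would throw on [1] in that case.
function extractQuestion(textContent) {
  var m = textContent.match(/Question:\s(.*)/);
  return m ? m[1] : null;
}

// Whole sequence: element text in, answer out. Unknown questions yield null
// so a macro author sees the table gap instead of a silent undefined.
function answerFor(textContent) {
  var q = extractQuestion(textContent);
  if (q === null) return null;
  setSecurityQuestion(q);
  var a = getDynamicAnswer();
  return a === undefined ? null : a;
}

// Constructed sample of the element text described in the deck
// (hint line plus question line, with stray trailing whitespace).
var sampleText = "Hint: apple is a pretty good choice for all the questions\n" +
                 "Question: What is your favorite Jobs job  ";
```

Calling answerFor(sampleText) yields "CEO"; the trailing spaces are removed by setSecurityQuestion before the lookup, which is why the trim in the Step #7 code matters even when the regex captures the right line.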
Quick edit for the setSecurityQuestion step
Code – element location
• TruClient by default will locate a text object by doing an exact match on
the text. For security questions, we want to locate the text object by
position instead. To do this we must change the ID Method from
"Automatic" to "XPath".
Quick edit for the setSecurityQuestion step
Code – element location
• Expand the drop down menu for "XPath:" and choose the second XPath
expression “/html/body/width” to find the question by its position.
– Verify this new entry in the browser by using the Highlight button
Connect the Question back to the Javascript Q&A code
Code – getDynamicAnswer
• We have now added to the macro our Q&A code and code to identify
the Question.
• Now to edit Step #9 so the Answer matches the Question…
Connect the Answer back to the Javascript Q&A code in Step #7
Code – getDynamicAnswer
• Open the JS Editor window for Step #9’s Argument and enter our
standard code:
– getDynamicAnswer()
Play the finished macro from the beginning
WMR final steps
Playback successful, select Logout Condition for WebInspect
WMR final steps
Wait, what are these again?
Logout Conditions
• A logout condition is an indicator for WebInspect to know when it has
gotten logged out while scanning
• Every Login Macro must have one or more logout conditions
– Whether or not it involved Challenge-Response questions
• Three Types of logout conditions
– Regular Expression – Supported for all three Web Macro Recorders
– Object – TruClient, UI event-based WMR only
– URL – TruClient, UI event-based WMR only
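The decision rule behind these conditions, as an added example that is not WebInspect code: a response is checked against every configured condition and any single hit marks the session as lost, so the login macro has to be replayed. The three condition types follow the list above; the Object type is approximated by a marker-string check on the body because there is no DOM in this simulation, and the URLs, response bodies and condition values are all constructed for the example.

```javascript
// Added example: logout-condition evaluation modelled on the three types
// named in the deck. Not WebInspect code. All values below are constructed.

// Responses as a scanner would see them after redirects (constructed).
var loggedInResponse = {
  url: "http://localhost/demo-app/home.php",
  body: "<html><body>Welcome back. <a href=\"logout.php\">Logout</a></body></html>"
};
var loggedOutResponse = {
  url: "http://localhost/demo-app/login.php",
  body: "<html><body><form><input name=\"username\">Please log in</form></body></html>"
};

// One condition of each type. "regex" runs over the body, "url" over the
// final URL, and "object" stands in for TruClient's element selector with a
// substring marker, since this simulation has no DOM to query.
var conditions = [
  { type: "regex",  pattern: /Please log in/i },
  { type: "url",    pattern: /\/login\.php(\?|$)/ },
  { type: "object", marker: 'name="username"' }
];

// A deliberately loose regex to show the failure mode: it fires on the
// logged-in page too (matches "Logout"), which would make the scanner
// re-run the login macro on every page.
var noisyCondition = { type: "regex", pattern: /log/i };

function matches(condition, response) {
  switch (condition.type) {
    case "regex":  return condition.pattern.test(response.body);
    case "url":    return condition.pattern.test(response.url);
    case "object": return response.body.indexOf(condition.marker) !== -1;
    default:       return false;
  }
}

// Any one condition firing means logged out. The list of fired types is
// returned as well so a noisy condition can be identified and tightened.
function isLoggedOut(response, conds) {
  var fired = conds.filter(function (c) { return matches(c, response); })
                   .map(function (c) { return c.type; });
  return { loggedOut: fired.length > 0, fired: fired };
}
```

Running isLoggedOut(loggedInResponse, conditions) reports no hit, while the logged-out response fires all three; the noisy /log/i pattern fires on the logged-in page, which is the practical reason to anchor a Regular Expression condition on text that only the login form shows.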
Browse to Logout, then click Select button – highlight element
WMR final steps
Review the Logout Condition – add more as needed
WMR final steps
Final Macro
WMR – custom Answers
Final Macro - closer
WMR – custom Answers
Final Macro – with Comments added from the Toolbox sidebar
WMR – custom Answers
Denouement
• Apologies for the length of this study. This technology is sufficiently new
that I wanted our customers to fully understand the steps.
– Future studies should be able to skip well-known steps.
• My thanks go to:
• Steve Hardeman for his JS coaching and internal training
• Jeremy Brooks for guidance in setting up this study and the optimal macro
• The HP Fortify Dev team for their tremendous work on this new WMR tool
Outcomes That Matter