The 3 Top Techniques for Web Security Testing Using a Proxy

Three Techniquesfor

Web Security TestingUsing a

ProxyPaco Hope, [email protected]

Twitter: @pacohope

About Me• Consultant 13 years

• Software security: code, design, risk• Financial, gaming, retail• Source code, architecture, security testing

• (ISC)² European Advisory Council• CISSP and CSSLP exam item author

• Author: 2 books + 1 chapter• OWASP Mobile Top Ten contributor• BS and MS in Computer Science• Passionate about software testers as an untapped

resource in software security

Goals• Understand the proxy

• HTTP and HTTPS• How to configure and run it

• Intercept some requests and modify them• Intercept some replies and modify them

Functional Testing vs. Security TestingTesting against the design/requirements is not enough:

Stories, Requirements,

Features, DesignActual

implementation

Missing features(found in functional testing)

Potential security vulnerabilities(not found in functional tests)

Boundary condition analysis (edge and corner cases) Security testers

must think “outside the box”

HTTPIN A NUTSHELL

Requests and Responses

GET / HTTP/1.1

Host: www.cigital.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-gb,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 10:24:38 GMT

Server: Apache

X-Powered-By: PHP/5.5.10

X-Pingback: http://www.cigital.com/xmlrpc.php

Link: <http://www.cigital.com/>; rel=shortlink

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

Content-Length: 27893

[HTML document]

Client¹ Sends Server Responds

¹ ”client” can be a browser, mobile device,or anything making HTTP requests

HTTP Requests GET /training/ HTTP/1.1

Host: www.cigital.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-gb,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.cigital.com/

Cookie: __utma=269626595.872944553.1402325345.1402909557.1404383087.3; [truncated...]

Connection: keep-alive

Structureo Method/path/protocol

versiono Headers

• User-agent and referrer may not always be there

• Browser includes all the cookies it has for the site to which it connects

HTTP/1.1 200 OK

Date: Thu, 20 Mar 2014 17:05:51 GMT

Server: Apache/1.2.34 (Debian)

X-Powered-By: PHP/1.2.3-4+deb7u7

X-Pingback: http://www.cigital.com/xmlrpc.php

Link: <http://www.cigital.com/?p=4370>; rel=shortlink

Vary: Accept-Encoding

Content-Type: text/html; charset=UTF-8

Set-Cookie: name=value

Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Connection: Keep-Alive

[HTML document]

Structure:• Headers first• Blank line• ContentResponse codes:• 200 OK• 404 Not Found

HTTP Responses

URL Encoding

http://example.com/test?url=http://www.cigital.com/ àhttp://example.com/test?url=http%3A%2F%2Fwww.cigital.com%2FImportant to consider when modifying requests in web security tests:

http://www.example.com/request.php?param1=abc+123&param2=A&B

param1 = param2 =

URL encoding is applied in HTTP messages to URL parameters and HTML form data.

“abc 123” “A”

RESTful Web Services

• Parameters are usually a part of the path:http://example.com/customers/1234

• HTTP methods used:

RESTful web services use HTTP in a slightly different way to normal web pages:

Method Resource collection Resource itemGET List items in collection Get representation of itemPUT Replace collection Update/replace itemPOST Create item in collection Create sub-item under current item

DELETE Delete entire collection Delete item

Resource collectionResource item

Cookies• Are sent back with all requests to the domain from

which they were set• Are stored by client (mobile phone, browser, etc.) and

used until they expire• Survive browser/computer/device restart

• Session cookies have no expiration and live as long as the browser process is running

Server response

HTTP/1.1 200 OK

…

Set-Cookie: session=id; secure; httpOnly

Set-Cookie: cookie2=persistent; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Subsequent client request

GET /index.html HTTP/1.1

…

Cookie: session=id; cookie2=persistent

Cookies

Detour into HTTPS (TLS/SSL)• Simply protects the channel from eavesdroppers• Modest authenticity check on web server• If the app is buggy/vulnerable, then TLS just makes

connections opaque• Example:

• 4 people in a coffee shoppe/at the office on the same wifi• One goes to a web site• What can the others see?

Standard HTTP

GET /office/document.html


HTTP

With HTTPS


VG9wIDMgV2ViIFNlY3VyaXR5IFRlc3Rpbmcg

HTTPS

Vulnerabilities and HTTPS

GET /vulnerable/thing

HTTP

GET /vulnerable/thing

HTTPS

PROXIES

HTTP Proxies

• Speed up Internet access• Filter undesirable or malicious

content• Prevent data leakage• Provide anonymity

Intermediaries between clients and servers and may be used for several good reasons:

HTTP Proxy TypesThree main types of HTTP proxies:

Forward proxy

Reverse proxy

Open proxy

What We’re Doing: Local Proxy

Your Browser

Proxy

The Network /Internet

Web Site to Test

Inside YourComputer / Laptop

Another Possibility

Your Browser

Proxy

The Network /Internet

Web Site to Test

Inside YourComputer / Laptop

MobileDevice

ROADMAP• INSTALL• CONFIGURE• PITFALLS• RUN

Installing• Two proxies worth considering

• ZAP (“Zed Attack Proxy”) from OWASP• 100% Free• https://www.owasp.org/index.php/OWASP_Zed_Atta

ck_Proxy_Project• Burp Suite: commercial• Free Version (lacks advanced security tools)• £239 / $349 / €329 per user per year• https://www.portswigger.net/

We’ll look at Burp today

BUILDING SECURITY IN

Demo 1WebGoat and Burp

Config

1. Start WebGoat

2. Start Burp3. Disable

Intercept4. Change

Burp Port5. Configure

Firefox6. Do a

couple requests

7. Examine them

• Most software uses your operating system proxy settings• You might not have rights

to change it• It’s a pain to test when

EVERYTHING YOU DO goes through the proxy

Why I Use Firefox for Proxy-Based Testing

• Lots of apps use port 8080• Tomcat•WebGoat• Specialist software

• Proxy (Burp/ZAP) is often easier to change

• Setting the OS proxy is disruptive

• Might need to set “upstream proxy” to use your corporate proxy

Other Possible Pitfalls

What Is Proxying Good For?• Bypassing client-side protections• Exploring client-side behaviour• Examining data in transit


Demo 2Intercept

and Tamper With a

Request

1. Improper Error Handling Lesson

2. Intercept the Login Request

3. Remove the Password Parameter


Demo 3Intercept

a Response

1. WebGoat AJAX -> XML

2. Load Lesson3. Turn on

Intercept4. Submit

Account Number

5. Intercept Request

6. Intercept Response

7. Edit Response8. Forward

Edited Response

CONCLUSIONS• INSTALL• CONFIGURE• PITFALLS• RUN

• This is way off the “happy path”

• Allows better coverage of errors, edge cases, etc.

• Bypasses client-side checks

The Value of A Proxy

• Manual testing• Can spend a lot of

time for few (spectac-ular) results

• May require deep insight into the app

Disadvantages

Resources in This WebinarResource URLBurp Suite https://portswigger.net/OWASP WebGoat https://github.com/WebGoatOWASP Zed Attack Proxy (ZAP)

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Firefox Web Browser https://mozilla.com/

The best time to plant an oak tree was twenty years ago.

The next best time is now.—Ancient Proverb

Paco Hope, CISSP, CSSLP

[email protected]: @pacohope