
WebInspect 9.20 Web Macro Recording with TruClient 2012


DESCRIPTION

This presentation goes through the steps to configure HP WebInspect 9.20 to make it handle challenge/response authentication schemes.

[Please note that this is HP-copyrighted content and we're just hosting it here for convenience. If we need to pull it down just email me: dan _at_ denimgroup dot com.

The original HP Security Laboratory blog post presenting the content is here:
http://h30499.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Challenge-Response-Authentication-No-Problem/ba-p/5644803

And the original PDF can be downloaded from HP here:
http://h30499.www3.hp.com/hpeb/attachments/hpeb/sws-22/589/1/WebInspect%209.20%20Web%20Macro%20Recording%20with%20TruClient%202012.pdf]


Page 1: WebInspect 9.20 Web Macro Recording with TruClient 2012

©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Technical study to show WebInspect capabilities

Hans Enders, HP Presales

May 1, 2012

DenimGroup Auth Example

Using TruClient in WebInspect 9.2

Page 2: WebInspect 9.20 Web Macro Recording with TruClient 2012

Background

• This document details how to use the new TruClient Web Macro Recorder (WMR) in WebInspect 9.20 against a simple Challenge-Response authentication app.

• This document is meant to demonstrate that WebInspect can manage these scenarios out-of-the-box, as well as to show the user the many advanced capabilities it offers to maintain session state.

• Since TruClient records user actions and not simple sessions, it includes the ability to handle advanced Q&A without needing changes to the application under test.

Page 3: WebInspect 9.20 Web Macro Recording with TruClient 2012

Background

• Vendor Challenge:

– http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html

• Discussion centered around this DenimGroup blog entry:

– http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html

• The sample app was provided by DenimGroup:

– https://github.com/denimgroup/authexamples

Page 4: WebInspect 9.20 Web Macro Recording with TruClient 2012


Agenda

• Overview & Configuration

• Demo app walk-through

• Macro for demo app

• Customized demo app

• Macro for customized app

• Finalizing the macro

Page 5: WebInspect 9.20 Web Macro Recording with TruClient 2012

Overview

• Auth example application provided by DenimGroup

– All Responses are "apple"

– The app is hosted on a local instance of XAMPP

• Initial recording

• Editing the example app for differing Answers: "apple", "CEO", "White"

Page 6: WebInspect 9.20 Web Macro Recording with TruClient 2012

https://github.com/denimgroup/authexamples

Demo app - Authexamples

• What - A simple Challenge-Response app in PHP, using a single answer for all questions.

• Description:

– This is a simple project that is intended to demonstrate a couple of different non-standard authentication scenarios for folks to train their scanners and scanner operators on. Currently based on a single scenario in PHP, we'd love to add more scenarios. Questions/comments/updates? Please contact dan _at_ denimgroup.com

Page 7: WebInspect 9.20 Web Macro Recording with TruClient 2012

http://www.apachefriends.org/en/xampp-windows.html

Demo app – posting to XAMPP

• What - A simple web server suite for Windows.

• OS used – Windows 7 64-bit

• Installed path: C:\Websites\xampp\

• XAMPP 1.7.7, including:

– Apache 2.2.21
– MySQL 5.5.16
– PHP 5.3.8
– phpMyAdmin 3.4.5
– FileZilla FTP Server 0.9.39
– Tomcat 7.0.21 (with mod_proxy_ajp as connector)

Page 8: WebInspect 9.20 Web Macro Recording with TruClient 2012


Demo app – posting to XAMPP

• Extracted AuthExample to the XAMPP htdocs folder:

– C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\
– URL: http://localhost/denimgroup-authexamples-5059b6f/index.php

Page 9: WebInspect 9.20 Web Macro Recording with TruClient 2012


Page 10: WebInspect 9.20 Web Macro Recording with TruClient 2012

Login screens

Demo app – normal walk through

Page 11: WebInspect 9.20 Web Macro Recording with TruClient 2012

C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php

Demo app – default Answers

• Answers are all set to "apple" inside login.php

// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'apple' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'apple' );

Page 12: WebInspect 9.20 Web Macro Recording with TruClient 2012

Challenge screens – all “apple”

Demo app – normal walk through

Page 13: WebInspect 9.20 Web Macro Recording with TruClient 2012

Login, browse, logout

Demo app – normal walk through

Page 14: WebInspect 9.20 Web Macro Recording with TruClient 2012


Page 15: WebInspect 9.20 Web Macro Recording with TruClient 2012

Web Macro Recorder for WebInspect 9.20

TruClient WMR

15 Enterprise Security – HP Confidential

• HP TruClient is the latest iteration of HP WebInspect's Web Macro Recorder tool (WMR).

• TruClient is an Event-based UI recorder.

• The two prior WMR tools are still present in WebInspect:

– Event-based WMR
– Session-based (Traffic-based) WMR

Page 16: WebInspect 9.20 Web Macro Recording with TruClient 2012

Raw recorded steps

WMR – simple recording


Page 17: WebInspect 9.20 Web Macro Recording with TruClient 2012

Playback successful

Notice that Step #8 is the Challenge-Response (Q&A) session.

WMR – simple recording


Page 18: WebInspect 9.20 Web Macro Recording with TruClient 2012

Once Playback is successful, browse to get logged out

WMR - simple recording


Page 19: WebInspect 9.20 Web Macro Recording with TruClient 2012

Once logged out, click Select button – highlight identifying element

WMR – simple recording


Page 20: WebInspect 9.20 Web Macro Recording with TruClient 2012

Review the Logout Condition

WMR – simple recording


Page 21: WebInspect 9.20 Web Macro Recording with TruClient 2012

Works out-of-the-box

WMR – simple recording is Done


Page 22: WebInspect 9.20 Web Macro Recording with TruClient 2012


Page 23: WebInspect 9.20 Web Macro Recording with TruClient 2012

C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php

Demo app – custom Answers

• Edited the answers to “apple”, “CEO”, and “White” inside login.php.

// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'CEO' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'White' );

Page 24: WebInspect 9.20 Web Macro Recording with TruClient 2012

Challenge screens – now different

Demo app – custom Answers

Page 25: WebInspect 9.20 Web Macro Recording with TruClient 2012


Page 26: WebInspect 9.20 Web Macro Recording with TruClient 2012

Initial recording. Press Stop, ignore the follow-up Play button, we will need some Q&A code added

WMR – custom Answers


Page 27: WebInspect 9.20 Web Macro Recording with TruClient 2012

Final Goal

WMR – custom Answers


• To manage dynamic Challenge-Response, the TruClient user will need to insert three new steps into the recorded steps.

1. Evaluate JavaScript code – Dynamic Security Questions
2. Evaluate JavaScript – setSecurityQuestion
3. Evaluate JavaScript – getDynamicAnswer

• For Q&A involving more than one field, each field will need its own pair of setSecurityQuestion and getDynamicAnswer steps, but all of them may share a single step for the Dynamic Security Questions.

Page 28: WebInspect 9.20 Web Macro Recording with TruClient 2012

Sneak peek - Final Goal

WMR – custom Answers


Page 29: WebInspect 9.20 Web Macro Recording with TruClient 2012

Insert new Step #7 – “Evaluate JavaScript” from Toolbox sidebar

WMR - custom Answers


Page 30: WebInspect 9.20 Web Macro Recording with TruClient 2012

Open the JavaScript Editor window

Code – Dynamic Security Question


• Expand the new JavaScript step > click on "[Code]" > expand "Arguments" > "JS" button

Page 31: WebInspect 9.20 Web Macro Recording with TruClient 2012

Sample code

Code – Dynamic Security Question


• Build your raw JS, or reuse the basic script framework shown below.

– Edit the questionAnswer lines to match your situation.
– Note that variable and function names created here must be kept the same elsewhere as we continue.

//dynamic security questions
// Lookup table: question text as shown on the page (after trimming) -> answer to type.
// An object literal is the idiomatic JS map; the deck's original used [] which works the same here.
var questionAnswer = {};
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";

// Holds the question shown on the current challenge screen (set by Step #8).
var currentQ;

// Strip leading and trailing whitespace so stray spaces in the page text
// do not defeat the exact-match lookup.
function setSecurityQuestion(q)
{
    currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}

// Returns the answer for the question recorded by setSecurityQuestion;
// used as the argument of the answer field step (Step #9).
function getDynamicAnswer()
{
    return questionAnswer[currentQ];
}

Page 32: WebInspect 9.20 Web Macro Recording with TruClient 2012

Sample code

Code – Dynamic Security Question


Page 33: WebInspect 9.20 Web Macro Recording with TruClient 2012

Sample code

Code – Dynamic Security Question


• The user simply pastes in this code sample, then edits the "questionAnswer" lines to match their situation.

– Update the question inside quotes
– Update the answer at the end, also in quotes

• Note that variable names used in this script will be used elsewhere, so the user must keep them the same.

Page 34: WebInspect 9.20 Web Macro Recording with TruClient 2012

Sample code

Code – Dynamic Security Question


• Here is what Step #7 has become.

Page 35: WebInspect 9.20 Web Macro Recording with TruClient 2012

Insert new Step #8 – “Evaluate JS on Object” from Toolbox sidebar

Code – setSecurityQuestion


Page 36: WebInspect 9.20 Web Macro Recording with TruClient 2012

Choose the Question object

Code – setSecurityQuestion


• Play this step alone, then highlight the JavaScript Object in the browser.

– Right-click the step, or highlight it and press F7
– The "!" icon simply indicates an error on Playback, offering details on mouseover.

Page 37: WebInspect 9.20 Web Macro Recording with TruClient 2012

Choose the Question object

Code – setSecurityQuestion


• For this example app, we cannot just select the Question text because the text is not contained within an element of its own (see green block below). Because of this we need to do some additional regular expression parsing. On most sites this step would not be necessary.

Page 38: WebInspect 9.20 Web Macro Recording with TruClient 2012

Identify the Question object

Code – setSecurityQuestion


• Sample of the raw text offered:

– Hint: apple is a pretty good choice for all the questions
– Question: What is your favorite fruit

• Used the included Regular Expression Editor tool to work up the regex:

– Question:\s(.*)

• Open the JavaScript Editor for this new step

Page 39: WebInspect 9.20 Web Macro Recording with TruClient 2012

Identify the Question object

Code – setSecurityQuestion


• Useful test code to verify the regex is working in JS:

– basic >> window.alert(object.textContent)
– This test app >> window.alert(object.textContent.match(/Question:\s(.*)/)[1])

• Play this Step to check the pop-up – does it match your desired Question text? Yes.

Page 40: WebInspect 9.20 Web Macro Recording with TruClient 2012

Identify the Question object

Code – setSecurityQuestion


• With the Alert pop-up verification, we are sure our regex works.

• Here is our regex inserted into our standard setSecurityQuestion code:

– setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])

• Paste this into the JS Editor window

– Recall that the function name "setSecurityQuestion" must match what we created for the Q&A code back in Step #7.
– If the regex does not match, match() returns null and the [1] index throws, so the step fails on Playback rather than passing an empty question along.

Page 41: WebInspect 9.20 Web Macro Recording with TruClient 2012

Quick edit for the setSecurityQuestion step

Code – element location


• TruClient by default will locate a text object by doing an exact match on the text. For security questions the text changes from one login to the next, so an exact-text match would only find the one question that was recorded; we want to locate the text object by position instead. To do this we must change the ID Method from "Automatic" to "XPath".

Page 42: WebInspect 9.20 Web Macro Recording with TruClient 2012

Quick edit for the setSecurityQuestion step

Code – element location


• Expand the drop-down menu for "XPath:" and choose the second XPath expression "/html/body/width" to find the question by its position.

– Verify this new entry in the browser by using the Highlight button

Page 43: WebInspect 9.20 Web Macro Recording with TruClient 2012

Connect the Question back to the Javascript Q&A code

Code – getDynamicAnswer


• We have now added to the macro our Q&A code and the code to identify the Question.

• Now to edit Step #9 so the Answer matches the Question…

Page 44: WebInspect 9.20 Web Macro Recording with TruClient 2012

Connect the Answer back to the Javascript Q&A code in Step #7

Code – getDynamicAnswer


• Open the JS Editor window for Step #9's Argument and enter our standard code:

– getDynamicAnswer()
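The three steps just described (the Step #7 Q&A table, the Step #8 setSecurityQuestion call fed by the /Question:\s(.*)/ extraction, and the Step #9 getDynamicAnswer() argument) rewritten as plain JavaScript so they can be exercised outside the macro recorder. This is an added example, not code from the HP deck or from the DenimGroup app; normaliseQuestion, extractQuestion, addAnswer, answerChallenge and fakeQuestionElement are names introduced here, and the element text is a constructed stand-in for the object.textContent that TruClient hands to an "Evaluate JS on Object" step. It goes slightly beyond the deck's script: keys are normalised rather than only trimmed, and an unknown question or a missing "Question:" label raises an error instead of silently returning undefined.

```javascript
// Added example, not from the HP deck: Steps #7, #8 and #9 of the macro as
// plain functions. normaliseQuestion, extractQuestion, addAnswer,
// answerChallenge and fakeQuestionElement are names introduced here.

// Step #7: question -> answer table. Keys are normalised (whitespace
// collapsed, trimmed, lower-cased) so that minor differences between the
// page text and the table do not break the lookup.
var questionAnswer = {};

function normaliseQuestion(q) {
  return String(q).replace(/\s+/g, " ").trim().toLowerCase();
}

function addAnswer(question, answer) {
  questionAnswer[normaliseQuestion(question)] = answer;
}

// Answers for the customised demo app (login.php edited to apple/CEO/White).
addAnswer("What is your favorite fruit", "apple");
addAnswer("What is your favorite Jobs job", "CEO");
addAnswer("What is your favorite Beatles record label", "White");

var currentQ = null;

// Step #8 helper: pull the question out of the element's raw text with the
// deck's regex /Question:\s(.*)/. Needed because the demo app does not wrap
// the question text in an element of its own. "." does not match a newline,
// so only the question line is captured.
function extractQuestion(rawText) {
  var m = String(rawText).match(/Question:\s(.*)/);
  if (!m) {
    throw new Error("No 'Question:' label in element text: " + JSON.stringify(rawText));
  }
  return m[1];
}

// Step #8: in TruClient this is called as
// setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1]).
function setSecurityQuestion(q) {
  currentQ = normaliseQuestion(q);
}

// Step #9: the argument of the answer field's step. Failing loudly is
// deliberate: a silent undefined would make the recorder type the literal
// string "undefined" into the field and the login would fail later, with
// no hint as to why.
function getDynamicAnswer() {
  if (currentQ === null) {
    throw new Error("setSecurityQuestion() has not been called for this screen");
  }
  if (!Object.prototype.hasOwnProperty.call(questionAnswer, currentQ)) {
    throw new Error("No answer configured for question: " + JSON.stringify(currentQ));
  }
  return questionAnswer[currentQ];
}

// Drives one challenge screen end to end and returns the text the macro
// would type into the answer field.
function answerChallenge(element) {
  setSecurityQuestion(extractQuestion(element.textContent));
  return getDynamicAnswer();
}

// Constructed stand-in for `object` in an "Evaluate JS on Object" step,
// carrying the text shown on the deck's "Identify the Question object" slide.
var fakeQuestionElement = {
  textContent: "Hint: apple is a pretty good choice for all the questions\n" +
               "Question: What is your favorite Jobs job\n"
};
```

Inside TruClient the three functions still live in Steps #7, #8 and #9 as the deck lays them out; the value of the stand-alone version is that a wrong regex or a mistyped question string fails here, where the error is visible, rather than as a silently failed login part-way through a scan.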

Page 45: WebInspect 9.20 Web Macro Recording with TruClient 2012


Page 46: WebInspect 9.20 Web Macro Recording with TruClient 2012

Play the finished macro from the beginning

WMR final steps


Page 47: WebInspect 9.20 Web Macro Recording with TruClient 2012

Playback successful, select Logout Condition for WebInspect

WMR final steps


Page 48: WebInspect 9.20 Web Macro Recording with TruClient 2012

Wait, what are these again?

Logout Conditions

• A logout condition is an indicator for WebInspect to know when it has gotten logged out while scanning

• Every Login Macro must have one or more logout conditions

– Whether or not it involved Challenge-Response questions

• Three Types of logout conditions

– Regular Expression – Supported for all three Web Macro Recorders
– Object – TruClient, UI event-based WMR only
– URL – TruClient, UI event-based WMR only
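An added example, not part of the HP deck, of how logout conditions behave once a scanner checks every response it receives against them. Only the Regular Expression and URL types are modelled, since the Object type needs the rendered page; the patterns, the home.php path and the response bodies are constructed for illustration (the demo app's real pages are not shown on the slides, only its login.php path is). It also shows a check the deck does not cover: validating the conditions against pages known to be authenticated, so that an over-broad pattern (one that matches the word "Logout" in a navigation link, say) does not make the scanner re-run the login macro on every request.

```javascript
// Added example, not from the HP deck: a model of scanner-side logout
// detection. Condition patterns, home.php and the response bodies below are
// constructed for illustration.

var logoutConditions = [
  // Regular Expression: the login form came back instead of an app page.
  { type: "regex", pattern: /<form[^>]*action="[^"]*login\.php"/i },
  // Regular Expression: an assumed session-expiry message from the app.
  { type: "regex", pattern: /session (has )?expired|please log in/i },
  // URL: any response that landed on the login page.
  { type: "url", pattern: /\/loginplusquestion\/login\.php(\?|$)/ }
];

// Returns the first matching condition, so the operator can see *which*
// indicator fired, or null if the response still looks authenticated.
function matchLogoutCondition(response, conditions) {
  for (var i = 0; i < conditions.length; i++) {
    var c = conditions[i];
    if (c.type !== "url" && c.type !== "regex") {
      throw new Error("unsupported condition type: " + c.type);
    }
    var subject = c.type === "url" ? response.url : response.body;
    if (c.pattern.test(subject)) {
      return c;
    }
  }
  return null;
}

function isLoggedOut(response, conditions) {
  return matchLogoutCondition(response, conditions) !== null;
}

// Check a practitioner should run before scanning: no page known to be
// authenticated may trigger any condition, otherwise the scanner treats
// every such page as a logout and re-runs the login macro each time.
// Returns the list of offending (url, pattern) pairs; empty means clean.
function validateConditions(conditions, knownGoodResponses) {
  var problems = [];
  for (var i = 0; i < knownGoodResponses.length; i++) {
    var hit = matchLogoutCondition(knownGoodResponses[i], conditions);
    if (hit) {
      problems.push({ url: knownGoodResponses[i].url, pattern: String(hit.pattern) });
    }
  }
  return problems;
}

// Constructed sample responses (not captures from the demo app).
var sampleResponses = {
  authenticated: {
    url: "http://localhost/denimgroup-authexamples-5059b6f/loginplusquestion/home.php",
    body: "<html><body><p>Welcome back.</p><a href=\"logout.php\">Logout</a></body></html>"
  },
  redirectedToLogin: {
    url: "http://localhost/denimgroup-authexamples-5059b6f/loginplusquestion/login.php?expired=1",
    body: "<html><body><form method=\"post\" action=\"login.php\">...</form></body></html>"
  },
  expiredMessage: {
    url: "http://localhost/denimgroup-authexamples-5059b6f/loginplusquestion/home.php",
    body: "<html><body><p>Your session has expired. Please log in again.</p></body></html>"
  }
};

// An over-broad condition of the kind validateConditions() is meant to catch:
// it matches the "Logout" link on every authenticated page.
var overBroadConditions = [ { type: "regex", pattern: /log/i } ];
```

Returning the matching condition rather than a bare boolean matters in practice: when a scan keeps re-logging in, the first question is which indicator is firing, and a true/false answer does not say.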

Page 49: WebInspect 9.20 Web Macro Recording with TruClient 2012

Browse to Logout, then click Select button – highlight element

WMR final steps


Page 50: WebInspect 9.20 Web Macro Recording with TruClient 2012

Review the Logout Condition – add more as needed

WMR final steps


Page 51: WebInspect 9.20 Web Macro Recording with TruClient 2012

Final Macro

WMR – custom Answers


Page 52: WebInspect 9.20 Web Macro Recording with TruClient 2012

Final Macro - closer

WMR – custom Answers


Page 53: WebInspect 9.20 Web Macro Recording with TruClient 2012

Final Macro – with Comments added from the Toolbox sidebar

WMR – custom Answers


Page 54: WebInspect 9.20 Web Macro Recording with TruClient 2012

Denouement


• Apologies for the length of this study. This technology is sufficiently new that I wanted our customers to fully understand the steps.

– Future studies should be able to skip well-known steps.

• My thanks go to:

– Steve Hardeman for his JS coaching and internal training
– Jeremy Brooks for guidance in setting up this study and the optimal macro
– The HP Fortify Dev team for their tremendous work on this new WMR tool

Page 55: WebInspect 9.20 Web Macro Recording with TruClient 2012

Outcomes That Matter
