This presentation goes through the steps to configure HP WebInspect 9.20 to make it handle challenge/response authentication schemes.
[Please note that this is HP-copyrighted content and we're just hosting it here for convenience. If we need to pull it down just email me: dan _at_ denimgroup dot com.
The original HP Security Laboratory blog post presenting the content is here:
http://h30499.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Challenge-Response-Authentication-No-Problem/ba-p/5644803
And the original PDF can be downloaded from HP here:
http://h30499.www3.hp.com/hpeb/attachments/hpeb/sws-22/589/1/WebInspect%209.20%20Web%20Macro%20Recording%20with%20TruClient%202012.pdf]
2. Background
• This document details how to use the WebInspect 9.20 new TruClient
Web Macro Recorder (WMR) against a simple Challenge-Response
authentication app.
• This document is meant to demonstrate that WebInspect can manage
these scenarios out-of-the-box as well as to show the user many
advanced capabilities it offers to maintain session state.
• Since TruClient records user actions and not simple sessions, it includes
the ability to handle advanced Q&A without needing changes to the
application under test.
3. Background
• Vendor Challenge:
• http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html
• Discussion centered around this DenimGroup blog entry:
• http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
• The sample app was provided by DenimGroup:
– https://github.com/denimgroup/authexamples
5. Overview
• Auth example application provided by DenimGroup
– All Responses are “apple”
– Hosting app to local instance of XAMPP
• Initial recording
• Editing the example app for differing Answers: “apple, CEO, White”
6. Demo app - Authexamples
https://github.com/denimgroup/authexamples
• What - A simple Challenge-Response app in PHP, using a single answer
for all questions.
• Description:
– This is a simple project that is intended to demonstrate a couple of different non-standard
authentication scenarios for folks to train their scanners and scanner operators on.
Currently based on a single scenario in PHP, we'd love to add more scenarios.
Questions/comments/updates? Please contact dan _at_ denimgroup.com
7. Demo app – posting to XAMPP
http://www.apachefriends.org/en/xampp-windows.html
• What - A simple web server suite for Windows.
• OS used – Windows 7 64-bit
• Installed path: C:\Websites\xampp
• XAMPP 1.7.7, including:
– Apache 2.2.21
– MySQL 5.5.16
– PHP 5.3.8
– phpMyAdmin 3.4.5
– FileZilla FTP Server 0.9.39
– Tomcat 7.0.21 (with mod_proxy_ajp as connector)
8. Demo app – posting to XAMPP
http://www.apachefriends.org/en/xampp-windows.html
• Extracted AuthExample to XAMPP htdocs folder:
– C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f
– URL: http://localhost/denimgroup-authexamples-5059b6f/index.php
11. Demo app – default Answers
C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
• Answers are all set to “apple” inside login.php
// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'apple' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'apple' );
12. Demo app – normal walk through
Challenge screens – all “apple”
13. Demo app – normal walk through
Login, browse, logout
15. TruClient WMR
Web Macro Recorder for WebInspect 9.20
• HP TruClient is the latest iteration of HP WebInspect’s Web Macro
Recorder tool (WMR).
• TruClient is an Event-based UI recorder.
• The two prior WMR tools are still present in WebInspect:
• Event-based WMR
• Session-based (Traffic-based) WMR.
15 Enterprise Security – HP Confidential
16. WMR – simple recording
Raw recorded steps
17. WMR – simple recording
Playback successful
Notice that Step #8 is the Challenge-Response (Q&A) session.
18. WMR - simple recording
Once Playback is successful, browse to get logged out
19. WMR – simple recording
Once logged out, click Select button – highlight identifying element
20. WMR – simple recording
Review the Logout Condition
21. WMR – simple recording is Done
Works out-of-the-box
23. Demo app – custom Answers
C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php
• Edited the answers to “apple”, “CEO”, and “White” inside login.php.
// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'CEO' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'White' );
24. Demo app – custom Answers
Challenge screens – now different
26. WMR – custom Answers
Initial recording. Press Stop, ignore the follow-up Play button, we will need
some Q&A code added
27. WMR – custom Answers
Final Goal
• To manage dynamic Challenge-Response, the TruClient user will need to
insert three new steps into the recorded steps.
1. Evaluate JavaScript code – Dynamic Security Questions
2. Evaluate JavaScript – setSecurityQuestion
3. Evaluate JavaScript - getDynamicAnswer
• For Q&A involving more than one field, each field will need its own pair
of setSecurityQuestion and getDynamicAnswer steps, but may be able to
all share a single step for the Dynamic Security Questions.
28. WMR – custom Answers
Sneak peek - Final Goal
29. WMR - custom Answers
Insert new Step #7 – “Evaluate JavaScript” from Toolbox sidebar
30. Code – Dynamic Security Question
Open the JavaScript Editor window
• Expand the new Javascript step > click on “[Code]” > expand
“Arguments” > “JS” button
31. Code – Dynamic Security Question
Sample code
• Build your own raw JS, or reuse the basic script framework shown below.
– Edit the questionAnswer lines to match your situation.
– Note that the variable and function names created here must be kept the same in the later steps.
// dynamic security questions: map each question text to its answer
var questionAnswer = [];
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";
// question currently shown on the page, set by the "Evaluate JS on Object" step
var currentQ;
function setSecurityQuestion(q)
{
// strip leading and trailing whitespace so the lookup key matches exactly
currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}
function getDynamicAnswer()
{
return questionAnswer[currentQ];
}
33. Code – Dynamic Security Question
Sample code
• User simply pastes in this code sample, then edits the “questionAnswer”
lines to match their situation.
• Update the question inside quotes
• Update the answer at the end, also in quotes
• Note that variable names used in this script will be used elsewhere, so
the user must keep them the same.
34. Code – Dynamic Security Question
Sample code
• Here is what Step #7 has become.
35. Code – setSecurityQuestion
Insert new Step #8 – “Evaluate JS on Object” from Toolbox sidebar
36. Code – setSecurityQuestion
Choose the Question object
• Play this step alone, then highlight the JavaScript Object in the browser.
– Right-click the step, or highlight it and press F7
– The “!” icon simply indicates an error on Playback; mouseover shows the details.
37. Code – setSecurityQuestion
Choose the Question object
• For this example app, we cannot just select the Question text because
the text is not contained within an element of its own (see green block
below). Because of this we need to do some additional regular
expression parsing. On most sites this step would not be necessary.
38. Code – setSecurityQuestion
Identify the Question object
• Sample of the raw text offered:
– Hint: apple is a pretty good choice for all the questions
– Question: What is your favorite fruit
• Used the included Regular Expression Editor tool to work up the regex:
– Question:\s(.*)
• Open the JavaScript Editor for this new step
39. Code – setSecurityQuestion
Identify the Question object
• Useful test code to verify the regex is working in JS:
– basic >> window.alert(object.textContent)
– This test app >> window.alert(object.textContent.match(/Question:\s(.*)/)[1])
• Play this Step to check pop-up – does it match your desired Question
text? yes
40. Code – setSecurityQuestion
Identify the Question object
• With the Alert pop-up verification, we are confident our regex works.
• Here is our regex inserted into our standard setSecurityQuestion code:
– setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])
• Paste this into the JS Editor window
– Recall that this function name “setSecurityQuestion” must match what we created for the Q&A code back in Step #7.
41. Code – element location
Quick edit for the setSecurityQuestion step
• TruClient by default will locate a text object by doing an exact match on
the text. For security questions, we want to locate the text object by
position instead. To do this we must change the ID Method from
"Automatic" to "XPath".
42. Code – element location
Quick edit for the setSecurityQuestion step
• Expand the drop down menu for "XPath:" and choose the second XPath
expression “/html/body/width” to find the question by its position.
– Verify this new entry in the browser by using the Highlight button
43. Code – getDynamicAnswer
Connect the Question back to the Javascript Q&A code
• We have now added to the macro our Q&A code and code to identify
the Question.
• Now to edit Step #9 so the Answer matches the Question…
44. Code – getDynamicAnswer
Connect the Answer back to the Javascript Q&A code in Step #7
• Open the JS Editor windows for Step #9’s Argument and enter in our
standard code:
– getDynamicAnswer()
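The three inserted steps (the Q&A table in Step #7, setSecurityQuestion fed by the regex in Step #8, and getDynamicAnswer in Step #9) can be checked outside WebInspect before pasting them into the macro. The following is an added example, not code from the HP deck or from TruClient; it simulates those steps in plain Node.js against a constructed copy of the element text shown on slide 38, and goes one step beyond the deck by normalizing whitespace and case in the question and by failing loudly (an exception) instead of typing `undefined` into the answer field when a question is not in the table. `extractQuestion`, `normalize`, `answerFor` and `SAMPLE_ELEMENT_TEXT` are names assumed here for the demonstration.

```javascript
// Added example: simulates the TruClient "Evaluate JavaScript" steps for the
// challenge/response login, so the lookup logic can be tested with plain Node.js.

// Step 7 equivalent: question -> answer table. Keys are stored normalized so that
// stray whitespace or case differences in the rendered question still match.
const questionAnswer = {
  "what is your favorite fruit": "apple",
  "what is your favorite jobs job": "CEO",
  "what is your favorite beatles record label": "White",
};

// Collapse runs of whitespace, trim the ends and lower-case the text.
function normalize(q) {
  return q.replace(/\s+/g, " ").trim().toLowerCase();
}

// Question currently shown on the page, set by the Step 8 equivalent.
let currentQ = null;

// Step 8 equivalent: in the macro this is called as
// setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])
function setSecurityQuestion(q) {
  currentQ = normalize(q);
}

// Pulls the question out of the raw element text (the "Hint: ... / Question: ..."
// block from slide 38). Throws so a missing match is visible during playback
// instead of silently passing undefined along.
function extractQuestion(textContent) {
  const m = textContent.match(/Question:\s*(.*)/);
  if (!m) {
    throw new Error("no 'Question:' line in element text: " + JSON.stringify(textContent));
  }
  return m[1];
}

// Step 9 equivalent: the value typed into the answer field.
function getDynamicAnswer() {
  const answer = questionAnswer[currentQ];
  if (answer === undefined) {
    throw new Error("no answer configured for question: " + JSON.stringify(currentQ));
  }
  return answer;
}

// Runs the Step 8 and Step 9 equivalents in order for one rendered element.
function answerFor(textContent) {
  setSecurityQuestion(extractQuestion(textContent));
  return getDynamicAnswer();
}

// Constructed sample of the element text the regex has to parse (assumption,
// modelled on the text quoted on slide 38; note the trailing whitespace).
const SAMPLE_ELEMENT_TEXT =
  "Hint: apple is a pretty good choice for all the questions\n" +
  "Question: What is your favorite Jobs job   ";

console.log(answerFor(SAMPLE_ELEMENT_TEXT)); // CEO
```

Keeping the function names `setSecurityQuestion` and `getDynamicAnswer` unchanged matters for the same reason the deck gives: Steps #8 and #9 call them by name, so renaming them in Step #7 breaks playback.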
46. WMR final steps
Play the finished macro from the beginning
47. WMR final steps
Playback successful, select Logout Condition for WebInspect
48. Logout Conditions
Wait, what are these again?
• A logout condition is an indicator for WebInspect to know when it has
gotten logged out while scanning
• Every Login Macro must have one or more logout conditions
• Whether or not it involved Challenge-Response questions
• Three Types of logout conditions
• Regular Expression - Supported for all three Web Macro Recorders
• Object - TruClient, UI event-based WMR only
• URL - TruClient, UI event-based WMR only
49. WMR final steps
Browse to Logout, then click Select button – highlight element
50. WMR final steps
Review the Logout Condition – add more as needed
51. WMR – custom Answers
Final Macro
52. WMR – custom Answers
Final Macro - closer
53. WMR – custom Answers
Final Macro – with Comments added from the Toolbox sidebar
54. Denouement
• Apologies for the length of this study. This technology is sufficiently new
that I wanted our customers to fully understand the steps.
– Future studies should be able to skip well-known steps.
• My thanks go to:
• Steve Hardeman for his JS coaching and internal training
• Jeremy Brooks for guidance in setting up this study and the optimal macro
• The HP Fortify Dev team for their tremendous work on this new WMR tool