WebInspect 9.20 Web Macro Recording with TruClient 2012

DenimGroup Auth Example

Using TruClient in WebInspect 9.2

Technical study to show WebInspect capabilities

Hans Enders, HP Presales
May 1, 2012

©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice

Background

• This document details how to use the WebInspect 9.20 new TruClient
Web Macro Recorder (WMR) against a simple Challenge-Response
authentication app.

• This document is meant to demonstrate that WebInspect can manage
these scenarios out-of-the-box as well as to show the user many
advanced capabilities it offers to maintain session state.

• Since TruClient records user actions and not simple sessions, it includes
the ability to handle advanced Q&A without needing changes to the
application under test.

Background

• Vendor Challenge:
• http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html

• Discussion centered around this DenimGroup blog entry:
• http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-
handling-complicated-logins-with-appscan-and-burp-suite.html

• The sample app was provided by DenimGroup:
– https://github.com/denimgroup/authexamples

Agenda:
Overview & Configuration

Demo app walk-through
Macro for demo app

Customized demo app
Macro for customized app
Finalizing the macro

©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice

Overview

• Auth example application provided by DenimGroup
– All Responses are “apple”
– Hosting app to local instance of XAMPP

• Initial recording

• Editing the example app for differing Answers: “apple, CEO, White”

Demo app - Authexamples
https://github.com/denimgroup/authexamples

• What - A simple Challenge-Response app in PHP, using a single answer
for all questions.

• Description:
– This is a simple project that is intended to demonstrate a couple of different non-standard
authentication scenarios for folks to train their scanners and scanner operators on.
Currently based on a single scenario in PHP, we'd love to add more scenarios.
Questions/comments/updates? Please contact dan _at_ denimgroup.com

Demo app – posting to XAMPP
http://www.apachefriends.org/en/xampp-windows.html

• What - A simple web server suite for Windows.
• OS used – Windows 7 64-bit
• Installed path: C:Websitesxampp

• XAMPP 1.7.7, including:
– Apache 2.2.21
– MySQL 5.5.16
– PHP 5.3.8
– phpMyAdmin 3.4.5
– FileZilla FTP Server 0.9.39
– Tomcat 7.0.21 (with mod_proxy_ajp as connector)

Demo app – posting to XAMPP
http://www.apachefriends.org/en/xampp-windows.html

• Extracted AuthExample to XAMPP htdocs folder:
– C:Websitesxampphtdocsdenimgroup-authexamples-5059b6f
– URL: http://localhost/denimgroup-authexamples-5059b6f/index.php

Demo app – normal walk through
Login screens

Demo app – default Answers
C:Websitesxampphtdocsdenimgroup-authexamples-
5059b6floginplusquestionlogin.php

• Answers are all set to “apple” inside login.php

// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit',
'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs
job', 'apple' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles
record label', 'apple' );

Challenge screens – all “apple”

Login, browse, logout

TruClient WMR
Web Macro Recorder for WebInspect 9.20

• HP TruClient is the latest iteration of HP WebInspect’s Web Macro
Recorder tool (WMR).

• TruClient is an Event-based UI recorder.

• The two prior WMR tools are still present in WebInspect:
• Event-based WMR
• Session-based (Traffic-based) WMR.

15 Enterprise Security – HP Confidential

WMR – simple recording
Raw recorded steps


Playback successful
Notice that Step #8 is the Challenge-Response (Q&A) session.


WMR - simple recording
Once Playback is successful, browse to get logged out

1

2

3

Once logged out, click Select button – highlight identifying element
1 2

3a

3b


Review the Logout Condition


WMR – simple recording is Done
Works out-of-the-box


Demo app – custom Answers
C:Websitesxampphtdocsdenimgroup-authexamples-
5059b6floginplusquestionlogin.php

• Edited the answers to “apple”, “CEO”, and “White” inside login.php.

// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit',
'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs
job', ‘CEO' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles
record label', ‘White' );

Demo app – custom Answers
Challenge screens – now different

WMR – custom Answers
Initial recording. Press Stop, ignore the follow-up Play button, we will need
some Q&A code added


Final Goal

• To manage dynamic Challenge-Response, the TruClient user will need to
insert three new steps into the recorded steps.

1. Evaluate JavaScript code – Dynamic Security Questions
2. Evaluate JavaScript – setSecurityQuestion
3. Evaluate JavaScript - getDynamicAnswer

• For Q&A involving more than one field, each field will need its own pair
of setSecurityQuestion and getDynamicAnswer steps, but may be able to
all share a single step for the Dynamic Security Questions.


Sneak peek - Final Goal


WMR - custom Answers
Insert new Step #7 – “Evaluate JavaScript” from Toolbox sidebar


Code – Dynamic Security Question
Open the JavaScript Editor window

• Expand the new Javascript step > click on “[Code]” > expand
“Arguments” > “JS” button


Sample code

• Build your raw JS, or steal this basic script framework shown below.
– Edit the questionAnswer lines to match your situation.
– Note that variable names created here must be kept the same elsewhere as we continue.

//dynamic security questions

var questionAnswer = [];
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";

var currentQ;
function setSecurityQuestion(q)
{
currentQ = q.replace(/^ss*/, '').replace(/ss*$/, '');
}

function getDynamicAnswer()
{
return questionAnswer[currentQ];
}


Sample code


Sample code

• User simply pastes in this code sample, then edits the “questionAnswer”
lines to match their situation.
• Update the question inside quotes
• Update the answer at the end, also in quotes

• Note that variable names used in this script will be used elsewhere, so
the user must keep them the same.


Sample code

• Here is what Step #7 has become.


Code – setSecurityQuestion
Insert new Step #8 – “Evaluate JS on Object” from Toolbox sidebar


Choose the Question object

• Play this step alone, then high-light the JavaScript Object in the browser.
– Right-click step, or high-light and press F7
– “!” icon simply indicates an error on Playback, offering details with mouseover.


Choose the Question object

• For this example app, we cannot just select the Question text because
the text is not contained within an element of its own (see green block
below). Because of this we need to do some additional regular
expression parsing. On most sites this step would not be necessary.


Identify the Question object

• Sample of the raw text offered:
– Hint: apple is a pretty good choice for all the questions
– Question: What is your favorite fruit
• Used included Regular Expression Editor tool to work up regex:
– Question:s(.*)

• Open the JavaScript Editor for this new step



• Useful test code to verify proper regex working in JS:
– basic >> window.alert(object.textContent)
– This test app >> window.alert(object.textContent.match(/Question:s(.*)/)[1])
• Play this Step to check pop-up – does it match your desired Question
text? yes



• With the Alert pop-up verification, we are secure our regex works.

• Here is our regex inserted into our standard setSecurityQuestion code:
– setSecurityQuestion(object.textContent.match(/Question:s(.*)/)[1])

• Paste this into the JS Editor window
– Recall that this variable name “setSecurityQuestion” must match what we created for the
Q&A code back in Step #7.


Code – element location
Quick edit for the setSecurityQuestion step

• TruClient by default will locate a text object by doing an exact match on
the text. For security questions, we want to locate the text object by
position instead. To do this we must change the ID Method from
"Automatic" to "XPath".


Code – element location
Quick edit for the setSecurityQuestion step

• Expand the drop down menu for "XPath:" and choose the second XPath
expression “/html/body/width” to find the question by its position.
– Verify this new entry in the browser by using the Highlight button


Code – getDynamicAnswer
Connect the Question back to the Javascript Q&A code

• We have now added to the macro our Q&A code and code to identify
the Question.
• Now to edit Step #9 so the Answer matches the Question…


Code – getDynamicAnswer
Connect the Answer back to the Javascript Q&A code in Step #7

• Open the JS Editor windows for Step #9’s Argument and enter in our
standard code:
– getDynamicAnswer()


WMR final steps
Play the finished macro from the beginning


WMR final steps
Playback successful, select Logout Condition for WebInspect


Logout Conditions
Wait, what are these again?

• A logout condition is an indicator for WebInspect to know when it has
gotten logged out while scanning

• Every Login Macro must have one or more logout conditions
• Whether or not it involved Challenge-Response questions

• Three Types of logout conditions
• Regular Expression - Supported for all three Web Macro Recorders
• Object - TruClient, UI event-based WMR only
• URL - TruClient, UI event-based WMR only

WMR final steps
Browse to Logout, then click Select button – highlight element
1 2

3a

3b


WMR final steps
Review the Logout Condition – add more as needed


Final Macro


Final Macro - closer


Final Macro – with Comments added from the Toolbox sidebar


Denouement

• Apologies for the length of this study. This technology is sufficiently new
that I wanted our customers to fully understand the steps.
– Future studies should be able to skip well-known steps.

• My thanks go to:

• Steve Hardeman for his JS coaching and internal training
• Jeremy Brooks for guidance in setting up this study and the optimal macro
• The HP Fortify Dev team for their tremendous work on this new WMR tool


Outcomes That Matter

Enterprise Security – HP Confidential
55

WebInspect 9.20 Web Macro Recording with TruClient 2012

Recomendados

Recomendados

Más contenido relacionado

Más de Denim Group

Más de Denim Group (20)

Último

Último (20)

WebInspect 9.20 Web Macro Recording with TruClient 2012