1. Augmented reality in your web proxy
Roberto Suggi Liverani - @malerisch
OWASP AppSec Research 2013, Hamburg
HackPra AllStars

2. Who am I?
- A guy who likes to find bugs
- Speaker at various cons/events: Hack in the Box, DefCON, EUSecWest, OWASP, HackPra
- OWASP New Zealand Chapter Founder
- Twitter: @malerisch
- Research blog: blog.malerisch.net

3. Outline
- Challenges / Solutions
- Introducing Burp CSJ / DEMOs
- Stories from the automation world
- Conclusions / Future plans

4. Traditional testing approach
[Diagram: Browser <-> Web Proxy <-> Web App]

5. The concept of proxy suite
[Diagram: Web Proxy Suite (Intruder, Spider, Scanner, Repeater) <-> Web App]

6. The problem is…
[Diagram: Web Proxy <-> Web App, versus Browser <-> Web App]
- Web proxies were originally designed to focus on server-side technology
- Client-side technology shift
- A web app is designed to be used by a browser

7. Combining technologies
- How can we get a browser close to a web proxy, or vice versa?
[Diagram: Browser Automation Framework <-> Web Proxy API]

8. So what do we achieve?
[Diagram: two Browser <-> Web Proxy <-> Web App chains, annotated with steps 1, 2, 3]

9. Browser automation options…
- Selenium
  - Browser automation framework
- Crawljax
  - Crawler for Ajax apps based on Selenium
- JUnit
  - Testing framework

10. Selenium Server
- Integrates Selenium RC
- Launches and kills browsers
- Interprets and runs Selenese commands
- Supports Grid and nodes
- Known as:
  - selenium-server-standalone
  - selenium-server

11. Selenium Client & WebDriver
- Based on the WebDriver wire protocol: RESTful + JSON
- Direct calls to the browser
- Multiple drivers available: Chrome, IE, Opera, Android, iPhone
- Known as selenium-java

12. Selenium IDE & JUnit
- Create/Repeat/Execute test case
- Firefox addon
- Export to JUnit WebDriver

13. Crawljax
- Based on Selenium WebDriver APIs
- State-flow interpretation of DOM states

14. Crawljax
Paper: Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes

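The "state-flow interpretation of DOM states" on slides 13 and 14 is the core idea that makes Crawljax useful inside a proxy. The following is an added illustration of that idea, written for this page; it is not Crawljax's or Burp CSJ's own code. Each distinct DOM (hashed with script bodies stripped) is a state, candidate elements are clicked, every unseen state is explored in turn, and backtracking replays the click path from the start URL, all through an intercepting proxy so that every click-triggered request ends up in the proxy history. It assumes the Selenium 2.x Java bindings, a local Firefox, a proxy on 127.0.0.1:8080, and a start URL passed as the first argument (the default host is a placeholder); the candidate selector, the depth and state limits, and the host-only scope rule are choices made for this example.

```java
// Added illustration of Crawljax's state-flow idea, not Crawljax's or Burp CSJ's code.
// Assumptions: Selenium 2.x Java bindings, Firefox, intercepting proxy on 127.0.0.1:8080,
// start URL as the first argument (the default below is a placeholder).
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebDriverException;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

public class DomStateCrawl {
    private static final int MAX_STATES = 50; // stop after this many distinct DOM states
    private static final int MAX_DEPTH = 4;   // longest click path to explore

    public static void main(String[] args) throws Exception {
        String startUrl = args.length > 0 ? args[0] : "http://app.example.test/"; // placeholder
        WebDriver driver = proxiedFirefox("127.0.0.1:8080");
        try {
            crawl(driver, startUrl);
        } finally {
            driver.quit();
        }
    }

    // Route the browser through the intercepting proxy so every request the crawl
    // triggers, XHRs fired by JavaScript included, lands in the proxy history.
    static WebDriver proxiedFirefox(String hostPort) {
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(hostPort).setSslProxy(hostPort);
        DesiredCapabilities caps = DesiredCapabilities.firefox();
        caps.setCapability(CapabilityType.PROXY, proxy);
        return new FirefoxDriver(caps);
    }

    // A state is the SHA-256 of the DOM with <script> bodies removed, so inline
    // script noise does not create spurious states.
    static String stateId(String dom) throws Exception {
        String normalized = dom.replaceAll("(?s)<script.*?</script>", "");
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(normalized.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Stay on the start host: a crude stand-in for Crawljax's crawl exclusion list.
    static boolean inScope(String startUrl, String current) throws Exception {
        return new URL(startUrl).getHost().equalsIgnoreCase(new URL(current).getHost());
    }

    static List<WebElement> candidates(WebDriver driver) {
        return driver.findElements(By.cssSelector("a, button, input[type='submit']"));
    }

    // Reload the start URL and replay a click path (candidate index at each step);
    // returns the candidate elements of the state reached.
    static List<WebElement> replay(WebDriver driver, String startUrl, List<Integer> path) {
        driver.get(startUrl);
        for (int idx : path) {
            List<WebElement> elems = candidates(driver);
            if (idx >= elems.size()) break;
            elems.get(idx).click();
        }
        return candidates(driver);
    }

    static void crawl(WebDriver driver, String startUrl) throws Exception {
        Set<String> seen = new HashSet<String>();
        Deque<List<Integer>> work = new ArrayDeque<List<Integer>>();
        driver.get(startUrl);
        seen.add(stateId(driver.getPageSource()));
        work.push(new ArrayList<Integer>()); // empty path = the start state
        while (!work.isEmpty() && seen.size() < MAX_STATES) {
            List<Integer> path = work.pop();
            if (path.size() >= MAX_DEPTH) continue;
            int count = replay(driver, startUrl, path).size();
            for (int i = 0; i < count; i++) {
                List<WebElement> elems = replay(driver, startUrl, path); // backtrack
                if (i >= elems.size()) break;
                try {
                    elems.get(i).click();
                } catch (WebDriverException e) {
                    continue; // hidden or stale element, skip it
                }
                if (!inScope(startUrl, driver.getCurrentUrl())) continue;
                String id = stateId(driver.getPageSource());
                if (seen.add(id)) {
                    List<Integer> next = new ArrayList<Integer>(path);
                    next.add(i);
                    work.push(next);
                    System.out.println("new state " + id.substring(0, 12)
                            + " via clicks " + next + " at " + driver.getCurrentUrl());
                }
            }
        }
        System.out.println("distinct DOM states found: " + seen.size());
    }
}
```

Replaying the click path from the start URL before every candidate is slow, but it is what keeps the crawl deterministic when a click changes the DOM; a real crawler (Crawljax included) adds smarter state comparison and per-element exclusion rules on top of the same loop.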
15. Web proxy options…
- Burp Extender API
  - Java/Python/Ruby
  - Scanner, Proxy, Repeater, Cookie, Target, Session handling, HTTP requests/responses
- ZAP API
  - RESTful interface
  - Spider, core, params, ascan, context, auth, acsrf, autoupdate, pscan

16. Crawljax - Pros
- Why integrate Crawljax?
  - Augmented reality in your proxy
  - Increased coverage for complex web apps
  - Scalability with big/dynamic apps
- Integrated in ZAP as the Ajax Spider (@GuifreRuiz - very cool work!)

17. JUnit - Pros
- Why use JUnit?
  - Increases the chances of discovering hard-to-find bugs
  - Easily create a repeatable sequence of steps
  - Reuse existing JUnit test cases
  - Leverage Burp session handling/macros

18. So how to combine all this?
- Created a Burp extension (Burp CSJ)
  - Integrates Crawljax
  - Integrates JUnit test cases created via Selenium IDE
- Source: https://github.com/malerisch/burp-csj
- Coded in Java using Google, Stack Overflow, a mix of guessing, luck and a lot of swearing…

19. How it works…
[Diagram: Browser <-> Burp CSJ <-> Web App; Burp CSJ components: Crawljax, Selenium IDE, Selenium WebDriver, JUnit, JDK]

20. Crawljax integration
- Key features
  - Support for the Burp cookie jar
  - Support for multiple browsers, including remote WebDriver
  - Support for multiple HTML elements
  - Exclusion list for crawling
  - Support for the CrawlOverview plugin

21. Crawljax Tab (1/3)

22. Crawljax Tab (2/3)

23. Crawljax Tab (3/3)

24. DEMO
- Crawling a site with auth
- Crawling a site with auth + remote WebDriver

25. JUnit integration
- Key features
  - Import compiled Selenium IDE JUnit test cases
  - Register a test case into Burp session handling
  - The test case can be invoked in the Macro editor
  - Interface to execute JUnit test cases

26. JUnit Tab

27. DEMO
- Launching a JUnit test case via Burp Proxy
- Registering a JUnit test case via Burp and setting a macro

28. Burp CSJ tips
- Crawl first with Burp Spider + Crawljax, then scan/attack the application
- Create JUnit test cases for sequences which take a long time to repeat
- Set a Burp macro to use the JUnit test case
- When using JUnit with Burp CSJ, set the Cookie: header with Burp

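Slides 25 and 28 describe the JUnit side of Burp CSJ: a Selenium IDE export that replays a long sequence (here a two-step login) through Burp, so the sequence can be registered in Burp's session handling and the resulting session cookie is then set by Burp. Below is an added example in the shape Selenium IDE exports (JUnit 4 + WebDriver), written for this page and not taken from Burp CSJ or the deck. It assumes selenium-java 2.x and JUnit 4 on the classpath, Burp listening on 127.0.0.1:8080, and placeholder element ids (username, password, memorable), cookie name (SESSIONID) and URLs, all overridable through system properties. The final assertion is a defensive check added here: the session id seen before login must not survive authentication.

```java
// Added example (Selenium IDE JUnit 4 export style), not Burp CSJ's own code.
// Assumptions: selenium-java 2.x + JUnit 4, Burp on 127.0.0.1:8080, placeholder
// ids, cookie name and URLs (override with -Dtarget.base=... etc.).
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.util.concurrent.TimeUnit;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.Cookie;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

public class LoginSequenceTest {
    private WebDriver driver;
    // All of these are placeholders for the example; pass real values as system properties.
    private final String baseUrl = System.getProperty("target.base", "http://app.example.test/");
    private final String user = System.getProperty("target.user", "tester");
    private final String pass = System.getProperty("target.pass", "change-me");
    private final String word = System.getProperty("target.memorable", "placeholder");
    private final String sessionCookie = System.getProperty("target.cookie", "SESSIONID");

    @Before
    public void setUp() {
        // Send the browser through Burp so every step of the sequence is recorded
        // and the cookie Burp's session handling rule needs ends up in its cookie jar.
        String burp = "127.0.0.1:8080";
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(burp).setSslProxy(burp);
        DesiredCapabilities caps = DesiredCapabilities.firefox();
        caps.setCapability(CapabilityType.PROXY, proxy);
        driver = new FirefoxDriver(caps);
        driver.manage().timeouts().implicitlyWait(5, TimeUnit.SECONDS);
    }

    @Test
    public void loginSequenceReachesDashboard() {
        // Step 1: credentials form
        driver.get(baseUrl + "login");
        Cookie before = driver.manage().getCookieNamed(sessionCookie); // may be null
        driver.findElement(By.id("username")).clear();
        driver.findElement(By.id("username")).sendKeys(user);
        driver.findElement(By.id("password")).clear();
        driver.findElement(By.id("password")).sendKeys(pass);
        driver.findElement(By.cssSelector("button[type='submit']")).click();

        // Step 2: second page asking for a memorable word, served after step 1
        driver.findElement(By.id("memorable")).clear();
        driver.findElement(By.id("memorable")).sendKeys(word);
        driver.findElement(By.cssSelector("button[type='submit']")).click();

        // The sequence ends where a logged-in user lands
        assertTrue("unexpected URL " + driver.getCurrentUrl(),
                driver.getCurrentUrl().startsWith(baseUrl + "dashboard"));

        // The browser now holds the session issued through Burp
        Cookie after = driver.manage().getCookieNamed(sessionCookie);
        assertNotNull("no session cookie after login", after);

        // Defensive check: a pre-login session id must not survive authentication
        if (before != null) {
            assertFalse("session id unchanged across login (fixation risk)",
                    before.getValue().equals(after.getValue()));
        }
    }

    @After
    public void tearDown() {
        driver.quit();
    }
}
```

Compile the class against the same selenium-java and JUnit jars, then import the compiled test case and register it in Burp's session handling as the deck describes; the rule that runs it should be the one that updates the Cookie: header, so the eight-step and three-step sequences from the banking story later in the deck only ever have to be typed once.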
29. Stories from the automation world…

30. base64 and command injection
- Crawljax clicked through some pages containing base64-encoded data
- A scan had been run before
- The content of some of those pages was decoded
- Traces of ping command output were found
- An indirect OS command injection was found!

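The story above turned on decoding base64 blobs that the crawl surfaced and noticing ping output inside them. As an added example, not Burp CSJ's code and not part of the deck, here is a small Burp extension that makes that step systematic: for every response passing through Burp it finds base64-looking runs, decodes them, and highlights the message when the decoded text contains markers of ping output, so the analyst is pointed at the response rather than finding it by hand. It assumes the Burp Extender API interfaces on the classpath and Java 8 or later; the marker list, the 24-character minimum run length and the 90% printable threshold are choices made for this example, and the URL-safe base64 alphabet is deliberately not handled.

```java
// Added example, not Burp CSJ's code: a Burp HTTP listener that decodes base64
// runs in responses and flags ones that look like leaked ping output.
// Assumptions: Burp Extender API on the classpath, Java 8+; thresholds are choices.
package burp;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final Pattern B64 = Pattern.compile("[A-Za-z0-9+/]{24,}={0,2}");
    private static final String[] PING_MARKERS = {
        "bytes from", "icmp_seq", "ttl=", "reply from", "packets transmitted" };

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("base64 command-output spotter (example)");
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse msg) {
        if (isRequest || msg.getResponse() == null) return;
        byte[] resp = msg.getResponse();
        int bodyOffset = helpers.analyzeResponse(resp).getBodyOffset();
        String body = helpers.bytesToString(resp).substring(bodyOffset);
        String hit = findCommandOutput(body);
        if (hit != null) {
            String url = helpers.analyzeRequest(msg).getUrl().toString();
            msg.setHighlight("red");
            msg.setComment("base64 blob decodes to possible command output: " + hit);
            callbacks.printOutput(url + " -> " + hit);
        }
    }

    // Returns an excerpt of the first decoded blob that contains a ping marker, else null.
    static String findCommandOutput(String body) {
        Matcher m = B64.matcher(body);
        while (m.find()) {
            String run = m.group();
            // Unpadded runs must be a multiple of 4 chars; drop a trailing partial group.
            if (!run.endsWith("=")) run = run.substring(0, run.length() - run.length() % 4);
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(run), StandardCharsets.ISO_8859_1);
            } catch (IllegalArgumentException e) {
                continue; // not valid base64 after all
            }
            if (!mostlyPrintable(decoded)) continue; // binary payload such as an inline image
            String lower = decoded.toLowerCase();
            for (String marker : PING_MARKERS) {
                if (lower.contains(marker)) {
                    String excerpt = decoded.substring(0, Math.min(80, decoded.length()));
                    return excerpt.replaceAll("\\s+", " ").trim();
                }
            }
        }
        return null;
    }

    static boolean mostlyPrintable(String s) {
        if (s.isEmpty()) return false;
        int printable = 0;
        for (char c : s.toCharArray()) {
            if (c == '\n' || c == '\r' || c == '\t' || (c >= 0x20 && c < 0x7f)) printable++;
        }
        return printable * 10 >= s.length() * 9; // at least 90% printable
    }

    // Stand-alone check on a constructed sample (not output from any real target).
    public static void main(String[] args) {
        String sample = Base64.getEncoder().encodeToString(
            "64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.12 ms".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(findCommandOutput("<div data-state=\"" + sample + "\"></div>"));
    }
}
```

Because the listener sees every tool's traffic, running it while Crawljax drives the browser through Burp covers exactly the pages the story mentions; the marker list is easy to extend with other command-output signatures once you know what the target's back end runs.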
31. jQuery, toggle() and XSS
- Complex app using jQuery
- Lots of clickable elements which would invoke toggle()
- Crawljax clicked the element
- New page added to Burp Target
- Page vulnerable to XSS

32. A nice deal…
- Internet banking web app
- Create a new payee (8 steps)
- Perform money transfer (3 steps)
- E.g. transfer 10000 JPY (≈ 76 EUR)
- Attack: change the currency but keep the same amount
- 10k JPY deducted -> 10k EUR sent to the other side!

33. A nice shopping cart!
- Vulnerable shopping cart
- A special product item would decrease the amount
- A sequence of steps had to be performed before
- JUnit test cases made the difference

34. Burp CSJ future
- Expand Crawljax integration
  - Support plugin import feature
- Expand JUnit integration
  - Compile from Java source directly…
  - Also change the browser set in the JUnit test case…
  - Support for the Burp cookie jar

35. Conclusions
- Combining automation is a different type of testing
- Time for preparation is needed
- Not ideal for testers looking for quick wins
- ROI is always in bug discovery
  - … especially bugs with critical severity

36. Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
- Source code: https://github.com/malerisch/burp-csj
- Tutorial: soon on blog.malerisch.net

37. References
- Blog – Roberto Suggi Liverani: http://blog.malerisch.net/
- Twitter account - @malerisch: https://twitter.com/malerisch
- Crawling AJAX-Based Web Applications through Dynamic Analysis of User Interface State Changes: http://www.ece.ubc.ca/~amesbah/docs/tweb-final.pdf

38. References
- Crawljax: http://crawljax.com/
- Selenium: http://docs.seleniumhq.org/
- JUnit: http://junit.org/

39. References
- Burp Extender API: http://portswigger.net/burp/extender/api/index.html
- ZAP API: https://code.google.com/p/zaproxy/wiki/ApiDetails
- Ajax spider in ZAP: https://code.google.com/p/zaproxy/wiki/GSoC2012_PluginACT
