AppSec2005DC-Rogan_Dawes-WebScarab

Advanced WebScarab
OWASP AppSec DC, October 2005
Rogan Dawes, WebScarab project lead
Senior Consultant, Deloitte South Africa
rdawes@deloitte.co.za
+27 82 784 9498
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org/
Who am I?
Day job
Senior Consultant, Deloitte South Africa, ERS
- Security Assessments
- Security Consulting
Night job
Self-taught Java programmer
- Exodus
- WebScarab
OWASP AppSec DC 2005
2
What is WebScarab?
A tool for anyone involved with HTTP-based applications (e.g. web applications)
Key features
Full visibility into the HTTP protocol
Also supports HTTPS (incl client certs)
Persistent audit trail can easily be reviewed
Primary uses
Security analysis
Application debugging
What does WebScarab do?
Allows user to view HTTP(S) conversations
between browser and server
Allows user to review those conversations
Allows user to intercept and modify on the fly
Allows user to replay previous requests
Allows user to script conversations with full access to the request and response object models
And much more!
Obtaining WebScarab
Hosted on Sourceforge
https://sourceforge.net/projects/owasp
Various package formats
webscarab-installer-<date>.jar
webscarab-selfcontained-<date>.jar
webscarab-src-<date>.jar
Windows IE Integration library
W32WinInet.dll
JavaHelp support
Setting up the environment
Upstream Proxies
Internet Explorer integration - “Get IE settings”
Exclusion list uses IE format
Certificates
PKCS#12 format files
Store password and key password usually identical
Server cert loaded from the .jar
MS CAPI integration coming (IE cert store)
Settings saved in properties file
${user.home}/WebScarab.properties
Useful Tools
Shared Cookies
List of cookies seen by various plugins
Maintains history of previous cookies
Can add and delete cookies
Can be used by Manual Request and Spider plugins
Transcoder
URL {en,de}code
BASE64 {en,de}code
Hashing
Conversation viewer
Remembers size and placement
Splitpanes allow resizing Request / Response
Different “editors” for various Content-Type
Hex
Text
Image
HTML
XML
URL Encoded
Multi-part
Configuring Proxy Listeners
Listens on 127.0.0.1:8008 by default
Supports multiple listeners if required
“Uses plugins” optional
Internet Explorer Integration
Primary listener hijacks IE proxy settings on startup
Reverse proxy support
For hard-coded applications
Cannot be primary!
Network simulators
Latency and bandwidth
Manual Request
Creating from scratch
Based on previous request via drop-down
Automatic Content-Length adjustment
Only if the header already exists
Change to the “Raw” tab to get new editors
Checks Content-Type header
“Get Cookies” updates from “Shared Cookies”
“Update CookieJar” adds to “Shared Cookies”
Session ID Analysis
Quickly collect a large sample of cookies
Convert String to a (BIG) number
Default Calculator – per position character set
Various calculation algorithms possible
Changing calculators requires recompilation
Table shows calculations and differences
Graph allows visual identification of patterns
Session ID Analysis continued
Based on previous request from drop-down
Manual editing if necessary (e.g. HEAD vs GET)
Choose location of Session ID, and Name
Regex describes substring to extract
Default regex is (.*)
“Test” to see what is extracted
Specify number of samples
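The two Session ID Analysis slides above describe the pipeline in words: extract the session ID from each sampled response with a regex, convert each string to a big number using a per-position character set, then tabulate the values and the differences between consecutive samples. The following is an added example written for this page, not WebScarab's own calculator code. The Set-Cookie headers are constructed, and the mixed-radix mapping (each position's radix is the number of distinct characters seen at that position) is this example's reading of "per position character set", not a description of the plugin's exact arithmetic.

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Per-position character-set calculator, as an illustration of the slides' default calculator. */
public class SessionIdAnalysis {

    // Constructed sample Set-Cookie headers standing in for the collected responses;
    // not real WebGoat output.
    static final String[] SAMPLE_HEADERS = {
        "JSESSIONID=A1B2C3; Path=/",
        "JSESSIONID=A1B2C4; Path=/",
        "JSESSIONID=A1B2D0; Path=/",
        "JSESSIONID=A1B2D9; Path=/",
    };

    // The slides' default extraction regex is "(.*)"; this one narrows the capture
    // group to the cookie value, which is the usual first adjustment.
    static final Pattern EXTRACT = Pattern.compile("JSESSIONID=([^;]+)");

    /** Pull the session ID (first capture group) out of each header. */
    static List<String> extract(String[] headers) {
        List<String> ids = new ArrayList<>();
        for (String h : headers) {
            Matcher m = EXTRACT.matcher(h);
            if (m.find()) ids.add(m.group(1));
        }
        return ids;
    }

    /** For each position, the sorted set of characters observed across the whole sample. */
    static List<TreeSet<Character>> charsets(List<String> ids) {
        if (ids.isEmpty()) throw new IllegalArgumentException("no session IDs extracted");
        int len = ids.get(0).length();
        List<TreeSet<Character>> sets = new ArrayList<>();
        for (int i = 0; i < len; i++) sets.add(new TreeSet<>());
        for (String id : ids) {
            if (id.length() != len) throw new IllegalArgumentException("variable-length id: " + id);
            for (int i = 0; i < len; i++) sets.get(i).add(id.charAt(i));
        }
        return sets;
    }

    /**
     * Mixed-radix conversion: each position contributes its index within that
     * position's sorted character set, weighted by the radices to its right.
     * Positions that never change have radix 1 and contribute nothing, so the
     * resulting number reflects only the parts of the ID that actually vary.
     */
    static BigInteger toNumber(String id, List<TreeSet<Character>> sets) {
        BigInteger value = BigInteger.ZERO;
        for (int i = 0; i < id.length(); i++) {
            TreeSet<Character> set = sets.get(i);
            int digit = set.headSet(id.charAt(i)).size(); // index of this char in the sorted set
            value = value.multiply(BigInteger.valueOf(set.size())).add(BigInteger.valueOf(digit));
        }
        return value;
    }

    /** Print the table the plugin shows: ID, numeric value, difference from the previous sample. */
    public static void main(String[] args) {
        List<String> ids = extract(SAMPLE_HEADERS);
        List<TreeSet<Character>> sets = charsets(ids);
        BigInteger prev = null;
        for (String id : ids) {
            BigInteger n = toNumber(id, sets);
            String diff = prev == null ? "-" : n.subtract(prev).toString();
            System.out.println(id + "  value=" + n + "  diff=" + diff);
            prev = n;
        }
    }
}
```

Small, regular differences between consecutive values are what the graph makes visible; with a sample this tiny the numbers only show the mechanics, which is why the slides stress collecting a large sample first.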
Demonstration
Collecting and graphing session IDs from WebGoat
Scripting support
Proxy beanshell
// Imports assume WebScarab's package layout: model classes in
// org.owasp.webscarab.model, the client interface in org.owasp.webscarab.httpclient.
import java.io.IOException;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // your request modifications here
    Response response = nextPlugin.fetchResponse(request); // hand the request down the plugin chain
    // your response modifications here
    return response;
}
Tools -> Script Manager
Plugins export hooks
- Framework hook
- Proxy hooks
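As a concrete use of the proxy hook above, here is an added example (not from the slides and not shipped with WebScarab) of a BeanShell script that watches responses as they pass through the proxy and flags any Set-Cookie header that lacks the Secure or HttpOnly attribute. The package names and the getHeader() and getURL() accessors on Response and Request are assumptions about the WebScarab API; only fetchResponse() and the HTTPClient/Request/Response types appear on the slides. Generics and enhanced for loops are avoided so the script stays within BeanShell syntax.

```java
// Added example: proxy BeanShell hook that reports cookies set without
// Secure / HttpOnly. Loaded via Tools -> Script Manager (assumed workflow).
import java.io.IOException;
import org.owasp.webscarab.httpclient.HTTPClient;   // assumed package
import org.owasp.webscarab.model.Request;          // assumed package
import org.owasp.webscarab.model.Response;         // assumed package

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // No request modifications: this script only inspects responses.
    Response response = nextPlugin.fetchResponse(request);

    // Assumed accessor: first header with this name, or null if absent.
    // Note: a response with several Set-Cookie headers would need getHeaders()-style
    // access to check each one; this example looks only at the first.
    String cookie = response.getHeader("Set-Cookie");
    if (cookie != null) {
        boolean secure = false;
        boolean httpOnly = false;
        // parts[0] is name=value; the rest are attributes such as Path, Secure, HttpOnly.
        String[] parts = cookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase();
            if (attr.equals("secure")) secure = true;
            if (attr.equals("httponly")) httpOnly = true;
        }
        if (!secure || !httpOnly) {
            // request.getURL() is an assumed accessor; its toString() gives the full URL.
            System.err.println("[cookie-check] " + request.getURL()
                + " sets a cookie without" + (secure ? "" : " Secure")
                + (httpOnly ? "" : " HttpOnly") + ": " + parts[0].trim());
        }
    }
    return response;
}
```

Because the hook sits in the proxy chain, the check runs on every conversation the browser drives, without any replaying, and the log line carries the cookie name rather than its value so the audit trail does not duplicate session tokens.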
Scripting support continued
Scripted Plugin
Multiple language support via BSF
- BeanShell (tested)
- Javascript, Jython, Groovy, etc. (untested)
Documentation in the source code
- ScriptedObjectModel.java
Most useful methods
public Request getRequest(int id)
public Response fetchResponse(Request request)
public ConversationID addConversation(Response response)
public void submitAsyncRequest(Request request)
public Response getAsyncResponse()
Demonstration
Brute forcing a session ID
New plugins
Fuzzer
Search
Compare
Web Services
Fuzzer
Specify the method, URL and Version
Add any additional headers
Specify the parameters
Location (Path, Fragment, Query, Cookie, Body)
Name
Type (only String)
Value (used if not fuzzing this parameter)
Priority (controls the permutation algorithm)
Fuzz Source (a named list of fuzz strings)
GO!
Creating fuzz sources
Description
File name and location
Internal interface also supports programmatic generation of strings (e.g. length related), but this requires some coding
Fuzzer is extremely stupid
Only stops on errors (400 or exception)
Just hit Start again if it stops
Demonstration
Fuzzing for SQL injection errors
Search plugin
How do we find interesting results then?
Search plugin performs arbitrary matches
against conversations
Description
Search expression
E.g:
new String(response.getContent()).matches("(?is).*(error|exception).*")
(?is) matches multi-line, case-insensitive
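The search expression on this slide relies on a detail of Java's String.matches() that is easy to miss: matches() succeeds only if the pattern covers the entire body, which is why the expression needs the leading and trailing .* and the (?s) flag, and why dropping (?s) silently stops it matching any multi-line body. The following is an added example for this page, not code from the Search plugin; the three response bodies are constructed.

```java
import java.util.regex.Pattern;

/** Shows what the slide's Search expression does and why its flags matter. */
public class SearchExpression {

    // Constructed sample response bodies standing in for response.getContent().
    static final byte[] CLEAN = "<html>\n<body>Welcome</body>\n</html>".getBytes();
    static final byte[] ERROR = "<html>\n<body>\nSQLException: unclosed quotation mark\n</body></html>".getBytes();
    static final byte[] UPPER = "<html><body>\nERROR 1064: You have an error in your SQL syntax\n</body></html>".getBytes();

    /** Exactly the slide's expression: (?i) case-insensitive, (?s) lets '.' span newlines. */
    static boolean slideExpression(byte[] content) {
        return new String(content).matches("(?is).*(error|exception).*");
    }

    /** Same expression without (?s): '.' no longer crosses newlines, so matches() fails on multi-line bodies. */
    static boolean withoutDotall(byte[] content) {
        return new String(content).matches("(?i).*(error|exception).*");
    }

    /** Equivalent check with find(), which needs neither the surrounding .* nor (?s). */
    static boolean withFind(byte[] content) {
        return Pattern.compile("(?i)error|exception").matcher(new String(content)).find();
    }

    public static void main(String[] args) {
        byte[][] bodies = { CLEAN, ERROR, UPPER };
        String[] names = { "CLEAN", "ERROR", "UPPER" };
        for (int i = 0; i < bodies.length; i++) {
            System.out.println(names[i] + ": slide=" + slideExpression(bodies[i])
                + " withoutDotall=" + withoutDotall(bodies[i])
                + " find=" + withFind(bodies[i]));
        }
    }
}
```

Running it shows the slide's expression and the find() form agreeing on all three bodies, while the variant without (?s) misses both error bodies because they contain newlines.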
Demonstration
Finding conversations with SQL injection errors
Compare
Compares the body of various responses
Select a baseline to compare against
Conversation list shows the “distance” from baseline (# words)
Can be sorted on any (combination of) columns
Select a conversation to show both bodies
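The Compare plugin's "distance from baseline (# words)" is a count of word-level differences between two response bodies. The following is an added example for this page, not the plugin's own code: it computes a word-level edit distance (insertions, deletions and substitutions of whitespace-separated tokens) between a constructed baseline body and a constructed variant. Whether the real plugin tokenises exactly this way is an assumption; the point is that a handful of changed words stands out from a sorted list even when the bodies are long.

```java
/** Word-level edit distance between a baseline response body and another body. */
public class CompareDistance {

    // Constructed sample bodies; not output from any real application.
    static final String BASELINE =
        "<html><body>Welcome back, user. You have 3 new messages.</body></html>";
    static final String VARIANT =
        "<html><body>Welcome back, user. You have 0 new messages. Error: null</body></html>";

    /** Tokenise on whitespace; markup attached to a word simply travels with it. */
    static String[] words(String body) {
        return body.trim().split("\\s+");
    }

    /**
     * Classic Levenshtein distance over word tokens using two rolling rows,
     * so memory is proportional to the shorter body rather than to the product.
     */
    static int distance(String baseline, String other) {
        String[] a = words(baseline);
        String[] b = words(other);
        int[] prev = new int[b.length + 1];
        int[] cur = new int[b.length + 1];
        for (int j = 0; j <= b.length; j++) prev[j] = j;          // empty baseline: insert all of b
        for (int i = 1; i <= a.length; i++) {
            cur[0] = i;                                           // empty other: delete all of a
            for (int j = 1; j <= b.length; j++) {
                int cost = a[i - 1].equals(b[j - 1]) ? 0 : 1;
                cur[j] = Math.min(Math.min(cur[j - 1] + 1,        // insertion
                                           prev[j] + 1),          // deletion
                                  prev[j - 1] + cost);            // substitution or match
            }
            int[] t = prev; prev = cur; cur = t;
        }
        return prev[b.length];
    }

    public static void main(String[] args) {
        System.out.println("baseline words: " + words(BASELINE).length);
        System.out.println("variant words:  " + words(VARIANT).length);
        System.out.println("distance:       " + distance(BASELINE, VARIANT));
    }
}
```

Sorting conversations by this distance is what lets a reviewer skip the responses that are identical to the baseline apart from a timestamp, and jump straight to the ones where extra words (an error message, a stack trace) appeared.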
Web Services
Identifies WSDL in conversations
Can load from a file
Parses WSDL
Parses Schema (complex types!)
Presents Services and Operations
Constructs an Object hierarchy for editing
Converts to SOAP message
Invoke!
Currently RPC/encoded only
Questions?