We are already very close to the EOY and we are all expecting the Christmas break in a few days. Tonight, the last OWASP Belgium chapter meeting for 2013 was organised with the help of another local chapter which was created in 2013: the ISC2 one. Thanks to the F5 Belgium team who sponsored the pizzas! Two very interesting presentations tonight about browser or more precisely, how to use them otherwise. Of course, the classic intro by Seba with the local chapter and global OWASP news.
So, two speakers were scheduled today. The first one was Roberto Suggi Liverani. His talk was called “Augmented reality in your web proxy”. The topic was about a BurpSuite extension developed by Roberto and called “CSJ”. He started with some facts about a classic web testing approach. We use an intercepting proxy like BurpSuite or Zap.
A classic testing flow is like this:
Roberto used BurpSuite in his examples. Its core components are:
In fact, we have to be closer to the client side. How to automate this? They are different browser automation tools available like Selenium, Crawljax or JUnit. To be able to use them with the proxy, it must of course also allow extensions. BurpSuite comes with an API, available in Java, Ruby or Python, which can interact with most of its components (see the list above). Which framework to integrate with BurpSuite? All have pros, Roberto chose Crawljax & JUnit. His extension integrates Crawljax and the JUnit test cases created by Selenium IDE.
The second demo was based on phantomjs (a headless browser). It’s a very convenient way to quickly browse a complex website (no need to render objects).
Then, Roberto explained how JUnit was also integrated into BurpSuite. The next demo was based on a shopping cart. Via Selenium IDE, a test case is created to add one item into the basket. Then the test case is exported. The complete process is more complex because the exported code must be compiled into a Java class. But once the class is loaded and registered, it’s easy to automate complex testing scenarios. Roberto ended his presentation with some interesting findings made with CSJ during his research:
- Command injection via base64 encoded data
- Pages vulnerable to XSS that were clickable elements which would invoke toggle().
- A shopping cart with a special item which decreased the amount 😉 (found via JUnit)
Conclusion to the talk: combining classic and automation is a new way of testing (and to gain time). Roberto’s extension is available on here.
After a short break, the second speaker was a local player: Bart Leppens who talked about his baby: BeEF or “The Browser Exploitation Framework“. Bart is one of the developers who’s working on this project and his talk was called “If you tolerate this, your child processes will be next”. In fact, Bart wrote some modules for BeEF. But what’s BeEF? It can be defined as a professional security tool which focus on client side attack vectors based on real attack scenarios. The original version was developed by Wade Alcorn.
Once installed, BeEF proposes two URL:
- The hook URL (hook.js, to be included via XSS by example
- The UI url to control the browsers from remote
Bart demonstrated the basic features of BeEF:
- Social engineering: BeEF inject fake login pages into the browser (Facebook, Google, LastPass or …)
- Exploits (XSS, DoS, network, webcam, etc)
Then, the second part of the presentation focused on IPC (“Inter Protocol Communications”). The idea is to generate some traffic from the victim’s browser to a third-party application. To achieve this, the protocol must be very tolerant: HTTP headers are ignored and the HTTP body is used to send payload. A good example is the old fax server called ActiveFax. Bart demonstrated an attack called “XSF” or “Cross Site Faxing”. The goal was to send (from a compromised browser), fake faxes to an ActiveFax server. Which types of attacks could be performed?
- Sending fax to premium-rate fax numbers
- Flooding the fax server (DoS)
The two presentations of today were very valuable and demonstrate that, again, the browser is the “new operating system”. It can be (ab)used in multiple ways for the good and the bad. A great evening!