MITM Proxies - and other tools
RSnake was letting us all know that PortSwigger is taking requests for new features for Burp. Burp proxy is one of a handful of tools that you must have in your toolbelt for doing manual assessments. Funny how I've never shared what I have in my manual assessment toolbelt:
- MITM proxy - my standard is Paros, but I also keep installs of Burp and WebScarab. What you need first and foremost is a proxy that works. Each of them has pros and cons as far as being able to reliably connect under various circumstances. If you're consulting or dealing with vendor apps, you'll probably use all of them at different times to deal with different proxy configurations (I mean corporate proxy, not MITM proxy), host authentication methods, SSL, etc. If the site is SSL and has applets, you'll need one that you can easily modify (this is why I use Paros) so you can change which keystore it uses and make a hacked self-signed cert. Next time I have to do something like this, I'll write a blog post about it. It's not hard, but it's not obvious, either.
- Scripting language - I prefer Groovy now. Some assessors I know never once write a single line of script. I can't do a single assessment without writing some amount of it. Some people prefer Python, and I just stopped using Perl a year or so ago. I don't know if Ruby has the libraries it needs to make it through various authentication and proxy schemes yet, but I'm sure it will soon. I switched to Java-based languages because of all the different hoops I have to go through for assessments - Commons HttpClient can get me there, no matter the circumstances. The Java APIs for HTML parsing are less than snappy but adequate (maybe another post on that); lately I've started using NekoHTML, which balances HTML tags and such to turn a page into something you can use XML parsing on, and this weekend I finally got around to playing with HtmlUnit (which uses Commons HttpClient and NekoHTML) - and it makes a lot of tasks a lot easier. It even parses and executes JavaScript, but I've had issues with the JavaScript parsing on a few sites (sites with Google Ads in particular), so I just disable it there.
- A good text editor. A "good" text editor is critical just because my editor ends up being my "landing zone" for everything. So you want your text editor to have some of the following features: regex search and replace (absolute must), macro ability (you never know when you need to just cobble something together), tabbed interface, column editing (you'd be surprised how many times I use just this one feature in an assessment). Right now, I'm pretty well stuck with jEdit, but prior to that I used UltraEdit exclusively. I tend to like jEdit now simply because of one feature - BeanShell is built in. This is handy in two places. The first is encoding and decoding - I've written a handful of macros for doing encoding and decoding (hex->binary, binary->hex, digests, HTML encoding, URL encoding, Base-64, etc.) - your proxy may also provide this, but it's just nice not to have to switch. The second is that you can make the replacement for a search match the result of evaluating a BeanShell script, which is handy when dealing with obfuscated code.
- Firefox with at least LiveHTTPHeaders, SwitchProxy, User Agent Switcher, and Firebug. What I ended up doing is using a hacked-up Portable Firefox for doing assessments, and my primary day-to-day Firefox doesn't include all the extensions.
- The Gimp. May seem like overkill when you just need screenshots, but you also need something that can do a really good Gaussian Blur or similar for redacting. With a normal desktop paintbrush, redacting means putting an ugly black bar in front, which for a finalized report doesn't look that great. You want something you can annotate with and make pretty red circles.
- I've thought about desktop recording software, and I've seen some really nice ones with voice recording and graphical annotations, but you can't put a video in a printed document, so it's not something I've used a great deal.
- The XSS Cheat Sheet. I wish there were an SQL Injection (or LDAP Injection, or name-that-Injection) equivalent for all the various RDBMSs out there, but doing a little research on the specific RDBMS and a good set of encoders will get you far.
- There's just no substitute for being able to figure out what's going on in the backend. The more opportunity you have to turn your blackbox test into a graybox test, the better your chances of getting a really good exploit. There's not a tool for that, but just know that it's hard to train somebody to be a truly 1337 hacker who doesn't understand a lot about the systems an application runs on - application level or OS level. So that being said, there's no substitute for research.
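As an added example (not code from the original post), this Python script does the kind of form-inventory task the post scripts in Groovy with NekoHTML/HtmlUnit: it walks deliberately sloppy, constructed HTML with the standard-library parser, lists each form's method, action and named controls, and pulls out the hidden fields that deserve a manual look.

```python
# Added example, not from the original post. The HTML below is constructed
# with unclosed tags and unquoted attributes to mimic real-world markup.
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<form action="/login" method=post>
  <input name=user><input type=password name=pass>
  <input type=hidden name=csrf value=abc123>
  <input type=submit value=Go>
<p>Unclosed paragraph and form
<form action="/search">
  <input name="q"><select name="sort"><option>date</option></select>
  <textarea name="notes"></textarea>
</form>
</body></html>"""


class FormInventory(HTMLParser):
    """Collect each form's action/method and its named controls.
    A new <form> implicitly closes an unclosed previous one, which is
    what a tag-balancing parser such as NekoHTML does for you."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lowercased by html.parser
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) never reach the server
                self._current["inputs"].append(
                    {"name": a["name"],
                     "type": a.get("type", "text" if tag == "input" else tag),
                     "value": a.get("value")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inventory(html):
    """Return a list of forms, each with action, method and named inputs."""
    p = FormInventory()
    p.feed(html)
    p.close()
    return p.forms


def hidden_fields(forms):
    """Hidden inputs (tokens, state) are the first thing to review by hand."""
    return [(f["action"], i["name"], i["value"])
            for f in forms for i in f["inputs"] if i["type"] == "hidden"]


if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML):
        print(f["method"].upper(), f["action"], [i["name"] for i in f["inputs"]])
    print("hidden:", hidden_fields(inventory(SAMPLE_HTML)))
```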
> my standard is Paros

why? i don't get the keytool/keystore SSL self-signed stuff. there are many ways around ssl complaining.
i currently use webscarab + proxmon almost exclusively now (with python). i used to use burpproxy (not the suite, i think it's bloated speaking of new features) and set it to log requests/responses, parse it in perl, and run parameter and cookie tampering with LWP based on the burp logs. i often switched between perl/LWP and bash/curl because i'm often faster in shell than any other scripting language. i hear www::mechanize for perl is also a great replacement to LWP.
i am keeping an eye on suru and meant to download the latest version to check it out (it just came out last week and has integration with aura, the google api search proxy from sensepost research). this article got me really intrigued:
http://blog.clearnetsec.com/articles/2007/04/13/an-example-of-why-human-effort-is-needed-when-assessing-web-applications
another interesting approach would be to go completely with bookmarklets. this may work in the future when IE7 overtakes IE5/6, but i often still load IE3/4, Netscape, and old versions of Opera and Firefox just to see if I can catch anything with my proxy. it's almost an imperative to test with multiple browsers, moreso than testing with multiple proxies.
> I prefer groovy now... Python, and I just stopped using Perl a year or so ago. I don't know if Ruby
i honestly think ruby and groovy are both great for web application manual assessment work. i would like to use both more, if i had the time. some of my favorite tools and ideas seem to work well with ruby especially. for example - http://wtr.rubyforge.org/
http://rfuzz.rubyforge.org/
http://scrubyt.org/
http://www.devx.com/security/Article/33559?trk=DXRSS_LATEST
> Commons HTTPClient... NekoHTML... HTMLUnit (which uses Commons HTTPClient and NekoHTML) - and it makes a lot of tasks a lot easier. It even parses and executes JavaScript

I have seen people using Watir (first Ruby link above) to do similar things with Ruby and IE, especially for crawling JavaScript. There are also the other Watir-alikes (Java, .NET, Firefox):
http://watij.com/
http://watin.sf.net/
http://code.google.com/p/firewatir/
> A good text editor... regex search and replace... encoding and decoding hex->binary, binary->hex
i use vi, sed, dc and other Unix commands for this
> digests, HTML encoding, URL encoding, Base-64... your proxy may also provide this - just nice not to have to switch
Huh. I mostly do all of that using Firefox extensions:
NF-Tools - http://www.net-force.nl/library/downloads/
HackBar - https://addons.mozilla.org/firefox/3899/
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
https://addons.mozilla.org/firefox/3208/
or various websites
http://www.serversniff.net/
http://h4k.in/encoding
> Firefox with at least LiveHTTPHeaders, SwitchProxy, User Agent Switcher, and Firebug
DOM-Inspector and InspectThis are invaluable to me in addition to Firebug. I often use CookiePie to support multiple cookies in multiple tabs, along with CookieCuller (to protect cookies) and Add 'N Edit Cookies for additional cookie poisoning / tampering.
I don't even know how you failed to mention Web Developer Toolbar. The PrefBar and All-in-One-Sidebar are also nice to play with when trying to do lots of things at once and stay organized.
> What I ended up doing is using a hacked up Portable Firefox for doing assessments, and my primary day-to-day firefox doesn't include all the extensions

I set the environment variable MOZ_NO_REMOTE=1 and then create an assessment profile using `firefox -profilemanager` and then launch it with `firefox -P wava`. my other profiles will run in different processes. this works under windows and linux for me.
> The Gimp may seem like overkill when you just need screenshots

Yeah, i use the Firefox extension Pearl Crescent Page Saver Basic - and just take screenshots with my browser and re-size it to hide things i don't want people to see. For outlining stuff, I just use Web Developer Toolbar. These two extensions work incredibly well together.
> The XSS Cheat Sheet. I wish there were SQL Injection
WhiteAcid's XSSAssistant and CAL9000 do some great automated tests with browser-level interaction and work great when combined with Firefox extensions, especially the tampering ones. CAL9000 seems to work best in Opera for me. I've used both to find XSS in many an assessment and they seem to work best. I think all the cool kids use these two. The only other that I've seen that even closely compares is HTMangLE.
For open-source scanners, Grabber is interesting (and rgaucher is working on a new version according to his blog today), as well as Wapiti. Probably the newest and latest would be Wfuzz and w3af. I have found a lot of SQL injection vectors with `perl SQLiX.pl -crawl http://hostname -export -all -v=2` but you're wrong about cheat sheets... a simple search revealed at least ten to twenty of these in existence.
> So that being said, there's no substitute for research. What tools did I miss (besides Telnet?)
pretty much everything on this list -
http://owasp.org/index.php/Phoenix/Tools
but i'll add the NekoHTML and HTTPUnit tools if you think they would make good additions to the list?
@dre - wow - what a great list. With your permission, I'll just make the whole comment a new repost with all the credit back to you.
Two notes for the rest of you - I have not yet checked all of dre's links to make sure they're safe or valuable, but I will at least check that they're functional before the repost. And the second item - dre shows us again that there are just a truckload of free/almost free tools out there.