Automating Customized Attacks

  • Focuses on the use of automation to speed up customized attacks

Uses for Customized Automation

  • Three main situations:
    • Enumerating identifiers
      • Most apps use names and identifiers that refer to data and resources.
        • UIDs
        • Usernames
        • Document IDs
    • Harvesting data
      • May be able to access useful or sensitive data.
      • Automatically harvest data on various users, profiles, etc.
    • Web application fuzzing
      • Fuzzing : Quickly generate a large amount of requests with common attack strings and assess the application's responses.

Enumerating Valid Identifiers

The Basic Approach

  • Locate request/response pair such that
    • Request includes parameter with a target identifier
    • Response varies in a systematic way based on the value of the identifier

Detecting Hits

  • HTTP Status Code
    • 200 - OK
    • 301 or 302 - Redirection
    • 401 or 403 - Not authorized or allowed
    • 404 - Not found
    • 500 - Server error
  • Response Length
    • Apps commonly use page templates and insert responses based on content in it.
    • If the response does not exist or is invalid, it may just return a short/empty template.
  • Response Body
    • Can look for specific strings or patterns to detect hits.
    • Invalid document:
      • May contain string "Invalid Document ID"
  • Location Header
    • Can look at the HTTP redirection target
      • Sent to error page: Not a hit
      • Sent to content page: hit!
  • Set-Cookie Header
    • The application might only set the cookie in certain cases.
  • Time Delays
    • Content might be identical, but time differences between valid and invalid parameters may greatly vary.

Scripting the Attack

  • At this point, a URL with a given identifier has been found.
    • Can not enumerate valid IDs!

JAttack

  • A simple, versatile tool demonstrating how, with basic programming knowledge, a user can automate customized attacks.
  • This is pretty granularly described in the text, and in fact it just references the book's website to download the source code.
  • General tool overview:
    • Parameter class
    • Payload source interface
    • Class for payload source numbers implementing the payload source interface
    • JAttack class
      • Instantiates objects with the previously described definitions
      • Boolean method to recognize if more requests remain
      • Build request method
      • Issue request method
      • Parse response method
      • Attack method
        • While there is a next response
          • Parse the next response
          • Print out the request and its corresponding response

Harvesting Useful Data(

  • Similar process to enumerating valid identifiers
  • Not just interested in a hit or miss though.
  • General tool, JAttack, extending current functionalities:
    • Extract string method returning strings corresponding to interesting data
    • Extraction method that searches for strings from the extract string method and appends the corresponding data to the output

Fuzzing for Common Vulnerabilities

  • Probing the app using many common attack strings to cause odd behavior if vulnerabilities relating to those strings exist.
    • Submit same attack payload relating to the parameters on every app page.
    • Hard to identify hits.
      • Capture details from each request/response
  • Examples:
    • ' → Error in some instances of SQLi
    • ;/bin/ls → Unexpected command injection behavior
    • ./../../../../etc/passwd → odd path traversal flaw behavior
    • xsstest → if copies to server, XSS vulnerability might exist
  • Further extension of JAttack functionalities:
    • Payload source fuzzing strings method implementing the payload source interface
      • Iterate through list of fuzzing strings
    • Function containing strings to grep for
    • Referencing the grep strings function and searching for them in some added code in the parse response function.

Putting It All Together: Burp Intruder

  • May need more versatility in a fuzzing tool like the JAttack example.
    • SSL
    • HTTP authentication
    • Multithreading requests
    • Following redirects
    • Encoding unusual characters
  • Burp Intruder implements all of this functionality!

Positioning Payloads

  • Positioning payloads in a subpart of a parameter value, at a parameter, a parameter name, or in a header or body.

Choosing Payloads

  • Includes many built-in functions for creating attack payloads
    • Lists of presets
    • Custom iteration payloads
    • Character/case substitution
    • Numbers
    • Dates
    • Illegal Unicode encodings
    • Character blocks
    • Brute-forcer function

Configuring Response Analysis

  • Identify attributes of server response that are interesting to analyze.
  • Burp Intruder can do this, as well as it does store some information by default.

Examples:

  • Enumerating Identifiers
    • Looking for SessionID's returned in a response containing a Cookie
    • Now use a valid one and enumerate through via a payload position that is the last part of the cookie.
  • Harvesting Information
    • Index number used in a URL parameter
    • Can generate payloads from 00 to 99, iterating through a pageid parameter.
  • Application Fuzzing
    • To test if an application has decent coverage, just use an auto button that will run a quick fuzz test.

Barriers to Automation

  • Two barriers exist
    • Session-handling mechanisms
    • CAPTCHA controls

Session-Handling Mechanisms

  • Examples:
    • App terminates session used for testing
    • App employs changing token
    • Request is in a multistage process
  • Circumvent by refining the automation techniques.

Session-Handling Support in Burp Suite

  • Burp Suite does support:
    • Cookie jar
      • Tracks app cookies
    • Request macros
      • Predefined sequence of one or more requests
        • Fetch a page
        • Perform login for new session
        • Obtain token or nonce
    • Session-handling rules
      • Based on:
        • Burp tool making the request
        • URL of the request
        • Names of parameters
      • Actions:
        • Add cookies from cookie jar
        • Set cookie/parameter value
        • Run macros
        • Prompt user for in-browser session recovery

CAPTCHA Controls

  • Prevent app functions from being used in an automated way
  • Stands for:
    • Completely Automated Public Turing test to tell Computers and Humans Apart

Attacking Captcha Implementations

  • Examples of poor implementations:
    • Puzzle image loaded via a URL includes solution as parameter or image name
    • Puzzle solution is stored in hidden form field
    • Puzzle solution appears within an HTML comment or other location for debugging purposes.

Automatically Solving CAPTCHA Puzzles

  • Process:
    • Remove noise from image
    • Segment image into individual letters
    • Recognition of the letter in each segment

Using Human Solvers

  • Examples:
    • Use website for human CAPTCHA proxies to solve puzzles
    • Pay human CAPTCHA 'drones' in developing countries to solve many puzzles

results matching ""

    No results matching ""