
Good afternoon everyone. Now, this is a tool that helps web app testers work together with developers and triage and security operations people who have to fix the vulnerabilities that these pen testers find. Now, just so I understand, does anyone here work as a web app pen tester? That's a pretty good show. Does anyone work as a developer or security operations? Have we got, in the audience, have we got a bug bounty triager? Yeah, well, Steve, fantastic, come and toast me at the end. Great. Now, anyone who works in these roles has probably at some time or other had the difficulty of trying to communicate a complex vulnerability to a developer.
So you've done your pen test, you've found this difficult corner of the app, you're three steps into a multi-stage login form, it will only accept your POST request if the token's already been through those first two stages and this JavaScript, unless you've got a bypass, and trying to explain all this to a developer who does not know security is really difficult. And what I found almost universally with developers is they want to reproduce the problem on their computer. You can give them a log, you can give them screenshots, you can give them all the proof you want, but until it reproduces on their computer, at some level they just don't believe it's a real thing. And sometimes it gets really
hard to do this, and a few common approaches people have used to deal with this have got major shortcomings. So I've worked at places where they say that every finding has got to have a complete HTTP request and response, and the idea is that it doesn't matter how difficult the thing is, they just copy that HTTP request, put it into a tool like Burp Repeater and send it off. But this is fatally flawed, because in that request you've got all sorts of session tokens, CSRF tokens, and while they're all still valid while the pen tester is working on it, three days later, by the time someone's reading this report, the tokens have expired, so it doesn't reproduce. Now,
because of the difficulty of this, this led me to think: what if reproducing vulnerabilities was as easy as saying "tea, Earl Grey, hot"? And that led me to design this extension called Replicator. Now, the key feature is that all the pen tester's findings are embedded in a single file, so this can be sent from the pen tester to the developer via whatever secure report delivery mechanism you have in place, and once the developer has this, they've got one-click replication. So I'm going to go through in this talk what the developer will see, I'm going to go through the pen tester side of this, and if we've still got time
at the end I'm going to talk a little bit about coding Burp extensions and some of the subtleties in coding this.
Can I just check, can everyone read the text? The bug triager's right at the back. Fantastic. Now, so once you've installed Replicator from the BApp Store, and by the way, if there are any Burp users here who have not yet found this BApp tab within Burp, you are really missing out, it's the best tab in the whole program. Once you install it, you get it up here. Oh, I'm just going to put this down. So I'm the developer now. So we've had this pen test commissioned, this pen tester has found loads of interesting stuff, they've sent us the report and they've sent us the Replicator file, which we are now going to
load. Now, we've just got a little security warning here, because this file we're opening can update our Burp config, maybe it could have it update something we didn't want it to update; however, in this case I know this file has come from a trusted source, so I'm quite happy to say yes. So we've got three vulnerabilities here: cross-site scripting, SQL injection and unauthorized access to the admin panel. Now, each one of these has got a probe request that's associated with the vulnerability, and what we can do if we hit the Test button here, this is going to send this probe to the target application and figure out if we're still vulnerable or not, and in
this case, as we'd expect, as we've not yet done any remediation, still vulnerable. In fact, we can save in place and we can just hit Test All, and we can see they're all still vulnerable. Now, one of the first subtleties that you hit when you start doing remediation is normally developers don't have access to the exact same system that the pen tester was testing on. So in this particular example the pen test has been performed on my demo staging dot com, which is a little bit away from where we're working; however, we have access to my demo dev dot com. Now, I can go in here
and I can update this, and yes, we do want to change the target for all the macros and session handling rules. Now, you might notice that the status there disappeared, so we just run Test All again just to check that my demo dev is in the same state as my demo staging. Ah, and we've got something unusual. Hmm, we'll do that in a minute. And so, cross-site scripting, let's have a look at this now. I've got the code just here now. The path was /name, so if I look through the code, and this is a Python and Flask app, so we're looking for these things, say this is app.route, which connects HTTP URLs to
controller methods, and if we look down, there is the route for name. Now, we look at the code, and I know most pen testers are pretty good at doing a quick code review, we can see the name has been fetched from the request and then it is used in the HTML without any escaping, so this is the simplest possible kind of cross-site scripting. I can just fix this right now, if we... I've got nothing, if there's one in my back somewhere, what is it, just route through it, is that doing anything else? Right now, I've just, for expediency, I've left in a line which is going to sanitize our input, so we can enable that and restart
our app, we can test this again. Well, this looks promising, it said it's resolved, but there is a little weasel word there next to resolved: this is resolved tentatively. Now, what Replicator has shown here is that the exact same attack that the pen tester used no longer works, but there's always the risk that someone's going to come along and use a different attack, and this approach doesn't prove that you've fixed the root cause of the vulnerability. I imagine the testers here have had a number of experiences of creative ways that your clients have fixed vulnerabilities, for instance perhaps doing a check for the exact payload you included in the report and just rejecting that, and
nothing else. To confirm that you've fixed the root cause of the vulnerability, you really need a person to look at it, so that's why we say resolved tentatively, and in a commercial environment what you'd do is you'd say that is the end of the dev team's work: they've proven that that no longer works, it's time to pass it back to the professional pen test team to fully confirm resolution. Now, if we do an active scan, there's no... just, I'll just clear some of this old stuff off. If we do an active scan of this vulnerability that we've resolved, what's going on? We definitely escape the less-than sign,
how come we've still got cross-site scripting? So if we take a closer look at this, and within the response Burp always highlights the interesting bits of the request and response, and you can see that the page context was within the value attribute of an input tag, so Burp has been able to use an alternative attack that doesn't use the less-than. So that's actually one of my favourites: that's using the onfocus of that, and also providing the autofocus attribute, because that causes the XSS to execute without any user interaction. So in this case it wasn't sufficient to just check for less-than signs. So I'm saying all this just to ram home the point that this will
confirm that the exact attack vector used is no longer vulnerable; you need some manual testing to prove it's definitely fixed. Now, we were left with this one that was unable to replicate. Now, I've made this second example a little bit harder. I'm just thinking, if I fix this in front of you, I'm going to spoil the surprise of how we introduce it in the pen test. So we're going to just put that to one side for now, and I'm going to get back to the slides.
Yeah, so what we've got in this file: we've got a list of vulnerabilities, we've got the probe request. Now, there is one other crucial thing we've got, and that is the detection logic. So we send the probe request to the server, we get a response back, and we need some mechanism to say: does that response show the application is vulnerable or not? Now, the most simple type of detection logic is the grep expression. Now, in the example of cross-site scripting, the grep expression is the exact payload that's been used, and so if this is echoed back without escaping we can infer the page is vulnerable, and if it's changed in some way we can infer that it's not.
And the tool also supports Collaborator detection as well. Right, it's not always... been ages on that, yeah, and our foundation is where is all that, okay. So if you have a vulnerability that's blind, where there's no response but there is an outbound interaction, you can detect it with the Collaborator detection mode. Okay, now this was all the developer side. What I want to do is change hats now and look at this from the pen tester's point of view. Now, I'm going to just restart the extension to clear the state. Now, top tip: if you want to restart an extension, if you hold down Control when you click this, it does a quick restart without
asking you to confirm, which is really handy when you're developing extensions. Okay, so we've got a blank Replicator. Now, I'm going to set it to pen tester mode, we get a few more options there, and there's one crucial thing that we get elsewhere which you'll see shortly. Now, the other thing I have to remember to do is that we fixed the vulnerability before, so I need to put this back in its original vulnerable state. Okay, so now we're going to do a quick pen test of this app. Now, please do not judge me on my graphic design abilities; this app is sufficient for demonstrating certain coding flaws, and in Angular, with no words, the login form
it uses the golden ratio to achieve nice distribution across the screen, I mean, it's top of the range fonts. And what most pen tests... the client has given us some test credentials to log in, so we can log in and we can browse through the dynamic interactive front page, and we can put some data in some of these fields, because what we want to do is start filling the site map. Christ, I didn't have the... skin a few Burps at night, you've probably got it turning to set up this, man, hang on, it's definitely not possible for it to be doing that, right?
Come on, Rafael, you're always getting deeper in these things. Great, so I know, let's think about this, right, it's definitely... the listener's definitely, definitely running. Hang on, wait, what? I think, why, if I paste the URL into Repeater, though, that will reduce by half the number of possible things that could be wrong. Paste yours as request upstream... Definitely didn't do this before, right?
Surface new proxy connects to it, so that means it's placed in the virtual machine correctly, does it have a socket? Is there anyone technical in the room that knows anything about Burp that can help Paul?
He did promise a dance if this went wrong. So I did, you did, family-friendly, he said. I didn't anticipate, is that it? So I should say it's about fixed, have time to dance, so if someone...
I always write... it's still listening. Oh yeah, actually, sometimes these little mishaps, I throw them in deliberately, because if it always works, people just think it's a pre-recorded video. So yeah, right, well, well, let's delete some of this, this data, say we stayed wrong, right. Have we got a listener? Intercept is definitely, definitely off, right? Yeah, this has to work, it's impossible for it not to... we're not using FoxyProxy, for God's sake, without FoxyProxy Chrome uses the host... I think it's got a thing in the settings. Me, oh hey, that sounds like, that sounds like a kid, I do like to give this presentation. Okay, I think I'm just going to
ditch doing the demo, oh no, no, no, and I'll talk you through what it does. So what we do: we walk through the site and we build up a bit of a site map, and then in the site map we start using Active Scanner on the branches, and we find some vulnerabilities very quickly. We find the cross-site scripting vulnerability, and now there was the SQL injection vulnerability that I showed you in the developer view. Now, out of this go, Scanner doesn't find it, and if I just put a single quote into the search page, and I guess I could do that, because you don't need a proxy for that, and you need to... what, you
don't need a website for it? No, no, no. So if we just put a single quote in there, there is a very high indication that there is an SQL injection vulnerability there, and on the first go Burp Scanner does not pick this up. Now, the reason for this is that the page has a CSRF token, now it's a one-use CSRF token, so if Scanner is using... it sends off one request, so the token expires, and then when it does the next request with the next payload, the token's expired, so it doesn't do its go. Now, you can work around this within Burp if you have some very deep proxy history, and using the session handling rules
that might be why it was like... you know, hmm. Now, what we can do is we can define a macro that will fetch the token. So when we look down our proxy history, we've got these GET requests to search, and the response includes a token, so we can define a macro. No, I'm not sure, definitely... so that's what, half of it, and then the second half is to create a session handling rule, and no, in fact what we want to do is we want to find a suitable POST request. Now, we can copy the URL from that and we can paste it in there, so what's going to happen now is each time Burp goes to this URL,
this session handling rule is going to trigger, and what we're going to tell it to do is run a macro, and we're going to use that fetch-the-token macro we just set up.
Now, yes, but it still cancels to the back end... I'm going to leave it as a complete mystery why it just hides. No, so the point is, to get that just going correctly you need to set up the macro and the session handling rule, and the key point then, the key thing that Replicator does when you load the file
is that the relevant rules are loaded. So the pen tester can set up all the session handling rules to get the scans to run correctly, and then when you generate the Replicator file, these rules are taken out of your Burp config, put in this file, you send it to the developer, and when they load it into Burp they get all the rules out of the box. So in the absence of connectivity problems, it just works. Now, I'm presuming it's fine,
yeah, so it stops at some point, because earlier I ran, like, that and they responded. So it's something that stops at some point... the kid would hear the can't, Woodworks, the not keep would get edited through. Oh, place it back. This guy seems to be responding again, right. I'm going to, right, I'm going to roll with this for now, those guys can go. Right, right, hello, hello, these guys, right, have gone up, we can access through the proxy. Holy, whoa,
did something actually change? Because I don't think anything changed. Right, oh yeah, we were adding your name, and we're like, we were filling the site map. So there we go, we've got a populated site map, so we can start doing the scanning now. Hopefully this search works first time around, because I defined the rule, although there's a risk it will.
Right, so this gets us the valid token.
Now, the thing to do when you set up these rules is to test them in Repeater before you dive in with Scanner. So this is a POST search, where they're taking a... look closely at that token, it ends in 8c.
Okay, right, oh, so we finally found the SQL injection. Now, what we can do, now that we're in pen tester mode, if we select issues from the report we then get a context menu item, so that allows us to send them to Replicator.
Okay, so you don't have to do a lot manually when it's a Scanner issue: you get the title, the path, the parameter, you get the probe request, and then also all the text that was in the issue response and highlighted, that is then automatically put into the grep expression. So that's frozen, there must be some
this, yeah, now, no, it's still, it's still seized up on something. Oh yeah, I'm sorry, I did, sorry, it completely kills, but kills before it, that happening. The other thing that I wanted to point out to you is this issue about the admin interface not being accessible, it's like the admin interface being accessible to an unauthorized user; you can pick this up with content discovery. So yeah, but what we're seeing here is all the threads in content discovery starting and frozen. So what's all happened is when we, when you take that...
So issues that are not discovered by the Scanner, you can also send them to Replicator, but what you need to do is you need to give them a name manually and you need to give the detection logic manually. So for instance, for an admin panel, just a string like "admin panel" being present in the page is usually enough, because when they fix it you'll get a 403 Forbidden, it won't include that. A couple of other things that can be useful in here: now, we've got session IDs in here right now, these are valid; three days later, when the developer looks at these, these are going to be invalid. Now, what we can do to deal with that, first of all,
we can clear the cookies out of our requests, so there's nothing in there that's specific to us, and we can also empty the cookie jar. Now, the final piece of the picture is to create a login macro. Now, if we go into Project options, Sessions, Macros, now if we look down our history we can find a POST request that is the login, so we can name that as such.
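An added, constructed simulation, not code from the talk or from Replicator, of the two failure modes just described (a copied request with stale session and CSRF values, and a scanner burning a one-use token) beside the macro chain that fixes them: login macro, token-fetch macro, then the probe and its grep check. The fake app, the test credentials and the database error text are all assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class FakeApp:
    """Constructed stand-in for the demo app: sessions plus one-use CSRF tokens."""
    sessions: Set[str] = field(default_factory=set)
    csrf: Dict[str, str] = field(default_factory=dict)   # session -> outstanding token

    def login(self, user: str, password: str) -> Tuple[int, str]:
        if (user, password) != ("test", "test"):          # assumed test credentials
            return 401, ""
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return 200, sid

    def expire(self, sid: str) -> None:
        """What three days of waiting does to the session in the report."""
        self.sessions.discard(sid)
        self.csrf.pop(sid, None)

    def get_search(self, sid: str) -> Tuple[int, str]:
        if sid not in self.sessions:
            return 302, ""
        tok = secrets.token_hex(8)
        self.csrf[sid] = tok                               # replaces any older token
        return 200, f'<form><input type="hidden" name="csrf" value="{tok}"></form>'

    def post_search(self, sid: str, csrf: str, q: str) -> Tuple[int, str]:
        # Token is consumed on use, so a second POST with the same token fails.
        if sid not in self.sessions or self.csrf.pop(sid, None) != csrf:
            return 403, "forbidden"
        if "'" in q:   # simulated SQL injection symptom, as in the talk's demo
            return 500, "Error: unterminated quoted string"
        return 200, "no results"

# The finding as a Replicator-style file would carry it: probe body plus grep.
PROBE = {"q": "'", "grep": "unterminated quoted string"}

def extract_csrf(page: str) -> str:
    """The token-fetch macro's job: pull the CSRF value out of GET /search."""
    m = re.search(r'name="csrf" value="([0-9a-f]+)"', page)
    return m.group(1) if m else ""

def grep_detect(body: str, grep_expr: str) -> str:
    return "vulnerable" if grep_expr in body else "not reproduced"

def replay_verbatim(app: FakeApp, sid: str, csrf: str) -> Tuple[int, str]:
    """A request copied from the report and replayed later with stale values."""
    status, body = app.post_search(sid, csrf, PROBE["q"])
    return status, grep_detect(body, PROBE["grep"])

def scan_without_rule(app: FakeApp, payloads: List[str]) -> List[int]:
    """Scanner without a session handling rule: one token, several payloads."""
    _, sid = app.login("test", "test")
    csrf = extract_csrf(app.get_search(sid)[1])
    return [app.post_search(sid, csrf, p)[0] for p in payloads]

def replicate(app: FakeApp) -> Tuple[int, str]:
    """Replicator-style replay: login macro, token macro, then the probe."""
    _, sid = app.login("test", "test")                 # login macro: fresh session
    _, page = app.get_search(sid)                      # token macro: GET /search
    status, body = app.post_search(sid, extract_csrf(page), PROBE["q"])
    return status, grep_detect(body, PROBE["grep"])

if __name__ == "__main__":
    app = FakeApp()
    _, sid = app.login("test", "test")
    csrf = extract_csrf(app.get_search(sid)[1])
    app.expire(sid)
    print("stale replay :", replay_verbatim(app, sid, csrf))
    print("no rule      :", scan_without_rule(app, ["'", "a"]))
    print("with macros  :", replicate(app))
```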
So now this is reliably reproducible, so even if all those session IDs have expired, the macro will run, create fresh session IDs, and the developer can successfully reproduce these. One other thing that you might need to do: you might have some config within Burp that is required to connect to your target site, so a common example is hostname resolution, so if you want to include some of that in the Replicator file, that's taken out of your running Burp config, saved in the Replicator file, and then when it goes to the developer they get it, so this will encourage it to work out of the box. Okay, I'm sorry the demos were lively, so getting away from
anything that is going to rely on any sort of network communication with this virtual machine, I just wanted to talk to you a bit about coding the extension. Now, has anyone here had a go at coding a Burp extension? One, safe, Java? Good choice, like that. So I wanted to use Java; the reason is that each Jython extension has a separate interpreter, so it's a bit annoying, slow to start, and I also find, because Java's strongly typed, you get better IDE hints when you work with it, which was actually quite handy when you've got a big API to learn. Now, a lot of this is actually not very specific to Burp: this panel that we
see, you code all that using Swing; there's a small bit of the Burp API to put it in the tab. Now, one little feature that, if you notice in Burp, if you send an item to Repeater, the tab flashes, flashes for exactly three seconds each time, and what's quite a nice touch is to do the same for extension-generated ones. Now, the way we can do this is, when we add our panel to the Burp hierarchy, we can actually walk up the Swing hierarchy and get access to the tab, and then we can set the colour, and we can set a Swing timer after three seconds to reset it back to
black. And now another part of it, that looks great when it works, is when we've got tokens that update each time you press Test: the tokens update just like they do in Repeater. Now, unfortunately the Burp API doesn't provide you a convenient way to do that, but there's a really neat workaround. So what you can do is you can add a header just before you send the request, and then you can use an IHttpListener, and what that does is it's run at the end of all Burp's processing, so after all the macros and session handling rules have been applied and the request has been updated
and it's absolutely ready to go out to the web server. So within the handler, if you detect that header, then you remove the header to avoid... the web server, but you also now know that that request corresponds to what's being displayed right there, so you can update the display in real time. Another thing people have wondered about is how you get access to the macros and session handling rules from within an extension. So the functionality is a little bit hidden, but there are two really useful calls, saveConfigAsJson... yeah, you only want the JSON methods, not the saveConfig ones, the saveConfigAsJson and loadConfigFromJson, so that lets you get
access to all the, like, the proxy, Scanner, project options configuration, and actually those two things allow you to do a whole ton of things in extensions that you would not otherwise. Okay, yeah, okay, so I think that's it. I'm really sorry the demos didn't work out. I've given this presentation five times now, four times they worked, so thank you for at least not walking out. I hope you enjoy the rest of the day.
Thanks, Paul. Right, so next presentations up: at 3:45 we've got James Kettle in here, Practical Web Cache Poisoning, but I think that's his Black Hat talk from a couple of weeks ago, and then in track two there's Monkey Jack, yep. Do you want questions? Could ask, many questions... It's primarily not of a deep Burp nature, so, in terms of making money in pen testing, it's always great that the pen testers do the retesting, so the developer says yeah, we fixed it, it comes back to the pen tester, the pen tester tests it again, says no, you haven't, fix it again. We thought it's all cutting our margins a bit by getting the
developer to do their own retesting. Oh, I think in business it's always best to do what's right for the client rather than squeeze as much as we can out of them. Now, I've often had it that clients come back to me and said they'd fixed this, and I've looked and not a single change has been made, and I know other faces in this audience who I know for a fact have had the same thing happen, so I really think making the process efficient is good. And I mean, like, most pen test firms seem... So I can see this being useful for, say, you go and do the test, for example, then they have the developer ask us to do
the retest, you're not available, so I get pulled in for a day to do it, I'm not up to speed with the app, I don't know how the app works, so if I could have that export off you, it'll make it a lot quicker for me to go and do the retesting. That's it, I can see the benefit there. That is a really good idea as well, and it's something I didn't mention. I know especially, for me, triage is up there; I think this is something that would work well with bug bounties, because this seems to be a bit of a problem there when people report complex issues. I think triagers, they've got a million
ideas reporting non-issues, and then when there's something unusual in there it can get lost in the noise, and I would think some system like this, perhaps with replicability, could help. So does this work with Burp Community? Oh, so, devoted to repeat... so yes, would I make a cut-down version that people could download for free, so the developers could do this without buying a Pro licence? And the answer is absolutely, we did, and it's called Burp Community Edition. Got one more place, absolutely in my instance, they need to be Pro, on the BApp Store, absolutely not. If we go on here, on the BApp Store, if you look at the detail column, some of the BApps are Pro only,
most of them work in Community, some of them only work in a more limited form in Community. The enduring problem actually with Community, the obvious one, is where they send their output: with Pro BApps it works really well to create informational issues, a lot of those BApps work like that; the Community version just prints output onto the Extender output up here within Extender, which, I mean, it works, it's just not quite as good.
Come on, I think we could get several crosses... are you getting fired for not doing your demo? I think buying a round of drinks at the bar... at least owe it to us. Boy, come on, to get fired, especially as I've seen people drinking these, like, cheerful pink gins, wasn't me. Question at the back? So, so far, for six minutes I think, and essentially I replaced ten minutes of constructive content, it was difficult to show people, with ten minutes of flipping windows around and looking bad. So, say, round, I guess you know, it's like, I did, you know what, there are actually videos that show this online, but it doesn't actually trust
my ability... means, no, from here and show you too, if you will: if you go on the extension page there's a link to the developer video, it's a bit more condensed, only a couple of minutes, and there's a link to the pen tester bit as well. There's no info about the coding techniques I mentioned, because, like all the other BApps, the source code is open, it's on GitHub, so you could look through and learn. Do look through; people spend... people with tons of cool techniques, and there's open source, perhaps, loads of stuff to learn. Okay, right, enjoy the rest of the conference.