
...sure the coolest thing I've ever done, being on this big of a screen talking about something I've built, so I'm excited to talk to you guys today about what it means to hack with the heads-up display. And so if you have questions you can go to this website and use this tag or something, automatically ask me questions or something like that.

A little about me before I dive into this. So I do security engineering at a company called Segment. By security engineering I mean we do application security, cloud security, product security, anything that requires us to build something to help keep our company secure. And so, quick plug: if that sounds like something fun to you, we are hiring, specifically if securing infrastructure at scale and AWS sounds like something fun to you, please come talk to us; almost our entire team is here. I'm also a core contributor to the Zed Attack Proxy, the OWASP ZAP project. But the last thing that you need to know about me is that I'm a big fan of the 80s, so I was extremely stoked when BSides decided this is the theme they wanted to run for the conference. And what's not to love about the 80s? In '81, that's when the space shuttle program launched, and as a kid a decade later this is all I could talk about. The best music is from the 80s, one of my favorite bands, Tears for Fears. But this is also the time where we saw our first computer and hacking movies come out, and my favorite from this generation was Tron.

So I might not look like someone who's seen the original Tron, but I saw this for the first time in high school and immediately fell in love with it. Tron follows the software developer Kevin Flynn as he gets sucked into a computer, and in there he meets these other programs. These programs are trying to destroy the users, so he has to battle them in these light-cycle battles, where if he makes a mistake he could die. But he finds one program, Tron, who fights for the users, and him and Tron battle the other programs and eventually fight the MCP, the Master Control Program, to escape the computer. What I loved about Tron was how even back then they were able to visualize these abstract computer ideas; it puts a new perspective on the way that we look at computers. I was also fortunate enough in high school that they also came out with the reboot, which means you got to enjoy the exact same plot but with better CGI. So in this case we follow Kevin's son Sam Flynn as he discovers his missing dad's laboratory and also gets sucked into the computer, but when he gets there he's experiencing it in HD. So he too has to fight for his life against these other programs in these disc battles, where if he makes a mistake he would get de-rezzed, and this time our hero Tron is now evil Tron; he's fighting against the users. And in a way cooler looking version of the light-cycle battles the consequences are just as real for Sam: if he makes a mistake he could die. And again it's the way that these movies were able to put this tangible, this visual element on these abstract ideas that really sucked me into them. I think that's an idea that we can carry into security: finding new ways to visualize data or new ways to envision our UIs can open up new opportunities for us.

Now unfortunately I think there is a little bit of resistance within the InfoSec community to fancy, flashy new UIs or data vis stuff; hackers feel much more comfortable in their CLIs. I'm actually gonna blame this on another movie from the 80s. I blame this hesitancy on WarGames. In WarGames we follow a young Matthew Broderick as an up-and-coming hacker as he changes his school grades when they're not doing so great. He stumbles across this prompt, this program which he thinks is a game but turns out is actually some real government software, as he starts launching nuclear missiles across the globe. But what I take away from this movie is all these cool visualizations of nuclear missiles being launched, even in the 80s, the way they would depict this. Now these maps showing attacks flying across the world remind me of a famous, or rather pretty infamous, InfoSec data visualization: the Norse pew-pew map. Almost everyone I know in the community will take three minutes of their day to make fun of this map. What it's supposed to show is cyber attacks flying across the world, but what it's really doing is just putting flashy lights on some honeypots that Norse set up, showing these different types of network traffic. There's no real security takeaway from this; you can't use this and make your organization more secure, but it is fun to look at. So about ten years ago everyone started displaying this thing; you'd see recruiters showing it, and if you're unfortunate you might see someone running this in their NOC. It makes it look like you know what's going on, but really you're not getting anything out of it.

And I don't think all disciplines really need some fancy data vis stuff to improve their workflows; it doesn't make sense in some cases. In some cases it makes sense to view in hex, and in some cases it makes sense to stay on the CLI. But there is one discipline of security that is inherently visual, and that's application security, as denoted by this incredible stock image. In AppSec we're testing applications that run in the browser; this is an inherently visual tool. All the things that you want to test an application for, for security, require you to interface with this. For example, if you want to test to subvert some business logic you have to click through the application to understand what it means to check out an item. Even the most common vulnerability in web apps, XSS, we usually test this in a visual way: we look for that alert, we want to see this thing pop up to know that we just popped XSS on this. So if it's such a visual field, why do the most popular tools that we use to test web applications look like this?

If you're not familiar with these tools, this is Burp Suite on the left and OWASP ZAP on the right, two very similar tools, two different pros, but they both look like they're made from decades ago. Besides the fact that they just kind of are painful to look at, they can be frustrating to use, because we're used to testing web applications in the browser; that's the natural context for these things. But when we use this application and pull this out of it, we have to run this thing side by side; we're still creating test users in the browser and now we have to come over to the application to try to run some test attacks against it. And even for ZAP, a project that I contribute to, a project that has all these powerful features, it can still be frustrating for a first-time user to try to use it; it can be frustrating for someone trying to get into the industry to start using it. It just, it's not a great experience for the users. And so that's why we on the ZAP team have spent some time thinking about how we can reimagine these user interfaces, and so we came up with something we call the ZAP Heads-Up Display, or the HUD. At this point I'm gonna dive in to show you what the HUD is.

So let's say this is our application; this is OWASP Juice Shop. If you're not familiar with it, it's a great project; it's an intentionally vulnerable web app. And when you spin up the heads-up display for the first time you'll notice that right on top of your application we've overlaid this user interface. We've taken all the same features and functions that you would find in Burp and ZAP and put them into these different tools that are on the left and right side of the screen and on this toolbar at the bottom. So I'm going to walk through what some of these tools are and how you use them while testing your application.

So when you're testing your application you start with its exploration phase, right? You should want to know what you're attacking, and so these are some of the tools that we can use to do that. The first one to talk about is the site tree. So every time ZAP intercepts a message it starts recording what your application looks like, and right from the browser, if we click the site tree tool, it'll display all the different domains that ZAP has seen. If we dive in on Juice Shop here it's showing us all the different pages, all the different HTTP requests and responses that make up our site. Here we have some admin endpoints and REST endpoints, and if we dive in on them we can see the request and response that made up this page. Of course this is only for pages that we've gone and traversed ourselves in the browser; we want to automate this, and for this we can use the spider tool. The spider will automatically crawl your application, following URLs and trying a couple different brute-force attempts. And so when we run the spider it's gonna ensure that the application we're attacking is actually in scope; it lets us know what we're attacking, on the off chance that we're gonna start spidering something that we didn't mean to attack. And then once we start running the spider you'll see the percentage on it start to tick up; it's started sending dozens of requests at the application trying to discover all the different endpoints. And just to show you, because we have a pretty simple UI in the HUD's display right now, when you run that you can see in the background ZAP is sending dozens of requests. Of course we don't need to look at ZAP anymore; we can hide that. You only need to stay in the browser.

So after automatically crawling your different pages you might want to run some pretty simple generic payloads against them to see if there's really some garden-variety XSS or SQLi available, and for this we can use the active scan tool. This will attack all the pages that you've spidered so far. And so when we spin up the active scanner you'll see the same thing: as we start the tool it's letting us know, progress-wise, all the different attacks it's sent, and while this looks simple on the surface, we can see behind the scenes that it's sending dozens of different attack payloads against our application. And if we fast forward a little bit you can see that when it discovers a vulnerability it'll actually bring up this growler alert in the bottom left-hand of the screen here, letting us know it found an issue.

And so ZAP will discover issues in two different ways: with passive scanning, automatically inspecting all the requests and responses that are going through it, and with active scanning, sending little payloads at it. And we can inspect the different issues ZAP has found using these different flag tools on the left and right hand side. Now on the left hand side we'll see the page alerts; these are alerts that are specific to the page you're currently using in your browser. So in this case we found two low alerts, and it's letting us know the amount of times that it's found that alert across different pages. On the other side we'll see the site alerts; so in this case we can see that there's two high alerts that have been reported, some 31 cases of source code disclosure. We can also view these five instances of a CSP alert; in this case we have a wildcard in there, maybe we didn't mean to do that. If we dive in, it tells us where we found the issue, what evidence we think supports the fact that we found this issue, and provides more resources on what the issue actually means in case you're not familiar with it. Now in the future you'll be able to define what active and passive scans you want to support by a simple checklist indicating which ones you want to detect and which ones you don't want to, and when you get a false positive on one of these alerts you can check a button to indicate it as a false positive and send it away.

But that's just your base layer; that's what you want to do when you've just been introduced to an application, you want to get an idea of what's out there. Then you get to the real bread and butter of AppSec: intercepting a request, replaying attacks and trying to discover data leaks. And so the way we can look at replaying attacks is with the history tool, which is similar to the network tab in your browser tools, but this one's powered by ZAP. So as we inspect this request right here, this is a request to see what's in our basket; we can see the HTTP request and response and see that our basket was actually returned with nothing in it. But what's interesting though is that when we look at this request we see this number 4 at the end of it. Probably a chance that this could be some ID, so we can actually just change that 4 to a 2 to see what happens; maybe this is a user ID. And when we replay this in the console it's gonna return this JSON right back to us, and now this is the information in his cart; we've just viewed someone else's information, and Juice Shop lets us know that we found this vulnerability.

And this is the part where I think the heads-up display really outshines everything else, with intercepting messages. So we can intercept messages with the break tool, which is kind of like a breakpoint in your IDE. So when we use the break tool you'll see that as soon as we turn it on we are now intercepting messages; any requests that we send, we'll be notified about. So as we add an item to our cart you'll see we immediately get alerted with this pop-up; this is the request that we just sent, and now we can press step to allow this request through to the server and immediately intercept any responses or requests sent afterwards. So we press step on this request, we immediately get the response, and if we press step one more time we get to see this really interesting request: we have a quantity number for an item we're trying to add to our basket. So like any good attacker we're going to change that one to a negative 100, and at this point we're going to press continue to stop intercepting messages and let the traffic start flowing. And when we inspect our basket at this point you can see we can check out with a price of negative $200. And this is incredible. Like, if we were trying to intercept messages before with Burp or ZAP, you have to start in the browser to find the thing you want to change, and you go back to the application to turn on intercepting, and you go back to the browser to send the request, and you go back to the application to change it, and you go back to the browser to see the results. It's just insane, and if you're doing that 10 or 15 times just trying to test one thing it takes forever. And now we can do this all right in the browser.

We also have a couple tools to help try to reveal some data leakage. One of those that we're currently working on is the comments tool, and this will let you know where there are HTML comments in your application and let you just view them from the surface. So in this case we're taking a look at the Zed Attack Proxy's page on the OWASP wiki, so you see we have this number three right next to it; this means there's three comments in the HTML. And if we scroll down and turn the tool on, ZAP puts a little icon letting us know there's comments right there. We start to see these really strange, like, stats or links about things, and this last comment has information with some parser cache with a key and a timestamp, and this is actually some automated information returned by Wikimedia, some PHP library, the framework that builds these Wikipedia pages up. So nothing malicious, but kind of strange that it's there. And in the case we wanted to see where we could find something a little bit more interesting, the first CTF challenge you'd ever try on any site, right, is finding the key hidden in the comments, and just to show you how trivial it is, this is what that would look like. Now granted you're not going to be finding passwords and keys lying around on the applications you're testing, but you will find things like "to do: fix this dependency, out of date". Instead of having to climb through the source code and grepping for things, you can just view this in the browser.

We also have this reveal tool. Reveal allows us to enable any disabled field and show any hidden inputs, and so on the OWASP blog page you can see our little pop-up here shows six different things that can be revealed. By pressing the button we modify the page that we're attacking to show these hidden inputs. Again this is pretty simple functionality, but instead of having to crawl through source to look at these things, why not just view it in one simple way?

There's two more things I really want to show off, and these are really awesome. So the first one is a focused scan, which is going to show how all these different tools can work together to have this attack workflow that I've never seen in another tool, and I'm also going to show you how we can create tools in the HUD in less than two minutes. This part's gonna go by pretty fast. So in this case we have Juice Shop, our application that we're testing against; let me put a search in. Now we're going to view this in the history, let me inspect the request; you'll see we have this button right here, this active scan. This is gonna actively scan just this specific request, and because we're so focused on it, it immediately finds cross-site scripting, and we can inspect the alert to see what was the payload that triggered it. But what's even cooler is that when we go back to the page that triggered it, we've now marked up the application to let us know which form had the vulnerability, and we can then inspect that again, and if we click on the URL to see the payload that triggered it and choose to replay it in browser, we can replay the attack that caused this alert, bringing up XSS immediately. And this is something I can't do in any other tool; I always find it super frustrating trying to replay attacks from Burp or ZAP. There's a "copy as curl" or "copy URL", but then you're not getting all the HTTP headers and stuff. We can do all of this in one tool; it gets me really excited.

And the other thing we can do with the heads-up display is you can create your own tools, because even though we're building all this neat functionality, we're more interested in creating a framework that allows everyone else to build the tools that they need to do the testing for their applications. So in this case you can see we're using the script plugin for ZAP. The scripting plugin allows you to hook into the various points of ZAP to add your own functionality, so maybe on the receiving of requests, or intercepting a response, or when you're running an active scan, you can define the code that runs there. You can define this in JavaScript, Python, Ruby, a couple different supported languages, and in this case we've defined the script in Zest, and with Zest, which is a visual scripting language, you can see that all we're gonna do is replace the word "Juice Shop" with the word "hacked" in the body of our response. So pretty simple script, but you can imagine the different custom scripts that you could build on top of it. So we have this script in here; we also note that we have this HUD section of this. This is all the code that makes up the heads-up display, and so in here we're gonna create a new tool simply by copying and tweaking an existing one. So we have this attack mode tool, which I didn't even go over, and we're gonna copy it and change just a few lines of code. In this case we're going to change the name of it, we're gonna change what the label looks like, and we're going to define the behavior, what happens when we turn the tool on and off. So we'll change the dialogue that gets returned to us; then we're going to change two more lines of code after this, and those lines of code are going to be calls to a REST endpoint. It's actually gonna be the ZAP API, which if you haven't looked at I would highly recommend, man; you can control all of ZAP's functionality from this simple REST API. In this case we're gonna hit this scripting endpoint; we're gonna enable our hacked script when we press the button, and we're gonna disable it when we're done. After changing this we've just created our own custom functionality within the heads-up display. So we'll save this, we'll use the browser quick launch option in ZAP, which immediately launches a browser configured to work with ZAP and the HUD. If you view the heads-up display at this point we'll see that we have this new tool that wasn't available to us before, and so we'll go to add this tool to our heads-up display, and there it is, "hacked". When we add that to our panel here and turn it on and then refresh our page, in the upper left hand corner where it says Juice Shop you can see that's just changed to "hacked". Now granted this is a pretty simple example, but again you can write whatever code you want; any of the existing scripts that you use to test your application you can build into this in less than a few minutes. I think I clicked in doing my share of, sweet, all right.

So I've shown you all these different features, but I think you're still asking, like, how does this help you? You might not be a penetration tester; why do I think this can help you? I think no matter what discipline you're in, the heads-up display can provide you value. If you're a developer, you can discover vulnerabilities as you're writing code; you don't have to wait for CI to return something, you don't have to wait for some scan to return something, you don't have to wait for a GitHub hook. If you're developing your code in a browser with the heads-up display enabled, you'll commonly get these growler alerts letting you know when it thinks it's had an issue. This is pushing as far left as you possibly can. If you're in QA you can use this to help integrate security as you're testing your application, and it'll start illuminating this attack surface you didn't know exists; it'll highlight the forms that might be vulnerable; you can integrate these custom scripts that you used to test it right into the heads-up display. And in the future we can start building tools like a JIRA plugin, so when we have an alert and you want to send it to a developer you just simply click a button and it'll convert that alert for you. And if you're a bug bounty hunter you can start automating your recon as you're hunting things; we can create tools for Wappalyzer or BuiltWith to understand the tech stack that you're trying to attack.

If you still don't believe that this is a tool that can be useful for you, well, come try it out. I'll be hanging over at the OWASP booth tomorrow from like 10:00 to 12:00. I'm hoping to have a couple MacBook Pros set up with the heads-up display and you can go play and attack Juice Shop with it, and worst case I'll have my personal machine and I can kind of give you guys demos of how it works. And I also invite all of you guys to get involved with this. So currently the heads-up display is in alpha as an extension to ZAP, and to figure out how to get started on it you can go to our GitHub repo; there's three different ways you can get started with it. And coming out in ZAP 2.8, which is, don't quote me, hopefully coming out in a few months or within a few months, we'll have the heads-up display enabled by default and you'll be able to immediately install ZAP and use it there. So please try it out and share your feedback with us, and also please contribute. I am not good at writing JavaScript and I made it this far, so if you have any talent at all in writing JavaScript please come help me.

So I hope that I've shown you guys throughout this presentation that with the heads-up display, because we're integrated in the browser, we can enable these, like, new testing workflows, and we can enable you to build the tools that you need to attack your web application. And so just like evil Tron at the end of Tron: Legacy when he remembers who he actually is, I hope that you guys believe that the OWASP ZAP team is working to fight for the users. Thank you very much.

[Applause]

Hi, do we have any questions?

Hey, great presentation, thank you, really loaded. But you know I'm not familiar with ZAP extensions, so can you tell us a little bit more about how the extensions, how this HUD actually works? Is it like a browser extension, or part of ZAP?

That's a great question. I actually didn't dive into the architecture, which I love nerding out about, so if you have any interest about how this actually works please come bother me later. This is not a browser extension; you can use this on any browser that you want. So what this is, this is a plugin for ZAP. So when you run ZAP and you turn this on and open up your browser, we're automatically gonna inject a little bit of JavaScript into your web app, which then loads up these iframes, which then communicate with the service worker in the background, which then communicates with ZAP acting as a server. So that's a pretty aggressive overview of how it works, but if any of those technologies are something that you think is interesting, please bother me about it. Thank you.

Yeah, okay, yes, yes. So with ZAP you can inspect WebSockets; I'm not sure, at the bottom of those tabs you might have seen the WebSocket tab right next to the history tab. Yeah, you can watch WebSocket traffic flow with the heads-up display. Yeah, yep.

That is actually a great question. The question was why should he trust my JavaScript on his web app. So one, if you're testing your own web application you shouldn't be tripping too much, but if you're actually using it to test, like, other people's web apps and you don't want those applications to attack you, we've actually taken a couple of different security measures in ZAP. So a couple of them off the top of my head is that these iframes that we boot up are run on a separate domain, so we can still keep same-origin policy intact, with communications using the postMessage API in the browser, not to be confused with HTTP POST requests. We verify all the different origins that are being sent to us, and we have API keys to make sure that people can't access ZAP when you're viewing the application. Yeah.

One more question? Anyone? All right, thank you. Thank you everybody.

[Applause]
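The origin checks mentioned in the last answer, written out as an added example that is not the HUD's own code: tool frames served from a separate origin exchange messages with the page through postMessage, and the receiver checks event.origin before acting on anything. The origins, action names and the handler function names here are constructed for illustration.

```javascript
// Added example, not the ZAP HUD's own code. It shows the pattern described in
// the talk: tool iframes live on their own origin, talk to the page under test
// via window.postMessage, and a receiver only acts on messages whose origin it
// expects. Every origin and action name below is constructed for illustration.

const HUD_ORIGIN = "https://hud.example";           // assumed origin of the tool iframes
const TARGET_ORIGIN = "https://juice-shop.example"; // assumed origin of the app under test

// Actions a tool frame will accept from the page it was injected into.
const KNOWN_ACTIONS = new Set(["showComments", "revealHidden", "hideAll"]);

// Unsafe receiver: trusts whoever posts the message. Any other window that can
// reach this frame (another tab, a hostile page that embedded it) can drive it.
function handleHudMessageUnsafe(event) {
  const msg = JSON.parse(event.data);
  return { accepted: true, action: msg.action };
}

// Hardened receiver: allow-list the sender origin first, then validate the
// message shape, then dispatch only known actions. It returns a decision object
// rather than acting directly so the logic can be exercised outside a browser.
function handleHudMessage(event, allowedOrigins = new Set([TARGET_ORIGIN])) {
  if (!allowedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: "malformed message" };
  }
  if (typeof msg !== "object" || msg === null || !KNOWN_ACTIONS.has(msg.action)) {
    return { accepted: false, reason: "unknown action" };
  }
  return { accepted: true, action: msg.action };
}

// Sender side (page-injected script talking to a tool frame): always name the
// target origin. With "*" the browser would still deliver the message if the
// frame had meanwhile been navigated to some other site.
function sendToHud(targetWindow, action) {
  targetWindow.postMessage(JSON.stringify({ action }), HUD_ORIGIN);
}

// Constructed stand-ins for the MessageEvent objects a browser would deliver.
const fromPage = { origin: TARGET_ORIGIN, data: JSON.stringify({ action: "showComments" }) };
const fromOther = { origin: "https://other-tab.example", data: JSON.stringify({ action: "showComments" }) };
const junkFromPage = { origin: TARGET_ORIGIN, data: "{not json" };

if (typeof window !== "undefined") {
  // In a tool frame the hardened receiver would be wired up like this.
  window.addEventListener("message", (ev) => handleHudMessage(ev));
}
```

The page-side handler is the mirror image: it accepts only messages whose origin is HUD_ORIGIN, and the API key the speaker mentions is a separate layer that gates the HTTP calls to ZAP itself.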