■ Burp
■ Debugging DHTML With Firefox Extensions
■ Analyzing HTTP Traffic with Firefox Extensions
■ GreaseMonkey
■ Hacking with Bookmarklets
■ Using Technika
Chapter 2
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
Finding and exploiting cross-site scripting (XSS) vulnerabilities can be a complex and time consuming task.To expedite the location of these bugs, we employ a wide range of tools and techniques. In this chapter, we look at a collection of tools that the authors have found to be invaluable in their research and testing.
It is important to note that many of the XSS bugs out there can be found with nothing more than a browser and an attention to detail.These low hanging fruit are typically found in search boxes and the like. By entering a test value into the form and viewing the results in the response, you can quickly find these simple bugs. However, these are the same bugs that you can find in a fraction of the time with a Web application scanner. Once these basic vulnerabilities are found, tools become a very valuable part of the attack process. Being able to alter requests and responses on the fly is the only way some of the best bugs are found.
We should also mention that these tools are good for more than just locating XSS flaws.
They are also very useful for developers and Web application penetration testers.
Burp
The modern browser is designed for speed and efficiency, which means Web application security assessment is a painful task, because probing a Web application requires in-depth analysis. Generally, to test an application, you want to slow down the transmission of data to and from the server to a snail’s pace so you can read and modify the transmitted data; hence the proxy.
In the early days of security, proxies were capable of slowing down the connection in only the outbound direction and as such, a user could only alter the information being transferred to the server; however, that’s only part of the equation when analyzing a Web application. Sometimes it greatly behooves you to be able to modify the incoming data. For example, you might want to modify a cookie so that it doesn’t use HttpOnly, or remove a JavaScript function. Sometimes you just want a bidirectional microscopic view into every request your browser is making. And then there was Burp Proxy (www.portswigger.com/
suite/.
Burp Proxy is part of a suite of Java tools called Burp Suite that allow for Web applica-tion penetraapplica-tion, but for the purposes of this book only one funcapplica-tion is particularly useful, and that’s the proxy.To get started, you need the Java run time environment installed, which you can get from Java.com’s Web site. Once that is installed you modify your proxy settings in your browser to use localhost or 127.0.0.1 at port 8080.
Figure 2.1 Firefox Connection Settings Dialog
Figure 2.2 Burp Suit Main Window
Once this is done, you can launch Burp Proxy, which will show you a blank screen.The Intercept and Options windows are the most important ones that we will be focusing on.
First let’s configure Burp Proxy to watch both inbound and outbound requests. Under
“Options” uncheck resource type restrictions, turn on interception of Server Responses, and
uncheck “text” as a content type.This will show you all of the data to and from every server you connect to.
Figure 2.3 Burp Suit Proxy Options Configuration Screen
N
OTEThis is also a good way to identify spyware you may have on your system, as it will stop and alert you on any data being transferred from your client. You should do this for all of your clients if you want to see what spyware you have installed, as each one will need to go through the proxy for it to show you what is using it.
Once this has been configured, you should be able to surf and see any data being trans-ferred to and from the host.This will allow you to both detect the data in transit and modify it as you see fit. Of course any data you modify that is sent to your browser affects you and you alone, however, if it can turn off JavaScript client side protection this can be used to do other nefarious things, like persistent XSS, which would normally not be allowed due to the client side protections in place. Also, in the days of Asynchronous JavaScript and XML (AJAX), this tool can be incredibly powerful to detect and modify data in transit in both directions, while turning off any protection put in place by the client to avoid modification by the browser.
Figure 2.4 Request Interception
This can also help remove lots of information that would otherwise leak to the target, including cookies, referrers, or other things that are either unnecessary or slow down the exploitation, as seen in the above image. Another useful feature is the ability to switch into hex mode.This is particularly useful when you are viewing pages in alternate encoding methods, like US-ASCII or UTF-16.
In both of the images below you can see there are either non-visible characters (null) or characters that don’t fall within the normal low order (0–127) American Standard Code for Information Interchange (ASCII) range, but rather fall in the higher order 128–255 range. In both of these examples, when they work (IE7.0 for the first example in Figure 2.5 and Firefox for the second in Figure 2.6) the viewing source would provide you with little or no information about the encoding methods used or the specific characters required to perform the attack in that character set (charset).
Figure 2.5 Response Interception as HEX for IE7
Figure 2.6 Response Interception as HEX for Firefox
Burp proxy is by far one of the most useful Web application security tools in any manual security assessment. Not only does it help uncover the obvious stuff, but it’s possible
to write custom rules if you know what you are looking for. For instance, if you wanted to find only XML files for debugging AJAX applications, a Burp proxy rule can be created to capture just this information.
Ultimately, Burp is only one tool amongst a wide array of others that do parts of what Burp does as well or better, but nothing works in quite the same way or with quite the same power as Burp Suite. Burp Proxy is not for the faint of heart, but once you get accus-tomed to it, it is a great learning tool for understanding how Hypertext Transfer Protocol (HTTP) actually works under the hood.