Tuesday, 25 August 2015

Selenium IDE: Flow Control Logic Extension for IDE

As we know, Selenium IDE is a good browser automation tool for basic automation tasks, since it ships with many commands that cover our day-to-day automation work. However, the tool lacks some features, such as looping. It does allow users to add an extension to the IDE, known as Flow Control, that provides looping while automating application functionality. This post shows how to implement a Selenium IDE loop with a simple example.


  1. The Loop control flow code is given towards the end of this post.
  2. Copy and paste the code into a text editor and save it as a .js file.
  3. Open Selenium IDE and navigate to Options > General tab.
  4. Browse to the new Loop control JavaScript file and attach it in the Selenium Core Extensions section. (Note: Restart Selenium IDE for the change to take effect.)
  5. Once this extension is configured, you should see the following commands in the Selenium IDE command list:

  • label | mylabel - creates a label called "mylabel" (a goto target)
  • goto | mylabel - goto "mylabel"
  • gotoLabel | mylabel - synonym for goto
  • gotoIf | expression - jump to specified label if expression is true
  • while | expression - loop while expression is true
  • endWhile - indicate the end of a while loop
  • push | value | arrayName - push value onto an array, creating array if necessary

Note: These are additional commands that we added to the IDE through the JavaScript extension file; Selenium IDE does not provide them 'OUT-OF-THE-BOX'.

Example:

Let us consider a small example that demonstrates one or two of the commands; in my case I will use the label and gotoLabel commands, with the Bing search page as the example. We will see how the Flow Control extension can be used to navigate to the Bing Explore page and then redirect to the MSN homepage multiple times.

(Note: The other commands provided by the flow control extension can be used in the same way wherever applicable.)

=========
IDE Script:
=========



================
HTML Code Format:
================

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head profile="http://selenium-ide.openqa.org/profiles/test-case">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="selenium.base" href="https://87sixdevelop.seedconnect.org/" />
<title>New Test</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">New Test</td></tr>
</thead><tbody>
<tr>
<td>label</td>
<td>openBingSearch</td>
<td></td>
</tr>
<tr>
<td>open</td>
<td>https://www.bing.com/</td>
<td></td>
</tr>
<tr>
<td>clickAndWait</td>
<td>link=Explore</td>
<td></td>
</tr>
<tr>
<td>storeText</td>
<td>css=div.TaskTitle &gt; span</td>
<td>Actual_Title</td>
</tr>
<tr>
<td>echo</td>
<td>${Actual_Title}</td>
<td></td>
</tr>
<tr>
<td>store</td>
<td>Spotlight</td>
<td>Expected_Title</td>
</tr>
<tr>
<td>echo</td>
<td>${Expected_Title}</td>
<td></td>
</tr>
<tr>
<td>verifyEval</td>
<td>storedVars['Actual_Title']==storedVars['Expected_Title']</td>
<td>true</td>
</tr>
<tr>
<td>open</td>
<td>http://www.msn.com/en-in/</td>
<td></td>
</tr>
<tr>
<td>waitForElementPresent</td>
<td>css=h2 &gt; a</td>
<td></td>
</tr>
<tr>
<td>storeText</td>
<td>css=h2 &gt; a</td>
<td>ActualLinktitleMSN</td>
</tr>
<tr>
<td>echo</td>
<td>${ActualLinktitleMSN}</td>
<td></td>
</tr>
<tr>
<td>store</td>
<td>Make MSN my homepage</td>
<td>ExpectedLinktitleMSN</td>
</tr>
<tr>
<td>echo</td>
<td>${ExpectedLinktitleMSN}</td>
<td></td>
</tr>
<tr>
<td>verifyEval</td>
<td>storedVars['ActualLinktitleMSN']==storedVars['ExpectedLinktitleMSN']</td>
<td>true</td>
</tr>
<tr>
<td>gotoLabel</td>
<td>openBingSearch</td>
<td></td>
</tr>

</tbody></table>
</body>
</html>

================
Test Execution Log:
================

[info] Playing test case Demo_Loop_Control_Test
[info] Executing: |label | openBingSearch | |
[info] Executing: |open | https://www.bing.com/ | |
[info] Executing: |clickAndWait | link=Explore | |
[info] Executing: |storeText | css=div.TaskTitle > span | Actual_Title |
[info] Executing: |echo | ${Actual_Title} | |
[info] echo: Spotlight
[info] Executing: |store | Spotlight | Expected_Title |
[info] Executing: |echo | ${Expected_Title} | |
[info] echo: Spotlight
[info] Executing: |verifyEval | storedVars['Actual_Title']==storedVars['Expected_Title'] | true |
[info] script is: storedVars['Actual_Title']==storedVars['Expected_Title']
[info] Executing: |open | http://www.msn.com/en-in/ | |
[info] Executing: |waitForElementPresent | css=h2 > a | |
[info] Executing: |storeText | css=h2 > a | ActualLinktitleMSN |
[info] Executing: |echo | ${ActualLinktitleMSN} | |
[info] echo: Make MSN my homepage
[info] Executing: |store | Make MSN my homepage | ExpectedLinktitleMSN |
[info] Executing: |echo | ${ExpectedLinktitleMSN} | |
[info] echo: Make MSN my homepage
[info] Executing: |verifyEval | storedVars['ActualLinktitleMSN']==storedVars['ExpectedLinktitleMSN'] | true |
[info] script is: storedVars['ActualLinktitleMSN']==storedVars['ExpectedLinktitleMSN']
[info] Executing: |gotoLabel | openBingSearch | |
[info] Executing: |open | https://www.bing.com/ | |
[info] Executing: |clickAndWait | link=Explore | |
[info] Executing: |storeText | css=div.TaskTitle > span | Actual_Title 
...
...

==================
Test Summary Report:
==================



========================
Loop Control Logic Flow Code:
========================

var gotoLabels= {};
var whileLabels = {};

// overload the original Selenium reset function
Selenium.prototype.reset = function() {
    // reset the labels
    this.initialiseLabels();
    // proceed with original reset code
    this.defaultTimeout = Selenium.DEFAULT_TIMEOUT;
    this.browserbot.selectWindow("null");
    this.browserbot.resetPopups();
}


/*
 * ---   Initialize Conditional Elements  --- *
 *  Run through the script collecting line numbers of all conditional elements.
 *  There are three result arrays: goto labels, while pairs and forEach pairs
 *  (forEach commands are collected but not paired up by this extension).
 */
Selenium.prototype.initialiseLabels = function()
{
    gotoLabels = {};
    whileLabels = { ends: {}, whiles: {} };
    var command_rows = [];
    var numCommands = testCase.commands.length;
    for (var i = 0; i < numCommands; ++i) {
        var x = testCase.commands[i];
        command_rows.push(x);
    }
    var cycles = [];
    var forEachCmds = [];
    for( var i = 0; i < command_rows.length; i++ ) {
        if (command_rows[i].type == 'command')
        switch( command_rows[i].command.toLowerCase() ) {
            case "label":
                gotoLabels[ command_rows[i].target ] = i;
                break;
            case "while":
            case "endwhile":
                cycles.push( [command_rows[i].command.toLowerCase(), i] )
                break;
            case "foreach":
            case "endforeach":
                forEachCmds.push( [command_rows[i].command.toLowerCase(), i] )
                break;
        }
    }  
    var i = 0;
    while( cycles.length ) {
        if( i >= cycles.length ) {
            throw new Error( "non-matching while/endWhile found" );
        }
        switch( cycles[i][0] ) {
            case "while":
                if( ( i+1 < cycles.length ) && ( "endwhile" == cycles[i+1][0] ) ) {
                    // pair found
                    whileLabels.ends[ cycles[i+1][1] ] = cycles[i][1];
                    whileLabels.whiles[ cycles[i][1] ] = cycles[i+1][1];
                    cycles.splice( i, 2 );
                    i = 0;
                } else ++i;
                break;
            case "endwhile":
                ++i;
                break;
        }
    }

}

Selenium.prototype.continueFromRow = function( row_num )
{
    if(row_num == undefined || row_num == null || row_num < 0) {
        throw new Error( "Invalid row_num specified." );
    }
    testCase.debugContext.debugIndex = row_num;
}

// do nothing. simple label
Selenium.prototype.doLabel = function(){};

Selenium.prototype.doGotoLabel = function( label )
{
    if( undefined == gotoLabels[label] ) {
        throw new Error( "Specified label '" + label + "' is not found." );
    }
    this.continueFromRow( gotoLabels[ label ] );
};

Selenium.prototype.doGoto = Selenium.prototype.doGotoLabel;

Selenium.prototype.doGotoIf = function( condition, label )
{
    if( eval(condition) ) this.doGotoLabel( label );
}

Selenium.prototype.doWhile = function( condition )
{
    if( !eval(condition) ) {
        var last_row = testCase.debugContext.debugIndex;
        var end_while_row = whileLabels.whiles[ last_row ];
        if( undefined == end_while_row ) throw new Error( "Corresponding 'endWhile' is not found." );
        this.continueFromRow( end_while_row );
    }
}

Selenium.prototype.doEndWhile = function()
{
    var last_row = testCase.debugContext.debugIndex;
    var while_row = whileLabels.ends[ last_row ];
    // check for the missing pair before arithmetic: (undefined - 1) is NaN and
    // would never equal undefined, so the original check could not fire
    if( undefined == while_row ) throw new Error( "Corresponding 'While' is not found." );
    // jump to the row before the matching 'while' so its condition is re-evaluated
    this.continueFromRow( while_row - 1 );
}

Selenium.prototype.doPush= function(value, varName)
{
    if(!storedVars[varName]) {
        storedVars[varName] = new Array();
    } 
    if(typeof storedVars[varName] !== 'object') {
        throw new Error("Cannot push value onto non-array " + varName);
    } else {
        storedVars[varName].push(value);
    }

}

Thanks,
Pinaki Mohapatra

Tuesday, 18 August 2015

Selenium IDE: Extracting a number or value/text from a string or URL and store it in a variable.

This post explains how we can extract a number, say an Object ID, or an Object Name from a string or an absolute URL.

1. Extract an object ID from a URL.

Let's say we have the URL - https://www.testfoo.org/folder1/folderA1/?objectID=1251

From this URL, how can we extract the object ID, i.e. 1251, and store it in a variable that we can then use wherever required in our IDE script?

1. store | https://www.testfoo.org/folder1/folderA1/?objectID=1251 | string 
2. store | 1 | delimiter 
3. store | javascript{storedVars['string'].split('?objectID=')[storedVars['delimiter']]} | result 
4. echo | ${result}

Step 1: Store the URL, i.e. "https://www.testfoo.org/folder1/folderA1/?objectID=1251", in a variable - "string".
Step 3: JavaScript splits the stored variable (string) at "?objectID=" and stores the part after it (the ID) in a new variable, result.
Step 4: Print the result. The result will be - 1251

HTML Code format:

<tr>
    <td>store</td>
    <td>https://www.testfoo.org/folder1/folderA1/?objectID=1251</td>
    <td>string</td>
</tr>
<tr>
    <td>store</td>
    <td>1</td>
    <td>delimiter</td>
</tr>
<tr>
    <td>store</td>
    <td>javascript{storedVars['string'].split('?objectID=')[storedVars['delimiter']]}</td>
    <td>result</td>
</tr>
<tr>
    <td>echo</td>
    <td>${result}</td>
    <td></td>
</tr>

OR

1. storeLocation | string
2. store | 1 | delimiter
3. store | javascript{storedVars['string'].split('?objectID=')[storedVars['delimiter']]} | result
4. echo | ${result}

Step 1: Store the current URL location, i.e. "https://www.testfoo.org/folder1/folderA1/?objectID=1251", in a variable - "string".
Step 3: JavaScript splits the stored variable (string) at "?objectID=" and stores the part after it (the ID) in a new variable, result.
Step 4: Print the result. The result will be - 1251

HTML Code format:

<tr>
    <td>storeLocation</td>
    <td>string</td>
    <td></td>
</tr>
<tr>
    <td>store</td>
    <td>1</td>
    <td>delimiter</td>
</tr>
<tr>
    <td>store</td>
    <td>javascript{storedVars['string'].split('?objectID=')[storedVars['delimiter']]}</td>
    <td>result</td>
</tr>
<tr>
    <td>echo</td>
    <td>${result}</td>
    <td></td>
</tr>

2. Extract part of a text, say an Object name, using Selenium IDE and store it in a variable.

Let's say we have a string inside a div (HTML content). For example:

<div class="Title">Edit XXX Centre 1-457898, India</div>

And here we want to extract and store "XXX Centre" in a variable. How can we do this through the IDE?

1. store | Edit XXX Centre 1-457898, India | Text
2. store | 1 | delimiter1
3. store | javascript{storedVars['Text'].split('Edit ')[storedVars['delimiter1']]} | string1
4. echo  | ${string1}
5. store | 0 | delimiter2
6. store | javascript{storedVars['string1'].split(' 1-457898')[storedVars['delimiter2']]} | string2
7. echo  | ${string2}

Result will be: XXX Centre

Step 1: Store the entire string, i.e. "Edit XXX Centre 1-457898, India", in a variable - "Text". (Variable names are case-sensitive, so the later steps must refer to it as Text, not text.)
Step 3: JavaScript splits the stored variable (Text) at "Edit " and stores the remaining content after it in a new variable, string1.
Step 4: Print the result. The result will be - XXX Centre 1-457898, India
Step 6: JavaScript splits the stored variable [string1, i.e. XXX Centre 1-457898, India] at " 1-457898" and stores the content before it in a new variable, string2.
Step 7: Print the result. The result will be - XXX Centre
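As an added example (not from the original post), the same two extractions written as plain JavaScript functions you can run in Node or paste into a javascript{...} target, beside a URL-aware variant that copes with extra query parameters, which the plain split does not. Function names and the extra sample inputs are constructed for this example.

```javascript
// Added example: the post's split-based extraction next to a query-string-aware
// version. Helper names and the *_EXTRA sample input are constructed here.

// The post's approach: split on a marker and take the part after it (index 1)...
function extractAfter(text, marker) {
  return text.split(marker)[1];
}

// ...or the part before it (index 0).
function extractBefore(text, marker) {
  return text.split(marker)[0];
}

// Safer objectID extraction: parse the query string instead of splitting the raw
// URL, so trailing parameters or a #fragment do not end up inside the ID.
// Returns null when the parameter is missing or is not a plain number.
function extractObjectId(url) {
  var id = new URL(url).searchParams.get('objectID');
  if (id === null) return null;
  return /^\d+$/.test(id) ? id : null;
}

// "Edit XXX Centre 1-457898, India" -> "XXX Centre", without hard-coding the
// numeric suffix the way the split in step 6 does.
function extractObjectName(title) {
  var m = /^Edit (.+?) \d+-\d+, /.exec(title);
  return m ? m[1] : null;
}

// Constructed sample inputs (the first two mirror the post's values).
var SAMPLE_URL = 'https://www.testfoo.org/folder1/folderA1/?objectID=1251';
var SAMPLE_TITLE = 'Edit XXX Centre 1-457898, India';
var SAMPLE_URL_EXTRA = SAMPLE_URL + '&tab=2#top';

// Shows the failure mode: with extra parameters the split keeps "&tab=2#top".
function compareApproaches() {
  return {
    splitPlain: extractAfter(SAMPLE_URL, '?objectID='),        // "1251"
    splitExtra: extractAfter(SAMPLE_URL_EXTRA, '?objectID='),  // "1251&tab=2#top"
    parsedExtra: extractObjectId(SAMPLE_URL_EXTRA)             // "1251"
  };
}
```

Inside the IDE the same expressions work in a Target cell as javascript{...}, with storedVars['Text'] in place of the literal strings.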

HTML Code format:

<tr>
    <td>store</td>
    <td>Edit XXX Centre 1-457898, India</td>
    <td>Text</td>
</tr>
<tr>
    <td>store</td>
    <td>1</td>
    <td>delimiter1</td>
</tr>
<tr>
    <td>store</td>
    <td>javascript{storedVars['Text'].split('Edit ')[storedVars['delimiter1']]}</td>
    <td>string1</td>
</tr>
<tr>
    <td>echo</td>
    <td>${string1}</td>
    <td></td>
</tr>
<tr>
    <td>store</td>
    <td>0</td>
    <td>delimiter2</td>
</tr>
<tr>
    <td>store</td>
    <td>javascript{storedVars['string1'].split(' 1-457898')[storedVars['delimiter2']]}</td>
    <td>string2</td>
</tr>
<tr>
    <td>echo</td>
    <td>${string2}</td>
    <td></td>
</tr>

Thanks,
Pinaki Mohapatra

Thursday, 13 August 2015

Selenium IDE - How to add random data into text, large/small text area fields.

To add dynamic data we need to add a .js extension file to Selenium IDE (Selenium IDE > Options > Options).

Copy and paste the code below and save it as a .js file (userextension.js).

===============

// randomString | <length>|<type> | <varName>
// options is a '|' separated list (in any order) of a length (digits) and a
// type (alpha, numeric or alphanumeric). Defaults: 8 characters, alphanumeric.
// The result is stored in storedVars[varName] and is available as ${varName}.
Selenium.prototype.doRandomString = function( options, varName ) {

    var length = 8;
    var type   = 'alphanumeric';
    var o = options.split( '|' );
    for ( var i = 0 ; i < 2 ; i ++ ) {
        if ( o[i] && o[i].match( /^\d+$/ ) )
            length = parseInt( o[i], 10 );

        if ( o[i] && o[i].match( /^(?:alpha)?(?:numeric)?$/ ) )
            type = o[i];
    }

    switch( type ) {
        case 'alpha'        : storedVars[ varName ] = randomAlpha( length ); break;
        case 'numeric'      : storedVars[ varName ] = randomNumeric( length ); break;
        case 'alphanumeric' : storedVars[ varName ] = randomAlphaNumeric( length ); break;
        default             : storedVars[ varName ] = randomAlphaNumeric( length );
    }
};

function randomNumeric ( length ) {
    return generateRandomString( length, '0123456789'.split( '' ) );
}

function randomAlpha ( length ) {
    var alpha = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'.split( '' );
    return generateRandomString( length, alpha );
}

function randomAlphaNumeric ( length ) {
    // each character listed once, so every character is equally likely
    var alphanumeric = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'.split( '' );
    return generateRandomString( length, alphanumeric );
}

// Builds a string of `length` characters drawn from `chars`. Math.random() is
// fine for test data like this but is not a cryptographic source, so do not
// reuse this helper to generate passwords, tokens or other secrets.
function generateRandomString( length, chars ) {
    var string = '';
    for ( var i = 0 ; i < length ; i++ )
        string += chars[ Math.floor( Math.random() * chars.length ) ];
    return string;
}

==================

In Selenium IDE, enter

Command             Target             Value

randomString          6                Firstname
echo                ${Firstname}
type                   id=fname       ${Firstname}

==================

Scenario - Let's say we want to create a new user profile and enter random dynamic data in the firstname and lastname fields.

Step 1: Copy and paste the above code, save it as a .js file and add the JavaScript file to the IDE (Selenium IDE > Options > Options > Selenium Core Extensions). Restart your IDE.

Step 2: Add the commands (the variable typed into each field must be the one randomString stored, i.e. ${Firstname} and ${Lastname})

Command                  Target              Value
randomString             6                   Firstname
echo                     ${Firstname}
type                     id=fname            ${Firstname}
randomString             6                   Lastname
echo                     ${Lastname}
type                     id=lname            ${Lastname}
click                    id=submit

Once the user is added, we can verify with:

Command                    Target                               Value

store                      ${Firstname} ${Lastname}            username
echo                       ${username}
verifyText                 enter: id/css/xpath/dom             ${Firstname} ${Lastname}

OR

verifyText                 enter: id/css/xpath/dom             ${username}

=========
In case of a drop-down list,
=========
select                     enter: id/css/xpath/dom             ${Firstname} ${Lastname}
verifySelectedLabel        enter: id/css/xpath/dom             ${Firstname} ${Lastname}

OR

select                     enter: id/css/xpath/dom             ${username}
verifySelectedLabel        enter: id/css/xpath/dom             ${username}

===========

HTML Code Format

<tr>
    <td>randomString</td>
    <td>6</td>
    <td>Firstname</td>
</tr>
<tr>
    <td>echo</td>
    <td>${Firstname}</td>
    <td></td>
</tr>
<tr>
    <td>randomString</td>
    <td>6</td>
    <td>Lastname</td>
</tr>
<tr>
    <td>echo</td>
    <td>${Lastname}</td>
    <td></td>
</tr>
<tr>
    <td>type</td>
    <td>id=fname</td>
    <td>${Firstname}</td>
</tr>
<tr>
    <td>type</td>
    <td>id=lname</td>
    <td>${Lastname}</td>
</tr>
<tr>
    <td>click</td>
    <td>id=submit</td>
    <td></td>
</tr>
<tr>
    <td>store</td>
    <td>${Firstname} ${Lastname}</td>
    <td>username</td>
</tr>
<tr>
    <td>echo</td>
    <td>${username}</td>
    <td></td>
</tr>
<tr>
    <td>verifyText</td>
    <td>name=title</td>
    <td>${username}</td>
</tr>
<tr>
    <td>select</td>
    <td>id=username</td>
    <td>${username}</td>
</tr>
<tr>
    <td>verifySelectedLabel</td>
    <td>id=username</td>
    <td>${username}</td>
</tr>


Thanks,
Pinaki Mohapatra

Tuesday, 28 October 2014

IronWASP: Check to find broken authentication

In this section, we will discuss how to check for and find broken authentication using IronWASP. For demonstration purposes, we will use the demo application provided with IronWASP, as we did earlier when learning how to find CSRF vulnerabilities.

When you log in to the demo application, you will find a series of links that should be accessible only to a logged-in user, i.e. only after valid authentication. Sometimes you may come across a case where these links are accessible without a valid login. The usual reason is that, during development, the programmer made a mistake in enforcing authentication, which leaves the link vulnerable. So our main job here is to test for and find the links or URLs that are accessible without a valid login.

In general, the links present in an application can be tested manually to make sure they are not vulnerable, but doing so is time-consuming and hectic when the application has many links. IronWASP performs this task smoothly by automating the testing and validation of broken authentication.

To test broken authentication using IronWASP, invoke the Interactive Testing Tools menu and select 'Test for Broken Authentication'. This opens a window, shown below, that asks you to select all logs or to customize and include specific logs in your test. In my case, I selected the host name and All logs for logs, and then clicked the 'Find Suitable Candidate' button.




Note: Before moving on to test for broken authentication, our first task is to browse through the demo application (all links/pages) once, so that the logs are generated automatically in the log section of IronWASP; the broken authentication test works from these logs.

After selecting the desired parameters in the configure phase (for broken authentication), the tool moves to the 'Select Candidate' phase, where you can view all the request/response logs captured while you browsed the application manually. Here we simply customize our settings by selecting or deselecting the methods we want to include in the test (for example, include only GET and exclude POST) and then click the 'Test selected candidate' button.




On clicking the 'Test selected candidate' button, the tool starts testing: it automatically visits each link/page included in the test and checks for broken authentication. IronWASP visits all the URLs selected from the logs and compares the response generated for each URL when not logged in to the application with the response for the same URL captured earlier, when we visited it while logged in. In other words, it checks whether the response for the URL after logging out is the same as the one generated earlier. If the responses to the valid and invalid requests are the same, the tool reports the URL as vulnerable and highlights it in RED, indicating that the link is accessible without valid authentication.




You can find the broken links from the percentage of difference in the response caused by the invalid session ID. In my case, as shown in the screenshot below, you can make out that the percentage of difference was "9", meaning that even though I was logged out of the application, the server gave a very similar response for the same URL (link) when logged in and when logged out, which is incorrect: the page can be accessed directly in the browser through the URL/link without logging in to the app.






To view the valid and invalid responses, move to the Invalid/Valid Session Request/Response tab and click the Render link. This shows both the valid and invalid responses, which are quite similar, confirming that the specified URL is vulnerable and can be accessed directly by an anonymous user without valid authentication to the app.





To confirm whether the URL/link is vulnerable, you can access the affected URL directly in the browser without logging in to the app.


My Learning Material / Reference:

Site Address:

http://ironwasp.org/index.html

http://hack-tools.blackploit.com/2014/04/ironwasp-2014-one-of-worlds-best-web.html

http://securitybyte.org/resources/2011/presentations/ironwasp.pdf


Monday, 20 October 2014

DOM based Cross Site Scripting using IronWASP

For finding DOM based cross site scripting vulnerabilities, we need to use IronWASP as a proxy and then browse through the various sections of the demo application using the browser-based crawler technique discussed earlier while learning how to find CSRF vulnerabilities. This captures all the logs of the site pages in the Logs > Proxy Logs section of IronWASP.

To perform the DOM based XSS test, expand the Tools menu in IronWASP and select DOM XSS Analyzer. This opens a window titled 'DOM XSS Analyzer'. Here you will find a 'Start Analysis' button; clicking it makes the tool go through all the responses in the proxy log, extract all the JavaScript from each response and from externally referenced script files, and then identify all occurrences of DOM XSS sources and sinks. (Basically it performs static analysis on all the logs captured in the proxy log section and generates an analysis report in the form of a file. Once the analysis is complete, the DOM XSS Analyzer window shows the path of the report. See the screenshot below.)

The screenshot below shows the detailed analysis of the DOM XSS check it performed. It uses regular expressions to find the most common DOM XSS sources and sinks. The screenshot highlights all the issues (vulnerabilities) the tool found for the different URLs of the site.

Clicking on any specific link shows all the JavaScript located in that specific page/URL. On most pages the JavaScript lives in different places: some inside script tags, some in event handlers, and some loaded from external URLs. The DOM XSS Analyzer loads all the JavaScript present in the different pages of the site, links it together in a series and shows it in one location. If we scroll down the report, we can view all the JavaScript the page uses.

You will find that the different sources and sinks identified by the tool are highlighted in different background colours. From the report, you can also examine manually whether any of the identified sources/sinks actually lead to DOM XSS vulnerabilities.
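As an added example that is not IronWASP's code, the regex-based triage just described can be reproduced in a few lines: pull the script text out of a page, match a short list of common DOM XSS source and sink patterns, and flag pages where both appear for manual review. The pattern lists, helper names and the sample page are constructed for this example and are far smaller than the tool's.

```javascript
// Added example (not IronWASP's code): regex scan for DOM XSS sources and sinks.
// Pattern lists are a constructed, deliberately short subset of what a real
// analyzer would use; SAMPLE_PAGE is a constructed page, not the demo app.

// Where attacker-influenced data enters a script.
var SOURCES = [
  /\blocation\.(?:hash|search|href)\b/g,
  /\bdocument\.(?:URL|documentURI|referrer|cookie)\b/g,
  /\bwindow\.name\b/g
];

// Where data is turned into markup, code or a navigation.
var SINKS = [
  /\.innerHTML\s*=/g,
  /\bdocument\.write(?:ln)?\s*\(/g,
  /\beval\s*\(/g,
  /\bsetTimeout\s*\(\s*["']/g,
  /\blocation(?:\.href)?\s*=/g
];

// 1-based line number of a character offset inside the extracted script text.
function lineOf(text, offset) {
  return text.slice(0, offset).split('\n').length;
}

function findMatches(text, patterns, kind) {
  var hits = [];
  patterns.forEach(function (re) {
    re.lastIndex = 0; // global regexes keep state between calls
    var m;
    while ((m = re.exec(text)) !== null) {
      hits.push({ kind: kind, match: m[0], line: lineOf(text, m.index) });
    }
  });
  return hits;
}

// Collect inline <script> bodies and on*="..." handler attributes. External
// script files would have to be fetched separately, as the tool does.
function extractScripts(html) {
  var scripts = [];
  var tag = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  var handler = /\son\w+\s*=\s*"([^"]*)"/gi;
  var m;
  while ((m = tag.exec(html)) !== null) scripts.push(m[1]);
  while ((m = handler.exec(html)) !== null) scripts.push(m[1]);
  return scripts.join('\n');
}

// Report sources and sinks; a page is a review candidate when both occur.
// This does not trace data flow from a source to a sink, so hits still need
// the manual examination the post recommends.
function analyse(html) {
  var js = extractScripts(html);
  var sources = findMatches(js, SOURCES, 'source');
  var sinks = findMatches(js, SINKS, 'sink');
  return { sources: sources, sinks: sinks, candidate: sources.length > 0 && sinks.length > 0 };
}

// Constructed sample: fragment flows into innerHTML, window.name into eval.
var SAMPLE_PAGE = [
  '<html><body>',
  '<div id="greet"></div>',
  '<script>',
  '  var name = decodeURIComponent(location.hash.slice(1));',
  '  document.getElementById("greet").innerHTML = "Hello " + name;',
  '</script>',
  '<a href="#" onclick="eval(window.name)">x</a>',
  '</body></html>'
].join('\n');
```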

My Learning Material / Reference:

Site Address:

http://ironwasp.org/index.html

http://hack-tools.blackploit.com/2014/04/ironwasp-2014-one-of-worlds-best-web.html

http://securitybyte.org/resources/2011/presentations/ironwasp.pdf


Tuesday, 23 September 2014

IronWASP Tool Usages: How to find CSRF Vulnerabilities?

In this section, we will learn how to find CSRF (Cross Site Request Forgery) vulnerabilities automatically using IronWASP. To do this we will use the DEMO APP as a reference to test and demonstrate how this feature of the tool works. The demo app lets users select a star and schedule a meeting by filling in a form containing a name and a phone number.

After performing this sequence through login recording, in the Tool >> Log section you will find the corresponding logs that were generated. Selecting any log item, you can view each form request, which is protected by a token. You can view the token by following these navigation steps - Tool > Log > Proxy Log > Select any log item > Request tab > Body.


Similarly, this demo app has a bunch of celebrity links that perform the same operation, i.e. setting up a meeting. Selecting any link opens a form protected by the same kind of CSRF token. Our aim here is to find out whether any of these forms makes a mistake in validating the CSRF token, or in other words, to check whether it is possible to submit the form without a valid CSRF token and still have the application process it. We could test for this by individually accessing and submitting each form, capturing the request with a proxy and then manipulating the value of the CSRF token. That is the manual way of testing for CSRF using this demo app. With IronWASP, we can automate this series of steps.
 
To automate this process, select Tool > Interactive testing tools > Test for CSRF Protection. This opens the CSRF Tester window. Our first step is to enter the name of the CSRF token parameter that we got from the log section. After entering the parameter name, the next step is to configure how you want to test the CSRF protection. This setting replaces the value of the actual token with a dummy value; there is also an option to remove the CSRF token value altogether before performing the test. Since most of the forms in the demo app are accessed after a login, we have to perform a login sequence recording for the series of forms and then select that login recording here for the CSRF protection test to work properly. The next step is to provide the scope for CSRF testing, i.e. select the host, and then press the 'Find Suitable Candidates for Testing' button.


The tool then goes through the logs and identifies and displays all the requests that carry a CSRF token. From the list, you may deselect any request you wish to exclude from the test, then press the 'Test Selected Candidate' button.

 
IronWASP then starts and tests every single request for CSRF: it sends the request again, but this time replaces the value of the actual token with the dummy value selected previously. Once it sends the request, it gets a response, which it compares with the response to the original request that had a valid token, and it shows the percentage of difference between the response to the request with a valid token and the response to the request with an invalid token.


We can view the difference between the responses, in percentages, in the Side by Side section, as shown in the screenshot below.

 
To see how the invalid response looks, move to the Invalid Token Requests/Responses section and press the 'Render' link under the Response tab. The screenshot below shows the response when the token is invalid.


Similarly, you can view the response for the valid token in the 'Valid token request/response' section. When the token is valid, you can see from the screenshot below that the meeting was set up, and when the token was invalid the application rejected it (i.e. validation failed) and showed the form again, which is the normal behaviour.

 
But in two cases, highlighted in red in the screenshot below, the percentage of difference is actually '2', which means the responses are largely similar, and from the response section you can make out that in both cases the application says the meeting is set up. These two requests, which report the meeting as scheduled, are therefore vulnerable to CSRF attack, because even though we sent a request with an invalid token the application processed it, which means it fails to validate the CSRF token in this particular instance.



Therefore, there were 2 instances in the test where a CSRF vulnerability was found, and the tool was able to detect them automatically using the CSRF test feature.
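The response-comparison idea behind both this CSRF test and the broken authentication test in the previous post, as an added example that is not IronWASP's code: a line-based difference percentage, the token replace/remove and session-invalidation steps that produce the "invalid" request, and the verdict for each test, run on constructed sample responses. Helper names, the 10% threshold and the sample responses are assumptions for this example.

```javascript
// Added example (not IronWASP's code): the compare-valid-vs-invalid heuristic
// used by the CSRF and broken authentication tests. Thresholds, helper names
// and all sample data below are constructed for this example.

// Line-based difference percentage: 0 = identical, 100 = nothing in common.
// Longest common subsequence over lines, divided by the longer response.
function differencePercent(a, b) {
  var x = a.split('\n'), y = b.split('\n');
  var prev = new Array(y.length + 1).fill(0);
  for (var i = 1; i <= x.length; i++) {
    var cur = [0];
    for (var j = 1; j <= y.length; j++) {
      cur[j] = x[i - 1] === y[j - 1] ? prev[j - 1] + 1 : Math.max(prev[j], cur[j - 1]);
    }
    prev = cur;
  }
  var total = Math.max(x.length, y.length);
  return total === 0 ? 0 : Math.round(100 * (1 - prev[y.length] / total));
}

// Both tests end the same way: if the response to the tampered request is
// (nearly) the same as the response to the genuine one, the server did not
// enforce the control. The threshold is the "percentage of difference" cut-off.
function assess(validResponse, tamperedResponse, threshold) {
  var diff = differencePercent(validResponse, tamperedResponse);
  return { differencePercent: diff, vulnerable: diff <= threshold };
}

// CSRF test preparation: replace the token with a dummy, or remove it.
function tamperToken(body, paramName, mode) {
  var params = new URLSearchParams(body);
  if (mode === 'remove') params.delete(paramName);
  else params.set(paramName, 'dummy');
  return params.toString();
}

// Broken authentication preparation: keep the request, invalidate the session.
function invalidateSession(cookieHeader, sessionCookieName) {
  return cookieHeader.split(/;\s*/).map(function (c) {
    var eq = c.indexOf('=');
    var name = eq < 0 ? c : c.slice(0, eq);
    return name === sessionCookieName ? name + '=invalid' : c;
  }).join('; ');
}

// Constructed samples.
var VALID_BODY = 'name=alice&phone=555-0100&csrf_token=k8Qz1';
var COOKIES = 'PHPSESSID=abc123; theme=dark';
var PAGE_LOGGED_IN = ['HTTP/1.1 200 OK', 'Content-Type: text/html', '',
  '<h1>Meeting scheduled</h1>', '<p>Welcome, alice</p>'].join('\n');
var PAGE_LOGIN_FORM = ['HTTP/1.1 302 Found', 'Location: /login', '',
  '<h1>Please log in</h1>'].join('\n');
var PAGE_FORM_AGAIN = ['HTTP/1.1 200 OK', 'Content-Type: text/html', '',
  '<form>...</form>'].join('\n');

// Two outcomes per test: the control held (large difference) or it did not.
function demo() {
  return {
    csrfRejected: assess(PAGE_LOGGED_IN, PAGE_FORM_AGAIN, 10),   // vulnerable: false
    csrfAccepted: assess(PAGE_LOGGED_IN, PAGE_LOGGED_IN, 10),    // vulnerable: true
    authEnforced: assess(PAGE_LOGGED_IN, PAGE_LOGIN_FORM, 10),   // vulnerable: false
    authMissing: assess(PAGE_LOGGED_IN, PAGE_LOGGED_IN, 10)      // vulnerable: true
  };
}
```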

Thanks,
Pinaki Mohapatra

Monday, 22 September 2014

IronWASP Tool Usages: Introduction

IronWASP stands for Iron Web Application Advanced Security testing Platform. It is an open source tool developed for performing security testing on web applications to find vulnerabilities. The tool is simple to use and good for beginners who want to learn more about security testing.

Salient features:
  • The tool is free, open source, GUI based and easy to use, and no security expertise is required to learn it.
  • It helps users perform login sequence recording.
  • It supports report generation in both HTML and RTF formats.
  • The tool checks for and finds over 25 different kinds of vulnerabilities, some of which are listed below.
Through Active Scanning, the tool helps find defects related to:

SQL Injection
Cross-site Scripting
Command Injection
Header Injection
Code Injection
LDAP Injection
XPATH Injection
Local File Include
Open Redirect
Remote File Include

Through Parameter Manipulation Scanning, the tool helps find defects related to:

CSRF
Broken Access Control
Privilege Escalation
Hidden Parameter Guessing

Through Passive Scanning, the tool helps find defects related to:

Use of HTTP Basic Authentication
Cookies without Secure and HTTP-Only Flag
Cookies containing Sensitive Information
Insecurely Configured Cross Domain.xml file
Directory Listing Turned On
Potential Open Redirect Candidates
DOM XSS Sources and Sinks in the Page
Script, IFRAME and CSS Loaded from External Domains
Script, IFRAME and CSS Loaded over HTTP in an HTTPS & HTTP Page
HTML Form Contents Submitted to External Domains
HTML Form Contents From HTTPS Page Submitted to HTTP & HTTPS Page
HTML Form with Password Field Loaded Over HTTP
Password Sent in URL
Potential Session Fixation Candidates
Vulnerable Version of Web Server
Web Server Banner Grabbing
X-Header Analysis
  • Supports both false positive and false negative detection.
  • Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET, and bundled with a growing number of modules built by researchers in the security community, such as WiHawk (WiFi Router Vulnerability Scanner), XmlChor (Automatic XPATH Injection Exploitation Tool), IronSAP (SAP Security Scanner), SSL Security Checker (scanner to discover vulnerabilities in SSL installations), OWASP Skanda (Automatic SSRF Exploitation Tool) and CSRF PoC Generator (tool for automatically generating exploits for CSRF vulnerabilities).
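The passive checks listed above need no request of their own: they only inspect responses the tool has already captured. The following added example (written for this post, not IronWASP's own code or plug-in API) implements a handful of them in plain Python over a constructed HTTP response: Basic authentication, cookies without the Secure or HttpOnly flag, a directory listing, a version-revealing Server banner, and forms that load a password field over HTTP, send a password in the URL, post from an HTTPS page to HTTP, or submit to an external domain. The sample URL, headers and HTML are constructed.

```python
"""Added example: a small passive scanner over one captured HTTP response.

Not IronWASP code; the finding names mirror the categories listed in the post.
"""
import re
from urllib.parse import urljoin, urlparse


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(header, value)], body).
    Headers are kept as a list so repeated Set-Cookie lines survive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_checks(page_url: str, raw_response: str) -> list[str]:
    """Return the passive findings for one page. Nothing is sent anywhere."""
    findings = []
    page = urlparse(page_url)
    _, headers, body = parse_response(raw_response)

    for name, value in headers:
        if name == "www-authenticate" and value.lower().startswith("basic"):
            findings.append("Use of HTTP Basic Authentication")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            cookie_attrs = {a.strip().lower() for a in value.split(";")[1:]}
            missing = [flag for flag in ("Secure", "HttpOnly")
                       if flag.lower() not in cookie_attrs]
            if missing:
                findings.append(f"Cookie '{cookie_name}' without {' and '.join(missing)} flag")
        elif name == "server" and re.search(r"/\d", value):
            findings.append(f"Web server banner reveals version: {value}")

    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("Directory Listing Turned On")

    # Each form is judged by where it posts to and whether it carries a password.
    for match in re.finditer(r"<form\b([^>]*)>(.*?)</form>", body, re.I | re.S):
        tag_attrs, inner = match.group(1), match.group(2)
        action = re.search(r'action="([^"]*)"', tag_attrs, re.I)
        method = re.search(r'method="([^"]*)"', tag_attrs, re.I)
        target = urlparse(urljoin(page_url, action.group(1) if action else ""))
        has_password = re.search(r'type="password"', inner, re.I) is not None

        if has_password and page.scheme != "https":
            findings.append("HTML Form with Password Field Loaded Over HTTP")
        if has_password and method and method.group(1).lower() == "get":
            findings.append("Password Sent in URL")
        if page.scheme == "https" and target.scheme == "http":
            findings.append("HTML Form Contents From HTTPS Page Submitted to HTTP Page")
        if target.hostname and target.hostname != page.hostname:
            findings.append(f"HTML Form Contents Submitted to External Domain ({target.hostname})")

    return findings


# Constructed sample: a login page as a proxy might capture it.
SAMPLE_URL = "https://shop.example/login"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Login</title></head><body>"
    '<form action="http://shop.example/login" method="get">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<form action="https://tracker.example/collect" method="post">'
    '<input name="q"></form>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in passive_checks(SAMPLE_URL, SAMPLE_RESPONSE):
        print("-", finding)
```

The sample produces six findings: the version in the Server banner, the session cookie missing Secure, the preferences cookie missing both flags, the login form posting from HTTPS to HTTP with the password in a GET query string, and the second form submitting to another domain. A real scanner adds many more rules and a proper HTML parser, but the shape is the same: parse once, then run independent checks over headers and body.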

Source & Downloads:
  • IronWASP 2014 beta is available for download from the project site.
  • Once downloaded, unzip the contents to any local directory on your machine. (IronWASP does NOT require installation or administrative rights to work.)
  • After unzipping, browse the extracted contents and look for IronWASP.exe to run it and get started.

Getting Started:

For learning IronWASP, you can make use of a demo application that is specially designed so that you can test and understand the various features of the tool and the vulnerabilities it finds. You can find the demo application inside the extracted IronWASP folder, under the title “DemoApp”.




To use this application, double-click on the demo app file, where you can set the port number. After setting the port number, click on the “Start Server” button to start the demo application, then open it in your browser by typing "localhost:port number" in the URL address bar.


The tool allows you to select different scan modes. Basically the two scan modes are the default and user-configured settings, which are used for effective crawling so that you can find more defects. Now we are all set to run our first test.

Performing a vulnerability scan with IronWASP:

To perform a vulnerability scan with IronWASP, move to the console tab and enter the URL of the application to scan.




After entering the URL, press the start scan button and the tool will start crawling the website. It will start finding vulnerabilities in the targeted site, and once vulnerabilities are detected they are listed in the tool, classified as High, Medium and Low depending on their impact, as shown in the screenshot below.



There are multiple ways to perform the vulnerability scan, and the easiest is to type in the URL and execute the scan. Even though this is the easiest way, it does not give the best coverage. IronWASP has another method, the browser based crawler, which performs this task in a better way and at the same time gives the best possible coverage. To use it, select Tool > Browser based crawler, which helps you to manually crawl the website (in case the website has an authentication process to access some web pages). You can also make use of the automated crawler that is built into IronWASP. Now in the Browser based crawler window, click on the 'Open Manual crawler' button.



What this does is open a Google Chrome browser and use that browser to manually crawl through the website. Because it uses a real browser, it performs the task well and gives the best coverage of the target website. The problem with some other tools is that if the website has complicated functionality, or perhaps a log-in page, they cannot automatically go through it very well. In places like this, IronWASP lets you manually crawl the website. To do so, click on the open manual crawler button. This opens another browser instance through which you can manually visit each and every page, including pages that are only accessible after valid authentication or a log-in sequence. The browser that opens is configured automatically to use IronWASP as a proxy, and if you are going through an SSL website the tool also handles the SSL error internally. After browsing through the website manually, you can view all the logs that were captured in the log section of IronWASP.



Now all we have to do is start a scan on the logs generated through the browser based crawler. You can do that by going to the site map. Right-click on any log (host) under the site map tree that you wish to scan and select scan branch.




This invokes a wizard where you can move to the customization phase (screenshot attached below). Since some pages of the website were only accessible after logging in, to scan those sections we make use of the login sequence recording. (Note: Login sequence recording can be performed here: Tool > Sequence Recording Tools > Record Login, CSRF token sequence. This section allows you to record a log-in sequence, which can be saved and used in the various types of tests the tool performs.) So here in the customization phase, select the log-in process from the field and then continue to the next phase.


In the next phase, click on the start scan button to begin the scanning process. While doing so, it will ask whether you want to pick which requests to scan; if you want to scan all the requests available in the log, click 'No'. By clicking 'No' it starts scanning all the requests one after the other. While the scan is in progress or after it completes, you will find that the tool identifies and shows all the vulnerabilities, such as SQL injection, cross-site scripting etc.

And because we selected the log-in recording, it will check whether you are logged into the site or not, and if not the tool will log in to the site to scan the pages that are accessible after log-in. There is also another way to scan the logs we generated from the log-in sequence: you can scan a particular request on its own. To do so, move to the log section, right-click on any request and select the option 'Select this for Automated scanning'. While performing this type of scan, you can also customize your test and include/exclude specific vulnerability checks.


When the scanning process is in progress or complete, you can view the list of vulnerabilities/defects that were discovered and listed in IronWASP.






To view a defect, select a specific vulnerability. This renders all the details about the vulnerability/defect in the right panel of IronWASP.



IronWASP also has a unique feature which explains the exact reason why the vulnerability was found. So if you read the details of the vulnerability (screenshot attached above), it gives you an idea of the problem that was detected by the tool.

Generate Test Report:
 

The tool also allows you to generate a test status report with all the vulnerabilities it has identified. To generate the report, select 'Generate Report' in IronWASP.




This section further allows you to customize and choose which vulnerabilities you want to include in your report. So you can select and include/exclude some vulnerabilities and then generate the report in either HTML or RTF format.





Thanks,
Pinaki Mohapatra