Tuesday, 23 September 2014

IronWASP Tool Usages: How to find CSRF Vulnerabilities?

In this section we will learn how to find CSRF (Cross-Site Request Forgery) vulnerabilities automatically with IronWASP. To demonstrate the feature we use the DemoApp that ships with IronWASP as the target. The demo app lets a user pick a star and schedule a meeting by filling in a form that asks for a name and a phone number.
After recording this sequence with the login recording, the Tool > Log section shows the corresponding log entries. Select any entry and you can see that each form request is protected by a token. You can view the token by navigating to Tool > Log > Proxy Log > Select any log item > Request tab > Body.


The demo app has a set of celebrity links that all do the same thing, i.e. set up a meeting. Selecting any link opens a form, and every form is protected by the same kind of CSRF token. Our aim is to find out whether any of these forms makes a mistake in validating the token, in other words whether it is possible to submit the form without a valid CSRF token and still have the application process it. Manually, we would access and submit each form, capture the request with a proxy, manipulate the value of the CSRF token and check whether the action still went through. With IronWASP this series of steps can be automated.
 
To automate this, select Tool > Interactive Testing Tools > Test for CSRF Protection. This opens the CSRF Tester window. The first step is to enter the name of the CSRF token parameter that we found in the log section. Next, configure "how do you want to test the CSRF Protection": the tool can replace the value of the actual token with a dummy value, or it can remove the token parameter entirely before re-sending the request. Since most forms in the DemoApp are only reachable after logging in, a login sequence recording has to exist for the application and has to be selected here, so that the test requests are sent inside a valid session. Finally, set the scope for the CSRF test, i.e. select the host, and press the 'Find Suitable Candidates for Testing' button.


The tool now goes through the logs and identifies and displays every request that carries the CSRF token. From this list you can select or deselect any request you wish to exclude from the test, then press the 'Test Selected Candidate' button.

 
IronWASP then tests every selected request for CSRF. It sends the request again, this time with the value of the actual token replaced by the dummy value chosen earlier (or with the token removed, depending on the setting). It compares the response it receives with the response to the original request that carried a valid token, and shows the percentage difference between the two. A large difference means the application reacted differently to the forged token; a very small difference means the forged request was most likely processed just like the valid one. The percentage is a heuristic, so candidate findings should be confirmed by looking at the actual responses.


The difference between the two responses, in percent, is shown in the Side by Side section, as in the screenshot below.

 
To see what the response to the forged request looks like, go to the Invalid Token Requests/Responses section and press the 'Render' link under the Response tab. The screenshot below shows the response when the token is invalid.


Similarly, the response to the request with the valid token can be viewed in the 'Valid Token Request/Response' section. With the valid token, the screenshot below shows that the meeting was set up; with the invalid token the application rejected the request (the token failed to validate) and showed the form again, which is the correct behaviour.

 
But in the two cases highlighted in red in the screenshot below, the percentage difference is only 2, which means the two responses are almost identical, and in the response section you can see that in both cases the page says the meeting has been set up. These two requests are therefore vulnerable to CSRF: even though we sent a request with an invalid token, the application processed it, which means it is not validating the CSRF token for these forms.
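The replay-and-compare logic described above, as an added example that is not IronWASP's own code: a small Python script that takes (path, body) pairs the way a proxy log would supply them, keeps only the requests that carry the token parameter, re-sends each one with the token replaced by a dummy value (or removed), and reports the percentage difference between the valid and the forged response. The demo application here is a constructed in-process stand-in; the parameter name csrf_token, the dummy value, the session token and the /meet/... paths are assumptions, not the DemoApp's real values.

```python
"""Replay-based CSRF check, modelled on the steps described above.

Added example, not IronWASP code.  A small in-process stand-in for the
DemoApp (constructed here; names and values are assumptions) lets it run
offline.  The tester itself only needs a list of (path, body) pairs, which
is what a proxy log gives you.
"""
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlencode

TOKEN_PARAM = "csrf_token"    # assumed name of the token parameter
DUMMY_TOKEN = "0000000000"    # assumed dummy value substituted for the real one
SESSION_TOKEN = "8f1c2e4d"    # assumed token issued to the recorded session

FORM_PAGE = ('<html><body><h1>Schedule a meeting</h1>'
             '<form method="post">name, phone, csrf_token</form></body></html>')


def demo_app(path, body):
    """Constructed stand-in for the DemoApp.  /meet/secure validates the
    token; /meet/buggy ignores it, which is the defect the test must find."""
    form = parse_qs(body, keep_blank_values=True)
    token = form.get(TOKEN_PARAM, [""])[0]
    if path == "/meet/secure" and token != SESSION_TOKEN:
        return 200, FORM_PAGE            # rejected: the form is shown again
    if path in ("/meet/secure", "/meet/buggy"):
        name = form.get("name", [""])[0]
        return 200, f"<html><body><h1>Meeting with {name} scheduled</h1></body></html>"
    return 404, "<html><body>not found</body></html>"


def has_token(body, token_param=TOKEN_PARAM):
    """'Find Suitable Candidates': only requests carrying the token are tested."""
    return token_param in parse_qs(body, keep_blank_values=True)


def forge(body, token_param=TOKEN_PARAM, mode="replace"):
    """Build the forged body: replace the token with the dummy value, or drop it."""
    form = parse_qs(body, keep_blank_values=True)
    if mode == "replace":
        form[token_param] = [DUMMY_TOKEN]
    elif mode == "remove":
        form.pop(token_param, None)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return urlencode(form, doseq=True)


def difference_percent(a, b):
    """0 means identical responses, 100 means nothing in common."""
    return round((1.0 - SequenceMatcher(None, a, b).ratio()) * 100, 1)


def check_csrf_protection(log, send=demo_app, mode="replace", threshold=10.0):
    """Replay each candidate twice (valid token, forged token) and compare.

    A difference below `threshold` percent means the forged request produced
    essentially the same page as the valid one, i.e. the application most
    likely processed it.  The threshold is a heuristic: render the forged
    response (or check server-side state) before reporting the form.
    """
    findings = []
    for path, body in log:
        if not has_token(body):
            continue
        _, valid = send(path, body)
        _, forged = send(path, forge(body, mode=mode))
        diff = difference_percent(valid, forged)
        findings.append({"path": path, "mode": mode, "diff": diff,
                         "vulnerable": diff < threshold})
    return findings


# Constructed proxy log: two meeting forms plus a GET that carries no token.
PROXY_LOG = [
    ("/stars", ""),
    ("/meet/secure", urlencode({"name": "Alice", "phone": "555-0100",
                                TOKEN_PARAM: SESSION_TOKEN})),
    ("/meet/buggy", urlencode({"name": "Bob", "phone": "555-0101",
                               TOKEN_PARAM: SESSION_TOKEN})),
]

if __name__ == "__main__":
    for mode in ("replace", "remove"):
        for f in check_csrf_protection(PROXY_LOG, mode=mode):
            flag = "VULNERABLE" if f["vulnerable"] else "ok"
            print(f"{f['path']:<14} {mode:<8} diff={f['diff']:>5}%  {flag}")
```

Run against the stand-in, /meet/secure shows a large difference in both modes (the form is re-rendered) and /meet/buggy shows 0% (the meeting is scheduled either way). As with the tool, a low percentage is a candidate and not a verdict: an application that answers every submission with the same generic page would also score low, so the forged response has to be rendered or the resulting state checked before the form is reported as vulnerable.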



So the test found two instances of the CSRF vulnerability, and the tool was able to detect them automatically with the CSRF test feature.

Thanks,
Pinaki Mohapatra

Monday, 22 September 2014

IronWASP Tool Usages: Introduction

IronWASP stands for Iron Web Application Advanced Security testing Platform. It is an open source tool for security testing of web applications to find vulnerabilities. The tool is simple to use and a good choice for beginners who want to go deeper into security testing.

Salient features:
  • The tool is free, open source, GUI based and easy to use; no security expertise is required to learn it.
  • It lets users record a login sequence and reuse it in scans and tests.
  • It supports report generation in both HTML and RTF formats.
  • It checks for over 25 different kinds of vulnerabilities, some of which are listed below.
Through Active Scanning, the tool finds defects such as:

SQL Injection
Cross-site Scripting
Command Injection
Header Injection
Code Injection
LDAP Injection
XPATH Injection
Local File Include
Open Redirect
Remote File Include

Through Parameter Manipulation Scanning, the tool finds defects such as:

CSRF
Broken Access Control
Privilege Escalation
Hidden Parameter Guessing

Through Passive Scanning, the tool finds defects such as:

Use of HTTP Basic Authentication
Cookies without Secure and HTTP-Only Flag
Cookies containing Sensitive Information
Insecurely Configured crossdomain.xml File
Directory Listing Turned On
Potential Open Redirect Candidates
DOM XSS Sources and Sinks in the Page
Script, IFRAME and CSS Loaded from External Domains
Script, IFRAME and CSS Loaded over HTTP in an HTTPS & HTTP Page
HTML Form Contents Submitted to External Domains
HTML Form Contents From HTTPS Page Submitted to HTTP & HTTPS Page
HTML Form with Password Field Loaded Over HTTP
Password Sent in URL
Potential Session Fixation Candidates
Vulnerable Version of Web Server
Web Server Banner Grabbing
X-Header Analysis
  • Supports both false positive and false negative detection.
  • Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET, and bundled with a growing number of modules built by researchers in the security community, such as WiHawk (WiFi router vulnerability scanner), XmlChor (automatic XPATH injection exploitation tool), IronSAP (SAP security scanner), SSL Security Checker (scanner to discover vulnerabilities in SSL installations), OWASP Skanda (automatic SSRF exploitation tool) and CSRF PoC Generator (tool for automatically generating exploits for CSRF vulnerabilities).
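To make concrete what the passive checks in the list above look like, here is an added Python example (not IronWASP code) that runs a few of them over a captured response without sending any request: it parses the Set-Cookie headers for the Secure and HttpOnly flags, and walks the HTML for scripts, iframes, stylesheets and forms that point to HTTP or to a different domain. The HTTP response, the page URL and the hostnames in it are constructed for the example.

```python
"""Passive checks over a captured HTTP response.

Added example, not IronWASP code.  Nothing is sent to a server: the function
inspects the headers and HTML of a response that was already captured, which
is what passive scanning means.  The sample response, page URL and hostnames
below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageCollector(HTMLParser):
    """Collects script/iframe/stylesheet references and forms from the HTML."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (kind, url)
        self.forms = []       # {"action": str, "password": bool}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.resources.append(("css", a["href"]))
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "password": False})
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_scan(page_url, raw_response):
    """Return a list of (check name, evidence) findings for one response."""
    page = urlparse(page_url)
    _, headers, body = parse_response(raw_response)
    findings = []

    # Cookie flags: a cookie set on an HTTPS page should be Secure, and a
    # cookie that scripts do not need should be HttpOnly.
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if page.scheme == "https" and "secure" not in flags:
            findings.append(("Cookie without Secure flag", cookie))
        if "httponly" not in flags:
            findings.append(("Cookie without HttpOnly flag", cookie))

    collector = _PageCollector()
    collector.feed(body)

    # Mixed content and third-party script: resolve each reference against
    # the page URL so relative paths are not misreported as external.
    for kind, ref in collector.resources:
        target = urlparse(urljoin(page_url, ref))
        if page.scheme == "https" and target.scheme == "http":
            findings.append((f"{kind} loaded over HTTP in HTTPS page", ref))
        if target.netloc and target.netloc != page.netloc:
            findings.append((f"{kind} loaded from external domain", ref))

    for form in collector.forms:
        target = urlparse(urljoin(page_url, form["action"]))
        if target.netloc and target.netloc != page.netloc:
            findings.append(("Form submitted to external domain", form["action"]))
        if page.scheme == "https" and target.scheme == "http":
            findings.append(("Form from HTTPS page submitted to HTTP", form["action"]))
        if form["password"] and "http" in (page.scheme, target.scheme):
            findings.append(("Password field sent over HTTP", form["action"] or page_url))
    return findings


# Constructed response for an HTTPS account page (hostnames are assumptions).
SAMPLE_URL = "https://shop.example.com/account"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html><head>"
    '<link rel="stylesheet" href="/static/site.css">'
    '<script src="http://cdn.example.net/jquery.js"></script>'
    "</head><body>"
    '<form action="http://shop.example.com/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pass">'
    "</form>"
    '<iframe src="https://ads.example.org/banner"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for check, evidence in passive_scan(SAMPLE_URL, SAMPLE_RESPONSE):
        print(f"{check}: {evidence}")
```

On the sample response this reports seven findings: the session cookie lacks Secure, the preference cookie lacks HttpOnly, the jQuery script is both mixed content and third-party, the iframe is third-party, and the login form posts the password over plain HTTP from an HTTPS page. The stylesheet on the same host produces nothing, which is why references are resolved with urljoin before the host comparison.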

Source & Downloads:
  • IronWASP 2014 beta is available for download from the project site (the download link is in the original post).
  • Once downloaded, unzip the contents to any local directory on your machine. IronWASP does NOT require installation or administrative rights to run.
  • After unzipping, look in the extracted folder for IronWASP.exe and run it to get started.

Getting Started:

To learn IronWASP you can make use of a demo application that is specially designed so that you can try out the various features of the tool and the vulnerabilities it finds. You can find the demo application inside the extracted IronWASP folder, under the name "DemoApp".




To use it, double-click the demo app file; it lets you set the port number. After setting the port, click the "Start Server" button, then open the demo application in your browser by typing "localhost:<port number>" in the address bar.


The tool lets you choose between scan modes. The two modes are the default settings and user-configured settings; the latter let you tune crawling so that more of the application is covered and more defects are found. We are now ready to run our first test.

Perform a vulnerability scans with IronWASP:

To perform a vulnerability scan with IronWASP, go to the Console tab and enter the URL of the application to scan.




After entering the URL, press the Start Scan button. The tool starts crawling the website and looking for vulnerabilities; once detected, they are listed in the tool classified as High, Medium or Low according to their impact, as shown in the screenshot below.



There are several ways to perform a vulnerability scan. The easiest is to type in the URL and start the scan, as above, but this does not give the best coverage: the built-in automated crawler can miss functionality behind complicated pages or a login. IronWASP therefore also has a browser-based crawler, which gives much better coverage. To use it, select Tool > Browser Based Crawler. This lets you crawl the website manually, which matters when parts of the website are only reachable after authentication. In the Browser Based Crawler window, click the 'Open Manual Crawler' button.



This opens a Google Chrome browser and uses it to crawl the website. Because it uses a real browser it gets the best coverage of the target website; other tools struggle when the website has complicated functionality or a login page, because an automated crawler cannot get through these well, and this is where IronWASP lets you crawl the site manually instead. The browser instance that opens is configured automatically to use IronWASP as its proxy, so you can visit every page yourself, including the pages that are only accessible after a valid login. If you are going through an SSL website, the tool also handles the SSL certificate errors internally. After browsing the website manually, you can view all the captured requests in the Log section of IronWASP.



Now all that remains is to start a scan on the requests logged through the browser-based crawler. You do that from the Site Map: right-click the host (or any branch) under the Site Map tree that you wish to scan and select Scan Branch.




This invokes a wizard in which you can move to the customization phase (screenshot below). Since some pages of the website are only accessible after logging in, we make use of the login sequence recording to scan those sections. (Note: a login sequence is recorded under Tool > Sequence Recording Tools > Record Login, CSRF token sequence. The recording can be saved and reused in the various types of test the tool performs.) In the customization phase, select the login recording from the field and continue to the next phase.


In the next phase, click the Start Scan button to begin scanning. The tool asks whether you want to assist by choosing which requests to scan; if you want to scan every request in the log, click 'No', and it scans all of them one after the other. While the scan is in progress, or once it is complete, the tool lists the vulnerabilities it identifies, such as SQL injection and cross-site scripting.

Because we selected the login recording, the tool checks whether the session is still logged in and, if not, logs in again before scanning the pages that are only accessible after login. There is also another way to scan requests from the log: you can scan a specific request. Go to the Log section, right-click a request and select 'Select this for Automated Scanning'. For this kind of scan you can also customize the test and include or exclude specific vulnerability checks.


While the scan is in progress or once it has completed, you can view the list of vulnerabilities/defects that were discovered, as listed in IronWASP.






To view a defect, select the specific vulnerability. This renders all the details about it in the right panel of IronWASP.



IronWASP also has a useful feature that explains exactly why a vulnerability was reported. Reading the details of a vulnerability (screenshot above) gives you a clear idea of the problem the tool detected.

Generate Test Report:
 

The tool also lets you generate a test status report with all the vulnerabilities it has identified. To generate the report, select 'Generate Report' in IronWASP.




This section further lets you choose which vulnerabilities to include in the report. You can include or exclude individual findings and then generate the report in either HTML or RTF format.





Thanks,
Pinaki Mohapatra