Security – Page 2 – Adventures in the programming jungle

How to write a (Java) Burp Suite Professional extension for Tabnabbing attack

7 May, 20187 May, 2018Adrian Citu

Context and goal

The goal of this ticket is to explain how to create an extension for the Burp Suite Professional taking as implementation example the “Reverse Tabnabbing” attack.

“Reverse Tabnabbing” is an attack where an (evil) page linked from the (victim) target page is able to rewrite that page, such as by replacing it with a phishing site. The cause of this attack is the capacity of a new opened page to act on parent page’s content or location.

For more details about the attack himself you can check the OWASP Reverse Tabnabbing.

The attack vectors are the HTML links and JavaScript window.open function so to mitigate the vulnerability you have to add the attribute value: rel="noopener noreferrer" to all the HTML links and for JavaScriptadd add the values noopener,noreferrer in the windowFeatures parameter of the window.openfunction. For more details about the mitigation please check the OWASP HTML Security Check.

Basic steps for (any Burp) extension writing

The first step is to add to create an empty (Java) project and add into your classpath the Burp Extensibility API (the javadoc of the API can be found here). If you are using Maven then the easiest way is to add this dependency into your pom.xml file:

<dependency>
    <groupId>net.portswigger.burp.extender</groupId>
    <artifactId>burp-extender-api</artifactId>
    <version>LATEST</version>
</dependency>

Then the extension should contain a class called BurpExtender (into a package called burp) that should implement the IBurpExtender interface.

The IBurpExtender interface have only a single method (registerExtenderCallbacks) that is invoked by burp when the extension is loaded.

For more details about basics of extension writing you can read Writing your first Burp Suite extension from the PortSwigger website.

Extend the (Burp) scanner capabilities

In order to find the Tabnabbing vulnerability we must scan/parse the HTML responses (coming from the server), so the extension must extend the Burp scanner capabilities.

The interface that must be extended is IScannerCheck interface. The BurpExtender class (from the previous paragraph) must register the custom scanner, so the BurpExtender code will look something like this (where ScannerCheck is the class that extends the IScannerCheck interface):

public class BurpExtender implements IBurpExtender {

    @Override
    public void registerExtenderCallbacks(
            final IBurpExtenderCallbacks iBurpExtenderCallbacks) {

        // set our extension name
        iBurpExtenderCallbacks.setExtensionName("(Reverse) Tabnabbing checks.");

        // register the custom scanner
        iBurpExtenderCallbacks.registerScannerCheck(
                new ScannerCheck(iBurpExtenderCallbacks.getHelpers()));
    }
}

Let’s look closer to the methods offered by the IScannerCheck interface:

consolidateDuplicateIssues – this method is called by Burp engine to decide whether the issues found for the same url are duplicates.
doActiveScan – this method is called by the scanner for each insertion point scanned. In the context of Tabnabbing extension this method will not be implemented.
doPassiveScan – this method is invoked for each request/response pair that is scanned. The extension will implement this method to find the Tabnabbing vulnerability. The complete signature of the method is the following one: List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse). The method receives as parameter an IHttpRequestResponse instance which contains all the information about the HTTP request and HTTP response. In the context of the Tabnabbing extension we will need to check the HTTP response.

Parse the HTTP response and check for Tabnabbing vulnerability

As seen in the previous chapter the Burp runtime gives access to the HTTP requests and responses. In our case we will need to access the HTTP response using the method IHttpRequestResponse#getResponse. This method returns a byte array (byte[]) representing the HTTP response as HTML.

In order to find the Tabnabbing vulnerability we must parse the HTML represented by the HTML response. Unfortunately, there is nothing in the API offered by Burp for parsing HTML.

The most efficient solution that I found to parse HTML was to create few classes and interfaces that are implementing the observer pattern (see the next class diagram ):

The most important elements are :

IByteReader interface – this interface represents the Subject (or Observable) from the Observer pattern. This interface has methods for attach and notify the observers.
HTMLResponseReader class – this class implements the IByteReader and for each byte of the HTML response will notify the attached observers. After each notification, the HTMLResponseReader will also ask each observer if they found a Tabnabbing problem (via IByteReaderObserver#problemFound method).
IByteReaderObserver interface – this interface represents the Observer from the Observer pattern. The HTMLResponseReader will call the IByteReaderObserver#handleByte(reader, byte) for each byte from the HTML response. Each IByteReaderObserver implementation can call IByteReader#fetchMoreBytes(numberOfBytesToFetch) to fetch more bytes from the HTML byte array in advance if needed.
HTMLAnchorReaderObserver class – this class implements the IByteReaderObserver interface and is capable to find the HTML anchor tag and check if it is vulnerable to Tabnabbing problem.
JSWindowsOpenReaderObserver class – this class implements the IByteReaderObserver interface and is capable to find the window.open function call and check if it is vulnerable to Tabnabbing problem.

The following sequence diagram try to explains how the classes are interacting together in order to find the Tabnabbing vulnerability.

Final words

If you want to download the code or try the extension you can find all you need on github repository: tabnabbing-burp-extension.

If you are interested about some metrics about the code you can the sonarcloud.io: tabnnabing project.

(My) OWASP Belgium Chapter meeting notes

21 March, 2018Adrian Citu

These are my notes of OWASP Belgium Chapter meeting of 19th of March.

KRACKing WPA2 in Practice Using Key Reinstallation Attacks (by Mathy Vanhoef)

This talk subject was about the attack on the WPA2 protocol that was made the (security) headlines last year. The original paper can be found here and the slides can be found here.

The talk had 4 parts :

presentation of the attack.
practical impact
common misconceptions
lesson learned

Presentation of the attack

The 4-way handshake is used in any WPA2 protected network. His use if for mutual authentication and to negotiate a new pairwise temporal key (PTK).

The messages sent between the client and the access point (AP) are the following ones:

The PTK is computed in the following way: PTK = Combine (shared secret, ANonce, SNonce) where ANonce, SNonce are random numbers.

Re-installation attack:

the attacker will clone the access point on different channel.
the attacker will/can forward or block frames.
the first 3 messages are sent back to client and AP.
message 4 is not sent to the AP; the attacker block this, and the client install the PTK (as per protocol specification)

client can sent encrypted data but the AP will try to recover from this by re-sending message 3.
then the client will reinstall the PTK meaning that will reset the nonce used to send encrypted data.

the effect of this key re-installation is that the attacker can decrypt the frames sent by the client.

Other types of handshake protocols are vulnerable to this kind of attack:

group key handshake.
fp handshake.

Practical impact of the attack

The main impact is that the attacker can decrypt the data frames sent by the victim to the AP (access point) and the attacker can replay frames sent to the victim.

iOS 10 and Windows, the 4-way handshake is not affected (because they are not following the WPA2 specification), but the group key handshake is affected.
Linux and Android 6.0+ that are using the wpa_supplicant 2.4+ version are exposed to install all-zero key vulnerability. The basic explanation of the vulnerability is the following one; the application do not keep the key, the PTK is installed at the kernel level and the application will zeroed the memory buffer that contains the key. But when the key re-installation is triggered, then the all-zero key will be sent to the kernel to be installed.

Countermeasures:

AP (access point) can prevent most of the attacks on clients:
- Don’t retransmit message 3/4.
- Don’t retransmit group message 1/2.

Common missconceptions

update only the client or AP is sufficient.
- in fact both vulnerable clients & vulnerable APs must apply patches
must be connected to network as attacker.
- in fact the attacker only need to be nearby victim and network.

Lessons learned

4-way handshake proven secure AND encryption protocol proven secure BUT the combination of both of them was not proven secure.

This proves the limitation of formal proofs so abstract model ≠ real code.

Making the web secure by design (by Glenn Ten Cate and Riccardo Ten Cate)

This talk was about the new version of the OWASP SKF. I already covered the SKF in some of my previous tickets (see here and here) so for me was not really a novelty. The main changes that I was able to catch comparing with the previous version :

(secure) code examples in more languages; at least Go and Java languages was added since last time I looked.
the SKF security requirements are mapped directly from the OWASP Application Security Verification Standard (ASVS) project.
the checklist functionality contains also the OWASP Mobile Application Security Verification Standard (MASVS).

How to create and customize a Docker image for Burp Suite Professional Edition

4 October, 20171 February, 2018Adrian Citu

This ticket explains how to create and customize a Docker image for the Burp Suite Professional Edition. The main difference with a creation of an image for the Burp Suite Free Edition is that you will need to register a valid license during the image creation.

- Create a Dockerfile for the initial image. You will need to have the burpsuite_pro_Vx.y.z jar file; the jar should be in the bin folder that is on the same level as the Dockerfile. The Docker file looks like this:

    FROM openjdk:8u121-jre-alpine
    RUN apk --update add openssl ca-certificates ttf-dejavu && \
        rm -f /var/cache/apk/* && \
        mkdir -p /opt/burp /work && \ 
        adduser -D -s /bin/sh user user && \
        chown -R user /work

    ADD bin/* /opt/burp/
    RUN chown -R user /home/user/.*
    USER user
    WORKDIR /work
    EXPOSE 8080

Build the image:

    docker build -t burppro .

Run the image. It will be needed to run the Burp in the UI mode in order to register the license and (eventually) to customize the application (like installing extensions); unfortunately it is not possible to install extensions directly from the command line, so you will have to do it manually.

    docker run -ti \
      -e DISPLAY=$DISPLAY \
      -v /tmp/.X11-unix:/tmp/.X11-unix\
    burppro \
       java -jar /opt/burp/burpsuite_pro.jar

Once you’ve finished the customization, commit the new image in order to save the changes made on the initial image.

    docker commit <burppro_container_id> burppro_with_license_with_extension

Run the new image (in headless mode).

    docker run -p8080:8080 -ti \
    burppro_with_license_with_extension \
      java -jar -Djava.awt.headless=true /opt/burp/burpsuite_pro.jar

(My) OWASP Belgium Chapter meeting notes

21 June, 2017Adrian Citu

These are my notes of OWASP Belgium Chapter meeting of 16th of June.

OWASP Summit 2017 debrief

The talk was a debrief about the OWASP Summit 2017 which was held in London; more than 200 participants, 176 working sessions, 6 rooms. To see all the outcomes of the summit you can check the Summit Outcomes.

Some info about some of the discussed topics:

OWASP Top 10 2017
- discussions about the process
- have a broader audience, not developers only
- more can be found here.
mobile security testing guide
- guide updated
- new content added; more topics like the best practices for use of OAUTH2 (??)
- more can be found here.
define agile security practices
- participants redefined the session goals to discuss security practices for agile development teams.
SAMM 2
- more can be found here.
app sec education
- what is the perfect/best curriculum to teach app sec at school.
security GitHub integration
- drafted a letter to be able to reach out github with a request for comment.
- more can be found here.
threat modeling (TM) sessions
- OWASP wants to be more visible on threat modeling.
- TM OWASP pages revamp
- TM templates
- TM iot devices
- TM diagram techniques
- TM cheat sheets & lightweight TM
- new slogan: “The sooner the better, never too late”
OWASP playbook series
- actionable consistent process to getting started with various application security topics.
- more can be found here, here and here.
OWASP Testing guide v5

Threat modeling lessons from Star Wars

This is an introductory talk about threat modeling having as goal to demystify the threat modeling is hard and can be done only by very smart/trained people.

You can start to threat model by answering 4 questions:

What are you building?
- You must represent/draw somehow the item that you want to build.
- The DFDs (data flow diagrams) are the most common way to represent the system under build but other options are available like Swim Lanes diagrams.
- You can use any kind of diagram that fits your needs.
What can go wrong?
- Find the threats using STRIDE, Attack Trees, CAPEC Kill chain, Check Lists.
- A small introduction to STRIDE mnemonics was done.
What are you going to do about it?
Did you do an acceptable job at 1-3?

The second part of the talk was called “Top 10 lessons” and actually contained a list of 10 misconceptions about the threat modeling:

Think like an attacker
- it is very difficult to think like an attacker doesn’t help you to know what you have to do.
You’re never done threat modeling
- the 4 states of a threat modeling:
  - model
  - identify threats
  - mitigate
  - validate
The way to threat model is…
- should focus on what delivers value by helping people find good threats
- for each threat modeling phase (model, identify, mitigate, validate) there are different techniques to do the job.
Threat modeling as one skill
- there are different techniques : DFDs , Attack trees, etc…
Threat modeling is born not taught
- threat modeling is like playing a violin; you need to train yourself and you will not be able to play correctly from the beginning.
- practice, practice, practice
The wrong focus
- focus on the software being build not on the assets that you want to protect or by thinking about your attackers.
Threat modeling is for specialists
- threat modeling should be like version control, anyone can and should threat model.
Threat modeling without context
- see threat modeling not in a vacuum but as part of a chain, that can help different teams (dev team, operations team) to fix (security) problems.
Laser like focus on threats
- requirements drive threats.
- threats expose requirements.
- threats needs mitigations.
- un-mitigatable threats drive requirements.
Threat modeling at the wrong time
- you must start threat modeling early.

Main take-aways: anyone can threat model and should; all the necessary technique can be learned.

5 (software) security books that every (software) developer should read

1 June, 201719 May, 2017Adrian Citu

I must admit that the title is a little bit catchy; a better title would have been “5 software security books that every developer should be aware of“. Depending on your interest you might want to read entirely these books or you could just know that they exists. There must be tons of software security books on the market but this is my short list of books about software security that I think that each developer that is interested in software security should be aware of.

Hacking – the art of exploitation This book explains the basics of different hacking techniques, especially the non-web hacking techniques: how to find vulnerabilities (and defend against) like buffer overflow or stack-based buffer overflow , how to write shellcodes, some basic concepts on cryptography and attacks linked to the cryptography like the man-in-the-middle attack of an SSL connection. The author tried to make the text easy for non-technical peoples but some programming experience is required (ideally C/C++) in order to get the best of this book. You can see my full review of the book here.

Iron-Clad Java: Building secure web applications This book presents the hacking techniques and the countermeasures for the web applications; you can see this books as complementary of the previous one; the first one contains the non-web hacking techniques, this one contains (only) web hacking techniques; XSS, CSRF, how to protect data at rest, SQL injection and other types of injections attacks. In order to get the most of the book some Java knowledge is required. You can see my full review of the book here.

Software Security-Building security in This books explains how to introduce the security into the SDLC; how to introduce abuse cases and security requirements in the requirements phase, how to introduce risk analysis (also known as Threat Modeling) in the design phase and software qualification phase. I really think that each software developer should at least read the first chapter of the book where the authors explains why the old way of securing application (seeing the software applications as “black boxes” than can be protected using firewalls and IDS/IPS) it cannot work anymore in the today software landscape. You can see my full review of the book here: Part 1, Part 2 and Part 3.

The Tangled Web: A Guide to Securing Modern Web Applications This is another technical book about security on which you will not see a single line of code (the Software Security-Building security in is another one) but it highly instructive especially if you are a web developer. The book presents all the “bricks” of the today Internet: HTTP, WWW, HTML, Cookies, Scripting languages, how these bricks are implemented in different browsers and especially how the browsers are implementing the security mechanism against rogue applications. You can see my full review of the book here.

Threat modeling – designing for security Threat modeling techniques (also known as Architectural Risk Analysis) were around for some time but what it has changed in the last years is the accessibility of these technique for the software developers. This book is one of the reasons for which the threat modeling is accessible to the developers. The book is very dense but it suppose that you have no knowledge about the subject. If you are interested in the threat modeling topic you can check this ticket: threat modeling for mere mortals.