WebScarab and Ethereal
WebScarab (also by OWASP) is a framework written in Java for analyzing applications that communicate using the HTTP and HTTPS protocols. WebScarab records the requests and responses that it observes, and allows you to review them in various ways. The real work is done using security testing plug-ins. At the time of this article, WebScarab had the following plug-ins available (descriptions are largely from the WebScarab site):
- Fragments. Extracts scripts and HTML comments from HTML pages as they are seen via the proxy or other plug-ins.
- Proxy. Observes traffic between the browser and the web server. The WebScarab proxy is able to observe both HTTP and encrypted HTTPS traffic by negotiating an SSL connection between WebScarab and the browser, instead of simply connecting the browser to the server and allowing an encrypted stream to pass through it. Various proxy plug-ins have also been developed to allow the operator to control the requests and responses that pass through the proxy.
- Spider. Identifies new URLs on the target site and fetches them on command.
- Manual Request. Allows editing and replay of previous requests, or creation of entirely new requests.
- SessionID Analysis. Collects and analyzes a number of cookies (and eventually URL-based parameters) to visually determine the degree of randomness and unpredictability.
- Scripted. Operators can use BeanShell (a lightweight scripting language for Java) to write a script to create requests and fetch them from the server. The script can then perform some analysis on the responses, with all the power of the WebScarab Request and Response object model to simplify things.
- Parameter Fuzzer. Performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities such as cross-site scripting (XSS) and SQL injection.
Ethereal is a network packet analyzer that can read more than 706 protocols directly "off the wire" from a live network connection. Ethereal is an excellent tool for examining security problems, debugging protocol implementations, and for learning the internals of a given protocol. Ethereal and WebScarab overlap in functionality, but I mention Ethereal because it works with much more than just HTTP and HTTPS.
There is more to WebScarab and Ethereal than I can show in one article, but I hope to entice you enough to download and start to learn more about them on your own.
This example will show how to spoof an authentication cookie in WebGoat using WebScarab. According to OWASP, the security term fail-open describes the situation when an error occurs during a verification method, causing that method to evaluate to true. The authentication is passive in that, if the password is not provided, the system won't bother to check for it or even ask why it wasn't provided.
In their paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," Thomas H. Ptacek and Timothy N. Newsham talk about fail-open in terms of firewalls:
The terms "fail-open" and "fail-closed" are most often heard within the context of firewalls, which are access-control devices for networks. A fail-open firewall stops controlling access to the network when it crashes, but leaves the network available. An attacker that can crash a fail-open firewall can bypass it entirely. Good firewalls are designed to "fail-closed", leaving the network completely inaccessible (and thus protected) if they crash.
Our example will look at this phenomenon during an application login. Figure 9 shows the login screen in WebGoat.
Figure 9 Login from the Fail Open Authentication example in WebGoat.
By running WebScarab and configuring my browser to point to a local proxy, I can log in without a password. If I simply enter the user name webgoat and click Login, WebScarab gives me the result shown in Figure 10.
Figure 10 Intercepted HTTP POST in WebScarab.
If I delete the text &Password= from the last line in the POST and click Accept Edits, I get the result in Figure 11. (Note that I click Release All Intercepts on the response from the server.)
Figure 11 Successful completion of the Fail Open Authentication example.
Installing WebScarab, configuring my browser to perform this test, and running this test took me a total of 15 minutes. Tools like WebScarab and Ethereal are intimidating to people who have never used them before, but they're powerful. Don't be intimidated. Take the 15 minutes to run this test on your own. Then play around with your current application and see what you can find out using WebScarab.
Secure Sockets Layer (SSL)
In this example, we'll use Ethereal to check the SSL on my email server. I ran this test a couple of months ago with Jonathan Bach when someone told us that they could hack our email by using Ethereal. Jonathan and I ran a series of tests:
- Using his computer, could Jonathan capture the network traffic from my wireless card?
- Could Jonathan see my password when I logged into my email without using SSL?
- Could Jonathan see my password when I logged in using SSL?
Figure 12 shows the login screen for my email. Notice that SSL is optional.
Figure 12 Login screen for SSL example.
In this example, I have Ethereal running on a different computer (just as Jonathan did). This is very different from using WebScarab, because Ethereal is not using a proxy server. Ethereal is just capturing the information that my wireless network card sends out for the entire world to see. If I attempt to log in without using SSL, Figure 13 shows what I record on the second computer.
Figure 13 Login information in Ethereal.
If you look closely at Figure 13, you'll see the username (userName) and password (myPassword) that I used for this example. Figure 14 shows a closeup.
Figure 14 Username and password.
If I run the same test using SSL, I can't find my username and password anywhere. I find a lot of entries that look similar to the ones in Figure 15, and if I perform a search for the password, it comes back as "match not found."
Figure 15 Login SSL information in Ethereal.
Good enough for me. Someone may be able to break the SSL encryption, but my email isn't really all that interesting, so I'm not too worried about it. Either way, that's outside of the introductory scope of this article.
As a public service announcement, be aware that if you ever check your email at a public wireless access point—for example, at a conference or the hotspots at your local coffeehouse—you're probably exposing your data to nefarious people like me. (Don't believe me? Check out what happened at the 2005 Defcon conference.) Either avoid doing anything you don't want other people to observe, or use a tool like Anonymizer to protect yourself. (Thanks to James Bach for the Anonymizer tip.)