Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles or https://chat.rc3.world/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!




======================================================================






[Music]

[Music]

Good morning, good morning to day three of RTC 22 from Potsdam at CCCP. The first talk of the day, by Daniel, is about a tool he is working on that is called Raider, and what Raider actually is will be the first topic of today. Thank you, the stage is yours.

Hello everyone. Like all of you, I was very disappointed when the official CCC event was cancelled this year, but fortunately the community is strong, and thanks to the organizers of this event we can still meet here and have some fun. I've been attending CCC for the past 10 years, but this is my first time here on stage, and today, despite my imposter syndrome and the stage fright, I'm still excited to talk to you about the project I've been working on for the past two years.

So here's what I'm going to do today. First of all I will start with the introduction, to describe the problems that I was facing that gave birth to Raider. Then I will go into methodology, which will explain the basic concepts in Raider, how Raider works, its architecture and so on. After that I will show you a demo, which will hopefully convince you to give Raider a try and integrate it in your own workflow, and I will end the presentation with short conclusions and the Q&A session.

But before we begin, let me introduce myself. I'm Daniel, I'm 30 years old, and I've been a penetration tester for more than 5 years. Before that I worked five more years in IT, mostly as an admin, and if you're asking yourself how I managed to get more than 10 years of experience as a 30-year-old, the answer is simple: I'm a dropout, I don't have any degrees. I've tried going to university twice, but it didn't work out for me. I was passionate about security since I was a kid, and back when I was going to the university there were no security courses there, so I dropped out, and it worked out well for me. About 2 years ago I started working on Raider, and later the same year it became a part of OWASP as a project.

So what exactly is Raider? I've been brainstorming with a friend to come up with a title for this presentation, and we ended up with this: OWASP Raider, a novel framework for manipulating HTTP processes of persistent sessions. This sounds complicated; we are bad at naming things, and I hope next time I will come up with a shorter title for this presentation, but for now bear with me. Raider was conceived to help make web authentication testing easier, but by now it has evolved and can be used for all kinds of HTTP processes. Basically, Raider is a framework which helps you manipulate HTTP processes, and to do that it defines a new DSL, a domain-specific language, in contrast with GPLs, general-purpose programming languages like Python, Java and so on, and it uses this DSL to describe the information exchange between the client and the server. And since it's impossible to build a tool that will cover all your future needs, especially in the pentesting and security fields, I've built Raider with this in mind, so it allows the user to extend it with their own code; flexibility is in its DNA. The main code of Raider is written in Python, while the configuration files are written in a little-known language called Hy, which is a Lisp dialect on top of Python. I will explain my decisions in a later slide.

For now let's talk about the problem. I was frustrated with the approach of the existing tools when it comes to authentication. When I was testing authentication I ended up with something like you see in this screenshot, in Burp Repeater. Basically my workflow was like this: I had to go to the first step of the process, I made some modifications, I sent the request, then I had to go through the response body, find the right piece of information I was looking for, copy it, go to the Burp Suite Decoder, encode it or decode it as necessary, then come back to the Repeater, go to the next step, paste it into the right spot and resend again. I didn't like this process; it's also error-prone, if you copy one character less, for example. So I needed a solution with much fewer clicks.

Once you understand how the authentication process works, you usually want to automate it, or at least parts of it. With Burp Suite this can be done using Burp Suite macros, and you can see them in this screenshot. This works for simple cases: you can copy parameters from previous requests, put them into the next one, and you can also extract custom ones either by using regular expressions or static strings. But this approach has limitations. For example, if one of those fields requires you to send a one-time password which you have the secret for, then I don't know how to do it with Burp Suite; it doesn't allow you arbitrary actions. You might manage to do this by writing custom Burp Suite extensions, but I wanted a more flexible solution.

Now let's take a look at how ZAP proxy does it. To automate the authentication process with ZAP proxy you need to set up the context. Here you can see how it looks: you can choose from the drop-down menu some of the types of authentication, you also configure the user, and you also need to set up the regular expression patterns which will detect when the user is logged in and when logged out. While this looks trivial, it's not trivial to configure, and it's very hard to debug when things go wrong. The most important part is that this will only help you if you want to automate parts of the authentication; it will not help you if you want to test the process itself. And here you can see there's also script-based authentication. ZAP proxy provides you with some authentication scripts, and those in theory could be used to automate almost all kinds of authentication, but they can be used only inside the context; you cannot run those standalone, which is a deal-breaker for my case, because I needed to test the authentication process itself.

ZAP proxy also provides a thing called Zest scripts, and it's an interesting feature; they're the closest to what I wanted to have when I was testing the authentication, and you can see them here. They can run standalone, but the configuration is written in JSON; you have a JSON file to set it up, and this also has some limitations. The early Raider prototypes were also using JSON for configuration, and it didn't work out that well, so I will discuss those limitations on a later slide.

The problem with authentication is well known in the ZAP proxy community, and I guess in the Burp community as well. Here's a screenshot from the ZAP proxy web page where they recommend you to disable or simplify authentication when testing your web app. I totally understand this advice: authentication does make your life hard, which is the main reason I ended up on this stage. But this is a bummer, especially if you're particularly interested in testing the authentication process itself; ZAP proxy and Burp Suite will not help you that much. So I decided to build my own tool. At first it was just an idea spread over several Python scripts, then I put them into a package and I needed a configuration file, so I used JSON. But JSON files grow big and they get complicated fast, and editing them manually gets painful. There are also many other issues: you need special syntax to reference previously defined items, and I haven't figured out an elegant way to process items, like encoding, decoding, a string of operations and so on. You also cannot easily reuse parts which you defined previously; let's say you had three lines at the top of the file which you wanted to reuse at the bottom. I don't know how to do this in an elegant way using JSON, and all those problems could be solved if we had a real programming language for that.

Which brings us to the interesting part: why Lisp? To most people Lisp is an ancient language that doesn't have much real usage today, but I disagree. I needed to create a language which defines the information exchange between the client and the server, and the Lisp languages are ideal for creating a custom DSL. It allows you to define your own syntax, and there's also this very interesting concept called homoiconicity, which is also called "code is data and data is code". Unfortunately I don't have a lot of time to explain this in detail, but in short, a programming language is homoiconic if the internal representation of the program can be manipulated as data using the language itself. And why is that useful? That brings us to the next part: metaprogramming. You can write Lisp macros which look like regular functions, but unlike regular functions, Lisp macros do not return a value; they return pieces of code, which is why it's called metaprogramming: you're writing code that generates code.

Before I move to the next slide I want to tell you a story. You can take a moment to check the comic if you haven't seen it before, but I started using Emacs like 10 years ago; before that I was mostly using Vim. Nowadays I'm still using Vim for some tasks, but mostly Emacs. So I'm not here to start an editor war, but I fell in love with Emacs' extensibility, how easy it is to change it, to modify how it works, and it's honestly pretty impressive what people are managing to do using Emacs. So why am I telling you this? While I was battling with the JSON issues I described on the previous slide, at some point it finally clicked: I needed to write configuration files, which is data, but they also need to contain code. I could have invented a new language for that, but why? Lisp is here.

Yeah, so I started playing with Lisp, and after a while it all started to make sense: Lisp started to make sense, macros started to make sense, and I genuinely felt the great Lisp enlightenment you can see in this comic. I couldn't wait to try it all out in Raider, and by now I hope it's clear why Lisp. But why Hy lang? Well, the main reason is because it's based on Python. It compiles into Python code, you can access all your Python libraries, which is super important, especially in security, because so many tools and libraries are using Python, and it's also relatively easy to learn if you know Python, which I assume a lot of you do.

Now that we've covered the basics, let's look into the details. In my experience a lot of pentesters see the authentication part as a black box; they just assume it's safe without testing it that much, which is a shame, because this leads to many undiscovered bugs. With this talk, and Raider in particular, I'm aiming to make it easier for pentesters to test and understand complex HTTP processes like authentication, but not limited to that. So next I'm going to show you my technique on how to reverse engineer the authentication process.

Here you can see a screenshot with mitmproxy, it's another tool, and I captured all the requests that were generated while logging in on Reddit. It generated about 400 requests; most of those are not relevant to the authentication process, so from here we start by removing everything that's not relevant. Most of those are JavaScript files, images, videos, and there are also some others, so we might end up with something like this, which is much easier to dig around in.

One approach from here is to start from the beginning and find out all the outputs, then reuse them until the end, but this is not always the best approach. For example, if the first request gives us back three cookies, we might assume all of them are important and reuse them until the end, but maybe just one of those cookies is actually used for authentication. Another way is to start from the end, so we start with a request which works only if the user is authenticated, and I picked this one. From here you can see we have three different blurred fields which could potentially be used for identifying the user. From here, to understand what's going on, we would need to remove everything piece by piece until it logs us out, so we end up with something much simpler: we try to make the simplest request which will still return us an authenticated response. From here it's pretty clear that the only input which you need for this particular endpoint is the Authorization bearer token; the first two headers are required for the HTTP protocol, and the rest are generated automatically by the requests library, so those are not important. That means we only need this one input. How do we get it? We search for this string through the whole traffic and find the first request which gives us back this token in the response, in the output, and this is what I found. On the left side you can see the request, on the right side the response body with the access token which I was looking for. So from this request we only need one output, this access token, but what are the inputs that we need? Well, we have here several cookies, and we repeat the same process: we remove everything piece by piece, so we try to make the simplest request which will still give us back our token. I don't have time to explain this process until the end, so I just explained my technique and now I need to move on to Raider, but you can continue this on your own if you're interested.

Now let's talk about states. As it turns out, the little time I've spent at the university wasn't totally wasted, so I've learned about finite state machines there, and to my university professors, if you're watching this: hello, this is awkward, I haven't been a good student, but as you can see I ended up here talking about some of the stuff that you taught me, so you did a good job, thank you. Moving on: a finite state machine is a mathematical model which can be used for a detailed analysis of how a system works. A system is stateful if it remembers the previous events. The HTTP protocol, for example, is stateless; each HTTP connection is independent from previous ones, while the authentication process itself is stateful, so you need to complete each step of the authentication in the right order in order to finish it. The state is the information which you remember about the system, and the system can be in only one of its states at any given time. I found out that the so-called Mealy finite state machines can be used best to model the authentication system. I also don't have time to explain this in detail, but we can have multiple inputs and multiple outputs for each step, and the output values are determined both by the current state and its inputs.

Here's how one such step would look. In this case we send the username, the password and the CSRF token, the server checks them and gives us back some outputs, in this case two cookies. We need to map the entire process using this, so we need to chain multiple states together, which will look like this. I removed the inputs and outputs for each step because they do not fit on the screen, it would get too complicated, but they're there. So basically we start unauthenticated, we send the credentials, the server checks them, the server checks if multi-factor is enabled, and if everything is correct we get authenticated, otherwise we get to "login failed". That's it, that's how you model the authentication process using finite state machines.

Now how do we do that with Raider? Raider defines the concept of flows. A flow describes the information exchange that takes place during one step, so just one request and one response, and we create it like this. setv in Hy is used to create a variable, so here we created the variable init, which is a Flow object that will send a GET request to the URL; url in this case is a variable. A flow optionally can have some outputs, and in Raider those are called plugins; I will explain them in more detail later. Optionally you can also have operations; those are pieces of code which will run after we receive the response. Here's how it looks: in this case we have two flows, flow zero and flow one, each flow with its own request and response. The request optionally has some inputs, and the response optionally some outputs, and also each flow optionally has some operations. The main reason operations exist is to say which flow to go to next, but they can have many other uses as well. Another important thing is that the outputs from previous flows can be used as inputs in the next ones. This is how Raider shares information about the state between flows.

To create a flow you need to give it one request, I already said that, and to create one request you need at least the URL; everything else is optional. The method is specified by the class method, as you can see here; you can also create custom methods, it's allowed. You can give it cookies, headers and the rest, so params are used in the URL, data in the request body, and you can also format it as either JSON or multipart. All request parameters can contain plugins; those are used to share data between the flows. In this example we will send a POST request, and the URL is also a plugin called Combine. Combine just combines multiple plugins and/or strings and returns the final value, so in this case it will append api/test to whatever is in the base URL. Also in the cookies you can see a JSESSIONID which is supposed to be extracted in a previous flow; that's how you share data: in a previous flow you use it as an output, here we use it as an input. And also in the params, in param2, you can see that you can write real Hy code inside those parameters.

Now let's talk about plugins. They're mostly used to share data between flows, but they can also be used to manipulate data, like URL-encode, base64-encode and so on, and they can also be nested. For example, let's say we've got the Prompt plugin, which will just ask the user for some input in the terminal, then we want to URL-encode it, so we combine those two. I don't have time to explain them all in detail, and the list is constantly growing, and the user can also write their own without touching the core.

Operations, as I said, are small pieces of code that run after the response is received, and the main reason is to control which flow to go to next. There are also Success and Failure operations, which will indicate whether the HTTP process completed successfully or not. The Print and Save operations are used to print in the terminal, or save into a file, the values of some plugins. Interesting ones are also the conditional operations: for Http we check the HTTP status, for Grep we search through the response body for some string or regular expression, and Match checks if some plugin matches some value. Depending on whether the condition returns true or false, we can run other operations, so you can nest those; that means we can say, for example, run flow A if the HTTP status code is 200, and flow B otherwise. You can even run real Hy code by using Lisp code, and yeah, like plugins, users can write their own operations.
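The "remove everything piece by piece until it logs us out" technique from the reverse-engineering part above, as an added example in plain Python; it is not code from the talk or from the Raider project. The target is a constructed fake server whose rules are an assumption for the demo: it answers 400 without a Host header (the "required by the protocol" case) and 401 without the right Bearer token, and everything else in the recorded request is noise. The minimiser is the greedy one-at-a-time pass the speaker describes, with an oracle deciding whether a response still counts as authenticated, and it counts the probes it sends.

```python
"""Greedy minimisation of a recorded, authenticated request.

Added illustration of the "strip piece by piece" technique; the server,
the recorded request and the token value are all constructed for the demo.
"""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, Dict[str, str]]   # {"headers": {...}, "cookies": {...}}
Response = Tuple[int, str]           # (status, body)


def fake_server(req: Request) -> Response:
    """Constructed target. Host is needed by the protocol, the Bearer token
    by the application; every other header and cookie is irrelevant."""
    if "Host" not in req["headers"]:
        return 400, "missing Host"
    if req["headers"].get("Authorization") != "Bearer tok-123":   # assumed token
        return 401, '{"error":"unauthorized"}'
    return 200, '{"user":"daniel"}'


def is_authenticated(resp: Response) -> bool:
    """Oracle: the response only counts if it still carries user data."""
    status, body = resp
    return status == 200 and '"user"' in body


def minimise(req: Request,
             send: Callable[[Request], Response],
             oracle: Callable[[Response], bool]) -> Tuple[Request, int]:
    """Drop each header and cookie in turn; keep the drop only if the oracle
    still says "authenticated". Returns (minimal request, probes sent)."""
    probes = 0

    def probe(candidate: Request) -> bool:
        nonlocal probes
        probes += 1
        return oracle(send(candidate))

    if not probe(req):
        raise ValueError("baseline is not authenticated; nothing to minimise")
    current = {section: dict(items) for section, items in req.items()}
    for section in ("headers", "cookies"):
        for name in list(current[section]):
            candidate = {s: dict(v) for s, v in current.items()}
            del candidate[section][name]
            if probe(candidate):          # still works without it: not an input
                current = candidate
    return current, probes


# Constructed stand-in for a request copied out of a proxy history.
RECORDED: Request = {
    "headers": {
        "Host": "api.example.test",
        "User-Agent": "python-requests/2.28",
        "Accept": "*/*",
        "Authorization": "Bearer tok-123",
        "X-Request-Id": "7f1c",
    },
    "cookies": {"session_id": "abc", "_ga": "GA1.2.1", "csrf": "zzz"},
}


def minimal_inputs() -> Tuple[Request, int]:
    return minimise(RECORDED, fake_server, is_authenticated)


def remaining_names(req: Request) -> List[str]:
    return sorted(f"{section}:{name}" for section in req for name in req[section])


if __name__ == "__main__":
    minimal, n = minimal_inputs()
    print(f"{n} probes; inputs that matter: {remaining_names(minimal)}")
```

Against a real target the `send` callable would wrap an HTTP client and the oracle would check whatever marks an authenticated page (a username in the body, a redirect to login on failure), but the loop is the same; nine probes replace the copy-paste-and-resend cycle described for Burp Repeater, and the result is exactly the set of inputs the next step has to supply.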
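The flow, plugin and operation concepts above, as an added illustration in plain Python that is not Raider's own code or API: a constructed fake server with a CSRF-protected login and a HOTP second factor (the one-time-password case the speaker said he could not do with Burp macros), three flows whose outputs (a cookie extractor and a regex extractor standing in for plugins) feed the next flow's inputs through shared state, and operations that pick the next flow or return Success/Failure. The endpoints, credentials, the RFC 4226 test key used as the OTP seed, and all helper names are assumptions made for the demo.

```python
"""Mealy-style authentication flows: outputs of one step become inputs of the next.

Added example, not Raider code. Server rules, credentials and names are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, FAILURE = "SUCCESS", "FAILURE"
OTP_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key (assumed seed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Request:
    method: str
    path: str
    data: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    cookies: Dict[str, str] = field(default_factory=dict)


class FakeServer:
    """Constructed target: GET /login hands out a CSRF token (cookie + hidden
    field), POST /login checks it plus credentials and opens an MFA session,
    POST /mfa checks the HOTP code and hands out the access token."""

    def __init__(self) -> None:
        self.counter = 0            # HOTP counter the server expects next
        self.sessions: Dict[str, str] = {}

    def handle(self, req: Request) -> Response:
        if (req.method, req.path) == ("GET", "/login"):
            return Response(200, '<input name="csrf" value="c0ffee">', {"csrf": "c0ffee"})
        if (req.method, req.path) == ("POST", "/login"):
            if req.data.get("csrf") != req.cookies.get("csrf"):
                return Response(403, "bad csrf")
            if (req.data.get("user"), req.data.get("pass")) != ("daniel", "hunter2"):
                return Response(401, "invalid credentials")
            self.sessions["s1"] = "mfa"
            return Response(200, '{"mfa":true}', {"sid": "s1"})
        if (req.method, req.path) == ("POST", "/mfa"):
            sid = req.cookies.get("sid", "")
            if self.sessions.get(sid) != "mfa":
                return Response(401, "no session")
            if req.data.get("otp") != hotp(OTP_SECRET, self.counter):
                return Response(401, "bad otp")
            self.sessions[sid] = "authed"
            return Response(200, '{"token":"tok-123"}')
        return Response(404, "")


State = Dict[str, str]
Extractor = Callable[[Response], Optional[str]]            # plugin stand-in
Operation = Callable[[State, Response], Optional[str]]     # returns next flow name


@dataclass
class Flow:
    name: str
    request: Callable[[State], Request]                     # inputs read from state
    outputs: Dict[str, Extractor] = field(default_factory=dict)
    operations: List[Operation] = field(default_factory=list)


def cookie(name: str) -> Extractor:
    return lambda r: r.cookies.get(name)


def regex(pattern: str) -> Extractor:
    def extract(r: Response) -> Optional[str]:
        m = re.search(pattern, r.body)
        return m.group(1) if m else None
    return extract


def http(status: int, then: str, otherwise: str) -> Operation:
    """Conditional operation on the HTTP status, like the Http/NextFlow idea."""
    return lambda s, r: then if r.status == status else otherwise


def build_flows() -> Dict[str, Flow]:
    init = Flow("init", lambda s: Request("GET", "/login"),
                outputs={"csrf_cookie": cookie("csrf"),
                         "csrf_token": regex(r'name="csrf" value="([^"]+)"')},
                operations=[http(200, "login", FAILURE)])
    login = Flow("login",
                 lambda s: Request("POST", "/login",
                                   data={"user": s["user"], "pass": s["pass"], "csrf": s["csrf_token"]},
                                   cookies={"csrf": s["csrf_cookie"]}),
                 outputs={"sid": cookie("sid")},
                 operations=[lambda s, r: FAILURE if r.status != 200
                             else ("mfa" if '"mfa":true' in r.body else SUCCESS)])
    mfa = Flow("mfa",
               lambda s: Request("POST", "/mfa", data={"otp": hotp(OTP_SECRET, 0)},
                                 cookies={"sid": s["sid"]}),
               outputs={"token": regex(r'"token":"([^"]+)"')},
               operations=[http(200, SUCCESS, FAILURE)])
    return {f.name: f for f in (init, login, mfa)}


def run(flows: Dict[str, Flow], start: str, server: FakeServer,
        state: Optional[State] = None, max_steps: int = 10) -> Tuple[str, State]:
    """Walk the flow graph from `start` until an operation returns SUCCESS/FAILURE."""
    state = dict(state or {})
    current = start
    for _ in range(max_steps):
        flow = flows[current]
        resp = server.handle(flow.request(state))
        for name, extract in flow.outputs.items():     # outputs -> shared state
            value = extract(resp)
            if value is not None:
                state[name] = value
        nxt = next((n for n in (op(state, resp) for op in flow.operations) if n), None)
        if nxt in (SUCCESS, FAILURE):
            return nxt, state
        if nxt is None:
            raise RuntimeError(f"flow {flow.name!r} produced no next step")
        current = nxt
    return FAILURE, state                              # loop guard


def authenticate(user: str, password: str) -> Tuple[str, State]:
    return run(build_flows(), "init", FakeServer(), {"user": user, "pass": password})


if __name__ == "__main__":
    print(authenticate("daniel", "hunter2"))
```

The point to notice is the data path: the CSRF cookie and hidden field leave the init flow as outputs and enter the login flow as inputs without any copy-paste, and the OTP is computed in code at request-build time, which is exactly the arbitrary action a macro system cannot express.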

Now let's talk about flow graphs. They make for a much more flexible setup: you can chain multiple flows together and run them until the end, or until the Success or Failure operations return. They basically act as a pointer: you point to a flow and say "start here", and it will run until the end. To create one is quite easy; here we created the authentication flow graph which points to the login flow, and you can run this from the command line as you can see here. Optionally you can also have a test flow for the flow graph; this is used just as an additional check to see, for example, if the user is successfully authenticated. We can build complex setups like you can see here: you can have just single flows, like flow 9, which will either return Success or Failure, or you can have complex networks like the rest. From the command line you can run either a flow, a flow graph, or any combination of flow graphs and flows as you want, which means you can, for example, start with flow 4, then go to flow 11, then run flow graph 1 until it returns Success, then go to flow 15 and so on. Any combination of flows and flow graphs is allowed.

Now the demo part. Before I actually show you how it works, I'm going to explain some commands to you. The first two I'm not going to use in the demo because I already have the code, but basically you can create a new project, so you need the project name and the Hy file name, and you can also edit it. Raider also allows you to search through your collection of proofs of concept, so you can filter either by project, by Hy file, and by flows and graphs.

For the first example of the demo, I'm going to automate some parts of the OWASP Juice Shop application, which is an intentionally vulnerable web application. I'm not going to focus on the authentication part here, I'm just going to focus on Raider, and in this example I automated the registration process. Here we created the flow graph register, and to actually register a new user in Juice Shop you need three steps: to get the security questions, to actually register the user, and to give the security answer. The register flow graph will start with the first flow, then go until Success is returned. The first time we run it we will register and log in with this user and return the access token; the second time we cannot do this, because the user is already registered, so we need a new email for that, but we can just use login to get the same token.

For the second example I'm going to show you the SQL injection which is located inside the email field when logging in to Juice Shop. To actually test it I created a flow called login sqli which points to itself, and the flow graph will point to this flow, so basically it will run in a loop until it returns Success. Success will be returned when the server answers with HTTP 200, meaning the user logged in successfully.

The last example is a little bit more complicated. We need to exploit two different issues, and I chained them together. Basically how it works: you need to log in with the user, go to the user's profile page, and you can set up the username, and when you do that, the username is vulnerable to cross-site scripting. But it's not possible to exploit it directly, because the server has some Content Security Policy headers which disallow you to do that; therefore we first need to exploit another vulnerability which will modify the Content Security Policy header, and this is located inside the profile picture: you can set up your profile picture and you can use a URL as well. For the Content Security Policy bug, instead of giving a real URL for your profile picture, you send a fake URL, but you append some attributes that will be appended to the header. You will see exactly how this works very soon.

Now, the first command, raider show, will just show all my configured projects, all the proofs of concept I have here. You can also filter by partial match for the project; here I have three matches, but I'm just going to show you the Juice Shop one, and you can see all the Hy files configured for this project. We can also see all the flows and all the flow graphs; the flow graphs are in red, and you can see here we have a default flow graph which is created by Raider automatically just for convenience, so you don't need to create a flow graph if you have just one; it will be created automatically.

Now I'm going to show you some of it. I also don't have time to go into the details of all the configuration; I will post all the Juice Shop files inside the repository after I'm finished with this talk. Let's take a look at just the first file, and here's how it looks. I created the base URL here, which I'm going to use later, then those are some plugins which will help extract the data, and here is the username field, which will just print the part of the HTML which is vulnerable to XSS, so it's going to be easier to find, and lastly I have created the user with a password and a security answer. So if I try now to log in with this user it will not work, because I haven't created it yet. Yes, but I can run register, then login, so this will send those requests necessary for registration and login, and now it outputs the access token which is needed. If I run it a second time it will fail, because I cannot register it twice, but I can get the token just by using login, so this part works.

The second example was SQL injection. Here it asks me for the input to use for the email field. If I put just a random value it will say "invalid email or password", makes sense, but if I put something including a quote, it will send this SQL error, so we know we have an SQL injection here. I'm just going to use the solution, because I already know it, and it exited with a successful login even though I don't know the password for the admin, and here you can see the token and the user admin.

Now for the last example, combining two different weaknesses: first we need to log in, then exploit the CSP issue, then the cross-site scripting. I think that's right, yes. So here you can see the Content Security Policy header which doesn't work for us; we need to add a new attribute to script-src to allow unsafe-inline. It asks me if I'm satisfied with the result, I say no, I want to change it, so I put in a fake URL, then I add my attribute and I add the rest of them, and hopefully this will work. First we need to wait for the server to time out, because it's trying to access this URL which does not exist, and here you can see this image, the default one, is added to the Content Security Policy, but it should soon be replaced with whatever we input here. Now I just need to wait a few seconds, and as you can see it's already here, and I guess this should work. I am satisfied now. The last issue, the cross-site scripting: here you can see the original HTML code where this issue is encountered. If we just put a username you will see it here, but if we try a regular cross-site scripting XSS you will see that it gets filtered, so we see just "lert xss". I already know the solution, so I'm going to use it, I don't have time to explain it, let's just use document.cookie, and it seems like it works fine. Now if we actually log in, it worked, and if I go to the account profile, I don't know why it's so slow, then we see the cookie here.

So what's next for Raider? First of all I need to finish the documentation; after the latest architectural changes a lot has changed, and the documentation still does not reflect reality, so this is a priority right now. The command line interface is still a new addition to Raider; previously you had to write Python scripts which invoke Raider as a library, and this is not very convenient. And speaking about convenience, I also wanted to create a REPL, a read-eval-print loop, so instead of going to the source code, modifying it, then going to the terminal again and running Raider, we could just use a Raider shell to do all those kinds of things, so working in real time to test it. Another thing I'm excited about is fuzzing. Previously, in the early stages, Raider had some very limited fuzzing; it didn't work out that well yet, but now after all those architectural changes it stopped working completely, so I need to fix that, and I'm sure that with proper fuzzing we can find many more bugs using Raider. Next I want to have sessions: every time you run Raider we have a different set of inputs and outputs, and those can be considered a session; it would be helpful to save them into a file so that we can recall them later and maybe check for some session issues. It's also not very easy to debug, so you need to understand the source code if something is not working well; I need to improve that part as well. And speaking about Lisp and macros, I've just started using macros recently, like a few months ago, so I'm only just scratching the surface right now of what Lisp and macros can do for Raider, and I also want to spend time on that. Next, another thing I'm really interested in, but I still need to do some research, is graph theory. Basically we have a network, a graph; we know all the flows, we know all the inputs, we know all the outputs. I guess it could in theory be possible to look for patterns to identify vulnerabilities based on the structure. I still need to do some research on that, because it's a complicated topic, but I'm very interested in this. And last but not least, I want to integrate it with other tools which will benefit from having something like this.

So in summary, Raider is not just a toy anymore; it can be used for real-world use cases during pentesting. I managed to automate real-life single sign-on providers like Microsoft or Auth0, so it works for real cases, but there's still a lot of work to do, a lot of bugs to be fixed, lots of missing features. So yeah, I'm happy to hear your feedback if you're interested, and obviously I'm looking for contributors if you want to help with that. Before going to the Q&A session I want to thank my family and friends for supporting me through this journey, and here you have all the links if you want to contact me or learn more about Raider. That's it, thank you very much.

We thank you, Daniel, for your presentation. If there are any questions, you can talk to the microphone here in the room. I don't have the time to check the whole chat rooms online, but I think we have some questions from there. For the questions, I think the first one is in the room.

Okay, so in your first picture where you connected different flows there was something weird: one arrow was going to the edge of the flow and one arrow was going into the flow, and that doesn't sound like an elegant design decision.

This, no, the previous boxes one. So the left arrow is going to the border of the box, which sounds like a nice encapsulated design, whereas the other arrow goes into the box, so it's like you're mixing these layers. Well, it's not really a black box, but you have to go into the box.

Well, operations I use just to say which flow to go to next, but outputs can be used as inputs in those. So outputs are just to share information, but the operations say which one to go to next. Does it make sense?

A little bit, okay, so that explains why you have these different types.

Yeah, it's different types, so one just says where to go next, the other just shows that the inputs can use the values from the outputs from previous ones.

Thank you for your question. Are there any other questions from the public? I think we have no more questions for you. Okay, so thank you for your presentation.

My pleasure.

And we can shut down the live.

[Music]