burpkit presented by - paper conf/defcon/2015/defcon-23-nadeem-douba...• building hacking tools...
TRANSCRIPT
![Page 1: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/1.jpg)
BURPKITUsing WebKit to Own the Web
1
2015-07-15
Presented by:
Nadeem Douba
![Page 2: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/2.jpg)
INTRODUCTION
• Nadeem Douba• Founder of Red Canari, Inc.• Based out of Ottawa, ON.• Hacker
• Interests:• Exploiting stuff• Building hacking tools
• Prior work:• Sploitego (presented at DEF CON XX)• Canari (used by Fortune 100s)• PyMiProxy (used by Internet Archive)
BurpKit - Using WebKit to Own the Web
2
2015-07-15
![Page 3: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/3.jpg)
OVERVIEW
• WebKit• What is it?• Why use it?• How can we use it?
• BurpKit• Design Considerations• Implementation• Demos!
• Conclusion• Questions?
2015-07-15BurpKit - Using WebKit to Own the Web
3
![Page 4: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/4.jpg)
THE WEB PEN-TESTER’S CONUNDRUM
• Today’s web applications are complex beasts
• Heavy use of JavaScript for:• Rendering pages• Rendering page elements• Performing web service requests
• ¿But our security tools are stillscraping HTML!?
2015-07-15BurpKit - Using WebKit to Own the Web
4
![Page 5: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/5.jpg)
OUR TOOLKIT
2015-07-15BurpKit - Using WebKit to Own the Web
5
• Reconnaissance & Scanning:• Most tools (nikto, cewl, etc.) just
scrape HTML• Attack:
• BurpSuite Pro/Community• Lobo-based Renderer tab (Burp’s
neglected child) !• No JavaScript/HTML5 support
• Charles & Zed are just proxies• WebSecurify’s Proxy.app only has a
web view
![Page 6: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/6.jpg)
MODERN TOOLKIT REQUIREMENTS
2015-07-15BurpKit - Using WebKit to Own the Web
6
• Web penetration testing tools that:• Have modern web browser
capabilities• Parse and interpret JavaScript• Dynamically render and inspect
content• Most importantly:
• Our tools need to be able to interact with the DOM!
![Page 7: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/7.jpg)
WEBKITWhat is it good for? - Lots of things!
2015-07-15BurpKit - Using WebKit to Own the Web 7
![Page 8: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/8.jpg)
WHAT IS WEBKIT?
“WebKit is a layout engine software component for rendering web pages in web browsers. It powers Apple's Safari web browser, and a fork of the project is used by Google's Chrome web browser.”
- Wikipedia (https://en.wikipedia.org/wiki/WebKit)
2015-07-15BurpKit - Using WebKit to Own the Web
8
Image credit: Smashing Magazine
![Page 9: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/9.jpg)
(UN)OFFICIAL DEFINITION…
2015-07-15BurpKit - Using WebKit to Own the Web
9
![Page 10: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/10.jpg)
WEBKIT API• Made up of two major components.• JavaScriptCore - responsible for
everything JavaScript:• JavaScript/JSON parsing & execution• Garbage collection• Debugger• Etc.
• WebCore – responsible for everything else:• Resource loading• Content parsing & rendering• Web Inspector• Etc.
2015-07-15BurpKit - Using WebKit to Own the Web
10
![Page 11: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/11.jpg)
KNOWN IMPLEMENTATIONS & FORKS
2015-07-15BurpKit - Using WebKit to Own the Web
11
• Apple’s Safari• Android’s web browser• Nokia QT• JavaFX WebView• WebKitGTK+• PhantomJS• Google Chromium• Node WebKit• Many more…
(https://trac.webkit.org/wiki/Applications%20using%20WebKit)
Image credit: http://bitergia.com/public/reports/webkit/2013_01/
![Page 12: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/12.jpg)
WHY USE WEBKIT?
Pros"Widespread adoption"Lots of language support: Java,
Python, C/C++, JavaScript, etc."Portable across many platforms"Can interact with the DOM and JS
Engine.
Cons✗ Your code will be susceptible to the
same bugs that plague modern browsers
✗ Tools will be hungrier for system resources (i.e. RAM, CPU).
2015-07-15BurpKit - Using WebKit to Own the Web
12
![Page 13: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/13.jpg)
HOW CAN YOU USE WEBKIT?
Language• JavaScript (NodeJS)• Python• JAVA• Swift/ObjC• Ruby• C/C++
Libraries• Node WebKit• WebKitGTK+, PyQt• FX WebView, Qt Jambi, JxBrowser• UIWebView• WebKitGTK+, Qt• Chromium, WebKit
2015-07-15BurpKit - Using WebKit to Own the Web
13
![Page 14: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/14.jpg)
BURPKITHow we used WebKit.
2015-07-15BurpKit - Using WebKit to Own the Web 14
+ =
![Page 15: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/15.jpg)
WHAT IS BURPKIT?
• BurpKit = BurpSuite + WebKit• Used JavaFX’s implementation of
WebKit• WebView & Debugger• WebEngine
• Provides a real rendering tab (that’s right… no more lobo)
• Has a bidirectional bridge between BurpSuite & WebKit!
• And more!
BurpSuiteExtender-
APIJava4based-WebKit API
Rendering-engine
2015-07-15BurpKit - Using WebKit to Own the Web
15
BurpKit
![Page 16: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/16.jpg)
DESIGN DECISIONS
• Chose to go with JavaFX over JxBrowser – why?
• Redistribution:• JavaFX comes with Java 1.8+.• JxBrowser needs bundling (>250MB)
• Cost: • JavaFX is FREE!• JxBrowser is not!
• API:• JavaFX has a cleaner API• JxBrowser’s is a bit ¿clunky?
2015-07-15BurpKit - Using WebKit to Own the Web
16
![Page 17: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/17.jpg)
JAVAFX: PROS AND CONS
Pros"Easy-to-use & clean API"Complete JavaScript bridge"Portable across many platforms"Leverages the Java URL framework
(hookable)"Does provide debugging/profiling
information (with some hacking)"Bundled with Java 1.8+
Cons✗ API is incomplete – under
development✗ No GUI components for
WebInspector and friends✗ Little documentation on advanced
features (must look at code)✗ Still a bit buggy
2015-07-15BurpKit - Using WebKit to Own the Web
17
![Page 18: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/18.jpg)
IMPLEMENTATIONNerd Rage
2015-07-15BurpKit - Using WebKit to Own the Web 18
![Page 19: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/19.jpg)
CHALLENGES
• Burp uses Swing for its GUI• WebView and WebEngine need to run
on FX event loop• WebEngine does not have a loadContentWithBaseUrl(content,6url)method - only has: • loadContent(content,6type); and • load(url)
• BurpSuite had to be able to interact with JavaScript and vice-versa
2015-07-15BurpKit - Using WebKit to Own the Web
19
![Page 20: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/20.jpg)
CHALLENGE: SWING/FX INTEROP• Solution:javafx.embed.swing.JFXPanel
• Gotchas:• Must avoid interweaving blocking
calls • i.e. Swing # JavaFX # Swing =
¡DEADLOCK!• Always check if you’re on the right
event loop!• Workarounds:
• Eagerly initializing resources sometimes necessary
• Lots of wrapping code!
2015-07-15BurpKit - Using WebKit to Own the Web
20
![Page 21: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/21.jpg)
CHALLENGE: LOADING CONTENT WITH A BASE URL
2015-07-15BurpKit - Using WebKit to Own the Web
21
Credit: http://media.techtarget.com/tss/static/articles/content/dm_protocolHan dlers/j ava_protocol.pdf
• Why? • Required to render responses for
repeated requests• Solution: hook java.net.URL
protocol handling framework• WebView uses framework to issue
HTTP(S) requests• Challenge:
• Our new handlers would have to support both live and repeated requests.
![Page 22: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/22.jpg)
CHALLENGE: REPEATER
2015-07-15BurpKit - Using WebKit to Own the Web
22
• Background: did not want to reissue a live request because content may change.
• Solution: overrode HTTP(s) handlers and used User4Agent to “tag” repeated requests.• If User4Agent contains SHA1 hash,
give URL handler fake output stream
• Else, continue with live request• See BurpKit Java package com.redcanari.net.http for code.
![Page 23: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/23.jpg)
CHALLENGE: JAVASCRIPT BRIDGE
• Background: need to be able to query and manipulate DOM
• Solution: inject JAVA objects into JS engine!• Gotchas:
• Funky reflection algorithm in WebEngine prevented straight-forward JAVA object interaction.
• Lots of deadlock scenarios• Workarounds:
• Wrapper classes galore!• Eager instantiation of Swing components.
2015-07-15BurpKit - Using WebKit to Own the Web
23
![Page 24: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/24.jpg)
THE FINAL PRODUCT
Google: Before & After
2015-07-15BurpKit - Using WebKit to Own the Web
24
![Page 25: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/25.jpg)
WELL?
2015-07-15BurpKit - Using WebKit to Own the Web
25
![Page 26: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/26.jpg)
BURPKIT DEMOSThere’s lots to see!
2015-07-15BurpKit - Using WebKit to Own the Web 26
![Page 27: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/27.jpg)
DEMO: GUI WALKTHROUGHFeature set
2015-07-15BurpKit - Using WebKit to Own the Web
27
![Page 28: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/28.jpg)
XSS TRACKERTainting applications
2015-07-15BurpKit - Using WebKit to Own the Web
28
![Page 29: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/29.jpg)
DEMO: DOM INTERACTIONAnalyzing Twitter Followers
2015-07-15BurpKit - Using WebKit to Own the Web
29
![Page 30: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/30.jpg)
DEMO: BURP EXTENSIONSProxy Listeners, Message Editors, and Context Menus
2015-07-15BurpKit - Using WebKit to Own the Web
30
![Page 31: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/31.jpg)
CONCLUSION
• Let’s stop scraping and let’s start DOMinating the web!
• Our security tools need to evolve just like the web.• We have the tools/libraries at our
disposal• Please contribute your ideas and
code to BurpKit!• We need to make it the standard!
2015-07-15BurpKit - Using WebKit to Own the Web
31
![Page 32: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/32.jpg)
KUDOS• My Lovely Wife $• Justin Seitz
• http://automatingosint.com/• Dirk Lemmermann
• http://dlsc.com/• Tomas Mikula
• https://github.com/TomasMikula/RichTextFX
• Java/JavaFX team• The Noun Project• All the contributors!
2015-07-15BurpKit - Using WebKit to Own the Web
32
![Page 33: BURPKIT Presented by - Paper Conf/Defcon/2015/DEFCON-23-Nadeem-Douba...• Building hacking tools • Prior work: • Sploitego (presented at DEF CON XX) • Canari (used by Fortune](https://reader033.vdocument.in/reader033/viewer/2022042105/5e83bda83a72d6249d2987b7/html5/thumbnails/33.jpg)
¿QUESTIONS?We aim to please…
2015-07-15BurpKit - Using WebKit to Own the Web 33