Thursday, September 3, 2009

Burp Suite Tip of the Day (BToD) Proxy > HTML Modifications/Match and Replace

Today's tip is just purely based on some experiences I've had during testing. The gist is that some developers choose to render the application in such a way where obfuscation IS the security. So I will explain the scenario and then how to modify proxy options to uncover the obfuscated data.

It is true that you will eventually, when performing manual dynamic analysis, review the source code of every response. However, in my case, directly after building my site map I simply take a look and annotate the interesting finds and input that I may want to test.

To keep track of these annotations I prefer Dradis 2.3 and if you have any questions on using this tool might I suggest one of three routes. The first is to join the community Here. The second is to contact etd, the creator, on irc at on the #dradis channel. Lastly, etd is on twitter and I highly suggest following him anyways!

Anyways, on with the tutorial. So, both @jack_mannino and I observed a situation, where a site loaded content from another site they managed via iFrame. Now the trick is directly calling the site being loaded in the iFrame to try and gain unauthenticated access to MAYBE an exposed default directory. We were in luck, there was in fact a default directory exposed. When requesting this resource however we received a 200 but with a redirection occuring in the browser? The page rendered fully in the response. WTF? Well what controls said redirection? Ahhh, JavaScript! So what happens if we strip javascript? Fully functionality! Sweet.....

Okay, so on with viewing the site with JavaScript disabled. Lets use burp to strip the JavaScript!
NOTE: Personally, I recommend always viewing a site with JavaScript disabled AND cookies disabled.

Navigate to Burp > Proxy > Options. Scroll down until you see 'html modifications' and check remove all JavaScript. Its really that simple.

The next scenario is where full administrative functionality was provided in the response BUT it was commented out. Again, wtf.....seriously? Obfuscation = fail. So if you want to just automatically remove the characters that control comments so that everything is rendered do the following. On the same page, navigate down to 'match and replace'. Choose 'response body in the drop down bar' like so:

Now in the 'match' field enter in the 'match' field this time and in the 'replace' field just leave this blank. When you are finished it should look like:

Happy hacking!

No comments: