Friday, 29 August 2014

BurpCSJ - Dealing with authentication

I have received many questions on how to properly handle authentication when using BurpCSJ, so here is a short tutorial on how to properly manage authentication. If you are looking for how to use this Burp extension, here is a basic tutorial as well.

In this post, we are going to use BurpCSJ against the Altoro bank (vulnerable web application made on purpose), which is available online here: http://demo.testfire.net/

First, start clean (the reasons will be clear at the end of this tutorial):

- Start Burp;
- Start browser and configure proxy settings to work with Burp;
- Browse to target site: http://demo.testfire.net/
- Perform login: user: jsmith - password: Demo1234
- Check Burp cookie jar (under options/sessions), this should be populated with some cookies:


- Configure BurpCSJ (Crawljax tab) and make sure that "Use Manual Proxy" is ticked and it is pointing to Burp and that the "Use cookie jar" option is ticked as well:



- Start/Launch BurpCSJ against target site (right-click, Send URL to crawljax option). When BurpCSJ launches Crawljax, you will notice that the first request has no "cookie" - this is normal in WebDriver and the reason why this occurs is that WebDriver needs to first initialize, so no worries.



- the second request, or third request (depending if there is a redirection) and all the subsequent requests performed by Crawljax will include the valid cookies from the cookie jar.

You are now performing an authenticated crawling session and if you check the browser managed by WebDriver, you should notice that it is using a valid authenticated session.

In case you do not follow the first two steps, you might end up having some issues and failing to run a proper authenticated crawling session. This happened to me quite few times...

Let's say that you already started the browser, logged in and then you enable proxy with Burp and then you run BurpCSJ. The issue is that Burp does not have history of the Set-Cookie directive so it will identify the cookies sent by the browser and will populate the Cookie jar by taking as a reference the parent domain only.

Below, you can see the issue by comparing the cookies in the browser and the ones in the Burp cookie jar. Can you spot the difference? ;-)

If this happens, a BurpCSJ crawling against demo.testfire.net would not use the cookies in the Burp cookie jar, as demo.testfire.net doesn't match with testfire.net. So no authenticated crawling session in this case...

So don't be lazy, if you have to restart/clean the browser time to time... ;-)

The latest Crawljax package has fixed multiple issues. I have noticed the crawler is more diligent and sticks to the target domain instead of visiting other pages from out-of-scope domains.

As usual, feedback is more than welcome and feel to contact me or raise github issues - https://github.com/malerisch/burpcsj

Wednesday, 18 December 2013

Crashing Firefox with Regular Expression

Recently, I have found an interesting crash in Firefox and decided to investigate more. So I decided to Google for it and it appears that the issue is already known and was reported few months ago to Mozilla.
However, the bug is not fixed yet (at least in FF 26) and as a matter of personal exercise, I have decided to dig a little deeper and collect some notes which I am sharing in this blog post.
Here is a brief analysis of what I have found, thanks also to the pointers given from my friend Andrzej Dereszowski.

This is the crash PoC:

<html>
<head>

<script>
function main() {
regexp = /(?!Z)r{2147483647,}M\d/;
"A".match(regexp);
}

main();
</script>
</head>
<body>
</body>
</html>


Below, a windbg screen shot showing the crash on Firefox 25 / Windows 8.1 (64bit):

 

At this stage, we can infer that an overflow occurred and as a measure of protection FF decided to crash instead of gracefully handle the issue. In my PoC, you can see already the integer 2147483647 which is used in a regular expression.

In the call stack, there are functions dealing with the RegExp just before the mozjs!WTF::CrashOnOverflow::overflowed: . Let's put a breakpoint on the previous function: mozjs!JSC::Yarr::YarrGenerator<1>::generatePatternCharacterFixed+0x87 and see what happens just before the overflow is identified.

This is the function where we are setting the breakpoint (bp) on:

void generatePatternCharacterFixed(size_t opIndex)
    {
        YarrOp& op = m_ops[opIndex];
        PatternTerm* term = op.m_term;
        UChar ch = term->patternCharacter;

        const RegisterID character = regT0;
        const RegisterID countRegister = regT1;

        move(index, countRegister);
        sub32(Imm32(term->quantityCount.unsafeGet()), countRegister);

        Label loop(this);
        BaseIndex address(input, countRegister, m_charScale, (Checked<int>(term->inputPosition - m_checked + Checked<int64_t>(term->quantityCount)) * static_cast<int>(m_charSize == Char8 ? sizeof(char) : sizeof(UChar))).unsafeGet());

The bp is set on the BaseIndex address() part. This is where some checks are performed on our integer.

After stepping through different checks, our integer (2147483647) is stored in both lhs and rhs and then lhs and rhs are summed together. The sum is then stored in the "result" variable, as shown below:



The addition of lhs and rhs is 4294967294 (0xFFFFFFFE) which is stored in an int64. Following that, a further check is performed, as shown below:

 template <typename U> Checked(const Checked<U, OverflowHandler>& rhs)
        : OverflowHandler(rhs)
    {
        if (!isInBounds<T>(rhs.m_value))
            this->overflowed();
        m_value = static_cast<T>(rhs.m_value);
    }
 
Within the isInBounds check (in the screen shot below), the minimum value is 0x80000000 and the maximum value is 0x7FFFFFFF, which means between -2147483648 and 2147483647, the range of a long.



The rhs.m_value is now 4294967294 (0xFFFFFFFE) as result of the previous arithmetic operation between lhs and rhs.



This triggers the check as 0xFFFFFFFE is greater than 0x7FFFFFFF (max value in the inBounds check). This would call overflowed() which would then simply crash FF.