WebInspect 9.20 Web Macro Recording with TruClient 2012

DESCRIPTION

This presentation goes through the steps to configure HP WebInspect 9.20 to make it handle challenge/response authentication schemes.

[Please note that this is HP-copyrighted content and we're just hosting it here for convenience. If we need to pull it down just email me: dan _at_ denimgroup dot com.

The original HP Security Laboratory blog post presenting the content is here: http://h30499.www3.hp.com/t5/The-HP-Security-Laboratory-Blog/Challenge-Response-Authentication-No-Problem/ba-p/5644803

And the original PDF can be downloaded from HP here: http://h30499.www3.hp.com/hpeb/attachments/hpeb/sws-22/589/1/WebInspect%209.20%20Web%20Macro%20Recording%20with%20TruClient%202012.pdf]

©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Technical study to show WebInspect capabilities

Hans Enders, HP Presales

May 1, 2012

DenimGroup Auth Example

Using TruClient in WebInspect 9.2

Background

• This document details how to use the WebInspect 9.20 new TruClient Web Macro Recorder (WMR) against a simple Challenge-Response authentication app.

• This document is meant to demonstrate that WebInspect can manage these scenarios out-of-the-box as well as to show the user many advanced capabilities it offers to maintain session state.

• Since TruClient records user actions and not simple sessions, it includes the ability to handle advanced Q&A without needing changes to the application under test.

Background

• Vendor Challenge:

  • http://diniscruz.blogspot.co.uk/2012/04/small-step-for-appsec-large-step-for.html

• Discussion centered around this DenimGroup blog entry:

  • http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html

• The sample app was provided by DenimGroup:

  – https://github.com/denimgroup/authexamples

Agenda:

• Overview & Configuration

• Demo app walk-through

• Macro for demo app

• Customized demo app

• Macro for customized app

• Finalizing the macro

Overview

• Auth example application provided by DenimGroup

  – All Responses are "apple"

  – Hosting the app on a local instance of XAMPP

• Initial recording

• Editing the example app for differing Answers: "apple", "CEO", "White"

https://github.com/denimgroup/authexamples

Demo app - Authexamples

• What - A simple Challenge-Response app in PHP, using a single answer for all questions.

• Description:

  – This is a simple project that is intended to demonstrate a couple of different non-standard authentication scenarios for folks to train their scanners and scanner operators on. Currently based on a single scenario in PHP, we'd love to add more scenarios. Questions/comments/updates? Please contact dan _at_ denimgroup.com

Demo app – posting to XAMPP

• What - A simple web server suite for Windows.

• http://www.apachefriends.org/en/xampp-windows.html

• OS used – Windows 7 64-bit

• Installed path: C:\Websites\xampp\

• XAMPP 1.7.7, including:

– Apache 2.2.21

– MySQL 5.5.16

– PHP 5.3.8

– phpMyAdmin 3.4.5

– FileZilla FTP Server 0.9.39

– Tomcat 7.0.21 (with mod_proxy_ajp as connector)

http://www.apachefriends.org/en/xampp-windows.html

Demo app – posting to XAMPP

• Extracted AuthExample to XAMPP htdocs folder:

– C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\

– URL: http://localhost/denimgroup-authexamples-5059b6f/index.php

Agenda: Demo app walk-through

Login screens

Demo app – normal walk through

C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php

Demo app – default Answers

• Answers are all set to “apple” inside login.php

// Set up some page data
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'apple' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'apple' );

Challenge screens – all “apple”

Demo app – normal walk through

Login, browse, logout

Demo app – normal walk through

Agenda: Macro for demo app

Web Macro Recorder for WebInspect 9.20

TruClient WMR

15 Enterprise Security – HP Confidential

• HP TruClient is the latest iteration of HP WebInspect's Web Macro Recorder tool (WMR).

• TruClient is an Event-based UI recorder.

• The two prior WMR tools are still present in WebInspect:

  • Event-based WMR

  • Session-based (Traffic-based) WMR.

Raw recorded steps

WMR – simple recording

Playback successful

Notice that Step #8 is the Challenge-Response (Q&A) session.

WMR – simple recording

Once Playback is successful, browse to get logged out

WMR - simple recording

Once logged out, click Select button – highlight identifying element

WMR – simple recording

Review the Logout Condition

WMR – simple recording

Works out-of-the-box

WMR – simple recording is Done

Agenda: Customized demo app

C:\Websites\xampp\htdocs\denimgroup-authexamples-5059b6f\loginplusquestion\login.php

Demo app – custom Answers

• Edited the answers to “apple”, “CEO”, and “White” inside login.php.

// Set up some page data
// (answers must be in straight single quotes; curly quotes would be a PHP parse error)
$second_stage_questions[0] = array( '1234', 'What is your favorite fruit', 'apple' );
$second_stage_questions[1] = array( '817', 'What is your favorite Jobs job', 'CEO' );
$second_stage_questions[2] = array( '423', 'What is your favorite Beatles record label', 'White' );

Challenge screens – now different

Demo app – custom Answers

Agenda: Macro for customized app

Initial recording. Press Stop and ignore the follow-up Play button; we will need some Q&A code added before playback can succeed.

WMR – custom Answers

Final Goal

WMR – custom Answers

• To manage dynamic Challenge-Response, the TruClient user will need to insert three new steps into the recorded steps.

1. Evaluate JavaScript code – Dynamic Security Questions

2. Evaluate JavaScript – setSecurityQuestion

3. Evaluate JavaScript – getDynamicAnswer

• For Q&A involving more than one field, each field will need its own pair of setSecurityQuestion and getDynamicAnswer steps, but they may all be able to share a single step for the Dynamic Security Questions.

Sneak peek - Final Goal

WMR – custom Answers

Insert new Step #7 – “Evaluate JavaScript” from Toolbox sidebar

WMR - custom Answers

Open the JavaScript Editor window

Code – Dynamic Security Question

• Expand the new JavaScript step > click on "[Code]" > expand "Arguments" > "JS" button

Sample code

Code – Dynamic Security Question

• Build your raw JS, or reuse the basic script framework shown below.

  – Edit the questionAnswer lines to match your situation.

  – Note that variable names created here must be kept the same elsewhere as we continue.

//dynamic security questions
// map of question text -> answer (an object rather than an array, since the keys are strings);
// each key must match the question text exactly, after trimming
var questionAnswer = {};
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";

// the question currently shown on the page; set by the "Evaluate JS on Object" step
var currentQ;

function setSecurityQuestion(q)
{
    // trim leading and trailing whitespace so the lookup key matches
    currentQ = q.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}

function getDynamicAnswer()
{
    // returns undefined, and playback fails, if the question is not in the map
    return questionAnswer[currentQ];
}

Sample code

Code – Dynamic Security Question

• User simply pastes in this code sample, then edits the "questionAnswer" lines to match their situation.

  • Update the question inside quotes

  • Update the answer at the end, also in quotes

• Note that variable names used in this script will be used elsewhere, so the user must keep them the same.

Sample code

Code – Dynamic Security Question

• Here is what Step #7 has become.

Insert new Step #8 – “Evaluate JS on Object” from Toolbox sidebar

Code – setSecurityQuestion

Choose the Question object

Code – setSecurityQuestion

• Play this step alone, then highlight the JavaScript Object in the browser.

  – Right-click the step, or highlight it and press F7

  – The "!" icon simply indicates an error on Playback, offering details on mouseover.

Choose the Question object

Code – setSecurityQuestion

• For this example app, we cannot just select the Question text because the text is not contained within an element of its own (see green block below). Because of this we need to do some additional regular expression parsing. On most sites this step would not be necessary.

Identify the Question object

Code – setSecurityQuestion

• Sample of the raw text offered:

  – Hint: apple is a pretty good choice for all the questions

  – Question: What is your favorite fruit

• Used the included Regular Expression Editor tool to work up the regex:

  – Question:\s(.*)

• Open the JavaScript Editor for this new step

Identify the Question object

Code – setSecurityQuestion

• Useful test code to verify the regex is working in JS:

  – basic >> window.alert(object.textContent)

  – This test app >> window.alert(object.textContent.match(/Question:\s(.*)/)[1])

• Play this Step to check the pop-up – does it match your desired Question text? Yes.

Identify the Question object

Code – setSecurityQuestion

• With the Alert pop-up verification, we are confident our regex works.

• Here is our regex inserted into our standard setSecurityQuestion code:

  – setSecurityQuestion(object.textContent.match(/Question:\s(.*)/)[1])

• Paste this into the JS Editor window

  – Recall that this function name "setSecurityQuestion" must match what we created for the Q&A code back in Step #7.

Quick edit for the setSecurityQuestion step

Code – element location

• TruClient by default will locate a text object by doing an exact match on the text. For security questions, we want to locate the text object by position instead. To do this we must change the ID Method from "Automatic" to "XPath".

Quick edit for the setSecurityQuestion step

Code – element location

• Expand the drop down menu for "XPath:" and choose the second XPath expression "/html/body/width" to find the question by its position.

  – Verify this new entry in the browser by using the Highlight button

Connect the Question back to the Javascript Q&A code

Code – getDynamicAnswer

• We have now added to the macro our Q&A code and code to identify the Question.

• Now to edit Step #9 so the Answer matches the Question…

Connect the Answer back to the Javascript Q&A code in Step #7

Code – getDynamicAnswer

• Open the JS Editor window for Step #9's Argument and enter our standard code:

  – getDynamicAnswer()
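The three macro steps above (Step #7 Q&A code, Step #8 object script with the deck's Question:\s(.*) regex, Step #9 getDynamicAnswer()), as an added example that is not part of the HP deck: plain JavaScript that simulates the three steps against constructed element text so the lookup can be checked outside the recorder. The sample element objects, the extractQuestion and answerFor helpers, and throwing on an unmapped question are assumptions of this example, not TruClient behaviour; in the real macro TruClient supplies `object` for the located element and the function bodies live in Step #7.

```javascript
// Added example, not code from the HP deck: the three TruClient steps
// (#7 define the Q&A code, #8 set the question from the page object,
// #9 return the answer) simulated in plain JavaScript. `object` below is a
// constructed stand-in for the element TruClient hands to an
// "Evaluate JS on Object" step.

// Step #7 - "Evaluate JavaScript": the question-to-answer map and helpers.
// Same names as the deck's script; Steps #8 and #9 call them by name.
var questionAnswer = {};
questionAnswer["What is your favorite fruit"] = "apple";
questionAnswer["What is your favorite Jobs job"] = "CEO";
questionAnswer["What is your favorite Beatles record label"] = "White";

var currentQ;

function setSecurityQuestion(q) {
  // Trim leading/trailing whitespace (including newlines) so the key matches.
  currentQ = q.replace(/^\s\s*/, "").replace(/\s\s*$/, "");
}

function getDynamicAnswer() {
  var answer = questionAnswer[currentQ];
  if (answer === undefined) {
    // The deck's version returns undefined here, which would be typed into
    // the Answer field and the login would fail without saying why.
    // Throwing instead makes the playback error name the unmapped question.
    throw new Error("No answer configured for question: " + JSON.stringify(currentQ));
  }
  return answer;
}

// Step #8 - "Evaluate JS on Object": the demo app's question text is not in an
// element of its own, so the deck's regex pulls it out of the surrounding text.
// `(.*)` stops at the end of the line, so the Hint line before it is ignored.
function extractQuestion(object) {
  var m = object.textContent.match(/Question:\s(.*)/);
  if (!m) {
    throw new Error("No 'Question:' line in element text: " + JSON.stringify(object.textContent));
  }
  return m[1];
}

// Step #9 - the Answer field's argument is just getDynamicAnswer().
// answerFor() runs Steps #8 and #9 back to back for one located element.
function answerFor(object) {
  setSecurityQuestion(extractQuestion(object));
  return getDynamicAnswer();
}

// Constructed sample elements: the raw text the deck shows, plus whitespace
// variations of the kind textContent picks up from the surrounding markup.
var sampleElements = [
  { textContent: "Hint: apple is a pretty good choice for all the questions\nQuestion: What is your favorite fruit  \n" },
  { textContent: "Hint: apple is a pretty good choice for all the questions\nQuestion: What is your favorite Jobs job" },
  { textContent: "\n  Question: What is your favorite Beatles record label\n" }
];

sampleElements.forEach(function (el) {
  console.log(JSON.stringify(extractQuestion(el)) + " -> " + answerFor(el));
});
```

Run it with node to see each extracted question mapped to its answer. The trailing-space and leading-newline cases are the reason the deck's setSecurityQuestion trims before the lookup: the regex capture keeps whatever whitespace follows the question on that line, and an untrimmed key would miss the map.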

Agenda: Finalizing the macro

Play the finished macro from the beginning

WMR final steps

Playback successful, select Logout Condition for WebInspect

WMR final steps

Wait, what are these again?

Logout Conditions

• A logout condition is an indicator for WebInspect to know when it has gotten logged out while scanning

• Every Login Macro must have one or more logout conditions

  • Whether or not it involved Challenge-Response questions

• Three Types of logout conditions

  • Regular Expression - Supported for all three Web Macro Recorders

  • Object - TruClient, UI event-based WMR only

  • URL - TruClient, UI event-based WMR only
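Why every login macro needs at least one of these, as an added example that is not from the HP deck: a plain-JavaScript model of a crawl against a constructed app whose session expires, with the three condition types listed above written as predicates over the response, and the recorded login replayed whenever one fires. The fake app, its login-page markup, the crawl loop and the specific regex, URL and element checks are assumptions of this example, not WebInspect internals.

```javascript
// Added example, not code from the HP deck: how a scanner uses logout
// conditions. The three condition types (Regular Expression on the response,
// URL, and a page Object) are predicates over constructed responses, and the
// "login macro" is replayed whenever one of them fires.

// Constructed stand-in for the demo app: after `sessionLifetime` requests the
// session expires and every request gets the login page until login() is called.
function makeFakeApp(sessionLifetime) {
  var loggedIn = false;
  var requestsSinceLogin = 0;
  return {
    login: function () {        // stands in for replaying the recorded login macro
      loggedIn = true;
      requestsSinceLogin = 0;
    },
    get: function (path) {
      if (!loggedIn || requestsSinceLogin >= sessionLifetime) {
        loggedIn = false;
        return { url: "/loginplusquestion/login.php",
                 body: '<form id="loginform">Please log in</form>' };
      }
      requestsSinceLogin++;
      return { url: path, body: '<h1>Welcome</h1><a href="logout.php">Logout</a>' };
    }
  };
}

// One predicate per condition type. Any single match means "logged out".
var logoutConditions = [
  { type: "regex",  test: function (r) { return /Please log in/i.test(r.body); } },
  { type: "url",    test: function (r) { return r.url.indexOf("/login.php") !== -1; } },
  // "Object" modelled as the presence of an element the login page has
  { type: "object", test: function (r) { return r.body.indexOf('id="loginform"') !== -1; } }
];

function isLoggedOut(response, conditions) {
  return conditions.some(function (c) { return c.test(response); });
}

// Request each path; when a logout condition fires, replay login and retry once.
// Returns how many times the login macro ran and the URL actually served per path.
function crawl(app, paths, conditions) {
  var logins = 0;
  var served = [];
  app.login(); logins++;
  paths.forEach(function (p) {
    var r = app.get(p);
    if (isLoggedOut(r, conditions)) {
      app.login(); logins++;
      r = app.get(p);
      if (isLoggedOut(r, conditions)) {
        throw new Error("still logged out after re-login at " + p);
      }
    }
    served.push(r.url);
  });
  return { logins: logins, served: served };
}

var pages = ["/a.php", "/b.php", "/c.php", "/d.php", "/e.php", "/f.php", "/g.php"];
// With conditions: three logins and every page served. Without: one login, and
// /d.php onward silently come back as the login page, which is what the scanner
// would then "test" instead of the application.
console.log(crawl(makeFakeApp(3), pages, logoutConditions));
console.log(crawl(makeFakeApp(3), pages, []));
```

The second crawl is the failure mode a missing logout condition produces: no error, just a scan of the login page four times over. Combining more than one type (as the deck suggests with "add more as needed") protects against a single check failing, for example a redesign that changes the login page's wording but not its URL.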

Browse to Logout, then click Select button – highlight element

WMR final steps

Review the Logout Condition – add more as needed

WMR final steps

Final Macro

WMR – custom Answers

Final Macro - closer

WMR – custom Answers

Final Macro – with Comments added from the Toolbox sidebar

WMR – custom Answers

Denouement

• Apologies for the length of this study. This technology is sufficiently new that I wanted our customers to fully understand the steps.

  – Future studies should be able to skip well-known steps.

• My thanks go to:

  • Steve Hardeman for his JS coaching and internal training

  • Jeremy Brooks for guidance in setting up this study and the optimal macro

  • The HP Fortify Dev team for their tremendous work on this new WMR tool
