BurpKit: Using WebKit to Own the Web
Presented by: Nadeem Douba
2015-11-13

Introduction
- Nadeem Douba
  - Founder of Red Canari, Inc.
  - Based out of Ottawa, ON.
  - I’m a Hacker
- Interests:
  - Exploiting stuff
  - Building hacking tools
- Prior work:
  - Sploitego (presented at DEF CON XX)
  - Canari (used by Fortune 100s)
  - PyMiProxy (used by Internet Archive)

Overview
- WebKit
  - What is it?
  - Why use it?
  - How can we use it?
- BurpKit
  - Design Considerations
  - Implementation
  - Demos!
- Conclusion
- Questions?

The Web Pen-Tester’s Conundrum
- Today’s web applications are complex beasts
- Heavy use of JavaScript for:
  - Rendering pages
  - Rendering page elements
  - Performing web service requests
- ¿But our security tools are still scraping HTML!?

Our Toolkit
- Reconnaissance & Scanning:
  - Most tools (nikto, cewl, etc.) just scrape HTML
- Attack:
  - BurpSuite Pro/Community
    - Lobo-based Renderer tab (Burp’s neglected child) :(
    - No JavaScript/HTML5 support
  - Charles & Zed are just proxies
  - WebSecurify’s Proxy.app only has a web view

The Only Valid Lobo Use Case

Even asdf.com is too advanced!

We need to move forward
- Web penetration testing tools that:
  - Have modern web browser capabilities
  - Parse and interpret JavaScript
  - Dynamically render and inspect content
- Most importantly:
  - Our tools needed to be able to interact with the DOM!

WebKit
What is it good for? - Lots of things!

What is WebKit?
“WebKit is a layout engine … It powers Apple's Safari web browser, and [is forked] by Google's Chrome ...” - Wikipedia
Image credit: Smashing Magazine

(Un)official definition…

WebKit API
- Made up of two major components.
- JavaScriptCore - responsible for everything JavaScript:
  - JavaScript/JSON parsing & execution
  - Garbage collection
  - Debugger
  - Etc.
- WebCore – responsible for everything else:
  - Resource loading
  - Content parsing & rendering
  - Web Inspector
  - Etc.

Known implementations & Forks
Image credit: http://bitergia.com/public/reports/webkit/2013_01/
- Apple’s Safari
- Android’s web browser
- Nokia QT
- JavaFX WebView
- WebKitGTK+
- PhantomJS
- Google Chromium
- Node WebKit
- Many more… (https://trac.webkit.org/wiki/Applications%20using%20WebKit)

Why use WebKit?
Pros:
✓ Widespread adoption
✓ Lots of language support
✓ Portable across many platforms
✓ Can interact with the DOM and JS Engine.
Cons:
✗ Your code will be susceptible to the same bugs that plague modern browsers
✗ Tools will be hungrier for system resources (i.e. RAM, CPU).

How Can You Use WebKit?
Language: Libraries
- JavaScript (NodeJS): Node WebKit
- Python: WebKitGTK+, PyQt
- Java: FX WebView, Qt Jambi, JxBrowser
- Swift/ObjC: UIWebView
- Ruby: WebKitGTK+, Qt
- C/C++: Chromium, WebKit

BurpKit
how we used WebKit

What is BurpKit?
- BurpKit = Burp Suite + WebKit
- Used JavaFX’s implementation of WebKit
  - WebView
  - WebEngine
- Provides a real rendering tab (that’s right… no more lobo!)
[Diagram labels: BurpSuite Extender API, Java-based WebKit API, Rendering engine & Debugger]

Design Decisions
- Two leading WebKit implementations in Java – JavaFX WebView and JxBrowser.
- Chose to go with JavaFX over JxBrowser – why?
  - Redistribution:
    - JavaFX comes with Java 1.8+.
    - JxBrowser needs bundling (>250MB)
  - Cost:
    - JavaFX is FREE!
    - JxBrowser is not!

Implementation
nerd rage

JavaFX Pros & Cons
Pros:
✓ Portable across many platforms
✓ Easy-to-use & clean API
✓ Complete JavaScript bridge
✓ Leverages the Java URL framework (hookable)
Cons:
✗ API is incomplete – under development
✗ No GUI components for WebInspector and friends
✗ Little documentation on advanced features (must look at code)
✗ Still a bit buggy

Challenges
- Burp uses Swing for its GUI
- JavaFX WebEngine did not have a loadContentWithBaseUrl(content, url)

Challenge: SWING/FX Interop
- Solution: javafx.embed.swing.JFXPanel
- Gotchas:
  - Must avoid interweaving blocking calls
    - i.e. Swing → JavaFX → Swing = ¡DEADLOCK!
  - Always check if you’re on the right event loop!
- Workarounds:
  - Eagerly initializing resources sometimes necessary
  - Lots of wrapping code!

Challenge: Repeater (1 of 2)
- New Challenge:
  - WebView uses framework to issue HTTP(S) requests
- Solution: hook java.net.URL protocol handling framework
- Why?
  - Our new handlers would have to support both live and repeated requests.
- Implement
  - Required loadContentWithBaseUrl() to render responses for repeated requests
Credit: http://media.techtarget.com/tss/static/articles/content/dm_protocolHandlers/java_protocol.pdf

Challenge: Repeater (2 of 2)
- How do we discern between live and repeated requests?
- Solution: overrode HTTP(s) handlers and used User-Agent to “tag” repeated requests.
  - If User-Agent contains SHA1 hash, give URL handler fake output stream
  - Else, continue with live request
- See BurpKit Java package com.redcanari.net.http for code.
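
The tagging scheme on the Repeater slides, as an added sketch that is not BurpKit's own code (that lives in com.redcanari.net.http). Assumptions: the class names, the in-memory store, taking the SHA-1 over the stored response, and the example.test URL are all constructed for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.*;

/** Added sketch: replay-vs-live dispatch keyed on a SHA-1 tag in User-Agent. */
public class ReplayTagDemo {
    private static final Pattern TAG = Pattern.compile("\\b[0-9a-f]{40}\\b");
    private static final Map<String, byte[]> STORE = new ConcurrentHashMap<>();

    /** Store a captured response and return the User-Agent value that tags it. */
    static String tag(byte[] response, String baseUserAgent) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(response);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        STORE.put(hex.toString(), response);
        return baseUserAgent + " " + hex;
    }

    /** Connection that serves stored bytes when the request carries a known tag. */
    static class ReplayConnection extends HttpURLConnection {
        ReplayConnection(URL u) { super(u); }
        @Override public void connect() { connected = true; }
        @Override public void disconnect() { connected = false; }
        @Override public boolean usingProxy() { return false; }
        @Override public InputStream getInputStream() throws IOException {
            String ua = getRequestProperty("User-Agent");
            Matcher m = ua == null ? null : TAG.matcher(ua);
            if (m != null && m.find() && STORE.containsKey(m.group()))
                return new ByteArrayInputStream(STORE.get(m.group()));   // repeated request
            throw new IOException("untagged: hand off to the live HTTP handler here");
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] body = "<html><body>repeated response</body></html>".getBytes(StandardCharsets.UTF_8);
        String ua = tag(body, "Mozilla/5.0 (constructed)");   // constructed sample values
        URLStreamHandler handler = new URLStreamHandler() {
            @Override protected URLConnection openConnection(URL u) { return new ReplayConnection(u); }
        };
        URLConnection c = new URL(null, "http://example.test/page", handler).openConnection();
        c.setRequestProperty("User-Agent", ua);
        System.out.println(new String(c.getInputStream().readAllBytes(), StandardCharsets.UTF_8));
    }
}
```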

The Final Product?

Demo: GUI Walkthrough
Featureset

Demo: XSS Tracker
Tainting applications

A word from our marketing department…

One more thing…

JavaScript BurpSuite Plugin Development
- You can now write plugins in JavaScript
- Quick-and-dirty plugin development
- Imagine writing Burp plugins on steroids:
  - Intruder Payload Generator that pulls the next payload from the DOM
  - Advanced Spider that sends all external references to Burp Scanner or the Burp Sitemap

BurpKit demos
There’s lots to see!

Demo: DOM interaction
Analyzing Twitter Followers
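
DOM interaction from a Swing-hosted tool has to follow the SWING/FX interop rules listed earlier and goes through JavaFX's JavaScript bridge. The following is an added sketch, not BurpKit code; the class names FxInSwingDemo and Bridge, the bridge.report method and the sample page are hypothetical.

```java
import javafx.application.Platform;
import javafx.concurrent.Worker;
import javafx.embed.swing.JFXPanel;
import javafx.scene.Scene;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javax.swing.JFrame;
import javax.swing.SwingUtilities;
import netscape.javascript.JSObject;

/** Added sketch (not BurpKit code): WebView inside Swing with a one-method JS bridge. */
public class FxInSwingDemo {
    public static class Bridge {
        private final JFrame frame;
        Bridge(JFrame frame) { this.frame = frame; }
        // The only method page script can reach; it is invoked on the FX thread.
        public void report(String text) {
            onSwing(() -> frame.setTitle(text));   // hop to the EDT without waiting
        }
    }
    private static Bridge bridge;  // keep a strong reference so the injected object is not collected
    static void onFx(Runnable r) {
        if (Platform.isFxApplicationThread()) r.run(); else Platform.runLater(r);
    }
    static void onSwing(Runnable r) {
        if (SwingUtilities.isEventDispatchThread()) r.run(); else SwingUtilities.invokeLater(r);
    }
    public static void main(String[] args) {
        onSwing(() -> {
            JFrame frame = new JFrame("loading");
            JFXPanel panel = new JFXPanel();       // eager creation starts the JavaFX runtime
            frame.add(panel);
            frame.setSize(640, 480);
            frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            frame.setVisible(true);
            bridge = new Bridge(frame);
            onFx(() -> {                           // WebView must be built on the FX thread
                WebView view = new WebView();
                WebEngine engine = view.getEngine();
                engine.getLoadWorker().stateProperty().addListener((obs, was, now) -> {
                    if (now != Worker.State.SUCCEEDED) return;
                    ((JSObject) engine.executeScript("window")).setMember("bridge", bridge);
                    engine.executeScript("bridge.report(document.title)");
                });
                panel.setScene(new Scene(view));
                engine.loadContent("<html><head><title>constructed page</title></head></html>");
            });
        });
    }
}
```

Every hop between toolkits is asynchronous (invokeLater, runLater); swapping either for a blocking call such as SwingUtilities.invokeAndWait reintroduces the Swing → JavaFX → Swing deadlock. Any page loaded in the view can call the public methods of the injected object, so the wrapper exposes one method rather than a whole tool API.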

Demo: Burp Extensions
Proxy Listeners, Message Editors, and Context Menus

Challenge: JavaScript Bridge
- Background: need to be able to query and manipulate DOM
- Solution: inject Java objects into JS engine!
- Gotchas:
  - Funky reflection algorithm in WebEngine prevented straight-forward Java object interaction.
  - Lots of deadlock scenarios
- Workarounds:
  - Wrapper classes galore!
  - Eager instantiation of Swing components.

Conclusion
- Let’s stop scraping and let’s start DOMinating the web!
- Our security tools need to evolve just like the web.
- We have the tools/libraries at our disposal
- Please contribute your ideas and code to BurpKit!
- We need to make it the standard!

Kudos
- My Lovely Wife & Baby :)
- Justin Seitz
  - http://automatingosint.com/
- Dirk Lemmermann
  - http://dlsc.com/
- Tomas Mikula
  - https://github.com/TomasMikula/RichTextFX
- Java/JavaFX team
- The Noun Project
- All the contributors!

¿Questions?
We aim to please…

Drop me a line!
- @ndouba
- [email protected]
- https://github.com/allfro/BurpKit
- http://www.redcanari.com
- nadeem.douba