Automated Web Attacks Using Headless Browsers Dima Bekerman & Ben Herzberg September 2016
© 2016 Imperva, Inc. All rights reserved. @Incapsula_com @KernelXSS @_unxmaster

Slide 2: ben.about()

    > ben.history <- ["PT", "Dev"]
    > ben.employer <- "Imperva Incapsula"
    > ben.positionX <- "Sec. Research Manager"
    > ben.social <- {"TWT": "@KernelXSS", "LNK": "Ben Herzberg"}

Slide 3: dima.about()

    > dima.history <- ["Machine Learning", "Sec. Analysis"]
    > dima.employer <- "Imperva Incapsula"
    > dima.positionX <- "Security Researcher"
    > dima.social <- {"TWT": "@_unxmaster", "LNK": "Dima Bekerman"}

Slide 4: Remember...

What happens in Novi Sad stays in Novi Sad.

Slide 5: (image only, no text)

Slide 6: Headless browser

A headless browser is a web browser without a graphical user interface. It accesses web pages but doesn't show them to any human being; it is used to provide the content of web pages to other programs.
https://en.wikipedia.org/wiki/Headless_browser

Slide 7: HTTP library vs. web browser vs. headless browser

(Diagram.) An HTTP library has no JavaScript, no DOM, no styling and no layouts. A web browser has all of these. A headless browser sits between the two: a command line tool, like an HTTP library, but with a browser's page processing behind it.

Slide 8: Web browser engine

A web browser engine is a program that renders marked-up content and formatting information.

    Engine    Browsers
    Blink     Chrome 28+, Opera 15+, Android 4.4+
    WebKit    Safari, iOS, Chrome <27
    Gecko     Firefox, IceWeasel, SeaMonkey
    Trident   Internet Explorer, Windows Mobile, EdgeHTML
    Presto    Opera, Opera Mini, Opera Mobile

Slide 9: What is DOM (Document Object Model)?

Is the HTML code you write DOM? Nope. The HTML you write is parsed by the browser and turned into the DOM.
Is 'View-Source' DOM? Nope. View Source just shows you the HTML that makes up that page. It's probably the exact HTML that you wrote.
Is the DevTools panel DOM? Yep. The DevTools panel shows you a visual representation of the DOM.

Slide 10: Source code vs. DOM representation

Source code:

    <div id="container"></div>
    <script>
      var container = document.getElementById("container");
      container.innerHTML = "Hello World";
    </script>

DOM representation:

    <div id="container">Hello World</div>

Slide 11: Page processing

• JavaScript
• CSS
• SVG
• MathML
• WebGL

Slide 12: Modernizr web features test

Slide 13: ECMAScript test262

Slide 14: Headless browser implementations

PhantomJS
• Based on WebKit
• Cross platform
• Portable
• Scriptable with JavaScript
• Good for WebUI automation

SlimerJS
• Based on Gecko

TrifleJS
• Based on Trident

Chromium Embedded Framework
• Chromium based
• V8 JavaScript engine
• Programmable with .NET, C++
• Compiled to a cross platform app
• Can be used as a module

Awesomium
• WebKit .NET

Slide 15: Web browser / headless browser (image only)

Slide 16: Selenium / WebDriver

• Selenium is a browser control and automation system
• Manipulates a real web browser using a browser driver
• The manipulated browser must be installed
• The host OS should have a GUI framework

Slide 17: The world of two contexts

Browser context
• Language depends on the framework
• Compiled / evaluated inside the framework interpreter
• Has access to the OS

Page context
• JavaScript
• Evaluated by the web engine
• Has access to DOM objects

Slide 18: The world of two contexts (example)

Browser context, my_script.js (controls WebKit; the callback fires on the page load event, and page.evaluate injects a function into the page and returns its result):

    var page = require('webpage').create();
    page.open("example.com", function (status) {     // control WebKit; callback on page event
        var title = page.evaluate(function () {       // inject into the page context
            return document.title;
        });                                           // callback: result comes back here
    });

Page context, example.com (the injected function runs here, with access to the DOM):

    function () {
        return document.title;
    }

Slide 19: Use cases

• Test automation
• Crawl websites
• Render dynamic web pages to static HTML
• Inject and execute arbitrary JavaScript code
• Perform actions
• Take screenshots
• Monitor performance

Slide 20: Use cases (abuse)

• Content scraping
• Click fraud
• Fuzzing
• Bidding abuse
• Login brute force
• Botnet
• Sophisticated DDoS attacks

Slide 21: Capture screen to image

Source code:

    var page = require('webpage').create();
    page.open('http://www.google.com', function (status) {
        page.render('google.png');
        phantom.exit();
    });

Slide 22: Grabbing text

Source code (page is the WebPage object created as on slide 21):

    // Page title
    console.log(page.title);
    // View-source
    console.log(page.content);
    // Content without HTML tags
    console.log(page.plainText);

Slide 23: Handle console and alerts

Source code:

    // Handle console
    page.onConsoleMessage = function (msg) {
        console.log('CONSOLE: ' + msg);
    };
    // Handle alert
    page.onAlert = function (msg) {
        console.log('ALERT: ' + msg);
    };

Slide 24: (image only, no text)

Slide 25: (image only, no text)

Slide 26: Spot the differences

Slide 27: Awesomium

Slide 28: Android WebView

Source code:

    webView.setWebViewClient(new WebViewClient() {
        @Override
        public void onPageFinished(WebView view, String url) {
            // HTMLOUT is assumed to be a Java object exposed to the page with
            // addJavascriptInterface(); it receives the page's serialized HTML.
            view.loadUrl("javascript:window.HTMLOUT.processHTML("
                + "document.getElementsByTagName('html')[0].outerHTML);");
        }
    });

Slide 29: (image only, no text)

Slide 30: Scenarios from the wild

• SEO tools scrape for dynamic content
• E-commerce abuse
• DDoS attacks from a mobile botnet

Slide 31: Thank you! (Хвала вам!)

@KernelXSS  Ben Herzberg  [email protected]
@_unxmaster  Dima Bekerman  [email protected]
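An added example, not from the deck, for the "Spot the differences" slide: page-context checks a site can run to tell the PhantomJS and SlimerJS headless browsers discussed above from a real browser. The signals used are the tools' user-agent strings, the PhantomJS callPhantom/_phantom page globals, an empty plugin list and a zero outer window size; the weights, the threshold and the window/navigator fixtures are assumptions constructed for this example.

```javascript
// Added example (not from the deck). Page-context checks for the PhantomJS /
// SlimerJS headless browsers the slides discuss. window/navigator are passed
// in as parameters so the logic can run in Node on constructed fixtures; in a
// real page call scoreHeadlessSignals(window, window.navigator).
// Weights and threshold are illustrative assumptions, not a published scale.
const HEADLESS_CHECKS = [
  { name: 'headless-user-agent', weight: 3,   // the UA string advertises the tool
    test: (win, nav) => /PhantomJS|SlimerJS/i.test(nav.userAgent || '') },
  { name: 'phantom-globals', weight: 3,       // PhantomJS page-to-script bridge globals
    test: (win) => typeof win.callPhantom === 'function' || '_phantom' in win },
  { name: 'no-plugins', weight: 1,            // heuristic: PhantomJS reports no plugins
    test: (win, nav) => !nav.plugins || nav.plugins.length === 0 },
  { name: 'zero-outer-size', weight: 1,       // heuristic: no real window behind the page
    test: (win) => win.outerWidth === 0 && win.outerHeight === 0 },
];

// Runs every check, tolerating checks that throw on an unusual object.
// The browser context (slide 17) can rewrite these properties before the page's
// own scripts run, so treat the result as a risk signal, not proof.
function scoreHeadlessSignals(win, nav, threshold = 3) {
  const hits = HEADLESS_CHECKS.filter((c) => {
    try { return Boolean(c.test(win, nav)); } catch (e) { return false; }
  });
  const score = hits.reduce((sum, c) => sum + c.weight, 0);
  return { score, signals: hits.map((c) => c.name), suspected: score >= threshold };
}

// Constructed fixtures standing in for window and navigator.
const PHANTOM_FIXTURE = {
  win: { callPhantom: () => {}, _phantom: {}, outerWidth: 0, outerHeight: 0 },
  nav: { userAgent: 'Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 ' +
                    '(KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1', plugins: [] },
};
const DESKTOP_FIXTURE = {
  win: { outerWidth: 1440, outerHeight: 900 },
  nav: { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
                    '(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
         plugins: [{ name: 'Chrome PDF Viewer' }] },
};

console.log(scoreHeadlessSignals(PHANTOM_FIXTURE.win, PHANTOM_FIXTURE.nav));
console.log(scoreHeadlessSignals(DESKTOP_FIXTURE.win, DESKTOP_FIXTURE.nav));
```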