1 2015 - 11 - 13 Presented by: burpkit Nadeem Douba using webkit to own the web Introduction 2 BurpKit 2015 - 11 - - 13 Using u Nadeem Douba WebKit to u Founder of Red Canari, Inc. Own the u Based out of Ottawa, ON. Web u I’m a Hacker u Interests: u Exploiting stuff u Building hacking tools u Prior work: u Sploitego (presented at DEF CON XX) u Canari (used by Fortune 100s) u PyMiProxy (used by Internet Archive) Overview 3 BurpKit 2015 - 11 - - 13 Using u WebKit WebKit to u What is it? Own the u Why use it? Web u How can we use it? u BurpKit u Design Considerations u Implementation u Demos! u Conclusion u Questions? The Web Pen-Tester ’s Conundrum 4 BurpKit 2015 - 11 - - 13 Using u Today ’s web applications are complex WebKit to beasts Own the u Heavy use of JavaScript for: Web u Rendering pages u Rendering page elements u Performing web service requests u ¿But our security tools are still scraping HTML!? Our Toolkit 5 BurpKit 2015 - 11 - - 13 Using u Reconnaissance & Scanning: WebKit to u Most tools (nikto, cewl, etc.) just scrape Own HTML the Web u Attack: u BurpSuite Pro/Community u Lobo-based Renderer tab (Burp’s neglected child) L u No JavaScript/HTML5 support u Charles & Zed are just proxies u WebSecurify’s Proxy.app only has a web view BurpKit - Using WebKit to Own the Web 6 2015-11-13 ase C se U Lobo Valid Only The BurpKit - Using WebKit to Own the Web 7 2015-11-13 advanced! too is asdf.com Even We need to move forward 8 BurpKit 2015 - 11 - - 13 Using u Web penetration testing tools that: WebKit to u Have modern web browser capabilities Own the u Parse and interpret JavaScript Web u Dynamically render and inspect content u Most importantly: u Our tools needed to be able to interact with the DOM! BurpKit - Using WebKit to Own the Web 9 2015-11-13 things! of Lots - for? good it is WebKit What What is Webkit? 10 BurpKit 2015 - “WebKit is a layout engine … 11 - - 13 Using It powers Apple's Safari web WebKit to browser, and [is forked] by Own the Google's Chrome ...” Web - Wikipedia Image credit: Smashing Magazine BurpKit - Using WebKit to Own the Web 2015-11-13 11 definition… (Un)official Webkit API 12 BurpKit 2015 - 11 - - 13 Using u Made up of two major components. WebKit to u JavaScriptCore - responsible for everything Own JavaScript: the Web u JavaScript/JSON parsing & execution u Garbage collection u Debugger u Etc. u WebCore – responsible for everything else: u Resource loading u Content parsing & rendering u Web Inspector u Etc. Known implementations & Forks 13 BurpKit 2015 - 11 - - 13 Using Image credit: http://bitergia.com/public/reports/webkit/20 13_ 01/ u Apple’s Safari WebKit to u Android’s web browser Own the u Nokia QT Web u JavaFX WebView u WebKitGTK+ u PhantomJS u Google Chromium u Node WebKit u Many more… (https://trac.webkit.org/wiki/Application s%20using%20WebKit) Why use WebKit? 14 BurpKit 2015 - 11 - - 13 Using + Pros − Cons WebKit to Own ü Widespread adoption ✗ Your code will be susceptible to the same the bugs that plague modern browsers Web ü Lots of language support ✗ Tools will be hungrier for system ü Portable across many platforms resources (i.e. RAM, CPU). ü Can interact with the DOM and JS Engine. How Can You Use WebKit? 15 BurpKit 2015 - 11 - - 13 Using # Language $ Libraries WebKit to Own u JavaScript (NodeJS) u Node WebKit the Web u Python u WebKitGTK+, PyQt u JAVA u FX WebView, Qt Jambi, JxBrowser u Swift/ObjC u UIWebView u Ruby u WebKitGTK+, Qt u C/C++ u Chromium, WebKit BurpKit - Using WebKit to Own the Web 2015-11-13 16 = + webkit kit used we ow burp h What is burpkit? 17 BurpKit 2015 - 11 - - 13 Using u BurpKit = BurpSuite + WebKit WebKit to u Used JavaFX’s implementation of WebKit Own the u WebView & Debugger Web u WebEngine u Provides a real rendering tab (that’s BurpSuite Java-based Rendering right… no more lobo!) Extender API WebKit API engine burpkit Design Decisions 18 BurpKit 2015 - 11 - - 13 Using u Two leading WebKit implementations in WebKit to JAVA – JavaFX WebView and JxBrowser. Own the u Chose to go with JavaFX over JxBrowser Web – why? u Redistribution: u JavaFX comes with Java 1.8+. u JxBrowser needs bundling (>250MB) u Cost: u JavaFX is FREE! u JxBrowser is not! BurpKit - Using WebKit to Own the Web 2015-11-13 19 rage erd Implementation n JavaFX Pros & Cons 20 BurpKit 2015 - 11 - - 13 Using + Pros − Cons WebKit to Own ü Portable across many platforms ✗ API is incomplete – under development the Web ü Easy-to-use & clean API ✗ No GUI components for WebInspector and friends ü Complete JavaScript bridge ✗ Little documentation on advanced ü Leverages the Java URL framework features (must look at code) (hookable) ✗ Still a bit buggy Challenges 21 BurpKit 2015 - 11 - - 13 Using u Burp uses Swing for its GUI WebKit to u JavaFX WebEngine did not have a Own loadContentWithBaseUrl(content, url) the Web Challenge: SWING/FX Interop 22 BurpKit 2015 - 11 - - 13 Using u Solution: WebKit to javafx.embed.swing.JFXPanel Own the u Gotchas: Web u Must avoid interweaving blocking calls u i.e. Swing à JavaFX à Swing = ¡DEADLOCK! u Always check if you’re on the right event loop! u Workarounds: u Eagerly initializing resources sometimes necessary u Lots of wrapping code! Challenge: Repeater (1 of 2) 23 BurpKit 2015 - 11 - - 13 Using u Implement loadContentWithBaseUrl() WebKit to u Why? Own the u Required to render responses for Web repeated requests u Solution: hook java.net.URL protocol handling framework u WebView uses framework to issue HTTP(S) requests u New Challenge: u Our new handlers would have to support both live and repeated requests. Credit: http://media.techtarget.com/tss/static/articles/content/dm_protocolHan dlers/java_protocol.pdf Challenge: Repeater (2 of 2) 24 BurpKit 2015 - 11 - - 13 Using u How do we discern between live and WebKit to repeated requests? Own the u Solution: overrode HTTP(s) handlers and Web used User-Agent to “tag” repeated requests. u If User-Agent contains SHA1 hash, give URL handler fake output stream u Else, continue with live request u See BurpKit Java package com.redcanari.net.http for code. BurpKit - Using WebKit to Own the Web 2015-11-13 25 Product? Final The BurpKit - Using WebKit to Own the Web 2015-11-13 26 Walkthrough GUI set Feature Demo: BurpKit - Using WebKit to Own the Web 2015-11-13 27 Tracker XSS applications Tainting Demo: BurpKit - Using WebKit to Own the Web 2015-11-13 28 department… marketing our from word A BurpKit - Using WebKit to Own the Web 2015-11-13 29 thing… more One JavaScript BurpSuite Plugin Development 30 BurpKit 2015 - 11 - - 13 Using u You can now write plugins in JavaScript WebKit to u Quick-and-dirty plugin development Own the u Imagine writing Burp plugins on steroids: Web u Intruder Payload Generator that pulls the next payload from the DOM u Advanced Spider that sends all external references to Burp Scanner or the Burp Sitemap BurpKit - Using WebKit to Own the Web 2015-11-13 31 emos d see! to kit lots urp b There’s BurpKit - Using WebKit to Own the Web 2015-11-13 32 interaction DOM Followers Twitter Analyzing Demo: BurpKit - Using WebKit to Own the Web 2015-11-13 33 Menus Extensions Context and Editors, Burp Message Listeners, Proxy Demo: Challenge: JavaScript Bridge 34 BurpKit 2015 - 11 - - 13 Using WebKit u Background: need to be able to query and manipulate DOM to Own u Solution: inject JAVA objects into JS engine! the Web u Gotchas: u Funky reflection algorithm in WebEngine prevented straight-forward JAVA object interaction. u Lots of deadlock scenarios u Workarounds: u Wrapper classes galore! u Eager instantiation of Swing components. Conclusion 35 BurpKit 2015 - 11 - - 13 Using u Let’s stop scraping and let’s start WebKit to DOMinating the web! Own the u Our security tools need to evolve just like Web the web. u We have the tools/libraries at our disposal u Please contribute your ideas and code to BurpKit! u We need to make it the standard! Kudos 36 BurpKit 2015 - 11 - - 13 Using WebKit u J My Lovely Wife & Baby to Own u Justin Seitz the Web u http://automatingosint.com/ u Dirk Lemmermann u http://dlsc.com/ u Tomas Mikula u https://github.com/TomasMikula/RichTextFX u Java/JavaFX team u The Noun Project u All the contributors! BurpKit - Using WebKit to Own the Web 2015-11-13 37 ? please… to aim Questions ¿ We Drop me a line! 38 BurpKit 2015 - 11 - - 13 Using % : @ndouba WebKit to Own the Web & : [email protected] ' : https://github.com/allfro/BurpKit ( : http://www.redcanari.com ) : nadeem.douba.