WebApp Sec mailing list archives

RE: Advanced techniques with "exodus proxy"


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 25 Aug 2003 09:38:15 +0200

Hi Ralph,

I don't think there is a good writeup on how to actually use Exodus. As the
author, I know that I haven't written one yet! ;-)

So here is a first stab at it:

My approach to reviewing a web application using Exodus is to have someone
walk me through the expected functionality of the web application, using
Exodus to record the conversations. While that is happening, I am making
notes of what action kicked off each conversation (or series of
conversations). 

At the same time, I am looking at parameters flowing in either direction,
and looking for interesting ones, such as account numbers or names, userids
that could be manipulated, etc, and noting them for followup.

Once the walkthrough has finished, I review the spider tree to see what has
been observed but not accessed, (as well as which additional sites have
emerged - sometimes this reveals hidden IP addresses, etc), and retrieve
pages on relevant sites that have not yet been fetched. (Note: Exodus's
spider is a bit broken, in that it does not generate valid requests for
HTTP/1.1 sites. The Location: field is not filled in automatically, which it
should be.)

I also review the Fuzzer to see which pages are identified as being
applications. This works by flagging pages that receive either URL
parameters, a Cookie or are POST URLs. There is intended functionality that
will test a URL that only received a Cookie, to see if it gets the same
content without a Cookie, to identify images and other static content, and
filter those out, leaving those "landing pages" that report the current
"state" of a session. I then run the fuzzer on the URLs remaining. At this
point, Fuzzer results are not properly analysed, so that task is left to the
user, to search for errors in the responses. Any errors that are found are
generally indicative of a problem that should be reviewed more closely.

When one sees a conversation that looks interesting, and you want to replay
it, make use of the Manual tab, select the request in question, edit it to
your liking, and resubmit it to the server. Things you may want to do would
include putting HTML tags into the parameters, deleting headers, changing
the method (GET -> POST, etc). The Transcoder window is useful here, for
providing encodings and decodings of strings that may be needed.

The Manual tab is merely intended to provide a friendly interface to
manually creating requests that you would otherwise have to do using netcat
and openssl. So, you should be able to do anything that you could with
netcat, generally speaking. Well, actually, the request must be valid,
well-formed HTTP. As an added benefit, it also records the conversation for
posterity, which netcat wouldn't.

So, to use Exodus to verify XSS, SQL injection, etc, I would suggest reading
some of the excellent papers available that explain the techniques
(www.sqlsecurity.com, etc), and then use the Manual tab in Exodus to build
and execute your tests.

Hope this is useful.

Rogan

-----Original Message-----
From: Ralph M. Los [mailto:Ralph () boundariez com] 
Sent: 23 August 2003 06:07 AM
To: webappsec () securityfocus com
Subject: Advanced techniques with "exodus proxy"
Sensitivity: Confidential


'ello all,
      Just curious to see if anyone has a good write-up on dirty
hacks, or methods one can accomplish with Exodus Proxy.  I audit
internal applications for our enterprise almost daily, and I always run
into the same things, XSS, session manipulation, logic subversion,
etc...but it's all using the automated AppScan (Sanctum, Inc)...I'd like
to be able to duplicate all those manually with Exodus.  I know the
basic functions, intercepts, etc...but I was hoping for some
documentation on how YOU'VE used it?

      The biggest thing I try and fail with is SQL injection into our
Oracle servers.  Different app teams use different frameworks to talk
through to Oracle...but I'm trying to come up with a way where I can
stop getting jdbc errors, and start retrieving Oracle data....ideas?
I'm also trying to do a POC on pushing a malicious login page to harvest
passwords, through XSS into a simple app.

Thanks in advance,
 ./Wiz
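The workflow Rogan describes above (flagging "application" URLs, checking cookie-only URLs for static content, editing and replaying a recorded request with a changed method or dropped headers, transcoding payloads, and then searching responses for errors such as the JDBC errors Ralph mentions) can be reproduced outside the proxy. The following Python script is an added example written for this archive page; it is not Exodus code and not from either author of the thread. The recorded conversations, the sample responses (including the ORA-01756 text), the host name target.example and the error-signature patterns are all constructed for illustration.

```python
import base64
import html
import re
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

# Constructed sample of recorded conversations (request side and response body),
# standing in for what the proxy would have logged during a walkthrough.
CONVERSATIONS = [
    {"method": "GET", "url": "/images/logo.gif",
     "headers": {"Cookie": "JSESSIONID=abc"}, "body": "", "response": "GIF89a..."},
    {"method": "GET", "url": "/app/account?acct=1001",
     "headers": {"Cookie": "JSESSIONID=abc"}, "body": "",
     "response": "<html>Balance: 12.50</html>"},
    {"method": "POST", "url": "/app/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=bob&pass=x", "response": "<html>Welcome bob</html>"},
    {"method": "GET", "url": "/help.html", "headers": {}, "body": "",
     "response": "<html>Help</html>"},
]

# Constructed response bodies standing in for what a replayed request might return.
SAMPLE_RESPONSES = {
    "clean": "<html>Balance: 12.50</html>",
    "oracle": "<html>java.sql.SQLException: ORA-01756: "
              "quoted string not properly terminated</html>",
    "xss": "<html>Hello <script>alert(1)</script></html>",
}

# Response text that points at a database or framework error. ORA- codes and
# java.sql.SQLException are real prefixes; the remaining phrasings are assumptions.
ERROR_SIGNATURES = {
    "oracle": re.compile(r"ORA-\d{5}"),
    "jdbc": re.compile(r"java\.sql\.SQLException"),
    "sql_syntax": re.compile(r"(?i)syntax error|unclosed quotation mark|"
                             r"quoted string not properly terminated"),
    "stack_trace": re.compile(r"\tat [\w.$]+\("),
}


def is_application(conv):
    """Fuzzer heuristic from the thread: a page that took URL parameters,
    a Cookie, or a POST is a candidate application page."""
    return (bool(urlsplit(conv["url"]).query)
            or "Cookie" in conv["headers"]
            or conv["method"] == "POST")


def is_static(with_cookie_body, without_cookie_body):
    """A cookie-only URL whose body is unchanged when re-fetched without the
    Cookie is static content (image, stylesheet) and can be filtered out."""
    return with_cookie_body == without_cookie_body


def transcode(value, op):
    """Minimal stand-in for the Transcoder window: encode or decode a string."""
    ops = {
        "url": lambda s: quote(s, safe=""),
        "unurl": unquote,
        "b64": lambda s: base64.b64encode(s.encode()).decode(),
        "unb64": lambda s: base64.b64decode(s).decode(),
        "html": html.escape,
        "unhtml": html.unescape,
    }
    return ops[op](value)


def mutate(conv, param, payload, method=None, drop_headers=(), host="target.example"):
    """Build the raw HTTP/1.1 request the Manual tab would send: replace one
    parameter, optionally switch GET<->POST and delete headers. The result stays
    well-formed: Host is kept, Content-Type/Content-Length follow the method."""
    parts = urlsplit(conv["url"])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if conv["method"] == "POST":
        params.update(parse_qsl(conv["body"], keep_blank_values=True))
    params[param] = payload
    method = method or conv["method"]
    headers = {"Host": conv["headers"].get("Host", host)}  # host is an assumption
    headers.update((k, v) for k, v in conv["headers"].items()
                   if k not in drop_headers and k not in ("Content-Type", "Content-Length"))
    body = ""
    if method == "POST":
        body = urlencode(params)
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))
        target = parts.path
    else:
        target = parts.path + ("?" + urlencode(params) if params else "")
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def scan_response(body, payload=None):
    """The analysis the thread leaves to the user: list error signatures found in
    a response, plus whether an injected payload came back unencoded (XSS lead)."""
    hits = [name for name, rx in ERROR_SIGNATURES.items() if rx.search(body)]
    if payload and payload in body:
        hits.append("payload_reflected")
    return hits


if __name__ == "__main__":
    for conv in CONVERSATIONS:
        if is_application(conv):
            print("application:", conv["method"], conv["url"])
    print(mutate(CONVERSATIONS[1], "acct", "1001'", method="POST", drop_headers=("Cookie",)))
    print(scan_response(SAMPLE_RESPONSES["oracle"]))
    print(scan_response(SAMPLE_RESPONSES["xss"], "<script>alert(1)</script>"))
```

The raw string returned by mutate() is what you would paste into the Manual tab or pipe through netcat/openssl; the point of keeping Content-Length and Host consistent is that a mangled request tells you nothing about the application, only about the server's parser. scan_response() is deliberately a plain signature list so it can be extended with whatever error text a particular framework emits.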

