WebApp Sec mailing list archives
RE: Advanced techniques with "exodus proxy"
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 25 Aug 2003 09:38:15 +0200
Hi Ralph,

I don't think there is a good writeup on how to actually use Exodus. As the author, I know that I haven't written one yet! ;-) So here is a first stab at it:

My approach to reviewing a web application using Exodus is to have someone walk me through the expected functionality of the web application, using Exodus to record the conversations. While that is happening, I am making notes of what action kicked off each conversation (or series of conversations). At the same time, I am looking at parameters flowing in either direction, and looking for interesting ones, such as account numbers or names, userids that could be manipulated, etc., and noting them for follow-up.

Once the walkthrough has finished, I review the spider tree to see what has been observed but not accessed (as well as which additional sites have emerged - sometimes this reveals hidden IP addresses, etc.), and retrieve pages on relevant sites that have not yet been fetched. (Note: Exodus's spider is a bit broken, in that it does not generate valid requests for HTTP/1.1 sites. The Location: field is not filled in automatically, which it should be.)

I also review the Fuzzer to see which pages are identified as being applications. This works by flagging pages that receive either URL parameters or a Cookie, or are POST URLs. There is intended functionality that will test a URL that only received a Cookie, to see if it gets the same content without a Cookie, to identify images and other static content, and filter those out, leaving those "landing pages" that report the current "state" of a session. I then run the fuzzer on the URLs remaining. At this point, Fuzzer results are not properly analysed, so that task is left to the user, to search for errors in the responses. Any errors that are found are generally indicative of a problem that should be reviewed more closely.
When one sees a conversation that looks interesting, and you want to replay it, make use of the Manual tab, select the request in question, edit it to your liking, and resubmit it to the server. Things you may want to do would include putting HTML tags into the parameters, deleting headers, changing the method (GET -> POST, etc.). The Transcoder window is useful here, for providing encodings and decodings of strings that may be needed.

The Manual tab is merely intended to provide a friendly interface to manually creating requests that you would otherwise have to do using netcat and openssl. So, you should be able to do anything that you could with netcat, generally speaking. Well, actually, the request must be valid, well-formed HTTP. As an added benefit, it also records the conversation for posterity, which netcat wouldn't.

So, to use Exodus to verify XSS, SQL injection, etc., I would suggest reading some of the excellent papers available that explain the techniques (www.sqlsecurity.com, etc.), and then use the Manual tab in Exodus to build and execute your tests.

Hope this is useful.

Rogan
-----Original Message-----
From: Ralph M. Los [mailto:Ralph () boundariez com]
Sent: 23 August 2003 06:07 AM
To: webappsec () securityfocus com
Subject: Advanced techniques with "exodus proxy"
Sensitivity: Confidential

'ello all,

Just curious to see if anyone has a good write-up on dirty hacks, or methods one can accomplish with Exodus Proxy. I audit internal applications for our enterprise almost daily, and I always run into the same things, XSS, session manipulation, logic subversion, etc...but it's all using the automated AppScan (Sanctum, Inc)...I'd like to be able to duplicate all those manually with Exodus. I know the basic functions, intercepts, etc...but I was hoping for some documentation on how YOU'VE used it?

The biggest thing I try and fail with is SQL injection into our Oracle servers. Different app teams use different frameworks to talk through to Oracle...but I'm trying to come up with a way where I can stop getting jdbc errors, and start retrieving Oracle data....ideas?

I'm also trying to do a POC on pushing a malicious login page to harvest passwords, through XSS into a simple app.

Thanks in advance,
./Wiz
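The page-classification heuristic Rogan describes for the Fuzzer tab (flag a recorded page as an application if its request carries URL parameters, a Cookie, or uses POST; then drop cookie-only pages that serve identical content without the Cookie), as an added illustration in Python that is not Exodus's own code. The `Conversation` record, the sample log, and the `refetch_without_cookie` callable standing in for the live cookie-less re-request are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Conversation:
    """One recorded request/response pair (constructed, not captured)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""
    response: str = ""

def is_application(conv):
    """Reasons a page looks like application logic: URL params, Cookie, POST."""
    reasons = []
    if urlsplit(conv.url).query:
        reasons.append("url-params")
    if any(k.lower() == "cookie" for k in conv.headers):
        reasons.append("cookie")
    if conv.method.upper() == "POST":
        reasons.append("post")
    return reasons

def filter_static(conv, refetch_without_cookie):
    """Drop cookie-only pages that serve identical content without the Cookie.
    refetch_without_cookie is a caller-supplied callable standing in for the
    live re-request Exodus would make (assumption)."""
    reasons = is_application(conv)
    if reasons == ["cookie"] and refetch_without_cookie(conv) == conv.response:
        return []  # static content such as an image
    return reasons

# Constructed sample log of recorded conversations.
LOG = [
    Conversation("GET", "http://app.example/logo.gif", {"Cookie": "s=1"}, "", "GIF89a"),
    Conversation("GET", "http://app.example/home", {"Cookie": "s=1"}, "", "Welcome, alice"),
    Conversation("GET", "http://app.example/acct?id=1001", {}, "", "balance page"),
    Conversation("POST", "http://app.example/login", {}, "user=a&pw=b", "ok"),
    Conversation("GET", "http://app.example/help.html", {}, "", "help text"),
]

def demo_refetch(conv):
    """Stand-in re-request: the image is unchanged, the landing page is not."""
    return conv.response if conv.url.endswith(".gif") else "Please log in"

def classify(log, refetch=demo_refetch):
    """Map URL -> reasons for every conversation that survives the filter."""
    return {c.url: r for c in log if (r := filter_static(c, refetch))}
```

The surviving entries are the candidates the message says the fuzzer is then run against; the image and the plain help page are excluded because nothing about their requests or responses depends on session state.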