Understanding JSON Web Tokens (JWT)

Background

JSON Web Token (JWT) is an open standard ( RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

What this essentially means is that JWT helps you secure your application by allowing to securely share claims such as user data between your application and the client that is communicating it. In this post, I will explain fundamentals of JWT and how it works.

When you would use JWT?

As mentioned before JWT can be used to secure communication between two parties that exchange data. Following are some common use cases -

1. Authorization:  This is a very common use case of JWT. When users log into an application, they are presented with a JWT token. Each of the subsequent requests that user makes to this application must include this JWT token. Your application would validate each of the requests to see if it has valid JWT before processing it.
2. Information exchange:  You can also transfer information in JWT in a secure manner. This means JWT can have data as part of it. Note that this information sent is visible to anyone having access to that token. However, no one can alter this information since the token signature is calculated based on the information it holds and altering any data will change the signature which would invalidate the token. We will see this in detail in some time. 

What does JWT look like?

Now that we know when can we use a JWT, let's see how does it look like and what does it comprise of.

A JWT typically looks like -

• xxxxx.yyyyy.zzzzz

As you can see it consists of 3 parts separated by a dot. These three parts are -

1. Header
2. Payload
3. Signature 

Let's see what each of these sections represent.

Header: Header is a JSON that mainly consists of two parts - the type of token which is JWT and the algorithm used for hashing. For example,

{
  "alg": "HS256",
  "typ": "JWT"
}

The header section of JWT is Base64 URL encode of above JSON.

Payload: This is the 2nd part of the JWT. This section contains the claims or the information that needs to be shared. This is again in JSON format. These claims can be of 3 types -

1. Registered claims: These are predefined claims which are optional but useful to convey proper information. Example can be iss(issuer), exp(expiration time), sub(subject) etc. You can see all the claims here.
2. Public claims:  These can be defined by anyone using JWT but should be defined in  IANA JSON Web Token Registry to avoid a collision.
3. Private claims: These are custom claims that can be added to share information between two parties as long as both agree on using them. These are neither registered or private claims.

Example -

{
  "sub": "Welcome to my blog!",
  "name": "Aniket Thakur",
  "iss": "opensourceforgeeks.blogspot.com",
  "exp": 1530436998
}

The payload section of JWT is Base64 URL encode of above JSON.

Signature: This is the 3rd and last part of JWT. This represents the signature of the token. This is created as follows -

Signature = Hash (base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

As you can see signature comprises of the header and well as payload. So if anyone changes header or payload then the signature would not match and hence JWT validation would fail. This is exactly why I mentioned before that JWT is secure from tampering. Also, notice that a secret key is used to compute the hash value. This secret will never be available to anyone (just the application generating the JWT to protect its resources). And finally, the hashing method would depend on the algorithm you are using. In above example we used - HS256 (HMAC with SHA-256).


So, assuming the secret key used is "secret", for the example we have used above JWT  would look like -

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJXZWxjb21lIHRvIG15IGJsb2chIiwibmFtZSI6IkFuaWtldCBUaGFrdXIiLCJpc3MiOiJvcGVuc291cmNlZm9yZ2Vla3MuYmxvZ3Nwb3QuY29tIiwiZXhwIjoxNTMwNDM2OTk4fQ.8pmcCeFS9gx8Yb-DPRkAihhW7mUxAZkklYHHme5a0tU

where

header : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

payload : eyJzdWIiOiJXZWxjb21lIHRvIG15IGJsb2chIiwibmFtZSI6IkFuaWtldCBUaGFrdXIiLCJpc3MiOiJvcGVuc291cmNlZm9yZ2Vla3MuYmxvZ3Nwb3QuY29tIiwiZXhwIjoxNTMwNDM2OTk4fQ

Signature : 8pmcCeFS9gx8Yb-DPRkAihhW7mUxAZkklYHHme5a0tU

You can also see this JWT in action - https://jwt.io/.

NOTE1: Notice for registered claims all claim names are 3 characters in length. This is because JWT is meant to be compact.

NOTE2: Also you must have realized by now that header and payload are just base64 URL encoded values and that anyone with access to token can decode and read these. So you must never add any sensitive information to these sections. JWT just ensures that the data cannot tamper but the data is visible to everyone with the access to the token.

How does JWT work?

Now that we saw fundamentals of JWT let's see how JWT is actually used to protect resources in an application.

For simplicity let's assume we have our own server application which has an authentication module and a set of APIs that must be protected. First user or the client would authenticate itself against the server. The server will send the JWT in the response of successful authentication call. This token will be used by the client in all subsequent API calls made to the server. You can send this token in the headers of the API call. Now in each API call server will check if the JWT is valid and process the request based on the validity of the token.

We already saw how JWT tokens are created. Now let's see how they are verified. Once the server receives JWT token it will extract payload and header section. Then it will use these parts along with the secret that is stored only on the server to calculate the signature. If the signature calculated is same as the one that is received from the JWT then the JWT is valid and the further processing can happen. If the signature does not match then it means someone has tampered with the request and it must not be allowed to execute. You can send a 401 - unauthenticated response in such cases.

Ideally, you would have a separate API server and a separate authentication server in which case you can keep the secret is a centralize place like a database and read it from both the servers to generate signatures of JWT.

Flow is something like below -

Summary

• JWT can be used to securely share claims between two parties. This can either be used for protecting your resources on the server or sharing data securely.
• JWT protect the data from being tampered but it does not prevent anyone from viewing that data (Since the data is just base64 encoded string). So never send sensitive data as part of JWT.
• Always add an expiry to the JWT. So if your token is compromized for some reason it would not be valid post its expiry. The client can reach out to the server for the new token in this case. 
• Always use https for sending JWT since it prevents unauthorized users from stealing the JWT.
• You can use https://jwt.io/ to generate and see JWT yourself.

Related Links

• Introduction to JSON Web Tokens
• Registered claims
• learn-json-web-tokens(Github)

Creating a new Xposed module in Android

How Xposed works

Before we start lets see how Xposed works -

There is a process that is called "Zygote". This is the heart of the Android runtime. Every application is started as a copy ("fork") of it. This process is started by an /init.rc script when the phone is booted. The process start is done with /system/bin/app_process, which loads the needed classes and invokes the initialization methods.

This is where Xposed comes into play. When you install the framework, an extended app_process executable is copied to /system/bin. This extended startup process adds an additional jar to the classpath and calls methods from there at certain places. For instance, just after the VM has been created, even before the main method of Zygote has been called. And inside that method, we are part of Zygote and can act in its context.

The jar is located at /data/data/de.robv.android.xposed.installer/bin/XposedBridge.jar and its source code can be found here. Looking at the class XposedBridge, you can see the main method. This is what I wrote about above, this gets called in the very beginning of the process. Some initializations are done there and also the modules are loaded.

Source 

Creating a new Xposed module in Android

I have couple of app on playstore . I am going to use FlashLight to demonstrate Xposed module.

• Create a normal Android app. Add following extra meta data in the apps manifest file. This is how xposed installer app knows your apk is a xposed module.

        <meta-data
            android:name="xposedmodule"
            android:value="true" />
        <meta-data
            android:name="xposeddescription"
            android:value="Demo example that renders Flashlight app (com.osfg.flashlight) useless" />
        <meta-data
            android:name="xposedminversion"
            android:value="53" />

• Next create a class that implements IXposedHookLoadPackage like below -

public class XPFlashLightKiller implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {

        if (!loadPackageParam.packageName.equals("com.osfg.flashlight"))
            return;

        XposedBridge.log("Loaded app: " + loadPackageParam.packageName);

        XposedHelpers.findAndHookMethod("com.osfg.flashlight.FlashLightActivity", loadPackageParam.classLoader, "isFlashSupported", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                // this will be called before the clock was updated by the original method
            }
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // this will be called after the clock was updated by the original method
                XposedBridge.log("Hooken method isFlashSupported of class com.osfg.flashlight.FlashLightActivity");
                param.setResult(false);
            }
        });
    }
}

NOTE :  Here we have used XC_MethodHook as callback so that we can execute methods before and after original method is executed. Other alternative is to replace the original method entirely - original hooked method will never get executed.

When you call XposedHelpers.findAndHookMethod the callback can either be

• XC_MethodHook : Callback class for method hooks. Usually, anonymous subclasses of this class are created which override beforeHookedMethod(XC_MethodHook.MethodHookParam) and/or afterHookedMethod(XC_MethodHook.MethodHookParam).
• XC_MethodReplacement : A special case of XC_MethodHook which completely replaces the original method.

1st one just provides you the hooks to execute methods before and after original method where as 2nd one replaces it completely.

• Next create a file called xposed_init in your assets folder and add your fully qualified class name to it. This file tells xposed installer where to look for the module class. For eg in our case it will be -

com.osfg.flashlightxpmodule.XPFlashLightKiller

• Finally download XposedbridgeApi.jar from here and add it in your app folder. Make sure the version of this jar should be same as xposedminversion set in the meta data tags in step 1.

Now build your app and deploy on your device. Once done Xposed installed should detect it. Just enable the module and reboot the device -

Testing out the module

Just to give you some background on the original Flashlight app. It's code is something like below -

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults)
    {
        switch (requestCode)
        {
            case CAMERA_PERMISSION:
                if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
                    Log.d(TAG, "Received Camera permission");
                    if(!isFlashSupported()) {
                        Toast.makeText(getApplicationContext(), "LED Flash is not supported on your device",Toast.LENGTH_LONG).show();
                        finish();
                    }

                }
                else {
                    Log.d(TAG, "Camera permission denied");
                    Toast.makeText(this, "Please provide camera permission", Toast.LENGTH_SHORT).show();
                    finish();
                }
                return;
        }
    }

It first asks for permission. If you give it then it will check if flash is supported on the device. So if you have already given Flashlight app camera permission then remove it from settings and open the app again. Now when it prompts for permissions again give it. But now you can see that the app shuts down with toast message - "Flash not supported on this device". This is because we hooked into isFlashSupported() method and made it always return false. So that the app never works :)

NOTE : From next time it will work fine. Since permission is already given next time it will not prompt and never execute  isFlashSupported() method. To retest remove the permissions from settings again.

You can also see following line in logcat -

03-20 02:36:37.864 8002-8002/? I/Xposed: Loaded app: com.osfg.flashlight

03-20 02:36:44.123 8002-8002/? I/Xposed: Hooken method isFlashSupported of class com.osfg.flashlight.FlashLightActivity

Complete code is added in my github repo -

• https://github.com/aniket91/FlashLightXPModule

Related Links

• Installing Xposed Framework on Android devices (OSFG)
• FlashLightXPModule github
• How does Xposed Framework hook methods in Android(SO)

Installing Xposed Framework on Android devices

Background

Android as you know is very flexible and developer friendly. It runs a Linux kernel underneath with some modifications needed to operate handheld devices with relatively less memory. You can root your device to further boost its potential application. You can do stuff with root access now. You can even take it a step further - Unlock boot-loader and install customer recovery like ClockworkMod or TWRP (We are going to work with TWRP in this post). Custom recovery software's let you install custom mods or even full ROMs that can drastically improve user experience.

Xposed is a framework that can alter the the way your applications work, give you more control over it without actually flashing any custom ROMs or MODs or even tampering any of the apks. It uses root privileges to access androids core resources and use it to change the androids behavior .It's potential power is unlimited. We will see how to install and use it in a while.

NOTE : Xposed uses root privileges i.e device needs to be rooted.

Xposed is a framework once installed you can create and install various modules to alter apps/android behavior. Best part about this is that the modules are held in memory. So to get back the system to original state all you need to do is uninstall the module and reboot the device.

NOTE : Works on Android 4.0.3 (ICS) and above only.

Xposed framework is brought to us by XDA Recognized Developer rovo89.

Warning : This required rooting your device and changing some androids base resources. Follow this guide on your own risk. We are not liable if you phone gets bricked or damaged in the process.

 Installation and Setup

Make sure your device is recognized by adb (connect your device to your laptop having android SDK using a USB) -

NOTE : If you adb is not able to detect or recognize your device then you may refer to link in the Related Section at the end of this post.

Before you start Xposed has two parts to it -

1. Xposed Framework : Lays down all the groundwork for the framework
2. Xposed Installer app : Apk use to manage Xposed modules.

Download the framework from -

• http://dl-xda.xposed.info/framework/

Choose based on your the sdk version you have on your android device.

You can download the latest xposed installer from  -

• http://repo.xposed.info/module/de.robv.android.xposed.installer

First we are going to flash custom recovery image - TWRP on our Android device. So first reboot in bootloader mode using following command -

• adb reboot bootloader

You device should reboot now and you should see following screen -

Once you reach above screen adb will not work. You need to use fastboot instead. You can type following command to make sure your device is still connected -

• fastboot devices

 Now lets flash our recovery image. Use following commands to do so -

• fastboot flash recovery /Users/athakur/Desktop/xposed/twrp-3.0.2-0-hammerhead.ndif

 You can download the image from here. Above command obviously has path to the image from my local machine. You need to replace it accordingly.

Once done navigate to Recovery mode by navigating using vol up/down button. Once on Recovery mode press power button to enter it.

Now go to install and install the Xposed framework - the zip file we downloaded earlier and then reboot.

On reboot install the Xposed installed apk. On install open it -

Here your Xposed  setup and installation is complete. You can create and install modules going in Modules section of installer as shown in screenshots above. We will see how to create modules in upcoming post. So stay tuned!

Good to Know 

What is Fastboot? : Fastboot is a protocol that can be used to re-flash partitions on your android device (update the flash file system in your Android devices). It comes with the Android SDK (Software Developer Kit) and can be user as an alternative to the Recovery Mode for doing installations and updates.

What is Android recovery image? : A bootable program on an Android flash memory partition (/recovery) that is used to perform a factory reset or restore the original OS version. You can also install a different OS version (a different ROM). For that the stock recovery image must be replaced with a custom version such as ClockworkMod Recovery or TWRP (as we are doing).

Related Links

• Android Partitions and Kernel Explained(OSFG) 
• What is Android Debug Bridge (adb)? (OSFG)
• Installing Google Nexus 5 USB Drivers (for ADB)(OSFG)
• Troubleshooting steps when Android device is detected but not recognized by Eclipse ADT.(OSFG)
• Troubleshooting steps when Eclipse ADT does not recognize your Android device. (OSFG)

Understanding HTTP Strict Transport Security (HSTS)

Background

Have you any time tried to visit a site by typing "http://" in your web browser and the site that loads corresponds to "https://". Well it happens a lot of time. A website may support only https - secure connections and browser is smart enough to know this. How? We will see that in a moment.

My use case was for using a proxy to intercept browser traffic. As you know any proxy will intercept traffic and then send it's own certificate to the browser and if browser does not recognize the cert it shows the error -

• "Your connection is not secure"... SEC_ERROR_UNKNOWN_ISSUER

You may go in Advanced tab and then add exception to start trusting the new certs for your testing. But it is not always possible and well see why?

NOTE : If you are not trying something on your own and dont understand why above prompt came its time to turn back. Your network traffic may be getting intercepted by some hacker using MITM (Man in the middle) attach to steal sensitive data like passwords.

WARNING : All the below information is provided only for the use case of pen testing and other security testing. Please do not use it otherwise. All of the below features are provided for your security. Playing around with it without understanding can compromise your security. So proceed on your own risk.

HTTP Strict Transport Security (HSTS)

As per Wiki,

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

How this works is that your webserver eg. Apache or NGINX is configured so that in each response header it sends header corresponding to  HSTS

• Strict-Transport-Security "max-age=63072000"

max-age is the expiry time. So the HSTS will be applicable till this much time.

NOTE : This is updated every time you visit the site. So if this time period is 2 years them each time you visit the site this will be set for next 2 years.

For eg see below in case of techcrunch -

Working of HTTP Strict Transport Security (HSTS)

Browser once it receives stores this data corresponding to each site. In case of Firefox you can see it as follows -

1. Type about:support in firefox tab
2. Click on "Show in Folder". This should open your firefox profile folder.
3. In this search for a file called SiteSecurityServiceState.txt and open it.
4. Firefox stored HSTS data for sites in this file.

Steps in screenshots -

NOTE : As mentioned earlier this entry is updated every time you hit the url in your browser. Exception is incognito mode in which case entry from this file is removed once incognito is close. However note that if you have visited the site even once in non incognito mode then the security restrictions will be obeyed even in incognito mode.

Working :

• This tells browser that every subsequent connection should always be https (secure). So even if you try to access http version of the site browser will convert it to https and proceed. 
• For eg. You can try hitting "http://techcrunch.com/" and it will automatically hit "https://techcrunch.com/"
• Another effect it has it that if this header is set then you cannot add exception for the certificate which does not match the original one (the one browser does not trust). Eg in screenshot below -

NOTE : I am using Zap proxy. You can use any others like Fiddler or Burp. I have written posts on this before you can revisit them if needed.

• Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser
• Intercepting Android network calls using Fiddler Web Proxy

How to bypass HSTS?

Well now that we know where firefox stores this data it is easy to bypass this. All you have to do is remove the entry from this file. You can probably change the permission of this file so that new entry is not made in it. When tried for techcrunch you can see you can get back option to add certificate exception -

NOTE : For above to work make sure firefox is closed else it can overwrite the file.

NOTE : Above workaround will not work for the well known sites like google since for them the entries are hardcoded into browser code. Please do share if you know of any workaround for this.

NOTE : In the above mentioned file you might also see entries corresponding to HPKP. A HTTP Public Key Pinning (HPKP) header instructs clients to pin a specific public key to a domain. So, if a HPKP-supporting browser encounters a HPKP header, it will remember the specified public key hashes and associate them with that domain. In the future (until the specified max-age timeout expires), the browser will only accept a certificate for that domain if any key in the certificate's trust chain matches one of the associated hashes.

• What is HPKP and how does it work in case of websites
• Can HSTS be disabled in Firefox?

Related Links

• HTTP Strict Transport Security (Wiki)
• Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser(OSFG)  
• Intercepting Android network calls using Fiddler Web Proxy(OSFG)  
• HTTP Strict Transport Security for Apache, NGINX and Lighttpd
• How to prevent HSTS tracking in Firefox
• Test HTTP Strict Transport Security (OTG-CONFIG-007)
• What is HPKP and how does it work in case of websites
• Can HSTS be disabled in Firefox?  

Understanding Cross-site scripting (XSS)

Background

As per wiki
             Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
       We will see this in details as to how web applications can be vulnerable to an XSS attack and how can it be safeguarded. This is the most common known security vulnerability. You can use 3rd party produces like IBM App scan to check for security vulnerabilities in your web applications.

Types of XSS attacks

There are many variants of XSS attacks but the major ones are -

• Reflected or Non persistent XSS attack
• Stored or persistent XSS attack

Reflected or Non persistent XSS attack

Out of this reflected is most common. In this type if xss malicious script is executed on clients browser and sensitive data might be stolen.

For eg. lets take a search field on some social networking site. You generally type is words their to either search for a particular word in your feed or to search your friend/family members. When you do this in the resultant page you see something like - "Search result for - your search query". Now if your social networking site is not safeguarded from xss attacks, attacker might inject a malicious script in the search query that will get executed when you do a search which will result in the attacker stealing your data. Worst case your authorization cookie is stolen and your account is compromised.

As stated in Wiki - A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.

So when you get that mail again saying hey please review these bull**** documents please do not click it. It's either a spam or worst - attempt to steal your sensitive data, since you are logged into multiple sites with active sessions. Always see who is it sent from? Do you know that person? Does the link look suspicious? No one will give you money just like that or you will not be selected for a lucky draw without applying for it :). If you are curious as to what it actually is then copy the link and open it in incognito mode which have no active sessions or logins. Now if it asks you to login it's time to turn around.

Now what do we mean by  innocent-looking URL? The URL is infact that for a trusted website. All attacker will do is inject an XSS vector in one of the request parameters. Say search parameter like in example above. He will also encode script tags and other characters so that the victim user will not be able to guess it's the affected URL. Anyway well soon see a real example of this with working code and the fix. Now lets see persistent xss.

Stored or persistent XSS attack

This is even worst that then the reflected one because this xss attack vector is stored on websites server (perhaps in it's persistent DB) and it will get executed every time user navigates to the section that uses this xss affected code. Lets see an example.

Consider a forum used to discuss programming related QnA. Again if the site is not safeguarded against XSS attacks then an attacker can ask a question which seems normal and legit but at the end contains a malicious script/attack vector. Now when he publishes the question it gets stored in the sites persistent storage and when any user tries to visit this question this malicious script will get executed on his/her browser and again your sensitive data can be stolen.

It's not always about the victims sensitive data though. An attacker can use XSS attack to permanently change the websites appearance or change display texts. Consider the damage it can do. For eg. attacker can change the announcement made by a reputed company which can result in it's stock prices crashing.

Enough with the theory let's see a practical example -

Testing for XSS

Code for this demo is available on my git repository  -

• https://github.com/aniket91/WebDynamo

It's a web app. So you can download it and run it in a web server like apache tomcat. For this demo I will use my local setup.

NOTE : This web project has multiple workflows. The files you are interested in are -

• https://github.com/aniket91/WebDynamo/blob/master/src/com/osfg/controllers/XSSTestController.java
• https://github.com/aniket91/WebDynamo/blob/master/WebContent/pages/testXss.jsp

This demo also assumes you are familiar with webapps, JSP, Java, Spring etc. I have written multiple posts on these topics in the past. You can search those in this blog if you are interested.You can find everything starting from configuring and using ivy dependency management to developing sample Spring application to deploying apps on tomcat. Above web app uses all these.

Once you have deployed the web app you can open it in your browser. It should look like following -

You can add normal text in the search box and do a "Search" or a "Search Xss Protect". Everything should work fine. For eg. when I input - "I am groot!", it just shows me the query I have input -

Now lets do "Search Again" and perform a normal "Search". But this time we will search differently. Enter following query in the search box -

• I am groot!<script>alert(10)</script>

The result is -

As you can see we do see our normal result but we also see a prompt with 10 in it. Now if you revisit our input query we added a script tag at the end and the browser executed it. This was just for the demo, attackers script will execute silently in the background without prompts and steal/modify your data.

Now lets repeat the same search with text -

• I am groot!<script>alert(10)</script>

Only this time you press "Search Xss Protect". What do you see?

What happened here? No prompts? That's because we escaped out input so that it is not harmful which is exactly what the fix is. You need to escape your user inputs so that they are not executed by your browser as scripts. Now that you have seen a demo of how XSS behaves and how you could safeguard it lets see how it actually works from code perspective.

Code working

You need to revisit the JSP file -

• https://github.com/aniket91/WebDynamo/blob/master/WebContent/pages/testXss.jsp

The main culprit line here is -

• Your input : <%=query %> 

This essentially evaluates the query from Java. If this has script tags those will be evaluated too. What do we do? We escape it before this line is reached which is precisely what the code does when you press protected search -

        String xssProtect = request.getParameter("xssProtect");
        if(xssProtect != null && xssProtect.equalsIgnoreCase("yes")) {
            query = ESAPI.encoder().encodeForJavaScript(query);
        } 

NOTE : xssProtect is something I have internally used to differentiate between normal search and protected search for demo purposes. You need not worry about it. In production you should never have a normal search like scenario.

NOTE : ESAPI is a library that OWASP (Open Web Application Security Project) recommends. You can see a bunch of links in the related links section below. But you can technically use any library that escapes html like coverity security lib.

NOTE : Above was an example of reflected or non persistent XSS attack. What if we were storing this search queries in our internal DB and showing search history for a user? In that case it would be a persistent XSS attack.

Though above demo was a means to show you how XSS actually works and how it can be safeguarded you should never code it this way. JSP should never have such logic. All of this should be in backend logic possibly your servlets and controllers.

Related Links

• Cross-site Scripting (XSS)
• Testing for Cross site scripting
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Types of Cross-Site Scripting
• Cross-site scripting Wiki

Features in Using OWASP Zed Attack Proxy (ZAP)

Background

In last post we saw how to setup ZAP proxy - 

• Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser

 In this post I will show you some of the features of ZAP proxy that I have explored so far.

Spider And Active Scan

Whenever you decide to attack an URL that you see in ZAP's home page ZAP will crawl the page, find out other relevant links that the base URL may refer to in response. It also figures out GET/POST requests applicable. This is basically spider attack.

For demo purposes I am going to attack following URL - 

• http://ch01.mybluemix.net/ch01/

It' a simple problem where you have to exploit few vulnerabilities to guess the password :)

Next ZAP will scan all the relevant applicable URL with test request params. It shows various attributes like response code, response bytes etc. You can also see the raw request/response with right click the request entry in Active scan. You can also see list of applicable URLs in the left panel.

 NOTE : One good trick to inspect irregular behavior is to inspect the size of response and inspect further the ones you see fishy.

Resend Request

Another useful feature is "Resend" . Just right click the request on left panel and select resend. You can then edit the request as per your wish (edit request params, headers add cookies etc) and send.

 Encode/Decode/Hash

This is a very handy feature that I loved in ZAP. Input a String and it will give you it's Encoding/Decoding/Hash whatever you need -

You can access this from Tools -> Encode/Decode/Hash

 Fuzzer

If you don't know what fuzzing is -

"Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. "

More details -

• Fuzz testing(Wiki)
• Fuzzing(OWASP)

 ZAP has an in build fuzzer that you can use. Simply
select the URL you want to fuzz -> Right click -> Attack -> Fuzz

You will need to highlight the area you want to fuzz and select add payload. The highlighted area can be anything - request parameter, cookie value, header etc. Also payload can be anything list of strings, scripts to be injected random values , alphabets etc.


Sample example is screenshot below -

 In above example I have highlighted "ZAP" which is the password. So I am going to fuzz various values of passwords. Next click Add to add payloads. You can define your own sets of string as well. I am using inbuilt file fuzzer that provided pre defined sets of strings. Finally click "Start Fuzzer" to start fuzzing.

NOTE : Again as I mentioned before it is always advantageous to sort response size to check unusual response to exploit :)


So far I have explored these. Will keep you updated :)
Stay tuned!

Related Links

•  Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser(OSFG) 
• Intercepting Android network calls using Fiddler Web Proxy(OSFG)

Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser

Background

Some time back we saw how to use Fiddler proxy to intercept traffic from local browser or you Android devices. 

• Intercepting Android network calls using Fiddler Web Proxy

Recently I came across a more powerful proxy tool called OWASP Zed Attack Proxy or ZAP . It's not just a proxy tool. It is a tool used for ethical hacking. You can use it to attack sites and find vulnerabilities. Using ZAP you can do various things like -

• Web parameter tampering
• Fuzzing

etc.

You can read more about ZAP on their home page -

• OWASP Zed Attack Proxy Project

NOTE : You should use these ethical hacking tools only on sites that you have permission for. Using these on other sites may be treated as an offense.

In this post I am going to show you how to set up a simple proxy to redirect your browser traffic through ZAP.

 You can download the software from here. You can choose the download based on your operating system.

Once you download, install and open ZAP it would look something like below -

Using ZAP as proxy

Before we move on to browser to see how we can use ZAP as a proxy there lets see proxy settings in ZAP itself.

• Go to Tools -> Options ->Local proxy

Here you can see the Address and port the proxy is listening on. You can manually configure your browser proxy settings to use this.

 Now click on Plug-n-Hack on the ZAP home page or copy the URL pasted in browser.

Click on "Click to setup!"

And install the addon.

 Finally enable the browser to send traffic via our ZAP proxy -

NOTE :  If you are getting - "A provider with this name has already been configured.".

You can manually check the proxy settings.

Also if you want the automatic configuration you can clear it. Also from now on you can use

• zap
• pnh

command in firefox console  (Shift + F2)
 

You can use pnh command to clear and remove proxy settings from firefox

You should finally see something like below -

Related Links

• Intercepting Android network calls using Fiddler Web Proxy(OSFG)
• Features in Using OWASP Zed Attack Proxy (ZAP) (OSFG)