JSF Viewstate plugin


Ailton Caetano

Jun 20, 2016, 10:24:18 AM
to zaproxy-develop
Hello appsec-devs,

  I'm conducting a security analysis on a JSF Viewstate-enabled application and I found some tools like "ysoserial" (https://github.com/frohoff/ysoserial) and "inyourface" (https://github.com/frohoff/inyourface), but none of them has a GUI to make the visual analysis (and therefore the manipulation) easier.

  So I decided to ask if anyone knows of a plugin for doing that in ZAP. Once past this initial phase, I'm thinking about implementing a ZAP script myself for the attack automation, but first I would need to know where to put the vectors, and that is why I'm studying this class of vulnerabilities and am in need of such a tool.

  With that being said, if you have that information, I'd be very grateful if you shared it with us.


Regards,

Ailton Caetano

Colm O'Flaherty

Jun 20, 2016, 10:39:38 AM
to OWASP ZAP Developer Group
Hi Ailton.

ysoserial and inyourface are essentially payload generation tools.

In terms of implementing a ZAP plugin to detect Java serialisation vulnerabilities in the viewstate, I'd suggest the following (fairly high level) approach:
- identify parameters that would typically (or could) contain a JSF viewstate payload
- for each identified parameter, inject various payloads (from ysoserial, or using some internal payload generation mechanism) into the parameter.
- for each payload, send the request with the tampered parameter
- examine the response for the request. Does the behaviour / content match what you would expect to see, if the specific payload that you supplied were to have exploited the server side? If so, confirm it. If not, ignore it, and move on.

Note that this is a more specific case of the more general "Java serialisation" vulnerability. In my view, that would be a better place to start. Once that works, and successfully detects serialisation vulnerabilities more generally, it might be a good idea to implement the more specific JSF viewstate Java serialisation vulnerability check (probably in a separate plugin, to allow the two to be enabled / disabled independently).

As you've probably guessed, I'm interested in this particular topic.

Colm



Ailton Caetano

Jun 20, 2016, 1:04:43 PM
to zaproxy-develop
Hi Colm,

  Thanks for the reply. Yes, I'm already studying how to generate the required payload: I've been watching the original Chris Frohoff and Gabriel Lawrence AppSecCali 2015 "Marshalling Pickles" and Matthias Kaiser "Exploiting Deserialization Vulnerabilities in Java" video talks with the respective slides. I haven't watched Matthias's video till the end yet (gonna finish it tonight), but the OWASP San Diego talk by @frohoff, "Deserialize my shorts", gives a much more detailed explanation than his "Marshalling Pickles" one.

  So, what I'm looking for is a tool that provides a GUI for visual analysis. It doesn't need to exploit the issue, just help with visualizing the viewstate object structure, so that I can spend less time on structure interpretation and more time on exploit development: "So, this byte is the string length, this byte is a reference to an object structure that was defined before, this one represents an object array...".

  I found something that "looks more like it", but it only works with ASP.NET viewstates: https://www.binaryfortress.com/ASPNET-ViewState-Helper/

  I also found SpiderLabs' "Deface" tool, but although it was developed for JSF 1.2.8, it cannot read my viewstate, which comes from JSF 1.2. I am able to read it using simple gzip/base64 decoding, but looking at that 8-char-wide column all day really sucks...


[]'s Ailton

Colm O'Flaherty

Jun 20, 2016, 5:18:09 PM
to OWASP ZAP Developer Group
My bad. I *assumed* you were interested in attacking it from ZAP, as opposed to just visualising / decoding the JSF viewstate.

Perhaps if you started with the "InYourFace" decoding logic and debugged it against your sample data, you might find what it is about your sample data that it doesn't support. It seems easier than writing your own, or starting from scratch.

ZAP has limited support for decoding the ASP.Net viewstate, so that might provide some ideas if you decided to write / extend a JSF viewstate decoder.

Colm







Ailton Caetano

Jun 20, 2016, 6:43:24 PM
to zaproxy-develop
Colm,

  I was actually thinking about exploiting it from ZAP, but from your answer I inferred that there is no plugin for that as of now. Therefore, I extended my thought to a path that might lead me to some answer. Sorry for not being clearer about my goals. I thought about using a ZAP plugin's GUI for visualizing it, as that step would allow me to better perceive the available places for exploitation, be it from the ZAP plugin itself, a ZAP script or some other tool.

  Analysis from console scripts like "inyourface" lacks the integration that would allow me to quickly change the desired bytes in time to avoid the HTTP request timing out.


[]'s Ailton

Colm O'Flaherty

Jun 21, 2016, 3:57:06 AM
to OWASP ZAP Developer Group

Hi.

No, to my knowledge, there is no JSF viewstate decoder or visualiser in ZAP.

I still think there's merit in debugging InYourFace for your sample data. If you have functional decoding code (and no licensing issues), we *could* potentially do some of the following in ZAP:
- implement a parameter variant (which would allow the individual viewstate fields to be attacked using existing scanners)
- implement a viewstate 'viewer', perhaps in the 'encode/ decode' screen.

Do you have a specification for the viewstate format and some sample viewstate data, by any chance?

Colm
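Ailton's wish earlier in the thread (a view that says which byte is a string length, which is a back-reference, which one starts an array) and Colm's point above that working decoding code could feed a ZAP viewer or parameter variant both come down to the same thing: a reader for the Java Object Serialization Stream format. Below is one as an added example; it is not InYourFace, not ZAP code and not from anyone in this thread. It handles objects, class descriptors, strings, arrays and back-references, refuses streams that carry custom writeObject() block data, and runs on a constructed sample stream (SAMPLE), so it expects bytes that have already been base64/gzip-decoded.

```python
# Annotated dump of a Java serialization stream (the bytes left after base64/gzip-decoding a client-side
# JSF viewstate). Every class desc, object, string and array takes the next handle from BASE_HANDLE.
import struct

STREAM_MAGIC, BASE_HANDLE, TC_ENDBLOCKDATA, SC_WRITE_METHOD = b"\xac\xed\x00\x05", 0x7E0000, 0x78, 0x01
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ARRAY = 0x70, 0x71, 0x72, 0x73, 0x74, 0x75
PRIM = {"B": ">b", "C": ">H", "D": ">d", "F": ">f", "I": ">i", "J": ">q", "S": ">h", "Z": ">?"}


class JavaStreamParser:
    def __init__(self, data):
        if not data.startswith(STREAM_MAGIC):
            raise ValueError("missing STREAM_MAGIC/STREAM_VERSION")
        self.data, self.pos, self.handles, self.lines = data, 4, [], []

    def note(self, offset, depth, text):   # one row per structure: offset first, indented by nesting
        self.lines.append(f"{offset:#06x} {'  ' * depth}{text}")

    def new_handle(self, value):
        self.handles.append(value)
        return BASE_HANDLE + len(self.handles) - 1

    def unpack(self, fmt):                 # struct.error here means the stream is truncated
        self.pos += struct.calcsize(fmt)
        return struct.unpack_from(fmt, self.data, self.pos - struct.calcsize(fmt))[0]

    def utf(self):                         # 2-byte length, then (modified) UTF-8 bytes
        n = self.unpack(">H")
        return self.unpack(f">{n}s").decode("utf-8")

    def content(self, depth=0):            # reads one value; call again while bytes remain
        start, tc = self.pos, self.unpack(">B")
        if tc == TC_NULL:
            return self.note(start, depth, "TC_NULL")   # note() returns None, the value of TC_NULL
        if tc == TC_REFERENCE:             # 4-byte handle of something already seen in the stream
            h = self.unpack(">i")
            self.note(start, depth, f"TC_REFERENCE -> {h:#x}")
            return self.handles[h - BASE_HANDLE]
        if tc == TC_STRING:
            s = self.utf()
            self.note(start, depth, f"TC_STRING {s!r} (len {len(s)}) handle={self.new_handle(s):#x}")
            return s
        handlers = {TC_CLASSDESC: self.class_desc, TC_OBJECT: self.object, TC_ARRAY: self.array}
        if tc not in handlers:
            raise ValueError(f"unsupported type code {tc:#x} at {start:#x}")
        return handlers[tc](start, depth)

    def end_block(self):                   # annotation: only the empty form (no writeObject() data) is handled
        if self.unpack(">B") != TC_ENDBLOCKDATA:
            raise ValueError(f"block data at {self.pos - 1:#x}: writeObject() output is not handled here")

    def class_desc(self, start, depth):
        cd = {"name": self.utf(), "suid": self.unpack(">Q"), "flags": self.unpack(">B"), "fields": [], "super": None}
        h = self.new_handle(cd)            # protocol order: the handle comes right after the suid, before field strings
        self.note(start, depth, f"TC_CLASSDESC {cd['name']} suid={cd['suid']:#x} flags={cd['flags']:#x} handle={h:#x}")
        for _ in range(self.unpack(">H")):
            code, name = chr(self.unpack(">B")), self.utf()
            sig = self.content(depth + 1) if code in "L[" else code   # L/[ fields carry a TC_STRING signature
            cd["fields"].append((code, name, sig))
        self.end_block()
        cd["super"] = self.content(depth + 1)
        return cd

    def object(self, start, depth):
        self.note(start, depth, "TC_OBJECT")
        cd = self.content(depth + 1)
        obj = {"class": cd["name"], "fields": {}}
        self.note(self.pos, depth + 1, f"instance handle={self.new_handle(obj):#x}")
        chain = [cd]
        while chain[-1]["super"]:          # field values are written superclass-first
            chain.append(chain[-1]["super"])
        for c in reversed(chain):
            for code, name, sig in c["fields"]:
                self.note(self.pos, depth + 1, f"field {name} : {sig}")
                obj["fields"][name] = self.unpack(PRIM[code]) if code in PRIM else self.content(depth + 2)
            if c["flags"] & SC_WRITE_METHOD:   # custom writeObject() output would follow this class's fields
                self.end_block()
        return obj

    def array(self, start, depth):
        self.note(start, depth, "TC_ARRAY")
        cd = self.content(depth + 1)
        arr, code = [], cd["name"][1]      # component type from "[I", "[Ljava.lang.String;", ...
        h, n = self.new_handle(arr), self.unpack(">i")
        self.note(self.pos - 4, depth + 1, f"{n} elements, handle={h:#x}")
        for _ in range(n):
            arr.append(self.unpack(PRIM[code]) if code in PRIM else self.content(depth + 2))
        return arr


def _utf(s):   # builder for the constructed sample below (not taken from any real application)
    return struct.pack(">H", len(s)) + s.encode("utf-8")


SAMPLE = (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + _utf("com.example.Session") + struct.pack(">QBH", 1, 2, 3)
          + b"I" + _utf("timeout") + b"L" + _utf("user") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
          + b"[" + _utf("roles") + bytes([TC_STRING]) + _utf("[Ljava/lang/String;") + bytes([TC_ENDBLOCKDATA, TC_NULL])
          + struct.pack(">i", 1800) + bytes([TC_STRING]) + _utf("ailton") + bytes([TC_ARRAY, TC_CLASSDESC])
          + _utf("[Ljava.lang.String;") + struct.pack(">QBH", 0xADD256E7E91D7B47, 2, 0) + bytes([TC_ENDBLOCKDATA, TC_NULL])
          + struct.pack(">i", 2) + bytes([TC_STRING]) + _utf("admin") + bytes([TC_REFERENCE]) + struct.pack(">i", BASE_HANDLE + 4))
```

Run it with `p = JavaStreamParser(SAMPLE); value = p.content(); print("\n".join(p.lines))` and the rows show the offsets Ailton was reading by hand: the two-byte length in front of every string, the 0x7E0000-based handle that a TC_REFERENCE points back to, the class descriptor that precedes an array's element count. The handle numbering is the part that hand-written decoders most often get wrong: the signature strings inside a class descriptor consume handles too, and once one is skipped every later TC_REFERENCE resolves to the wrong thing even though the stream is well-formed.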


kingthorin+owaspzap

Jun 21, 2016, 3:34:30 PM
to OWASP ZAP Developer Group

Ailton Caetano

Jun 21, 2016, 5:00:14 PM
to zaproxy-develop
Nice!


[]'s Ailton


Ailton Caetano

Jun 22, 2016, 9:51:59 AM
to zaproxy-develop
Colm,

  Do you have any link or other resource about Java deserialization exploit development? I'm having a little bit of a hard time trying to create my own payload...

  Can you help me?


[]'s Ailton

Colm O'Flaherty

Jun 22, 2016, 10:00:34 AM
to OWASP ZAP Developer Group

I've used ysoserial payloads with 'great success' against both raw Java serialisation vulnerabilities and against vulnerabilities introduced as a result of insecure components such as Commons Collections 3.2.1 and earlier. Do you have a test case or two to work with? If not, I can point you at a nice sample: Jenkins versions prior to December 2015 are vulnerable, IIRC.

Does that help?

Colm

Ailton Caetano

Jun 22, 2016, 11:13:07 AM
to zaproxy-develop
Colm,

  Thanks for the reply. I'm actually interested in learning the process of developing it. The exploit construction is just a means to the real goal of gaining this knowledge, but i'll keep the information about Jenkins for later case studies.

  The point is that it is still not clear to me why the famous payloads were created the way they were, so I decided to search for resources that help me create my own as a way of better understanding the process. This doubt is not about a specific step; I feel that I need a whole class on that. I saw all the videos/slides available from Chris and Matthias and blog posts all around the web about the issue, but something is not fitting in. Most blog posts about this don't delve into the specifics and nitty-gritty, and I think that that is the kind of info I need.


[]'s Ailton
