The Javascript Code Handling Options


BrowserBruter is a highly customizable and extendable tool, built so a pentester can adapt it to many complex scenarios.

It has a rich set of options to both customize and extend its behaviour; these options are -

JavaScript and Navigation Handling:
  --auto-remove-javascript-validation
                        This switch will tell The Browser-Bruter to not remove common javascript input validations mechanisms. Useful if removing of javascript validation breaks the web app.
  --disable-events keypress,keydown,change,keyup
                        Disables specified javascript events, for example onClick, etc. Provide comma separated list of events.
  --javascript "alert(1);"
                        Javascript code to run on browser
  --javascript-after JAVASCRIPT_AFTER
                        Javascript code to run on browser after pressing and submitting the button.
  --javascript-file /path/to/javascript/file.js
                        Javascript file containing javascript code to execute
  --replace-code "alert(1);","alert(0);"
                        Replaces the code in response body with the code provided by user in following format - "CODE_TO_REPLACE1","REPLACEMENT_CODE1","CODE_TO_REPLACE2","REPLACEMENT_CODE2"
  --replace-files /path/to/validation_file.js
                        Replace the content of a file in HTTP responses.

The Art of Browser Automation using javascript - --javascript, --javascript-after and --javascript-file options


In the simplest terms, the --javascript option takes JavaScript from the pentester and executes it in the browser. --javascript-after does the same, but runs its JavaScript after the --button is pressed. --javascript-file is the same as --javascript, except that it takes a .js file to execute.

This looks generic, but in reality it is one of the critical features of BrowserBruter: it extends the tool beyond its built-in functionality and opens up countless environments in which BrowserBruter can run. [Note: the browser automation can also be done using the python language, which is more capable than using the javascript option]

To give you an example of how powerful this feature is, the following walkthrough uses OWASP WebGoat 6.0 (Legacy).

This is the JSON injection page from OWASP WebGoat 6.0 (Legacy). After entering the names of the airports, the list of flights appears; after selecting a flight you can submit the form. Though it looks simple, there is no way to fuzz this form automatically with BrowserBruter alone, because we first have to fill the airport fields to make the flights appear, then select a flight, and only then inject the payloads.

But by extending BrowserBruter with JavaScript, we can easily fuzz even these types of navigations and forms.

First, understand the logic of how the flights are fetched by inspecting the elements, as shown below -

After understanding the logic, write JavaScript to automate these navigations. For example, to tackle this WebGoat page -

 python3 BrowserBruter.py --target http://10.13.37.3:8080/webgoat/start.mvc#attack/1426618575/400 --elements travelFrom,travelTo,radio0,price2Submit --button SUBMIT --attack 1 --payloads fuzz.txt --inscope-urls "http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400" --cookie ASP.NET_SessionId:fawx1oxcfm0fd4gvzmej5oco,JSESSIONID:5A0B131D432F8E0F832DC958F31AD6D4 --fill radio0 --reload-page --replace-code "return check()","return true" --javascript "
           document.querySelector('#travelFrom').value = 'BOS';
           document.querySelector('#travelTo').value = 'SEA';
           getFlights('http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400');
"

And with that we have automated all of the navigation -

As we can see above, we are able to fuzz this form by extending the functionality of BrowserBruter, and the server is panicking due to the unexpected malicious payloads.
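As an added illustration of the --replace-code rewrite used in the command above (this is not BrowserBruter's own code; it models only the argument parsing and the response-body rewrite, on a constructed sample page), the following Python shows how the quoted pair list is parsed and why a snippet that never matches deserves a warning, since the client-side check then stays in place:

```python
import csv
import io


def parse_replace_code(arg: str) -> list[tuple[str, str]]:
    """Parse '"CODE1","REPL1","CODE2","REPL2"' into (code, replacement) pairs.

    The value is a quoted, comma-separated list, so the csv module copes with
    commas inside a snippet. An odd item count means a replacement is missing.
    """
    items = next(csv.reader(io.StringIO(arg), skipinitialspace=True))
    if len(items) % 2:
        raise ValueError(f"--replace-code needs code/replacement pairs, got {len(items)} items")
    return list(zip(items[0::2], items[1::2]))


def apply_replacements(body: str, pairs: list[tuple[str, str]]) -> tuple[str, list[str]]:
    """Rewrite body with every pair; also return the snippets that never matched.

    A snippet that does not occur (renamed or minified on the target) silently
    leaves the client-side validation in place, so the caller should be told.
    """
    missing = []
    for code, repl in pairs:
        if code not in body:
            missing.append(code)
        body = body.replace(code, repl)
    return body, missing


# Constructed sample page modelled on the WebGoat form above (hypothetical markup):
# the form only submits when check() returns true.
SAMPLE_BODY = (
    '<form onsubmit="return check()">'
    '<input id="travelFrom"><input id="travelTo">'
    '<input type="submit" value="SUBMIT"></form>'
    '<script>function check(){ return /^[A-Z]{3}$/.test(travelFrom.value); }</script>'
)

if __name__ == "__main__":
    pairs = parse_replace_code('"return check()","return true"')
    rewritten, missing = apply_replacements(SAMPLE_BODY, pairs)
    print(rewritten)
    print("snippets not found in body:", missing)
```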

Another, less complex example of automating navigation with JavaScript is the following, where we wrote JavaScript to click two buttons to make the form appear before the payloads are injected into it.

python3 BrowserBruter.py --elements editBrandStatus,editBrandName,brandId --payloads sqli.txt --button editBrandBtn --target http://localhost/brand.php --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --attack 1 --delay-before 0.3 --fill editBrandName --javascript "document.querySelector('button.btn.btn-default.dropdown-toggle').click(); document.querySelector('a[data-target=\"#editBrandModel\"]').click();"

Note: For more complex tasks and navigation, for example cracking captchas, fuzzing multi-page forms and so on, it is recommended to use the --python option if --javascript fails to solve the particular problem.


Hop on to the next section to learn about the options of the Python Scripting Engine and unleash the full potential of BrowserBruter.
