Sunday, April 15, 2018

BSides Iowa 2018: Windows COM: Red Vs Blue

Yesterday I gave my presentation at BSides Iowa 2018 titled, "Windows COM: Red Vs Blue". This was a discussion of Windows COM, background of Windows COM, why this technology still matters to red teams, and how blue teams can also use this knowledge. It was a lot of fun talking with folks, a great conference and venue, and had an awesome CTF. You should go next year, it'll be fun :D

Slides from my talk:

YouTube link coming soon!

Friday, March 16, 2018

OWASP Omaha Feb 2018 - 003 - Deserialization with the JS for the lulz

Now that we have the OWASP Juice Shop set up and we have our tools ready to go, let's start digging into the web app.

Environment setup
  1. Log into the Juice Shop VM

  2. Open up a Terminal, browse to the location of Juice Shop (e.g. Downloads/js642), type in, "npm start", and press Enter

  3. Open up ZAP (Applications > Other > OWASP ZAP)

  4. In ZAP, choose "Yes" (the top option) and click "Start"

  5. Open up Firefox

  6. In Firefox, click the three bars

  7. Click on "Preferences"

  8. Click on the wizard's hat (Advanced)

  9. Click on "Network"

  10. Click on "Settings"

  11. Go back to ZAP

  12. Click on the gear to access the options

  13. Scroll down to "Local Proxies" and verify that the proxy port for ZAP is 8080

  14. Click "Ok"

  15. Go back to Firefox and we should still be in the settings menu

  16. Click "Manual proxy" and configure the "HTTP Proxy" to be "localhost" on port "8080". Check the box to use the proxy for all protocols

  17. Scroll down to "No Proxy for:"

  18. Remove all entries in there

  19. Click "Ok"

  20. Close the preferences tab in Firefox

  21. In the first Firefox tab, browse to

  22. ZAP may take control and pop up a box talking about breakpoints. Click "Ok" if this pops up.

  23. In Firefox, you may see a warning saying that the server was restarted and our progress from the previous session was restored. We can either close this box (by clicking on the "x") or we can delete the cookie and start fresh. Click the box to delete the cookie and start over. You'll get a warning that you need to manually restart the application to start over.

  24. Go back to Terminal and press "Control+C" to force quit the running npm process.

  25. Press the up arrow to quickly get the command, "npm start"

  26. Press enter to re-run Juice Shop (by running running "npm start")

  27. In Firefox, refresh the page (

  28. Go back to ZAP

  29. We should see activity now that we're proxying our network traffic through ZAP

  30. Click the arrow next to "Sites"

  31. Click the arrow next to ""

  32. If we scroll a little, we see interesting directories

  33. If you click on "Alerts", you can see potential findings that were found passively

  34. Go back to Firefox

  35. Click on "Score Board"

  36. The five blue boxes should still be "pressed" and showing all of the challenges. Scroll to the bottom.

  37. We see that the RCE Tier 1 challenge involves some kind of denial of service. Now that we have ZAP running in the background, let's see if normal transactions can lead us to some kind of way forward with this.

  38. Go back to the Terminal and press "Control+C" to force stop the JuiceShop

Microsoft Visual Studio Code
  1. We need just one more tool in our toolbox to dive deeper into the JuiceShop. We're going to use Visual Studio Code! We're going to use VSCode for debugging this Node.js based webapp.

  2. To install VSCode on Linux, go t

  3. We're going to use the Red Hat instructions on this page. Do the two steps that start with "sudo" to add in the Microsoft key and their repository location.

  4. In Terminal, type in, "yum check-update" and press Enter

  5. In Terminal, type in "sudo yum install code, and press Enter. Follow any prompts to continue with the installation.

  6. In Terminal, browse to the folder location of the JuiceShop (e.g. Downloads/js642)

  7. In Terminal, type in "code ." which will start VSCode in the context of the JuiceShop application

VSCode is natively aware of Node.js applications and automatically has context of how to work with Node.js applications. We are going to use this to our advantage so we can natively run and debug this application to gain further insight into how this application works. In order to do this, we're going to examine the code that runs the web server for the Node.js application. This project uses "server" to do the heavy lifting for this application. The configuration for the web server is conveniently located in "server.js". We're going to evaluate the application from a white-box perspective where we get to see everything to better assess the security from this view.

There are a lot of ways to explore this application to derive where you can find the deserialization vulnerability. In my experience, the vulnerability lies where can you mess with data. With that, deserialization based attacks can be a problem thru APIs exposed as part of the application where data is more "freeform" (cough JSON) and more complex than a simple integer. An integer can have a simple bounds and type check to validate appropriate input. When you have JSON based data, that can be a little bit more messy depending on how data validation is performed.

Our white box assessment is going to demonstrate why JSON input can still be abused. The "classic" example of abusing JSON data to perform deserialization attacks has been demonstrated in .Net and Java based web apps. There's really no reason why this can't be an issue elsewhere like in a JavaScript based web app, like OWASP Juice Shop, which allows attackers and defenders to examine in a safe setting. Digging around in the app, if we peek at the web server running the application, we see that Swagger is used in the application. Swagger is great to help people understand your API and can give them a way to play with the API in a web based setting. The deserialization vulnerability with the JuiceShop is through the API. We'll dig more into the how and why later, but first let's explore the server configuration and get VSCode to run/debug the JuiceShop. This ability will allow us to examine step-by-step what's going on as the issue is exploited.

Running with the bulls... or VSCode
  1. In VSCode, you may get a warning about Git in your PATH being out of date. Click "Close" if you do.

  2. In the file explorer on the left (by default), you should see all of the files from the JuiceShop. Toward the bottom in the root directory you should see, "server.js". Click on the file to open it up on the right pane.

  3. Scroll through the file to about line 115 (at least that's where Swagger is specified at the time of this writing in this file). We can glean that the URL endpoint for the Swagger document is "/api-docs". That'll be the URL we use ( to see the Swagger file.

  4. Let's run the JuiceShop through VSCode

  5. On the left, click on the bug icon with the circle and line

  6. In this new debugging context, you should see a green play button next to the word "Debug". Click that.

  7. You should get an error saying that the launch.json file can't find an appropriate way to run the program. Click "Open launch.json" to delve into this file.

  8. In "launch.js" we see a simple configuration file to run the app. In the current configuration, it's broken.

  9. To fix this, add ".js" to the end of "app" to run our app.js file.

  10. Click "File | Save" to save it

  11. Click the "Explorer" icon (the top icon)

  12. Click the "Launch Program" play button at the bottom to run JuiceShop from VSCode

  13. We want to see the progress of launching the app through the "Debug Console". Depending on any number of factors, let's be sure we're looking at the same thing. At the top, click on "View" and select "Debug Console" to pull it up.

  14. If everything is good (it worked on my machine!) you should see the application running as normal on port 3000 and the bottom bar should now be orange

I'm going to save the next/last post in this series for the actual exploitation!

Thursday, March 15, 2018

OWASP Omaha 2018 - Slides

I got sidetracked with some side projects, but here are the slides from my presentation! It was a lot of fun talking about the more difficult vulnerabilities in the OWASP JuiceShop project.

I am still working on the blog posts as a companion to the talk and have been plugging away at it. They will come as soon as possible :)

Tuesday, February 13, 2018

OWASP Omaha Feb 2018 - 002 - Deserialization with the JS for the lulz

The OWASP Juice Shop project is great to learn about web app vulnerabilities and how to exploit them. I gave an introduction to web app hacking with the OWASP Juice Shop last year at BSides Iowa which you can see here. The YouTube link discussed web app hacking 101 and demonstrated how to exploit the easier challenges. The intent of these posts and upcoming talk are to skip ahead to the end and tackle more difficult challenges like deserialization. Without further ado, let's go!

  1. Log into the JuiceShop VM

  2. Go to Applications and launch Firefox

  3. In Firefox, browse to

  4. As you can see, this application runs on demand and is not up

  5. Go to Applications and launch Terminal

  6. In Terminal, browse to the location of the Juice Shop (e.g. Downloads/js624)

  7. Now we need to start up the Juice Shop, in Terminal type in, "npm start"

  8. Go back to Firefox and refresh the page

  9. Now that the Juice Shop is up, let's create an account. Click "Login".

  10. On the login page, click "Not yet a customer?"

  11. Fill in the details for a user account and click "Register". You can have Firefox remember your login details.

  12. Log into Juice Shop with your newly created account

  13. Now that we're logged in, we have more options at the top. Let's get the score board and see our list of challenges. Normally you would find this by looking at the source code of the main page, or any number of methods to find this page.

  14. In Firefox, browse to

  15. We can see we have solved a challenge!

  16. You can see the list of challenges and there are 9 one-star challenges, only 8 to go! If you scroll down, you'll see there aren't any more challenges!

  17. At the top, click the blue buttons to make the rest of them darker. That'll reveal the rest of the challenges in this build.

  18. If we scroll to the bottom with the 5-start challenges, we can see what we came for, the RCE Tier 1 challenge. This is a deserialization attack, but without clicking "unsolved" to get hints, let's walk through the app and see how this all works.

  19. Scroll to the top and click on the OWASP Juice Shop logo

  20. Click on the cart sign for "Apple Juice" to add this to our cart

  21. Click "Your basket" at the top

  22. Click the "x" for the solved notification message and then click "Checkout"

  23. All done! No, not really

  24. Click the back button in Firefox to return to the Juice Shop

Well, now we're going to have to get to work and bust out some tools to help us. We can use the Firefox (ideally Chrome) Developer Tools to help us solve some challenges, but we're going to need a bigger boat.

  1. Open a new tab in Firefox

  2. Browse to

  3. Click "Linux" and choose "x64"

  4. Click "Save file" and click "Ok"

  5. Open a new tab in Firefox

  6. Browse to

  7. Scroll down and click "Download ZAP"

  8. In the wiki Downloads page, scroll down a little and click "Download now" for the "Linux Installer" option

  9. Click "Save file" and click "Ok"

  10. Go to your Downloads folder to see the ZAP and Postman downloads

  11. Right click on "Postman..." and click "Open with Archive Manager"

  12. Click "Extract"

  13. Click "Extract"

  14. Click "Close" when the extraction finishes

  15. Close Archive Manager

  16. Move the tar.gz of Postman into the Postman folder

  17. Open a new Terminal application (since our first one is running Juice Shop)

  18. In Terminal, type in, "cd Downloads" and press Enter

  19. Let's see our contents; In Terminal, type in "ls -l" and press Enter

  20. We don't have execute permissions to run the ZAP installer. Let's give ourselves permissions.

  21. In Terminal, type in "chmod 577"

  22. In Terminal, type in "ls -l"

  23. Let's run the ZAP installer; In Terminal, type in "./"

  24. We get an error when we run it as our user account saying that we need to be root. In Terminal, type in "sudo ./" and enter root's password

  25. Click "Next" in the installer

  26. Review, accept the license, and click "Next"

  27. Let's go "Custom" to see what options we have and click "Next"

  28. Leave the path as default and click "Next"

  29. Leave the symlinks path as default and click "Next"

  30. Desktop icons are fun, click "Next"

  31. I checked the option for "Automatically download new ZAP releases" and left everything else checked. Click "Next"

  32. Install!

  33. Click "Finish"

  34. Go back to the second Terminal window that is in our Downloads directory

  35. "cd" into the "Postman" directory

  36. If we do "ls -l" in the Postman directory, we can see the Postman binary. Let's launch it.

  37. In Terminal, type in, "./Postman"

  38. PC Load Letter?

  39. Let's find out what can provide this missing shared object. In Terminal, type in "yum whatprovides".

  40. We can see that libXScrnSaver will provide this shared object. In Terminal, type in "yum install libXScrnSaver". NOPE. In Terminal, type in, "sudo yum install libXScrnSaver".

  41. Go through the prompts of the install

  42. Let's try this again, in Terminal, type in, "./Postman" and press Enter

  43. Yay! Postman works!

  44. To go further, you can sign in with a Postman account if you have one, sign up for one, or just skip this step for now. I'm going to skip this for now.

  45. You can choose to keep this helpful window on each launch; Go ahead and click the "x" in the upper right hand corner.

  46. Postman works, you can close this for now

  47. Go to Applications > Other and you should see "OWASP ZAP" in here

  48. Click on "OWASP ZAP" to launch it

  49. ZAP will load up and give you options of how you want to persist your sessions. Since this was just a test run to make sure the app runs, choose "No" and click "Start"

  50. Close ZAP

That's all I have planned for this post! The next post will actually do something! :)