Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces down to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameters guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded in to a very inconsequential looking string? Do you enumerate all possible avenues for stored XSS in an application? A lot of times checks are missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user for some cases and with specific application specific input for some other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.

1. HAWAS – Hybrid Analyzer for
Web Application Security
Lavakumar Kuppan
lava@ironwasp.org
https://twitter.com/lavakumark
https://ironwasp.org

2. About
Penetration Tester
5+ years of experience
Security Researcher
Flash 0-day
WAF bypass 0-day using HPP
Multiple HTML5 based attack techniques
5th best Web Application Hacking Technique of 2010
Attack and Defense Labs – http://andlabs.org
HTML5 Security Resources Repository – http://html5security.org

3. About
Developer
IronWASP (C# + Python + Ruby)
Ravan (PHP + JavaScript)
JS-Recon (JavaScript)
Shell of the Future (C# + JavaScript)
Imposter (C# + JavaScript)
Speaker
BlackHat
OWASP AppSec Asia
NullCon
SecurityByte
ClubHack

4. Automated Tools exist for finding:
SQL Injection
Cross-site Scripting
Command Injection
Code Injection
etc
4

5. But there is a lot more to Pentesting
CSRF checks
Access-control violations
Hidden Parameter Guessing
and
Identifying and testing for site-specific
custom attack vectors
5

6. HAWAS helps with the automation of the
second type of issues
6

7. What is HAWAS?
HAWAS is an open source tool that analyzes
HTTP logs and:
Lists out all Parameter names and values
Identifies encoded values and decodes them
Identifies hashed values and tries to crack them
Identifies potential Stored XSS candidates
Helps with automation of Hidden parameter
guessing, CSRF testing, Access-control checks and
more
7

8. Listing Parameter names
All Query, Body, Cookie, Header, Set-Cookie
parameters are listed for analysis.
Eg:
lang
user
pwd
id
…
…
logged_in
is_admin
…
…
Notice anything interesting? This can be probed
further manually 8

9. Listing Parameter values
All Query, Body, Cookie, Header, Set-Cookie parameter values
are listed for analysis.
Eg:
en
true
23944
…
…
Fy2010_11_report.pdf
Fy2011_12_report.pdf
…
…
http://partner.site/data.php
…
SELECT id FROM Users
9

10. Parameter Values say a lot
Fy2010_11_report.pdf – possible LFI vulnerability
http://partner.site/data.php - possible RFI / Open
Redirect vulnerability
SELECT id FROM Users – SQL queries created on the
client-side and executed on the server-side !!!
Ironically automated scanners might not detect this
type of SQL Injection!
10

11. Identifying Encoded values and
decoding them
HAWAS identifies base64 and hex encoded values
from the list of parameter values and decodes them
It tries to decode every single parameter value by
base64 and hex decoding.
If the result is a proper ascii string then it flags it as
an encoded value
11

12. Why this is important?
Do you see anything interesting in the strings below:
asdljz2398sdsdsdsdkss
z23sds9sd9a;sdk=awe
bgf2yto6c2vjcmv0mtiz
646973636f756e743a323125
2238019jadja8498434dfdf
Lsjflosow2384fkshfl
12

13. How about now?
asDljz2398sdYDKus3lns
z23sdE9sd9Asdk=awe
bGF2YTo6c2VjcmV0MTIz –Base64 Decode-
> lava::secret123
646973636f756e743a323125 –Hex
Decode-> discount:21%
2238019jadja8498434dfdf
lsjflosow2384fkshfl
13

14. Identifying Hashes and cracking them
All parameter values are checked to see if
they look similar to MD5, SHA1, SHA256,
SHA384 or SHA512 hashes.
If any matches are found then the hashes
are cracked using the entire list of parameter
values are dictionary
Both cracked and uncracked hashed
parameter values displayed to user
14

15. Stored XSS candidates identification
Analyzes all responses for reflection of any of the
input parameters
If user input is reflected back in other responses
down the line then it is highlighted
Rarity of reflection is given higher priority to reduce
noise in the results
15

16. Interactive Testing
CSRF testing, Hidden parameter guessing and Access-
control checks all follow the same 3 step process
Step 1: Pick a request and corresponding base-line
‘good response’
Step 2: Add or edit any of the parameters in the
request and send the it again
Step 3: Compare this response with the base-line
response
16

17. HAWAS automates this
Ability to select one or more requests from
log for check
User specifies which parameter must be
changed or added to the request
The response for the new request is
compared with the baseline and results
displayed to user
Ability to support logout detection, auto
login, CSRF token updating etc through
Session Plugins 17

18. Thank You!
18