Ochaun Marshall: Samurai Web Training Framework 5.0

[Music]

[Music] hello um welcome to my session on samurai wtf i promise you it stands for web training or web testing framework a little bit about me and who i am and what do i do my name is oh sean marshall i code i teach i hack i'm a full-time developer full-time offensive security consultant and when i'm not doing either of those things i'm teaching you how to take over the world so i whether it's through blogs whether it's through videos whether it's through rants and memes on social media i really in love introducing people to sort of the professionally evil mindset the tagline of my company not my company as i own it company i

work for let's be clear um and the professionally evil mindset is being able to adopt the mindset of an attacker to in order to better assess security so here i'm going to be inviting you into that same mind state chances are if you're attending an event like b-sides i'm preaching to the choir here but one thing as security practitioners we need is to not waste so much time cramming into the last minute trying to get this demo to work and samurai wtf is intended to help not just new people in security but also industry veterans as well all right so here are the questions that we're going to answer today in the agenda what is samurai wtf

why not just use cali bro um is what i get there's another question i get a lot when i tell people it is a utility security vm uh next we'll do a deep dive into what's under the hood uh base looking at the what's in the repo and how it's structured and finally since this is an open source project and it lives and thrives by the people we can share i'll share with you how you can get involved and how you can contribute out of the way so what is samurai wtf what is a samurai but a warrior and his blade samurai wtf is a utility vm for application security training so this is an oauth project that's been in

development since way back in 2008 in in 2016 one of my coworkers mick rewrote the thing from scratch using vagrant and now it is been augmented through docker ansible packer to automatically provision hope to automatically provision tools and hosts and um for and make sure that this utility vm is ready for class on day one so that's samurai as a whole now katana is a special unique samurai focus project it is a light package manager and it what its intention is is how many times as instructors or as as people as people just trying to work on ctfs and labs and doing self-study elsewhere how many times were you sunk hours upon hours of just

trying to get the thing to work and katana is really focused in on trying to simplify the process of spinning up installing starting and uninstalling hosts and so there's a web app that's just point and click simple to use and there's the cli tool that gives you uh knitting the nitty gritty and deep dive into logs and we'll demonstrate katana in a sec but then another question that i get so often is why not just use cali bro um and here's the thing about kali linux and i'm not i'm not downing county linux when i say this but it doesn't quite fit where we need to be like and let me be uh perfectly clear

kalia linux is the burning finger of information security vms it is the getsuga 10 show it is the rasingan and kagebushinojutsu it is exodia it is pikachu it is the kamehameha wave it is a really good tool it is a really good tool set that should be in every practitioner's pocket like you sh if you're not using cali when you're on things like a network pen test especially you're kind of putting yourself at a disadvantage and it has a whole bunch of tools that are really useful for network penetration testing and some tools that more focus on the appsec side and those are wonderful except what are you going to aim it at and that's that's the problem here when

you've got when you've got like metal gear nuclear warheads this huge tool that you can use to attack something it's kind of overkill when you don't have a target to aim at and sure there are websites designed to be vulnerable designed to be poked at and prodded at like hack the box and other things but usually for those sorts of sites you don't need cali in order to use it what we need is what someone is doing self-study or what someone needs when teaching a class what we need is a place where you've got the tooling that you need and nothing more else and targets automatically provision and that is what samurai wtf it's the place where the

pupil and the practitioner come together with the right tools and targets for the job and teach web application and api penetration testing and this and so here are some labs for samurai samurai wtf now these are exclusive labs they're built into the vm and they're they're built into katana which is also automatically installed into the vm when you provision it there's our space and that is normally used for our pecsec class and that is con that is cloud security cloud and container security then we've got musashi where we'll spend most of our time here today and that's just demo tools to explain the more difficult nuance types of things for application security whether it's a csp

how exactly does a csp block cross-site scripting payloads and cores as well as jw as well as a jwt lab and then there's also wayfarer which is another vulnerable app that has a react front end with just node and express very common now and it has an oauth identity intentionally vulnerable oauth identity problem and i've been talking for about a good 10 minutes so now we just need to just hop in and do a demo so here's here is um samurai wtf and of course i've got my virtual box i've downloaded the ova it's at tiny si samurai and you can download the ova and you can run this on this as well so when you start katana

you will get that and go to katana.wtf you will get this page and this is in this web app and here you've got your targets first and then your tools at the bottom now i and the people i work with we are like a burp sweep shop but this is an awas project and we're need things that are open source as well so you can if you want to install zap or any of these other or any of these other tools and then get that and then get that running

and when things fail as things often do you can also use the seal you can also use the cli tool so katana list and this shows you all of the this shows you all of the targets and the tools that we use here so katana

and

yep

and with along with the tooling you can also use set you can also use samurai wtf to install other others like dvwa and once you've started a project and once you've installed a project the spinning up the container make sure that making sure that you can route to it all of that is done through nginx anyway locally on the machine so you can just hit hit start and you can open things like for example dojo bass for example dojo basic and here start and i know and i wait only a few seconds because sometimes when you start it the route hasn't provisioned yet so i've done enough of a delay and see you've got other

targets available such as dvwa and you can just create the database log in and i'll give you a hint the login pat what one login credentials for dvw day is admin password and so this is sort of like demoception if you get what i mean we're demoing we're i'm doing a demo of things that i would normally demo during uh normally demo during um application security class so things like uh stored or reflected cross-site scripting who in one easy way to test one easy way to test um

this vector in shot and one easy to way to test and i'm thinking that this was set into a different mode yep because it's got object inco it's got object and coding in to it yeah so in addition oh there's another demo there's another tool that i wanted to show you real quick so musashi and this is and we'll start over with the and we'll start with the would you start musashi and note that like all of the urls are pretty easy um when you highlight and hover the link it's like dojo basic that dojo dash basic wtf course dojo.wtf dvwa so on and so forth and so there's cores and then there's also the csp

now csp i'm sorry dojo that wtf and so here we're going and i'm going to go ahead and check the cfp right here oh it's not set which is good which is what we want here we're introducing and normally for a full-on course we go on what a csp is a content security policy is generally intended as a document to prevent um to limit what sources or what um sources are allowed within your application so whether for the script source tag it specifies whether all what javascript where the javascript is supposed to come from as well as there's a styles tag and directive tag but if you have a web application that does not have a

content security policy set you can just get quick and easy reflected across that scripting payload and also dom base and i'm going to demonstrate something to you that i guarantee it's not going to work alert to and this is mostly because again this is dom based x success and there's a paid and the payload's supposed to be yeah payload's supposed to be here so i can just inspect f12 whoa not not quite i just need the devtools inspect elements and it's hearted there's not much to see because like script alert whatever is not to be seen and the reason why again this is just if you're just trying script tags when you're looking for cross-site scripting

it's not going to work because again dom based you need something that will render in the dom and this is an oauth project so oaus cheat sheet you can use an image tag instead source to something that you know is going and as no was going to fail like root directory and on error set that equal to

thinking the quotes are necessary i just like doing that just in case we could try and we can try it either way and there we go and the payload executes because it's of course broken image so when you're going and when you're going through a class and you're teaching i'm sort of meta now this is going anyway when you're teaching in class you can demonstrate these things using csp now once you set actually set the csp so for example contact directive self and then hit submit now when we go back to home this isn't just not going to work and it's not going to work because the content security policy is blocking it now default um

default src you now with a concept security policy like this i really doubt will be any sort of anything that's functional remotely into the in the world so usually when constructing a csb cfp you allow self and then you would say what other third party are you domain that you're using for this so or sub domain so like api dot example dot com that sort of thing and so you can set the so you can set the csp so you can set the csp you can run it and there are also some demo some additional demo exercises in the csp csp dojo now back to the court now back to the course demonstrator so and i'm wondering should i should i run

through the install of burp for this or is this fine just to use the the dev tools because

burp is here and oh no that is way too tiny yep uh yep that is way too tiny and they do not allow resize windows that's fine but you know that you can install you can install tools through katana and run them so we can it's fine we can do that through all there's some parts of this demo that aren't so we'll hop in and set that up as we're going along so for logging in test test of course this is normal it doesn't matter what credentials you set it will respond with a 200 and it will set the login cookie for the credentials and this is the default is no cores or same origin and

to just briefly touch on cores because normally you spend 45 minutes to an hour discussing this with developers and like a two days class but the quick rundown of of cross uh of course is it's a policy that allows you to it'll policy allows you to loosen the same origin poly same origin policy that is by default because normally you're not supposed to be able to issue requests from one domain to another core's kind of just loosens that up just a little bit so that you can do things like have an api hosted at a different sub domain or and then have your website on another subdomain

so when you get list get list items and that does not work you get no you get no response and that is because same origin policy same origin policy is in place and there's no course present at all now if you loosen this up to be reflected now when you send the request release list items you can get it you you get it it runs through the network just fine the problem here

and will the dev tools yeah will the dev i'm usually used to using burp and so using the dev tools i think kind of makes it all easier and kind of just slims down it sums it down so usually you could take the if you have reflected origin you can use evil site dot com and then issue random request and issue requests using reflected cores and then send is there now where is that send button yep and that is and that is successful even though origin yeah even though it's evil site.com that's not you're not supposed to be able to do that cross origin like that because imagine if for example you're logged into wells

fargo on on one tab and then imagine if you're logging in wells fargo or any other banking institution on one tab and then other sites can just send arbitrary requests to it to using a different or forwarding your credentials in another tab and so that's issue and that's one security issue of course so you're not supposed to just reflect the origin whatever origin is passed in the final thing is like reg regex and so this specific use case covers when you use like you allow certain sub all the sub domains of a given i p so like api.example.com or blog.example.com so on and so forth and so you widen that permission and you use regex

but you don't anchor the tag correctly so sometimes you you'll find in during tests is that you can do cross origin requests if you're just doing if you host something malicious that happens to be on those lists of approved subdomains or if they don't anchor the tap if they don't anchor the regex at the end so like for example instead of example.com example.community which is also a top level domain with com as the first three characters i've seen that in pen test as well so we hop back over to the presentation

and this is what's under the hood sam uh here you've got samurai wcf is been rebuilt using vagrant so when that vagrant so when you clone the repo you can use main or if you want to be at the cutting bleeding edge use next get clone use that then you clone and then you just do vagrant up if you're not familiar with vagrant vagrant is just open source hashicorp product used for provisioning vms and so when you do vagrant up all you do is just spin up and deploy the vm the provisioners will run for a while so just let that not let that provisioner script run before you sort of mess with it and then continue on

and then pack and then you use packer within the vm to packer to sort of pull down the base box and set that and do those sorts of configurations i should say so katana we know is this is the light utility cli package manager it's got rspace musashi wayfarer it's also got tools and also third party open source targets like dvwa and so most of the key repositories are bundled into the samurai wtf organization and so i'm not forget the slide we we just got to hop into the cone we just got to hop into the code so samurai wtf is the main repo um there's a deprecated sourceforge download don't do that you can get

you can contact us with slack and make issues but what i wanted to focus in on is the vagrant file and that's sort of where the magic happens with vagrant up and so the first part of it and you can configure and when you clone the repo you can change these configurations just like you do in the ui for a virtual box and so set the number cpus set um the graphics card as well as so set number cpu set the graphics controller and part of that provisioning process is in the provision.sh and so it pulls in the base box does these configurations and then goes into provision shell script and the first part of this honestly

all of this is probably for thematic for themes and background in the ui just because you have to have that awesome samurai picture in the back but after that you get into the real stuff um some of the new things that we're trying to do is make sure that all the dev all of the targets have ssl enabled so that's why we're doing make cert and so but the bottom part is actually the installing the katana launcher and so part of the provisioning process is okay let me just auto install katana for you and now we hop into the katana repo and so most of this you will not have to deal with or mess with

um if you want if you want a deep dive we use a lot of pip so there's a requirements.txt um to sort of hint and we use a lot of python for this the most if your chances are if you're trying to add features to samurai and features by features meaning hey there's this brand new appsec tool that you gotta know that i've been using or i wrote and i just really wanted to be in samurai that you put it into modules and so under tar under tools you see you've got burp suite yaml and you've got burp suite zap sql map and so on and so on for the tools and for the targets

it's the same thing dvwa musashi and musashi and the others when you hop into a module and this is the same commands that i was running like katana install or katana or cantana remove or katana start katana stop all of these are just simple modules written in yaml so we specify what repo that this will go out to get to where it's hosted this destination its destination on the operating system and then we also pre do some nginx configurations so for example this the cores demo is on localhost 3000 to 3021 you can travel that you can do localhost and that's what we normally did but trying to remember which ports is awful so what would be easier is just using uh

a dot wtf domain that's routable and so that's what these configurations are for and so different actions so like remove which file what services need to be stopped and what files need to be removed in that sort in that case so that is katana and if you and since we're already in here you need to understand that katana as well is also is also a katana module so it's looping within itself and so it sets up nginx configurations and it has its own modules like removing katana removing katana updating katana katana tact update will usually get the latest from maine and pull that and pull that in and of course under the repo targets that we make in-house or samurai

wtf those have their own repository like musashi

so now that you know everything about samurai and where to go and all of that we go into how to contribute and this is really important number one thing is use it whether it's come whether it's going into the repo cloning it and using vagrant up or just going to tiny si samurai and just downloading the ova that is we just want to make sure that this is open source for a reason it is available to for everyone to use and we especially at security is we especially want you to use it as as a competitor because we are practitioners in the information security field as well so if we go to the conference and we see samurai wtf

that the speakers you that are speakers using samurai

the good thing is bug fixes and features so if you for open source lives and breathes by people so whether it's adding a new vulnerable web app as a target to host locally or just new application security testing tools just add a module one of these modules is for postman that's not a security tool but we use it for api testing all the time and next is just to spread the message talk about as just talk about samurai wtf hashtag samurai of utf on social media or whatever i'll throw in links at the end i'll throw in little links later on and so we can go into how to harass me and find me on social

media but yeah spread the message if you only do one and three that will make that will help this project along and so went through things went through things really fast samurai wtf find us on github on all of the repo's both the slack channels and for me personally just go to my link tree you'll find me on pretty much everything you want to follow now i've been keeping an eye on the chat um any question any questions things to throw at me through things to throw at me virtually

no we're good

let's see got a few people all compliments all good

um nothing else so matt elliott asks um let's say i go full bore install is there a limit to what you can install at one time no not really and you can see that sometimes when i have to when i have to use the cli i'm just running things provisioning things so there's no real limit on what you can so to answer your question matt there's no real limit on how many tools you can run you can get bored with one target move on to the next and so on and so forth and the cli and you can see the cli is a huge benefit is because it sort of streamlines the logs i'm can tell you

how many times i've been a part of a class or a demo and you can't and actually conducted demos and you've had to you know troubleshoot a little bit you know uh rut try to remember like oh what was that command and so on and so forth this sort of streamlines it so if something breaks you know exactly where to go but generally it streamlines it so you wouldn't have to dig in

and yeah um you're welcome stefan

i don't have this running in my lab be surprised yeah thank you yeah thanks so well thanks timothy i don't know i don't know if that's all right and thanks again cody for coming over so if there are no other questions i'm going to be here for the conference i'm also in the slack channel and also not slack discord channel i'm oshan probably the only ocean in the world but i'm ocean 2723 so you can find me on the discord you can find me in slack and i'll be hanging around besides it's keller airy for a while