Wednesday, September 30, 2020

Application Security Testing Tools




Any globally public web site will be attacked. There are various types of attacks:

  • DDoS - Distributed Denial of Service
  • Phishing attacks
  • ATO - Account Take Over, e.g. breaking passwords by brute-forcing common passwords
  • SQL Injection
  • and many more...

In this post, I would like to address two other types of attacks: Inventory Denial and Web Scraping.

An Inventory Denial attack depletes the stock by starting purchase processes but never committing the transactions. A well-known example is an airline web site that allows booking flight seats online. Once a seat is selected, it is reserved for the customer for a limited time, e.g. 15 minutes, allowing the payment transaction to be completed. An attacker could use bots to re-reserve the flight's seats every 15 minutes. This would have catastrophic implications for the airline, whose plane would depart empty.
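As an added example (not code from the original post), here is the server-side mitigation a practitioner would want against the scenario above: seat holds that expire after the 15-minute window, plus a cap on how many seats one client may hold at the same time, so a single bot identity cannot re-reserve the whole cabin every 15 minutes. The client identifier (account, session or peer address), the cap of four holds and the six-seat cabin are assumptions of this example; the manual clock exists only so the example runs without waiting.

```python
"""Seat-hold store with expiry and a per-client cap on active holds.

Added example, not from the original post. Holds expire after HOLD_SECONDS
(15 minutes, as in the airline example) and one client may not hold more
than MAX_ACTIVE_HOLDS seats at once. The client id and the cap are assumed.
"""
import time
from dataclasses import dataclass, field
from typing import Callable

HOLD_SECONDS = 15 * 60
MAX_ACTIVE_HOLDS = 4  # assumed policy: seats one client may hold concurrently


class ManualClock:
    """Constructed clock so the scenario (and its test) run without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class SeatInventory:
    seats: set                                   # seats still for sale
    now: Callable[[], float] = time.time         # injectable clock
    holds: dict = field(default_factory=dict)    # seat -> (client, expires_at)

    def _purge_expired(self):
        t = self.now()
        for seat in [s for s, (_, exp) in self.holds.items() if exp <= t]:
            del self.holds[seat]

    def active_holds(self, client):
        self._purge_expired()
        return sum(1 for c, _ in self.holds.values() if c == client)

    def reserve(self, client, seat):
        """Place a timed hold. Returns (ok, reason)."""
        self._purge_expired()
        if seat not in self.seats:
            return False, "no such seat"
        if seat in self.holds:
            return False, "seat already held"
        if self.active_holds(client) >= MAX_ACTIVE_HOLDS:
            return False, "too many active holds for this client"
        self.holds[seat] = (client, self.now() + HOLD_SECONDS)
        return True, "held"

    def commit(self, client, seat):
        """Complete the purchase: only the holder may commit, and only in time."""
        self._purge_expired()
        owner = self.holds.get(seat)
        if owner is None or owner[0] != client:
            return False
        del self.holds[seat]
        self.seats.discard(seat)
        return True

    def available(self):
        self._purge_expired()
        return sorted(self.seats - set(self.holds))


def demo():
    """Walk through the bot scenario with a manual clock; returns the observations."""
    clock = ManualClock()
    inv = SeatInventory(seats={"1A", "1B", "1C", "1D", "1E", "1F"}, now=clock)
    out = {}
    out["first_four"] = [inv.reserve("bot", s)[0] for s in ("1A", "1B", "1C", "1D")]
    out["fifth"] = inv.reserve("bot", "1E")           # cap reached for this client
    out["other_client"] = inv.reserve("alice", "1E")  # cap is per client
    out["available_now"] = inv.available()            # only 1F is left
    clock.advance(HOLD_SECONDS + 1)                   # nobody paid within 15 minutes
    out["available_after_expiry"] = inv.available()   # every hold released
    out["commit_expired"] = inv.commit("alice", "1E") # too late, hold is gone
    out["commit_ok"] = inv.reserve("alice", "1E")[0] and inv.commit("alice", "1E")
    out["available_after_commit"] = inv.available()   # 1E sold, the rest free
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The cap is what defeats the simple bot: without it, expiry alone just forces the bot to come back every 15 minutes, which is exactly the behaviour described above. A real deployment would also key the cap on more than one identifier, since a bot army spreads its holds across many clients.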

A Web Scraping attack scans a site to retrieve valuable information and create an unfair advantage for competitors. For example, if I can find out the price of every item on my competitor's web site, I can tune the prices of the items on my own web site to be just a bit lower.

Both of these attacks share a common attack vector: repeated requests to the web site from one or more web clients. Most protection solutions address this by identifying bot requests. Assuming that the attacker uses a bot army to run many requests, a protection solution that blocks the bots would prevent the attack. A question to raise here is: what if the web clients are not bots, but a cheap human labor army? For now, let's focus on the bots.

Assume that we are using a protection solution to protect our site. How can we check that it is indeed protecting our site? For this we can use several tools:



Burp Suite


The Burp Suite Community Edition allows populating a header with values from a predefined list. This can be used to repeatedly send a request without letting the server side recognise that it is actually the same request.

To change a header, use the Burp Suite Community Edition, and then:
  • Open Burp Suite
  • Click on Proxy, Intercept
  • Change to "intercept is on"
  • Send the request that you want to reshape
  • Select the request in Burp Suite
  • Click on Action, Send to Intruder
  • Change to "intercept is off"
  • Select the value of the header that you want to change, and click the Add § button
  • Set Attack type to Pitchfork
  • Select the Payload tab
  • Choose a file containing a simple list of the values
  • Mark the URL encode characters checkbox
  • Click the Start Attack button


IPFuck


The IPFuck Chrome extension allows simulating multiple client IPs. This tests the protection solution's ability to handle a distributed attack from multiple web clients.

Notice that IPFuck cannot actually change the source IP, as the TCP packets must be valid when sent to the next router. Instead, IPFuck changes the apparent source IP by adding an HTTP header carrying the client source IP, as if it had been added by a proxy in the middle. When using IPFuck, you can select which header you want to use: XFF, client-ip, or via.
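The flip side of that note is the check a protection solution must pass: a forwarding header is only meaningful when the TCP peer is one of your own proxies, and even then only the entry that proxy appended (the right-most one) can be trusted. The following is an added example (not code from the original post or from IPFuck) showing that derivation; the trusted-proxy ranges and the sample requests are constructed for the example, and Client-IP and Via are deliberately ignored because no proxy of ours is assumed to set them.

```python
"""Derive the real client IP when X-Forwarded-For may be attacker-supplied.

Added example, not from the original post. The header is honoured only when
the TCP peer is one of our trusted proxies, and then only the hops appended
by our proxies count; anything further left was sent by the client itself.
"""
import ipaddress

# Assumed: address ranges of the load balancers / reverse proxies we operate.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """remote_addr is the TCP peer; headers is a dict of HTTP request headers."""
    if not is_trusted_proxy(remote_addr):
        # The peer is the client itself: whatever forwarding header it sent
        # (XFF, Client-IP, Via) is under its control and must be ignored.
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk from the right: skip our own proxies, stop at the first foreign hop.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable value: trust nothing further left
        if not is_trusted_proxy(hop):
            return hop
    # Header empty, all ours, or garbage: fall back to the peer we can see.
    return remote_addr


def demo():
    """Constructed requests: the browser is 198.51.100.7, the spoofed value 1.2.3.4."""
    # Case 1: browser connects directly and sends the header the extension adds.
    direct = client_ip("198.51.100.7", {"X-Forwarded-For": "1.2.3.4"})
    # Case 2: same spoofed header, but it arrived via our proxy, which appended the real peer.
    via_proxy = client_ip("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"})
    # Case 3: two of our proxies in a chain, both appended.
    chained = client_ip("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7, 10.0.1.9"})
    # Case 4: right-most entry is not an address at all.
    garbage = client_ip("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, not-an-ip"})
    return {"direct": direct, "via_proxy": via_proxy, "chained": chained, "garbage": garbage}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In all four constructed cases the spoofed 1.2.3.4 never becomes the client address, which is what you want the protection solution to show when you run IPFuck against it: the rate limit or block should still land on the real peer.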


User Agent Switcher


The User Agent Switcher Chrome extension allows simulating various user agents, and hence different browsers. This tests the protection solution's fingerprinting abilities.

Using this extension, you can simulate predefined user agents as well as custom user agents. The simulation is done by setting the "User-Agent" HTTP header.


Scraper.io


The Scraper.io Chrome extension allows sending multiple requests to a site, changing one or more parameters in the request each time and collecting values back from the response. This extension can easily be used for an inventory denial attack.

You can, for example, set the scraper Start URL as:
http://mysite.com/product_info?id=[1-100]

This would send 100 requests to get the info of the first 100 products.
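What the protection suite should see when you run that Start URL, or the Burp Intruder run from the earlier section, is one peer issuing many requests in a short window and, in the Scraper.io case, walking the id parameter in order. As an added example (not code from the original post or from any of the tools), the following detector runs over a constructed access log and flags both patterns. The log format, the thresholds and the sample lines are assumptions of this example; it keys on the TCP peer address, which, as noted above, a header-rewriting extension cannot change.

```python
"""Flag peers that hammer one URL or enumerate product ids from access logs.

Added example, not from the original post. Log format, thresholds and the
sample log are constructed. Keyed on the TCP peer, not on forwarding headers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed log line: "<iso8601 ts> <peer ip> <method> <url>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<peer>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 30   # assumed policy
MIN_SEQUENTIAL_RUN = 10        # ids 1,2,3,... ten in a row looks like [1-100]


def parse_line(line):
    """Return (timestamp, peer, path, product id or None), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    parts = urlsplit(m["url"])
    ids = parse_qs(parts.query).get("id", [])
    pid = int(ids[0]) if ids and ids[0].isdigit() else None
    return ts, m["peer"], parts.path, pid


def analyse(lines):
    """Return {peer: set of reasons} for peers that look automated."""
    recent = defaultdict(deque)   # peer -> request timestamps inside the window
    last_id = {}                  # peer -> (last product id seen, run length)
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, peer, _path, pid = rec
        q = recent[peer]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            flagged[peer].add("rate")
        if pid is not None:
            prev, run = last_id.get(peer, (None, 0))
            run = run + 1 if prev is not None and pid == prev + 1 else 1
            last_id[peer] = (pid, run)
            if run >= MIN_SEQUENTIAL_RUN:
                flagged[peer].add("enumeration")
    return dict(flagged)


def sample_log():
    """Constructed access log: a Scraper.io run, an Intruder run and a normal shopper.

    Lines are grouped by peer; within each peer they are chronological, which is
    all the per-peer window logic needs.
    """
    base = datetime(2020, 9, 30, 10, 0, 0, tzinfo=timezone.utc)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Scraper.io walking product_info?id=[1-100], one request per second.
    for i in range(1, 101):
        lines.append(f"{at(i)} 198.51.100.7 GET /product_info?id={i}")
    # Intruder replaying one checkout request 40 times with a rotated header
    # (the header is not in this log; the peer address is what we key on).
    for i in range(40):
        lines.append(f"{at(5 + i)} 203.0.113.9 POST /checkout?item=42")
    # A normal shopper browsing two products and the cart.
    lines += [
        f"{at(7)} 192.0.2.3 GET /product_info?id=5",
        f"{at(20)} 192.0.2.3 GET /product_info?id=6",
        f"{at(45)} 192.0.2.3 POST /cart",
    ]
    return lines


def demo():
    return analyse(sample_log())


if __name__ == "__main__":
    print(demo())
```

The scraper trips both rules, the Intruder run trips only the rate rule (its requests all carry the same URL), and the shopper trips neither. If your protection suite keys its counters on a spoofable header instead of the peer, the IPFuck test from the earlier section will split these counts across many fake clients and nothing gets flagged; that is exactly the failure these extensions help you find.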


Final Note


The tools listed here enable a simple test of a site without writing any code. They can be used together to perform a basic check of your protection suite.

A more thorough test can be performed by actually purchasing a pool of real IPs and using custom hand-made programs.

