If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we've also ushered in a new year and in celebration SensePost is releasing source code for our in-house web proxy, Suru, under a BSD-style license.
When released in 2006, Suru introduced a number of unique features to the world of inline proxies including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements include timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own. Since then, most of these features have been incorporated into more full-featured commercial proxies, negating the need for Suru.
Internally, Suru use has dwindled and at this point the code is in maintenance-only mode. As such, it's being released to the world along with the rider that the software is end-of-life and unsupported.
Source code is available off the Suru webpage. Code will compile cleanly on VS 2005 though you'll need to add your own certificate in order to get SSL intercepts working.
Have a great year.
H said that there is a tool that will do the HTTP Mangler functionality out of the box.
So here goes. WebScarab-NG is the tool that will do the trick. First we select the feature that allows us to set up the proxy listener, as seen in the image below.

Then we need to configure the proxy listener with the ports etc. we need, as seen below.

And pretty instantly we have the HTTP Mangler functionality. Apparently this is going to become a feature of SURU as well!
So - here's the scenario.
Lohan is busy testing an application which uses remote web-services on a server called (example) www.target.com, but the program bypasses all proxy servers etc, making it impossible to trap and mangle requests.
So, we do the following:
1 - We make a note of the IP address of www.target.com (in this case, we'll assume it is 196.310.150.126)
2 - Add a host entry in hosts, mapping www.target.com to 127.0.0.1
3 - Fire up a quick C# app written by yours truly which listens on 127.0.0.1:80
4 - Fire up a proxy server
5 - Configure the C# app to use proxy server 127.0.0.1:port of proxy
Now, the C# app does the following:
1 - Intercepts the HTTP request addressed to www.target.com
2 - Mangles the HTTP request to convert it into a proxied request (i.e. the request "GET / HTTP/1.0" now becomes "GET http://196.31.150.216/ HTTP/1.0")
3 - Writes the request to the proxy server
4 - Writes the response back to the application
So, we're now able to intercept, fuzz, mangle etc all the requests and responses between the application and the web service. Not really rocket science, but rather handy...
The screenshot shows something similar, but using a web browser in place of the application here. I am using paros in this example because I am still doing large chunks of work on Suru...
/ian
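The request-line rewrite from step 2 of the post above, as an added Python example (not the C# app from the post, whose source is not shown). The function name to_proxy_request, the sample request and the address 192.0.2.10 are assumptions made for illustration.

```python
# Added example: origin-form -> absolute-form rewrite for a proxy hop.
SAMPLE = (                      # constructed request, not captured traffic
    b"POST /service.asmx HTTP/1.0\r\n"
    b"Host: www.target.com\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
UPSTREAM = "192.0.2.10"         # constructed documentation address


def to_proxy_request(raw: bytes, upstream: str) -> bytes:
    """Return raw with its request line rewritten to point at upstream.

    upstream is the real server's host[:port]. The hosts file now maps the
    original name to 127.0.0.1, so the name cannot be used in the URI.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.lower().startswith((b"http://", b"https://")):
        pass  # already absolute-form: the client is proxy-aware, leave it
    elif target.startswith(b"/"):
        target = b"http://" + upstream.encode("ascii") + target
    else:
        # authority-form (CONNECT) and asterisk-form (OPTIONS *) not handled
        raise ValueError("unsupported request-target form")
    lines[0] = b" ".join((method, target, version))
    # Headers and body are passed through byte-for-byte.
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print(to_proxy_request(SAMPLE, UPSTREAM).decode("ascii"))
```

Only the request line changes, so the Host header still names www.target.com; a proxy that follows RFC 7230 section 5.4 will replace Host with the host taken from the absolute URI, which matters when the server relies on name-based virtual hosts.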
A long time ago I blogged on the joys of using VBS to automate bruteforcing [1|2] when one didn't want to mess about duplicating an application's functionality at the protocol level.. Yesterday I had need to brute-force a web application which tried hard to be difficult and annoying..
Normally I would have used crowbar, Suru or an ugly mangled Python script, but the application was strangely difficult..
i.e. the login process is multi-staged, with new cookies being handed out at various stages. 302 redirects are used heavily and then to top it off a healthy dose of JavaScript is sent back in replies that also affect your navigation.. Now all of this can be scripted (obviously) but I figured I would try automating Safari with AppleScript to get the same effect..
Co-opting the browser means I don't have to worry about redirects and JavaScript and (other stuff I didn't want to be messing with on New Year's Day).. and so..
So this script effectively fires up Safari and iterates through my list of usernames. It then uses JavaScript to fill in the parts of the forms I need to fill in (only a few samples left in this example) and clicks submit when needed.. It uses username+123 as a password. Once it jumps through all the hoops it needs to, it screenshots the result and saves it in ~/captures/XXXX.png (where XXXX is the username being tested). This was quick and dirty; if I had more time I would have chosen to read the results and only screenshot results that didn't match "your credentials are invalid".. ahh.. for another day..
*** a word of warning.. AppleScript is described as "an English-like language used to create script files that control the actions of the computer and the applications that run on it." This English-like-ness makes it extremely obtuse at times..
In a subsequent version of the brute force, I wished to use the username from my list, and the user's first name as his password. Now this is an obvious call for a hash/dictionary/associative array.. The sparse documentation that I was able to find on AppleScript records did not appear to help me a jot (but this could just be poor Google skills).
Instead I opted for saving the username and password as a ":" delimited string. I then split the string at runtime and submit as before.. ugly, but effective..
It's not perfect, but it's neat and a nice tool to keep in your arsenal..
/mh
We are pleased to announce the release of Suru version 2.0, our MITM proxy.
Suru has now been rewritten to work with the .Net 2 runtime environment and includes all the features of the original 1.x stream, as well as a number of enhancements and upgrades.
Features which have been added since the last 1.1 stable release include the following:
Please visit http://www.sensepost.com/research/suru for more information.