Time Hacking: Pause, Analyze, Exploit
This article discusses the importance of time in penetration testing and shows how a tool such as Burp Suite can pause and modify web traffic to find security weaknesses. It also covers session timeouts and their effect on testing, and recommends a browser extension such as Tab Reloader to keep the session alive and work more efficiently. 2025-1-9 14:46:33 Author: redsiege.com

By Stuart Rorer, Security Consultant

Conflicts of Time

“Time is of the essence” is an idiom of immense truth. Time is one of our most valuable commodities, and it often feels as if the hands of the clock have wrapped themselves around every aspect of our lives. It should come as no surprise, then, that time is also one of the most important parts of a penetration test. On the surface, the first thing that may come to mind is the timing of the test itself. While that is certainly one of the most important decisions when planning a penetration test, there are other areas where time, or rather the ability to mess with time, can be very effective.

Freezing Time

There are many times that I have personally wanted to freeze time. I’d love to freeze time for a few hours for more sleep, again to extend a day to get more done, and especially after a late night eating binge so I don’t have to worry about the wonderful increase on the scale the next morning. Thankfully, when it comes to penetration testing, we can do something that feels like stopping time!

Proxy Intercepts

Every now and then I’ll come across a developer who has no idea that there are tools available which allow anyone to pause, inspect, and modify the traffic going between a client and a server over HTTP(S). These tools are called intercepting proxies. While there are many out there, both paid and open source, I have long been a fan of PortSwigger’s Burp Suite (Burp).

With a tool like Burp, we point the browser at Burp’s proxy listener so that every request the browser sends, and every response the server returns, passes through Burp, where it can be held, inspected, and edited before being forwarded. The examples below show a brief demonstration of configuring the browser and proxy intercept together. First, we need to set up Burp to create an HTTP proxy listener on port 8080 (first image below), then we need to configure the browser (in this case, Firefox) to use the same host and port as its HTTP proxy (second image below). To intercept HTTPS traffic cleanly, Burp’s CA certificate also needs to be imported into the browser’s trust store; otherwise every HTTPS site will raise a certificate warning.

Configuring Burp Proxy

Configuring the Browser

By intercepting the traffic, we can pause that moment in time and observe the exact information we are sending to the target web server. As a tester this is important, as this is one of the primary avenues through which we can manipulate values and test the application for potential security issues. By changing the information in transit, we can bypass client-side filtering or sanitization done in the browser with HTML form attributes or JavaScript: anything enforced only in the browser is a convenience for the user, not a security control, and the server has to validate every value again on its own.

Intercepting Traffic
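To make the point concrete, here is an added example (not code from the original post or from Red Siege) that models the round trip in plain JavaScript: the browser-side check that runs before a form submits, the request as a tester would rewrite it in Burp’s Intercept tab, and two versions of the server handler. The endpoint, field names, unit price and quantity limit are hypothetical.

```javascript
// Added example: client-side validation versus a request edited in an
// intercepting proxy. Names, limits and prices below are hypothetical.
const PRICE_CENTS = 999;   // hypothetical unit price
const MAX_QTY = 10;        // hypothetical per-order limit

// What the browser runs before letting the form submit. A tester never has to
// satisfy this check: the request can be rewritten in Burp after it passes.
function clientValidate(form) {
  const errors = [];
  if (!/^\d{1,2}$/.test(form.qty) || Number(form.qty) < 1 || Number(form.qty) > MAX_QTY) {
    errors.push('qty must be 1-' + MAX_QTY);
  }
  if (/[<>"']/.test(form.note)) errors.push('note contains forbidden characters');
  return errors;
}

// The browser's submit handler: refuses to send bad input, otherwise serialises
// the form and adds a "validated" marker, as some applications do.
function browserSubmit(form) {
  const errors = clientValidate(form);
  if (errors.length) return { sent: false, errors };
  return { sent: true, body: JSON.stringify({ qty: form.qty, note: form.note, validated: true }) };
}

// Stands in for editing the request body in Burp's Intercept tab and clicking
// Forward: the server receives whatever is in the modified request.
function tamperInProxy(request, changes) {
  const data = JSON.parse(request.body);
  return { ...request, body: JSON.stringify({ ...data, ...changes }) };
}

// Vulnerable handler: assumes the browser's check ran, trusts the marker and
// uses the fields exactly as received.
function vulnerableServer(request) {
  const data = JSON.parse(request.body);
  if (data.validated !== true) return { status: 400, error: 'form not validated' };
  return { status: 200, qty: data.qty, note: data.note, totalCents: data.qty * PRICE_CENTS };
}

// Accepts only a small positive integer, whether it arrives as a string (a
// normal form field) or as a number (a hand-edited JSON body).
function parseQty(v) {
  if (typeof v === 'string' && /^\d{1,3}$/.test(v)) v = Number(v);
  if (!Number.isInteger(v) || v < 1 || v > MAX_QTY) return null;
  return v;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Hardened handler: ignores any client-supplied "validated" marker, re-derives
// every value from the raw request and encodes free text before rendering it.
function hardenedServer(request) {
  const data = JSON.parse(request.body);
  const qty = parseQty(data.qty);
  if (qty === null) return { status: 400, error: 'invalid qty' };
  const note = typeof data.note === 'string' ? data.note.slice(0, 200) : '';
  return { status: 200, qty, note: escapeHtml(note), totalCents: qty * PRICE_CENTS };
}

// Walks through the scenario: an honest submission, a submission the browser
// blocks, and one that passed the browser check but was rewritten in the proxy.
function demo() {
  const honest = browserSubmit({ qty: '3', note: 'leave at door' });
  const blocked = browserSubmit({ qty: '-5', note: '<script>alert(1)</script>' });
  const tampered = tamperInProxy(honest, { qty: -5, note: '<script>alert(1)</script>' });
  return {
    blockedByBrowser: !blocked.sent,
    vulnerable: vulnerableServer(tampered),   // status 200, negative total, raw script tag
    hardened: hardenedServer(tampered),       // status 400
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the vulnerable handler accept a negative quantity and a script tag it never expected, while the hardened handler rejects the quantity outright and encodes the note. The only difference between the two handlers is that the second re-derives every value from the raw request instead of trusting what the browser was supposed to have done, which is exactly what an intercepting proxy lets a tester undo.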

Session Woes

For the longest time, most web application developers rarely enforced session timeouts. One of the tests I perform, for example, is to log in to the application and leave the session idle for a few hours to see if it remains logged in. If so, I then do that test again and leave it logged in overnight to see if there is any session timeout at all. Often, I would find that the application would stay logged in indefinitely. However, over the years, many developers have become more aware of attacks that take advantage of long, or non-existent, session timeouts: a stolen, leaked, or unattended session token stays usable for as long as the session does.

With this mindset, session timeouts are often enforced, and sometimes within just a few minutes. Countless times I would be in the middle of testing something, go to the kitchen and come back to a login screen. When dealing with large web applications, it meant I had to find that little niche area I was testing again, just adding to my frustration.

Reload Extensions

The quickest way I found to resolve this was to add a browser extension that reloads the page every so many minutes. Each reload re-sends the session cookie, which resets the server’s idle timer and keeps the session alive, so trips to the kitchen were no longer cause for concern except for my waistline.

There are many extensions out there that do this, and which one you pick depends on the browser you are testing with. My main advice is to vet the extension before installing it: anything that can reload tabs and run JavaScript on every reload has full access to the authenticated sessions you are testing, so make sure it is not malicious. For Firefox, I currently use Tab Reloader. The image below shows a quick example of configuring the tab to reload. As you can see, there are many additional options, including running specified JavaScript on the reload. Set the reload interval comfortably shorter than the application’s idle timeout, since a reload that arrives after the idle timer has already fired just lands on the login page.

Tab Reloader Options

Conclusion

While we can’t actually stop time, it’s nice to know we have tools in our arsenal that can help us test more efficiently and overcome obstacles in our path; and until we can, we have to just make the best out of the time we have. After all, “time waits for no man!”


About Stuart Rorer, Security Consultant

Stuart has worked in the IT industry for more than twenty years and in cyber security for the past twelve. In the past he has held jobs in the education, government, and private sectors, and for the last few years has specialized in web application penetration testing. Stuart has performed testing for clients in all sectors, many of them in the Fortune 500. He enjoys spending time on research and exploring new penetration testing tactics and techniques.

Certifications:

CPT, ECPPT, ECSA, CEH, SEC+



Source: https://redsiege.com/blog/2025/01/time-hacking-pause-analyze-exploit/