Doing security analysis on Windows 8 Metro Apps with Zed Attack Proxy

This is the first in a series of articles about attacking Windows 8 applications using Zed Attack Proxy, or ZAP. Windows 8 is the new version of the venerable Windows operating system from Microsoft. It has a new Windows programming model that is heavily based in a new API for Windows development, called WinRT. ZAP is a web proxy for security analysis of applications by OWASP. It is free.

Setting up ZAP for Windows 8

After installing ZAP, it needs to be made ready to act as a proxy for Metro applications. As most Metro applications make heavy use of the Internet for data storage, information access and communication with the Windows Store, use of a proxy is a great place to start to test the underlying security.

1) Press the Windows button and type Internet Options.

2) Press the Settings tab on the right of the Start Screen.

3) Select the Internet Options control panel.

4) Click the Connections tab.

5) Click the LAN Settings button

6) Change the Provy Server settings like Figure 1. Check the 'Use a proxy server' checkbox, then set the address to 'localhost' and the port to '8080'.

 

Figure 1 - configuring a proxy

7) Click OK, then click OK.

Finally, you have to configure the app you are testing to allow the loopback (locakhost) address as a proxy, which by default AppContainers aren't allowed to do. You can do this with PowerShell, but it is a lot easier to download Eric Law's excellent EnableLoopback utility, which will do the work for you. You just need to find the app you want to test and select the checkbox, then click Save Changes, like Figure 2.

 

Figure 2: the EnableLoopback Utility

Not your machine is configured to use ZAP as a proxy. While these settings are set, you will have to have ZAP running to use the Internet. Also, enabling the loopback address circumvents important security controls placed on Metro apps. Only use it on a test system.

Testing your settings

To test your settings, run ZAP by pressing the Windows key and typing ZAP then pressing enter. Then run an installed Metro app, like the Finance app, which you have configured for loopback. In ZAP, all of the services being called by the application will appear in the Sites pane, and all of the individual calls will appear in the History tab. Figure 3 shows my results.

 

Figure 3 - Finance Test results

 Each of these represents an HTTP call being made by the Finance app to populate it's screens. Apparently, the developers of this app chose not to use SSL for any of the calls, which makes our job easier - although since we have a man in the  middle the analysis can still be carried forward. Either way, this gives us a ripe field to begin our analysis.

Attacking underlying services

You can now use ZAP to test the underlying services with the fuzzer.

1) Select a service to test in the Sites pane. I selected the api.bing.com/appex service.

2) Highlight a parameter to fuzz in the Request pane, right in the querystring. I selected the 'a' parameter in Figure 4.

 

Figure 4 - Setting the fuzzing dictionary

3) Right click and select Fuzz. The dialog that appears is also shown in Figure 4.

4) Select the Fuzz category in the dropdown. I selected SQL Injection in Figure 4.The list of pre-installed fuzzers appear in the Fuzzers listbox. These are known attacks that work against a variety of databases. As this is a Microsoft service, we can assume that MSSQL is probably the database, although other test tools could be used to ascertain this. In Figure 4 that is the fuzzer I selected.

5) Click Fuzz to begin your attack. ZAP will begin to call the service with the attacks in the SQL Injection file.

And ... it didn't work at all. The Fuzzer tab shows each attack, and all of them have a 404 error in the result column. Apparently that field is being used as a controller method name - I should have thought of that!

Oh wrell, let's try something else. Select the 'q' parameter and try again with a SQL attack. This one is a lot better - every result comes back as a 200. Awesome.  Click on a line in the Fuzzer tab to see the result in the Response tab.

{
   "BdiGeneric_BingResponse_1_0":{
      "AppNS":"AppEx",
      "Responses":[

      ],
      "Errors":[
         {
            "Code":1002,
            "Message":"Parameter has invalid value.",
            "Parameter":"AppExNewsVerticalRequest.AppId",
            "Value":"'create user name identified by pass123 temporary tablespace temp default tablespace users; "
         }
      ]
   }
}

What have we here? A error code 1002? Aah, 'Parameter has invalid value.' -- they are using parameterized queries. I suppose one would expect a well vetted service like Bing to be hardened against the #1 exploit on the OWASP Top 10 though.

In the next in this series we will look at an exploitable app and try and test the services that make up its data storage facility. Thanks for reading!

Comments (2) -

Psiinon
7/20/2012 2:14:42 AM #

Hey Bill,

Really nice article.

I've just linked to it from the ZAP wiki:

http://code.google.com/p/zaproxy/wiki/BlogPosts

http://code.google.com/p/zaproxy/wiki/FAQmetro

Many thanks!

Psiinon

Admin
7/20/2012 6:37:50 AM #

Wow, thanks a lot! I'll have more coming this weekend, I hope. ZAP is one hell of a tool.

Comments are closed

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

PageList

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList