
PentestWebhooksServer

Author: Nick Coblentz

Creating this project was possible thanks to my employer and friends at: https://www.virtuesecurity.com

Some online services or APIs invite consumers to provide a "callback" or WebHook URL. That URL is then called by the online service in response to an event occurring or to provide the results of an asynchronously processed request. To test those webhooks or callbacks, penetration testers need a platform to respond with custom HTTP responses containing various test cases to attempt to identify weaknesses in how the callback or webhook receives and processes that data. That is the purpose of this project. The following test cases are included in the project:

  • The ability to accept HTTP as well as HTTPS (with a self-signed certificate) or HTTPS (with a trusted certificate) to test TLS support/enforcement
    • There is code commented out to accept HTTP/2 traffic, but you must disable the other listeners to use it, and it is not fully tested
  • Responding with any (including non-standard) 3XX, 4XX, and 5XX HTTP response status codes, including a redirect location for the 4XX responses
  • Responding with a 302 redirect with a Set-Cookie header
  • The ability to respond with a custom xml, html, txt, or json payload (read from a file) and response code
  • The ability to define test cases (custom_body_0.txt, custom_body_1.txt, ...) and access them with a custom content-type and status code through /bodyfromfile/200/0?contenttype=text/html, /bodyfromfile/200/1?contenttype=application/json, ...
  • The ability to delay the response an arbitrary number of seconds and then respond with a 200 or 302 response
  • 302 Redirect Test Cases
    • Redirect to file:///C:/Windows/System32/drivers/etc/hosts
    • Redirect to file:///etc/hosts
    • Redirect to various localhost or private IP address options with a few common filter evasion techniques
    • Redirect with various cross-site scripting payloads in the location header
    • Use the arbitrary 3XX and location parameter to redirect to a subdomain you control that points at 127.0.0.1 as well as private IP addresses
  • 200 OK with several of the following test cases:
    • Cross-site scripting payloads
    • XML entity injection
  • Prompt for Authentication
    • Basic Auth
    • NTLM
    • Negotiate, NTLM

Install

Windows

$ choco install nodejs-lts

Linux

https://snapcraft.io/node

$ snap install node --classic

Post Install

$ npm install express fs http https morgan yargs readline-sync body-parser spdy

Choose Certificate

Options:

  • Use a valid TLS certificate, for example one signed by Let's Encrypt
  • Generate a self-signed Certificate

Generate Self-Signed Certificate

$ openssl req -x509 -newkey rsa:4096 -nodes -sha256 -keyout self_key.key -out self_cert.crt -subj "/CN=callbacks.myexampledomain.com" -days 180

Running the Application

Help

$ node app.js --help
Options:
      --help           Show help                                       [boolean]
      --version        Show version number                             [boolean]
  -p, --httpport       Http Port number      [number] [required] [default: 8080]
  -s, --httpsport      Https Port number     [number] [required] [default: 8443]
  -k, --key            Key file               [string] [default: "self_key.key"]
  -c, --cert           Certificate file      [string] [default: "self_cert.crt"]
  -a, --chain          Certificate chain file             [string] [default: ""]
  -b, --burpcollaburl  Base URL of the Burp Collaborator Server
                                          [string] [default: "http://localhost"]
$ #With Cert from Let's Encrypt
$ node app.js -b="https://aaaaamtf17fce056wuuij.oastify.com" -p 80 -s 443 -k /etc/letsencrypt/live/tracemyexamplesite.com/privkey.pem -c /etc/letsencrypt/live/myexamplesite.com/cert.pem -a /etc/letsencrypt/live/myexamplesite.com/chain.pem
$ #With Self Signed Cert
$ node app.js -b="https://aaaaamtf17fce056wuuij.oastify.com" -p 80 -s 443 -k self_key.key -c self_cert.crt
Payloads with a callback will send requests to: options.burpcollaburl=https://aaaaamtf17fce056wuuij.oastify.com
logging to the console.
logging to the file: http_logs.txt
All Routes: [
  '/',
  '/bodyfromfile/:code(\\d{3})/:testcase(\\d+)',
  '/bodyfromfile/:code(\\d{3})/xml',
  '/bodyfromfile/:code(\\d{3})/html',
  '/bodyfromfile/:code(\\d{3})/json',
  '/bodyfromfile/:code(\\d{3})/txt',
  '/4XX/:code(4\\d{2})',
  '/4XX/basic',
  '/4XX/ntlm',
  '/4XX/ntlmnegotiate',
  '/4XX/toomany',
  '/5XX/:code(5\\d{2})',
  '/delay/200/:seconds(\\d+)',
  '/delay/302/:seconds(\\d+)',
  '/302/file/windows',
  '/302/file/linux',
  '/307/cookie',
  '/3XX/:code(3\\d{2})',
  '/3XX/testcase/:testcase(\\d+)',
  '/xss/testcase/:testcase(\\d+)',
  '/xml/testcase/:testcase(\\d+)'
]
HTTP server listening on port 80
HTTPS server listening on port 443
