Raider: A tool to test authentication in web applications
Open source project aims to offer ‘unlimited flexibility’ for security researchers
Daniel Neagaru, who created the tool, told The Daily Swig: “The HTTP protocol is stateless, while the authentication itself is stateful. So to effectively run tests, Raider treats the process as a finite state machine.
“Each state contains the HTTP request, response, and inputs/outputs associated with this information exchange.”
Neagaru told The Daily Swig that the configuration files are written in Hylang, a Lisp dialect on top of Python, which offers “unlimited flexibility”. Due to its architecture, users “can easily add new features without messing with the main code”, he said.
Originally devised to “scratch his own itches”, Neagaru said Raider can be used by both security researchers and organizations.
“Researchers could write attack scenarios and reuse them on other applications they are testing,” he explained.
“On the other hand, organizations could set up the configuration files, write a set of tests to run, and even integrate them into their CI/CD pipeline to ensure that authentication works as expected and that no new bugs get introduced.”
Gap in the market
Raider was developed after Neagaru decided that other popular web vulnerability testing tools didn’t quite produce the results he needed.
Neagaru told The Daily Swig: “Like everyone else, when testing the authentication myself, I was using classic web proxies like ZAProxy and Burp Suite. However, they don’t work well for authentication.
“For example, if I wanted to brute-force the multi-factor authentication code, but after each wrong try, the application requires repeating the login process from the start, it gets complicated.
“I believe most authentication bugs in the wild have been discovered by writing custom Python scripts specific to the application in question. With Raider, those kinds of attacks are easy to reproduce.
“Also, you can reuse the working configuration files in the future to try some new attacks.”
While Neagaru admits that there are barriers to using the tool – namely that the user needs to know both Python and Hylang – he said there is a “growing interest” from the security community, based on their metrics.
He added: “At the moment, Raider is in the process of getting approved by OWASP projects, so hopefully, soon, it will get a new home there.
“The next step would be to build a community around it so that users can learn from each other and share their configurations.”
YOU MAY LIKE Top Hacks from Black Hat and DEF CON 2021