Tool: WStalker – an easy proxy to support Web API assessments

tl;dr

Have you ever faced a situation where you have a number of web services to test but no one is able to provide full working examples of each API call? WStalker is a work aid to help developers / functional testers record API traffic to help facilitate security assessments by security testers and other tooling.

Zero knowledge API testing is …

We have all received a text file with a list of endpoints or a screenshot of the request that should be issued to a web API endpoint.

Sometimes we may receive the information using Postman or Swagger, which is a far better alternative, but these still rarely include working examples of the parameters to be used.

These situations may cause us to spend a lot of time guessing the content of non-obvious parameters and the sequence of requests, especially when the development team isn’t around and the application state requires that information obtained from one request is used in a further request.

Introducing WStalker the flight recorder

To address situations such as these NCC Group developed WStalker.

WStalker is a super simple HTTP proxy written in golang, which requires no configuration.

Developers can configure the same tools they use for functional testing and run their benchmarks using WStalker as a proxy, and it will create a wstalker.csv file with all the information recorded. Developers can use the already compiled binaries for Windows, Linux and macOS, or they can compile it themselves. Both options are available from NCC Group’s Github.com page.

Running and using WStalker is simple

WStalker can be executed without any parameters.

$ ./wstalker
2019/10/18 09:19:30 Creating HTTP Proxy
2019/10/18 09:19:30 Starting in 127.0.0.1:8080
2019/10/18 09:19:31 Saving Request in wstalker.csv
2019/10/18 09:19:31 Stalking Connections...

Now it is necessary to configure the tool we are using (e.g. a browser or any other tool used to test your web services) to use http://127.0.0.1:8080 as a proxy. You will receive a TLS warning about the certificate.

You will need to accept the warning but PLEASE DO NOT install the CA, since the CA private key is included in the tool, which was necessary to keep the tool configuration minimal.

When we start running requests, wstalker will start showing one line per request.

2019/10/18 09:20:53 GET - http://ifconfig.co/
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://ifconfig.co/favicon.ico
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt
2019/10/18 09:20:54 GET - http://detectportal.firefox.com/success.txt

When all the tests have been performed, wstalker can be stopped by pressing CTRL+C or closing the window.

2019/10/18 09:21:01 Closing wstalker

Shipping the data

A file wstalker.csv will be generated, containing information about each request:

[REQUEST_IN_BASE64],[RESPONSE_IN_BASE64],METHOD,URL.

Each new execution of WStalker appends the new requests and responses to the existing file.

WARNING: This file could contain credentials and critical information, so it is recommended to send it encrypted or using other secure mechanisms.
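As an added example (not part of the tool or the original post), the following parser reads rows in the wstalker.csv layout described above, base64-decodes each request and response, and blanks out credential-bearing headers before the file is handed over. It assumes the bracketed fields are plain base64 columns with no literal brackets, and the header names in SENSITIVE_HEADERS and the sample request/response are constructed for the demonstration.

```python
import base64
import csv
import io

# Constructed sample traffic for the demonstration (not captured from a real service).
SAMPLE_REQUEST = (
    b"GET /api/v1/me HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Authorization: Bearer secret-token-123\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"user":"alice"}'
)

# Headers whose values should never travel in a shared capture (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def make_row(req, resp, method, url):
    """Build one CSV row in the wstalker.csv column order: request, response, method, URL."""
    return [base64.b64encode(req).decode(), base64.b64encode(resp).decode(), method, url]


def parse_wstalker_csv(text):
    """Yield (request_bytes, response_bytes, method, url) for every well-formed row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # skip blank or truncated rows rather than failing the whole import
        yield base64.b64decode(row[0]), base64.b64decode(row[1]), row[2], row[3]


def redact_headers(raw):
    """Replace the value of each sensitive header in a raw HTTP message, keeping the body intact."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out = [lines[0]]  # request line or status line is kept as-is
    for line in lines[1:]:
        name, _, _ = line.partition(b":")
        if name.strip().lower().decode("latin-1") in SENSITIVE_HEADERS:
            out.append(name + b": [REDACTED]")
        else:
            out.append(line)
    return b"\r\n".join(out) + sep + body


def redact_csv(text):
    """Return a new wstalker.csv text with sensitive headers redacted in every request and response."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for req, resp, method, url in parse_wstalker_csv(text):
        writer.writerow(make_row(redact_headers(req), redact_headers(resp), method, url))
    return buf.getvalue()
```

Run the redacted output through the same parser before sending it to confirm that no token or session value survived.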

Importing and using the data

Once you have received this file, there are a couple of ways to import this format into Burp Suite, which we cover in the next blog post.