Breaking Point: How Browser Breakpoints Can Unmask Encryption and Compromise Security
Unveiling the Risks of Client-Side Encryption: Insights and Remediation
Introduction:
Have you ever explored the depth of tools available within your browser's developer console? Among these tools, breakpoints stand out as a powerful feature for debugging, but they also unveil significant insights into a web application's security. In this post, we'll dive into how breakpoints can bypass encryption mechanisms, illustrating why security should never rely solely on the client side.
Breakpoints:
What are breakpoints?
In software development, breakpoints are critical debugging tools that allow developers to pause the execution of a program at a specified point. This pause happens within a development environment or debugger tool, enabling the inspection of the current state of the application. Developers strategically place breakpoints on specific lines of code or on conditions that need close examination, enabling a granular view of program execution, variable states, and computational processes at those points.
From a security perspective, while breakpoints are invaluable for debugging, they also present an attack vector if not managed correctly. An attacker with access to debugging tools or scripts running in the client's browser can use breakpoints to intercept and manipulate data, uncover how encryption and authentication processes work, and exploit other sensitive operations handled by the client-side code.
How are Breakpoints Used in Debugging?
Code Inspection: By stopping the execution at certain points, developers can inspect variable values and the state of the application. This direct insight helps verify the correctness of logic and data handling, ensuring variables and functions behave as expected up to those points.
Step Execution: Breakpoints allow developers to execute code step-by-step (step-in, step-over, step-out). This capability is crucial for understanding logic flow and identifying where things may deviate from expected behavior, such as incorrect loop operations or faulty conditional statements.
The arrow to the right is used to step over the next function call
The arrow down is used to step into the function call
The arrow upwards is used to step out of the function call
Condition-based Halting: Setting breakpoints based on specific conditions or expressions can help debug more complex issues that might only occur under certain circumstances. For example, developers might set a breakpoint to trigger when a variable reaches an unexpected value or when a particular error is thrown.
The Power of Breakpoints in Security Testing:
Examining JavaScript files using breakpoints
Breakpoints are a crucial tool for developers, but they are equally important for security testing, particularly when examining JavaScript files in web applications. By setting breakpoints within the browser’s developer tools, security testers can pause the execution of JavaScript at strategic points, which allows for a thorough inspection of the code's behavior and its interaction with the web environment. Sometimes you will not find the hardcoded iv, secret, and private keys in javascript files but if you set breakpoint and check js code line by line those keys generate on runtime and you can see them in js code, I will show you how I found a similar issue in my real-time pentest engagement.
How Breakpoints Can Reveal Hidden Data and Logic in the Browser
Exposing Sensitive Data: Breakpoints can be used to intercept data during its processing stages before it's encrypted or sent over the network. Testers might uncover sensitive information such as passwords, tokens, or personally identifiable information (PII) stored in variables or data structures.
Manipulating Logic and State: By altering the values of variables during breakpoint pauses, testers can manipulate the state of the application. This can reveal how the application behaves under anomalous or malicious conditions, which might not be evident under normal operation. For example, disabling certain security flags or bypassing client-side checks can expose server-side vulnerabilities.
Revealing Business Logic: Often, complex business rules are enforced client-side in JavaScript. By using breakpoints, testers can understand these rules in detail and potentially find ways to circumvent them. This might lead to unauthorized actions or access within the application.
Case Study: Bypassing Encryption
During one of my recent pentest engagements, I uncovered a critical misconfiguration that enabled the extraction of private encryption keys directly from a client-side JavaScript application on runtime by setting up breakpoints. I will outline the methods I used to identify and exploit this vulnerability, highlighting the critical importance of secure encryption practices.
Since the actual proof of concept (POC) from the penetration test cannot be shown for security and confidentiality reasons, a lab environment setup will be used to demonstrate the issue.
The website I was examining has a login page where passwords are encrypted before being submitted.
As usual, I was inspecting the JavaScript files for hardcoded keys and discovered that the encryption logic was implemented on the client side. They were utilizing an initialization vector (IV) and a secret key for payload encryption. (In this lab environment, I'm only using a single key to encrypt the password.)
In the real world, it's not easy to find such logic; you have to inspect each JavaScript file to pinpoint where encryption and decryption occur. However, there's a shortcut. You can access the network tab, select the request you want to examine, and then navigate to the Initiator tab. There, you can see which JavaScript file was utilized when calling that specific endpoint.
Now that we've analyzed the JavaScript, we can set a breakpoint in the JavaScript file. As you can see, I've set the breakpoint below. After clicking the login button, the request is paused. You can now use the arrow buttons to navigate inside the function call or to the next function call.
As evident below, the encryption key is utilized to encrypt the password. This serves as an example of weak encryption logic crafted by developers.
Now that we have obtained the encryption key, which is also utilized for decryption on the server side, we can use that key to decrypt the password. In a real-world scenario, you might encounter different payloads to decrypt.
As per my last blog, I have demonstrated how you can utilize ChatGPT to write a custom code for the decryption process
This understanding only scratches the surface of debugging tools. If OTP logic is implemented on the client side, it's possible to bypass OTPs, but it requires a thorough grasp of JavaScript code. I'm actively learning and researching more about this topic. Additionally, debugging tools are useful alternatives to Burp Suite in certain scenarios.
Remediation:
Server-Side Encryption: Implement encryption and decryption processes on the server side rather than relying solely on client-side encryption. This reduces the risk of exposure to sensitive data and encryption keys.
Secure Key Management: Employ secure key management practices, such as using hardware security modules (HSMs) or secure key vaults, to store encryption keys securely. This prevents unauthorized access to keys, even if client-side code is compromised.
Code Review and Testing: Conduct thorough code reviews and security testing to identify and remediate vulnerabilities in client-side code, including insecure encryption implementations and hardcoded keys.
Also refer to the remediation section available at: https://offensivebytes.com/exploiting-exposed-encryption-keys
Conclusion:
In conclusion, exploring the capabilities of browser developer console tools, particularly breakpoints offers not only insights into debugging but also reveals critical aspects of web application security. Breakpoints, although primarily intended for debugging purposes, can serve as potent tools for security testing by allowing testers to inspect JavaScript files, uncover sensitive data, manipulate application logic, and reveal hidden business rules. Through a case study demonstrating the bypassing of encryption, the importance of robust encryption practices and thorough security testing is underscored. This article underscores the need for a comprehensive understanding of debugging tools and JavaScript code to address potential security vulnerabilities effectively. While this discussion provides only a glimpse into the topic, it emphasizes ongoing learning and research to stay ahead in the realm of web application security. Additionally, it highlights the significance of debugging tools as viable alternatives to traditional security testing suites like Burp Suite in certain scenarios.