goRE

A modular bug hunting, pentesting and webapp reverse engineering framework written in Go.

If you want to learn more about how this idea came about and how I went about writing this, you can read this blog post. However, note that a lot has changed in the architecture since I wrote that post.

goRE is an created for web pentesting and reverse engineering. It leverages the Chrome Dev Tool protocol to intercept HTTP responses as you conduct pentest with Chrome via the use of go plugins.

goRE plugins

goRE plugins are essentially modules that you can use to modify or audit web responses. There are two different types of plugins (so far):

• Processors: processors plugins alter the response before it is rendered in the browser. This can be useful for things like modifying JavaScript code, changing HTML directives, unhiding elements in the page, highlighting areas of interest, etc.

• Inspectors:: inspectors conduct analysis on responses. For instance, you may want to record all references to API calls made by the application by inspecting JavaScript code. This way, rather than waiting until the browser makes a call to /api/admin/adduser, you may be able to find a reference to that path in the client side code. JS Framework specific inspectors could also be used to inspect things such as services, controllers, authorization controllers, etc. Inspectors do not modify responses.

Recompiling goRE plugins

At the moment there are constant changes on the module package. A change in that package would require that plugins are recompiled. This can be a pain as every module would need to be recompiled, so we have automated that task. Just run the below command and all modules will be recompiled:

go run main.go -p

Using goRE

1. Create a configuration file that uses the structure used by the config.yaml file in the root directory of this repo.
2. Make sure the plugins that you want to use are compiled. You can compile all available plugins by running go run main.go -p
3. You can find information about any plugin by running this command:

   go run main.go -i -m "/the/path/of/the/module/"

4. To run goRE:

   go run main.g -c "./path/to/your/config/file.yml"

If run successfully, a new Chrome window should open up with two tabs. Use the second tab to navigate to the site that you are currently pentesting. Press ctrl + c to end the session (TODO: make a more effective way to end sessions).

Ok, but what can I actually do with goRE?

There are 7 modules available at the moment. You can find information about each plugin by running go run main.go -i /path/to/module/

Here are some fun things that you can do right now. Each task is followed by a code snippet showing how your config would look like to enable the right plugins. Note that you can enable multiple plugins at the same time.

1) Force Angular 2 application to load in development mode

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
    - path: "/data/modules/processors/angular/prodModeHijacker/"
      options: {}

2) Hijack and alter a function loaded by a web application

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
    - path: "/data/modules/processors/generic/functionhijacker/"
      options:
         Indicator: "isLoggedIn"
         NewBody: "{return true}"

3) Record API calls in a file

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  inspectors:
    - path: "/data/modules/inspectors/generic/apifinder/"
      options:
        FilePath : "./logs/apifinds.txt"

4) Inject code in an existing function

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
   - path: "/data/modules/processors/generic/injector/"
      options:
        FunctionName: "isAdmin"
        Injection: "console.log('function called, injection confirmed!');return true;"}

5) Set all ngIf and ng-if attributes to always return true (applies to Angular apps)

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
    - path: "/data/modules/processors/angular/unhider/"
      options: {}

6) Simple find and replace

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
    - path: "/data/modules/processors/generic/findreplace/"
      options:
         Find: "isAdmin=false"
         Replace: "isAdmin=true"

**7) Unhide all hidden input and add highlight what the input is used for

scope: "example.com"
verbose: False
flags: ["-na", "--disable-gpu", "--window-size=1200,800", "--auto-open-devtools-for-tabs","--disable-popup-blocking"]
modules:
  processors:
    - path: "/data/modules/processors/generic/unhider/"
      options: {}

Creating your own gorp plugin

The power of gorp is in the plugins. Creating your own plugin is simple.

1. Create a file called gorpmod.go under /data/modules/processors or /data/modules/inspectors, depending on your type of plugin (see above for the differences between an inspector and a processor.

2. Depending on the type of plugin, your code must implement either the Processor or Inspector interface, which are declared in the modules package. Both module types must accept a struct parameter of type modules.WebData which gives your module access the response body, headers and type. The type can be Document, Script or Request (Request types have not been implemented yet but that is my list of priorities for this gorp).

3. Your plugin must include a symbol to be used by gorp. The symbol should be declared like this:

   //apifinder is just the name of your plugin
   type apifinder struct {
       Registry    modules.Registry
       Options    []modules.Option
   }

4. Make sure to export the symbol at the end of your plugin, like so:

   var Inspector apifinder

5. Compile your plugin like so:

   go build -buildmode=plugin -o gorpmod.so gorpmod.go

6. Now you are ready to use your plugin with gorp.

Addtional Debugging Options

Injecting Custom Debugger Code

Gorp now allows you to inject code used for automating debugging tasks from the console. To do so do the following:

1. Create a JS files where you will enter your custom code.
2. Add any logic/code you want to your file.
3. You will need to add any intialization logic inside a function call gorp(). Gorp will call gopr() on page loads.
4. Add the following to your config.yml file:

   script:
     path: "/path/to/scripts.js"
   

5. Lunch gorp and make use of your functions from the cosole.

XHR Based Breakpoints

You can now also setup breakpoints based on XHR logic. Let's say you want to pause execution and examine variables when a calls to /v1/accounts and /v1/api_keys are made by the front end. Simple add the following to your config file to do so:

xhrBreakPoints:
  - "/v1/accounts"
  - "/v1/api_keys"

Immediate Needs

• I have not found a JS beautifies and deobfuscation go library yet. Worst-case scenario, I could either write one (kinda of a project of its own) or use node libraries via system calls.

Todo

• Add a fancy, interactive shell-like CLI.
• Rad CLI colors and functions for fancy cli printing
• Create more plugins for tasks such as:
  • Keep track of values such as user GUIDs and show alarms when certain conditions occur while you explore an application (helpful for finding IDORs).