Reconnect To Chaos!

OWASP Raider: a novel framework for manipulating HTTP processes of persistent sessions
29.12, 12:00–13:00 (Europe/Berlin), RTC-Bühne (Sparti)

Raider was created to fill a gap in current tooling for pentesting the authentication process. It abstracts the client-server information exchange as a finite state machine. Each step comprises one request with inputs, one response with outputs, arbitrary actions to do on the response, and conditional links to other stages. Thus, a graph-like structure is created. This architecture works not only for authentication purposes but can be used for any HTTP process that needs to keep track of states.


A few years ago, the author had the task of helping developers to build OAuth directly from RFCs, supporting them with security topics and questions. In the beginning, the project ran into some challenges. Early on, we faced the fact that authentication is a stateful process, while HTTP is a stateless protocol.

BurpSuite and ZAProxy were incepted when the web did not have states, so they inherited a stateless architecture. REST APIs became popular some years after those tools were created. They have workarounds like Burpsuite macros and ZAP Zest scripts to pass information between requests, but we found that functionality lacking and too complex to implement.

So the author wrote custom python scripts to pentest this. It worked fine, but doing this makes the scripts usable only on this system. Therefore, the author decided to create a tool that fills that gap.

Raider's configuration is inspired by Emacs. Hylang is used, which is LISP on top of Python. LISP is used because of its "Code is Data, Data is Code" property. It would also allow generating configuration automatically easily in the future. Flexibility is in its DNA, meaning it can be infinitely extended with actual code. Since all configuration is stored in cleartext, reproducing, sharing or modifying attacks becomes easy.

Links to the project:
- Website: https://raiderauth.com/
- Source: https://github.com/OWASP/raider
- Documentation: https://docs.raiderauth.com/en/latest/
- Twitter: @raiderauth
- Mastodon: @raiderauth@infosec.exchange

Daniel Neagaru is a 30-year-old penetration tester with 5+ years working in the security industry and 5 more in IT, mainly as a system administrator. He dropped out of university to pursue his passion for security, which wasn't taught back then in many places. He created Raider 2 years ago, which later became part of the OWASP family.