OWASP Raider - Web authentication testing framework.

OWASP Raider is a framework designed to test authentication for web applications. It treats the authentication process as a finite state machine. Each step is a different stage, with its own inputs and outputs. Those can be cookies, headers, CSRF tokens or other pieces of information.

The configuration files for Raider are written in Hylang, which enables it to be extremely flexible, and with some effort, any authentication mechanism can be replicated.


Features

Infinitely extensible architecture

Raider was developed with modularity in mind, and adding new features is easy without messing with the main code.

Hylang (Lisp) configuration

Using Lisp for the configuration makes it possible to define even the most complex authentication mechanisms in an easy-to-understand format.

Reproducible attacks in cleartext

With Raider it's possible to represent HTTP-based attacks in a cleartext format (not limited to authentication).

Finite state machine modelling

By abstracting the authentication process using finite state machines, Raider allows defining unlimited authentication steps, with unlimited inputs/outputs and conditionally deciding the next steps.

Interact with authentication elements

Raider abstracts authentication concepts using Python objects, with which the user can interact.

Fuzz arbitrary inputs

Fuzz any defined input, either during the authentication process (following the defined authentication flow) or in arbitrary requests sent as an already authenticated user.

Getting started

Due to Raider's architecture there is a certain entry barrier before one can start using it effectively. To help you navigate the learning curve, here's the roadmap for the journey towards becoming a Raider master. You might already know some of these things, so feel free to skip the ones not relevant to you.

1. Learn Python basics

You should know enough Python to be able to write and debug short scripts. Get comfortable reading documentation for the things you don't know. You need an understanding of Python concepts in order to learn Hylang, which is essential if you want to use Raider.

2. Learn Hylang basics

Raider's configuration files are written in Hylang, a Lisp dialect on top of Python. You can't really use Raider if you skip this step. But you also don't have to learn macros or the other exotic features the language offers; you just have to accept the Lisp parentheses and write simple scripts, as you should already be able to do in Python. If you're already familiar with Lisp and Python, this step will be easy for you.

3. Get comfortable with a web proxy

Pick a web proxy you like, and learn how to use it properly. We recommend BurpSuite, ZAProxy or mitmproxy. You will need it to reverse engineer the authentication process of arbitrary web applications.

4. Learn the basics of authentication

Now that you know how to use a web proxy, you should learn how authentication works on web applications. Log into different websites while using the web proxy, and try to understand how it works, i.e. what information is being sent to the server, what the server responds with, and where each piece of information comes from. Try simple websites first, and gradually move to more complicated ones until you understand the process.

5. Read Raider documentation

Start by reading about Raider's architecture, since understanding it is essential if you want to set this up. Then familiarize yourself with the rest of the documentation. You will need it when writing the configuration in the next step. You can also check the tutorials in the community forum.

6. Configure your first application

Pick a web application with a simple authentication mechanism first. Once you learn how to do it, you can move to more complex ones. Use the web proxy to check the traffic generated by the application when you log in. Remove the HTTP requests that are irrelevant to the authentication process, like the static files. Now, the easiest way to proceed is by going backwards. Pick one HTTP request that can be completed only by an authenticated user, and find out which piece of information in that request indicates the user is authenticated by removing the irrelevant information piece by piece. It's usually a header, a cookie, or both. Identify where this piece of data comes from. Define it using Raider Plugins. When this is done, move on to the next request, until you reach an HTTP request that needs no inputs. At this point, the normal authentication flow is complete. Expand the configuration to cover other flows (multi-factor authentication, bad credentials, etc.). When you're satisfied with the current setup, move on to building attack scenarios.

7. Write attack/automation scenarios

At this point you have a configured application in Raider. Using Python, you can already successfully authenticate and do other cool stuff, like fuzzing inputs. By now you should already know what you want to achieve with Raider, and you'll only need to write the Python code to do that.

8. Write your own Plugins/Operations

If you feel like you need more from Raider than it currently supports, good news! Raider provides you with an API to easily extend it and write your own Plugins and Operations, so you don't have to mess with the main code to do that. Expanding with new features only requires you to write a simple class in Hylang.

9. Help others in the community

With your current knowledge you can already help others learn Raider and you're encouraged to do so in our community forum. Join us there, write your own tutorials, engage in discussions, leave feedback, and help us make Raider even better.

10. Contribute to the development

If you've reached this far, you probably want to help us make Raider better, so the next logical step would be for you to read the source code and make improvements to it. Start by writing new Plugins and Operations to extend Raider's existing features. Open GitHub issues, fix bugs, and tell us what can be improved.