BURP SUITE BASICS

Burp Suite is a framework that aims to provide a one-stop-shop for web application penetration testing and commonly in mobile application testing. At the simplest level, Burp can intercept, capture and manipulate web requests (and sometimes responses) before the are received by the intended recipient. 

Whilst there versions of Burp with more features, they are also considerably more expensive, so I will be using Burp Community edition. The features I will mainly focus on using are:

  • Proxy: Burp Proxy allows us to intercept and modify requests/responses when interacting with web applications.
  • Repeater: Allows us to capture, modify, then resubmit the same request numerus times. This feature can be invaluable when we need to submit payloads through trial and error. For example a SWL injection or when testing the functionality of an endpoint for flaws.
  • Intruder: Allows us to spray an endpoint with requests, often used for brute forcing or to fuzz endpoints.
  • Decoder: Allows us to encode or decode intercepted data.
  • Comparer: Compares two pieces of data at either word level or byte level.
  • Sequencer:  We usually use Sequencer to assess the randomness of tokens such as session cookie values. If the the algorithm is not generating truly random values then this could open up avenues for attack.
  • Extender: Allows us to add or purchase extensions in order to add to the functionality of the Burp framework.

NOTE: In order to use Burp Suite with Firefox, we will need to use FoxyProxy which redirects all traffic through 127.0.0.1:8080. It is also important to ensure FoxyProxy is on in the Firefox browser. Visit this null-byte article for more info.

The Dashboard



The dashboard is split up in to four quadrants: 
  1. Tasks: Allows us to define background tasks for Burp to run whilst we use the application.
  2. Event Log: Tells us what Burp is doing and information about any connections we are making through Burp.
  3. Issue Activity (exclusive to Burp Pro): List of all the vulnerabilities found by the automated scanner.
  4. Advisory: Gives more information on the vulnerabilities found as well as references and remediations. These can then be exported to a report.
NOTE: If we need help with any sections, click on the question mark for more information about a feature.

User Options




There are four main sub-sections to the User tab:
  • Connections: Allows us to control how Burp makes connections to targets. For example, we can set a proxy for Burp to connect through.
  • TLS (Transport Layer Security): Allows us to enable or disable various TLS options, as well as giving us a place to upload client certificates should a web app require one for a connection.
  • Display: Allows us to change how Burp Suite looks.
  • Misc: Contains a wide variety of settings, including keyboard shortcuts.

Burp Proxy

The Burp Proxy tool allows us to capture requests and responses between ourselves and our target. These requests and responses can then be manipulated or sent to other tools for further processing before being sent to their intended destination. Any traffic captured will not be sent to the intended destination until we choose to, which gives us complete control of our web traffic.




With the proxy active, when we make a request to a website, the request will hang and the request will appear in the Proxy tab. We can then choose to edit and/or forward or drop the request. We can also send the request to other Burp modules.



Even if interceptor is turned off, Burp will capture and log any WebSocket communication by going to "HTTP history" and "WebSockets history" sub-tabs.

The Options sub-tab for Proxy contain important options, such us intercepting only responses to requests or only intercepting from a URL that is within a target scope. The Match and Replace section allows us to perform regexes on incoming and outgoing requests, which can be useful to emulate a different web browser or by removing all cookies.

Proxy Scoping and Targeting

In order to ensure only the intended targets web traffic is captured, we can use the scope function. This can either be done by going to the Target tab, right clicking the target and clicking Add to Scope. Alternatively there is a Scope sub-tab which allows us to include or exclude domains/IPs.




So far we have only disabled logging of out of scope traffic, if we wish to disable the interception of out of scope traffic, we need to go to the options in the Proxy tab.


Site Map and Issue Definitions

There are three sub-tabs under Target:

Site Map: Allows us to map out target apps in a tree structure. This can be achieved by browsing the target with Site map active. This can be particularly useful if we want to map out an API as whenever we visit a page any API endpoints that the page retrieves data from whilst loading will show up here.

Scope: Allows us to control Burps scope for the project.

Issue Definitions: Whilst not available to Burp Community, we still have access to a list of all vulnerabilities it looks for. We can use this resource when we need citations for a report or describing a vulnerability.


Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more