THM – Burp suite – Part 11
Intro
Burp Suite is a framework of web appliccation pentesting tool. It is used to perform web app testing.
To install burp suite follow this guide. https://portswigger.net/burp/documentation/desktop/getting-started
Overview of Features
- Proxy – What allows us to funnel traffic through Burp Suite for further analysis
- Target – How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
- Intruder – Incredibly powerful tool for everything from field fuzzing to credential stuffing and more
- Repeater – Allows us to ‘repeat’ requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned Intruder
- Sequencer – Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies
- Decoder – As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
- Comparer – Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
- Extender – Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
- Scanner – Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.
Proxy
Proxy servers by definition allow us to relay our traffic through an alternative route to the internet. Be used for different reasons; education filtering (common in schools where restricted content must be blocked) or accessing content that may be otherwise unavailable due to region locking or ban.
For web application testing, a proxy allows us to view and modify traffic inline at a granular level.
Burp will by default be set to ‘intercept’ our traffic: Means a few things:
- Requests will by default require our authorization to be sent.
- We can modify our request inline similar to what you might see in a man in the middle attack and then send them on.
- We can drop requests we don’t want to be sent. Can be useful to see the request attempt after clicking a button or performing another action on the website.
- We can send requests to other tools such as repeater and intruder for modification and maipulation to unduce vulnerabilites.
Target Definition
Most important feature in Burp is Target Tab.
Target tab allows us to perform some of the most important parts of a web application penetration test: defining our scope, viewing a site map, and specifying our issue definition.
When starting a web app test you will be provided with a few things:
- The application URL
- A list of different user roles withing the application
- Various test accounts and associated credentials for those accounts
- A list of pieces/forms in the application which are out-of-scope for testing and should be avoided.
Happy path: Browsing the web app to discover the full extent of the site. Browse from the lowest privileged account and browsing the site as a normal user would.
After happy path, go through and start removing various items from the scope. These items typically fit one of these criteria:
- The item (page, form, etc) has been designated as out of scope in the provided documentation from the client
- Automated exploitation of the item (especially in a credentialed manner) would cause a huge mess (like sending hundreds of passwords reset emails)
- Automated exploitation of the item (especially in a credentialed manner) would lead to damaging and potentially crashing the web app
Once we’ve removed any restricted or otherwise potentially dangerous items from our scope, we can move onto other areas of testing with the various tools within Burp Suite.
TASKS
Before leaving the Proxy tab, switch Intercept to disabled. We’ll still see the pages we navigate to in our history and the target tab, just having Intercept constantly stopping our requests for this next bit will get old fast.
Navigate to the Target tab in Burp. In our last task, Proxy, we browsed to the website on our target machine (in this case OWASP Juice Shop). Find our target site in this list and right-click on it. Select ‘Add to scope’.
Clicking ‘Add to scope’ will trigger a pop-up. This will stop Burp from sending out-of-scope items to our site map.
Select ‘Yes’ to close the popup.
Browse around the rest of the application to build out our page structure in the target tab. Once you’ve visited most of the pages of the site return to Burp Suite and expand the various levels of the application directory. What do we call this representation of the collective web application?
Site map
What is the term for browsing the application as a normal user prior to examining it further?
Happy path
One last thing before moving on. Within the target tab, you may have noticed a sub-tab for issue definitions. Click into that now.
The issue definitions found here are how Burp Suite defines issues within reporting. While getting started, these issue definitions can be particularly helpful for understanding and categorizing various findings we might have. Which poisoning issue arises when an application behind a cache process input that is not included in the cache key?
Putting it on repeater
Repeater allows us to repeat requests we’ve already made. Requests can either be reissued as-is or with modificaitons. Used for expermientation or more fine-tuned exploitation wherein automation may not be desired.
Tasks
To start, click ‘Account’ (this might be ‘Login’ depending on the version of Juice Shop) in the top right corner of Juice Shop in order to navigate to the login page.n Done
Try logging in with invalid credentials. What error is generated when login fails?
But wait, didn’t we want to send that request to Repeater? Even though we didn’t send it to Repeater initially via intercept, we can still find the request in our history. Switch over to the HTTP sub-tab of Proxy. Look through these requests until you find our failed login attempt. Right-click on this request and send it to Repeater and then send it to Intruder, too!
Now that we’ve sent the request to Repeater, let’s try adjusting the request such that we are sending a single quote (‘) as both the email and password. What error is generated from this request?
Now that we’ve leveraged Repeater to gain proof of concept that Juice Shop’s login is vulnerable to SQLi.
Next, click on ‘Customer Feedback’ (depending on the version of Juice Shop this also might be along the top of the page next to ‘Login’ under ‘Contact Us’)
With the Burp proxy on submit feedback. Once this is done, find the POST request in your HTTP History in Burp and send it to Repeater.
What field do we have to modify in order to submit a zero-star review?
Submit a zero-star review and complete this challenge in Juice Shop!
Intruder!
Can be used for fuzzing to brute-forcing. Serves one purpose: automation.
Common uses for intruder:
- Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing.
- Harvesting useful data from user profiles or other pages of interest via grepping our responses
- Fuzzing for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal
Intruder has four different attack types:
- Sniper – Most popular attack. Cycle through selected positions, putting the next available payload in each position in turn. Uses one set of payloads.
- Battering Ram – Similar to sniper. Uses one set of payloads. Puts every payload into every selected position.
- Pitchfork – Allows us to use multiple payloads sets and iterate through both payload sets simultaneously.
- Clusterbomb – Allows us to use multiple payloads sets and iterate through all combinations of the payload lists we provide.
Tasks
Return to the Intruder in Burp. In our previous task, we passed our failed login attempt to both Repeater and Intruder for further examination. Open up the Positions sub-tab in the Intruder tab with this request now and verify that ‘Sniper’ is selected as our attack type.
Burp attempts to automatically highlight possible fields of interest for Intruder, however, it doesn’t have it quite right for what we’ll be looking at in this instance. Hit ‘Clear’ on the right-hand side to clear all selected fields.
Next, let’s highlight the email field between the double quotes (“). This will be whatever you entered in the email field for our previous failed login attempt.
Now click ‘Add’ to select our email field as a position for our payloads.
Next, let’s switch to the payloads sub-tab of Intruder. Once there, hit ‘Load’ and select the wordlist you previously downloaded in question five that is attached to this task.
Almost there! Scroll down and uncheck ‘URL-encode these characters’. We don’t want to have the characters sent in our payloads to be encoded as they otherwise won’t be recognized by SQL.
Finally, click ‘Start attack’. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?
Sequencer
Represent a core tool in a proper web app pentest. It’s a tool for analyzing the quality of randomness in an applications session’s tokens and other important data items that are otherwise intended to be unpredictable. Commonly analyzed items include:
- Session tokens
- Anti-CSRF (Cross-Site Request Forgery) tokens
- Password reset tokens (sent with password resets that in theory uniquely tie users with their password reset requests)
Tasks
Switch over to the HTTP history sub-tab of Proxy.
We’re going to dig for a response which issues a cookie. Parse through the various responses we’ve received from Juice Shop until you find one that includes a ‘Set-Cookie’ header.
Once you’ve found a request response that issues a cookie, right-click on the request and select ‘Send to Sequencer’.
Change over Sequencer and select ‘Start live capture’
Let Sequencer run and collect ~10,000 requests. Once it hits roughly that amount hit ‘Pause’ and then ‘Analyze now’
Parse through the results. What is the effective estimated entropy measured in? Bits
In order to find the usable bits of entropy we often have to make some adjustments to have a normalized dataset. What item is converted in this process? Token
Read through the remaining results of the token analysis
Decoder and comparer
Lesser tools withing Burp.
Decoder is a tool that allows us to perform various transforms on pieces of data. Vary from decoding/encoding to various bases or URL encoding.
Comparer is a tool used to comapre different responses or other pieces of data such as site maps or proxy histories (Good for access control issue testing). Similar to linux tool diff.
Common uses:
- When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in responses. This is also sometimes useful for when enumerating password recovery forms or another similar recovery/account access mechanism.
- When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.
- When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behavior. This may reveal possible access control issues in the application wherein lower privileged users can access pages they really shouldn’t be able to.
- When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.
Tasks
Previously we discovered the scoreboard within the site JavaScript. Return to our target tab and find the API endpoint highlighted in the following request:
Copy the first line of that request and paste it into Decoder. Next, select ‘Decode as …’ URL
What character does the %20 in the request we copied into Decoder decode as? Space
Burp Suite Addon (Extender)
- Logger++ – Adds enhanced logging to all requests and responses from all Burp Suite tools, enable this one before you need it 😉
- Request Smuggler – A relatively new extension, this allows you to attempt to smuggle requests to backend servers. See this talk by James Kettle for more details: Link
- Autorize – Useful for authentication testing in web app tests. These tests typically revolve around navigating to restricted pages or issuing restricted GET requests with the session cookies of low-privileged users
- Burp Teams Server – Allows for collaboration on a Burp project amongst team members. Project details are shared in a chatroom-like format
- Retire.js – Adds scanner checks for outdated JavaScript libraries that contain vulnerabilities, this is a premium extension
- J2EEScan – Adds scanner test coverage for J2EE (java platform for web development) applications, this is a premium extension
- Request Timer – Captures response times for requests made by all Burp tools, useful for discovering timing attack vectors
Burp Suite Scanner
Allows us to passibely and actively scan and spider the website we are testing for vulnerabilities. Can launch these scans (Scanner and Spider) from the dasboard and let them run in the background while we continue to examine the web app.