Burp Suite – Web Application Pen testing, April 2016, FABDULWAHAB.COM

Burp Suite Starter


Overview

- Easy to use, written in Java, cross-platform
- Integrated platform for web application security; includes multiple tools
- Developed by PortSwigger Ltd, http://www.portswigger.net/
- Two editions: Free and Professional (the Professional edition adds the automatic scanner and more features)
- Local web proxy to intercept HTTP/S requests
- Acquires site details by visiting pages, scripts, params …

Integrated Tools

- Target: aggregates all web application resources
- Proxy: local web proxy to intercept HTTP/S requests
- Spider: crawler to discover new pages and params
- Scanner: security scanner, available only with the Professional version
- Intruder: to customize and automate web requests using fuzzing
- Repeater: to manually modify and re-issue web requests

Integrated Tools

- Sequencer: verifies the randomness and predictability of tokens, cookies …
- Decoder: to encode and decode data
- Comparer: a visual diff tool to detect changes between web pages

Installation

- What do I need? 100 MB disk, 2 GB RAM, an OS (Windows, Mac or Linux), JRE 1.6+ or OpenJDK (but not officially supported). The recommended browser is Firefox
- Download the file and then unpack it. To start it, from cmd run: java -jar burpSuite.jar

Installation

- Or, to specify the amount of memory: java -Xmx2g -jar burpsuite_v1.4.01.jar
- -Xmx2g is used to increase the heap up to 2 gigabytes (or -Xmx2048M)
- Common errors include wrong permissions or incorrect paths: http://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/jrdocs/refman/optionX.html#wp999528
- Or start it by double-clicking the .jar file (but then you can't customize the maximum memory allocation)
- Has an API to extend its functionality using the Extender tool (extensions can be written in Java, Python, or Ruby): https://portswigger.net/bappstore/default.aspx

Proxy Configuration

- Default on port 8080/TCP: Proxy | Options (check the Running box)
- In case of errors, you will notice exceptions in the Alerts tab
- If loopback only is enabled, it will accept requests from the local machine only (you can't access Burp remotely)
- For standalone clients or mobile applications using HTTP/S, select "Support invisible proxying for non-proxy-aware clients"
- Why is Firefox recommended?
  - Doesn't include any embedded anti-XSS filters to interfere with your testing
  - Use the Profile feature
  - Only sends browser HTTP/S requests
- Configure the proxy for the browser; remove all exceptions from the "No Proxy for" field
- Disable extensions such as Flash and NoScript …

Proxy Configuration

- FoxyProxy Standard is a Mozilla Firefox add-on that gives fine-grained control over proxy traffic
- Automates the processing of settings, to ensure only selected traffic is sent to Burp Suite
- You can configure multiple proxies
- Install it, Add New Proxy, configure URL patterns (*example.com/*). Also add *burp/* (required)
- Select the mode "Use proxies based on their pre-defined patterns and priorities"

Plug-n-Hack

- Firefox add-on supported by Burp: https://blog.mozilla.org/security/2013/08/22/plug-n-hack/
- Install the .xpi and then go to the Add-on manager
- Open http://burp/pnh
- This tool helps you configure Burp in a simple way

Test configuration

- Browse a web site
- Go to the Proxy | Intercept tab (make sure intercept is on)
- Check Target | Site map: a tree of resources
- Burp can be configured as a MITM to eavesdrop on all requests
- To avoid invalid certificate warnings, add the Burp root certificate or add an exception in the browser

HTTPS

- SSL/TLS prevents eavesdropping, tampering, and MITM attacks
- Browsers and servers exchange X.509 certificates, which are signed by certificate authorities
- Visit http://burp (used to confirm Burp is up) and download the CA Certificate
- Then import it into the browser's trusted certificates
- Configure the SSL proxy

SSL Settings

- On iOS or Android, send the certificate as an email and then install the root certificate on the device
- It may not be possible to intercept SSL traffic; Burp will show an SSL negotiation error in the Alerts tab, for example when a mobile application uses certificate pinning
- In this case we still want to continue working with other parts of the application, so we can use the SSL pass-through list or check the box to do it automatically

Invisible proxy

- A thick client is software that usually runs outside of the browser framework
- We need to trick it into sending all its traffic to the machine where the Burp proxy can listen
- For example, if the application needs to connect to example.com, then in the hosts file
- Also need to add a new listener on port 80 or 443; also if the site is using HTTPS then

Invisible proxy

- Then we need to send the traffic from Burp to the original server: Options | Connections | Hostname Resolution

Invisible proxy

- To intercept traffic from TV, iOS and Android devices: Options >> Proxy
- You can add multiple listeners (make sure each one is running); use a different port for each to avoid confusion

Scope

- Limited by domain, subdomain, folder name or filenames
- Under Target tab >> Scope; you can edit it or use regular expressions
- Also you can load… the targets from a file
- URL patterns can be either inclusive or exclusive
- Options >> Drop all out-of-scope requests (good to go with this option)

Testing 01

- Start browsing to allow Burp to proxy your web site
- At the top of the Burp Proxy tab for our website:
  - Intercept: to inspect and modify the request
  - Options: proxy configuration and advanced preferences
  - History: to see all intercepted traffic for analysis (focus on Params)
- When you browse the web site, Burp will wait for your action to Forward the request, or Drop it (then the user will get a warning message from Burp)

Testing 01

- When you browse the web site, the Action button becomes active to send the current request to any other Burp tool
- For example you can decode the request by clicking "Send to Decoder"
- To stop forwarding, set intercept off (traffic is still recorded, without stopping the requests)
- You can intercept responses matching specific patterns: check "Intercept server responses" in the Options tab. For example, only inspect responses with a 200 status code

Testing 02

- Inspect the requests:
  - Raw: simple text
  - Params: shows all entry points for potential vulnerabilities
  - Headers
  - Hex: good for binary content
- The History tab shows the original and modified requests; double-click to see the content details. Each request is identified by a unique number
- You can color them and highlight them; filter by whether the URL has params, by status code or by scope. In the Pro version, you can search by text or regular expressions

Tampering web requests

- To inject user inputs … edit the Raw view during intercept, for example change the ?key=test value, then click the Forward button
- Result: in HTTP history, double-click the request and go to the Params tab
- Also you can add a new param, header …

Match and replace

- For example, to view the website as its mobile version from a local PC: Options | Match and Replace
- Create a new rule and select "request header" as the type to match
- Type ^User-Agent.*$ (to match all agents)
- Then in the second (Replace) field type Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en). This format matches only the iPhone browser
- Then let Burp intercept the request (it will modify it based on the match rule)

HTML modification

- By default, Burp doesn't intercept responses: Intercept Server Responses
- Ideally only intercept if: the request is modified, a request is intercepted, the request is in scope
- Burp Proxy | Options (Response Modification): to remove JavaScript or modify HTML. You can use it to remove client-side validation or tamper with the request:
  - Unhide hidden form fields
  - Remove input length limits
  - Remove JavaScript validation
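As an added illustration (not part of the original slides and not Burp's own code), the following Python models what the header match-and-replace rule above and the three response-modification options do to a request and an HTML form; the request, the form and the regexes are constructed here, and the point to notice is that removing client-side validation only matters if the server does not validate on its own.

```python
import re

# Constructed sample request and HTML form (not captured from any real site).
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
SAMPLE_FORM = (
    '<form action="/transfer" method="post">\n'
    '  <input type="hidden" name="account_id" value="1001">\n'
    '  <input type="text" name="amount" maxlength="4">\n'
    '  <input type="submit" onclick="return validate()">\n'
    "</form>\n"
)

# The rule from the slides matches the whole User-Agent line, so the
# replacement has to carry the header name too, or the request is left
# without a User-Agent header altogether.
UA_PATTERN = r"^User-Agent.*$"
UA_REPLACEMENT = "User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)"

def replace_request_header(raw_request, pattern, replacement):
    """Apply one 'request header' match-and-replace rule: every header
    line is tested on its own and a matching line is replaced wholesale."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    rule = re.compile(pattern)
    headers = [replacement if rule.search(h) else h for h in headers]
    return "\r\n".join([request_line, *headers]) + sep + body

def unhide_hidden_fields(html):
    """Response modification: hidden inputs become editable text boxes."""
    return re.sub(r'type\s*=\s*"hidden"', 'type="text"', html, flags=re.I)

def remove_input_length_limits(html):
    """Response modification: drop maxlength attributes from inputs."""
    return re.sub(r'\s+maxlength\s*=\s*"\d+"', "", html, flags=re.I)

def remove_javascript_validation(html):
    """Response modification: strip inline on* handlers (client-side checks).
    Client-side validation is a usability aid, not a security control."""
    return re.sub(r'\s+on\w+\s*=\s*"[^"]*"', "", html, flags=re.I)

def modify_response(html):
    """Apply the three response-modification options from the slides."""
    return remove_javascript_validation(
        remove_input_length_limits(unhide_hidden_fields(html))
    )
```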

Using the target site map functionality

- Enumerate resources
- You can reduce the scope by right-click (Add item to scope / Add root URL)
- To filter by domains: Target | Site map | Filter; good to filter with the "only in-scope items" option
- You can edit the scope items and use regular expressions
- You can exclude from scope functions like logout
- After defining the scope, you can use the context menu to spider, scan ...
- Also to reproduce HTTP requests, choose "Request in browser" with either the current browser session or the original session (good to verify risks), then copy the URL and paste it into the browser

Using the target site map functionality

- Resources that have already been requested by the tool are marked in black, whereas endpoints that are linked from other resources but haven't been retrieved by Burp are marked in gray

Crawling web application with Spider

- Crawling a web application with Spider (web crawling) retrieves visible and hidden resources (based on links in previous requests …)
- Websites with Ajax and Flash based content may not be completely crawled
- The default options are enough, but you have more options in the Options tab
- Maximum link depth represents the maximum number of redirections to follow for a resource
- Reduce the thread count if you have limited resources
- You can provide the spider with usernames and passwords for applications that require login

Crawling web application with Spider

- You can also define form fields to submit during crawls
- You can define fields based on regular expressions, for example to recognize email fields
- Then run the spider (Burp Spider uses the scope defined)

Crawling web application with Spider

- All results from the discovery are automatically added to Target | Site map
- It is also very important to properly map all application resources by manually browsing the website
- Burp shows you the progress; check the Alerts tab while the spider is running

Launching automatic scan

- Included in the Pro edition only
- Scans for common security flaws
- Active/Passive scan (passive only analyzes the requests offline): https://portswigger.net/burp/help/scanner_scanmodes.html#passive
- Use this site for testing: http://google-gruyere.appspot.com/
- By default, Burp Scanner is configured to perform passive scanning (you can change it in the Live scanning section)
- You can run it against the scope or a specific branch
- If you choose active scan, a wizard will start: first to exclude resources like images, CSS, …, next to exclude pages like delete users, logout

Launching automatic scan

- You can configure more options to enable or disable, for example what to tamper with:
  - URL parameter values in GET
  - Body parameter values in POST
  - Cookies
  - Headers
  - AMF string parameters for Adobe Flex applications
  - REST URLs
- You can choose which attacks to enable or disable
- Also limit the number of threads

Launching automatic scan

- You can resume, delete or pause for a specific resource
- Check the Issue activity and Scan queue tabs
- Confidence: an estimation of the tool's confidence (Certain, Firm, and Tentative); sometimes you need to validate it manually
- You can change report information like Severity or Confidence
- You can save the result as HTML or XML (select issues from Issue activity and then right-click to generate a report)
- You can open it in other tools like Metasploit
- You can customize the report, like what data to show, …

Customized attacks with intruder

- Automatic customized attacks with Intruder, to iterate using fuzzing (like a login form)
- First step: send the request to Intruder from the History tab
- Then go to the Target tab to configure host and port (no need to change)
- In the Positions tab, select the payload positions for the attack (by default Burp highlights them). Click Clear to add your own by highlighting a value and clicking Add; Auto restores the default positions
- Choose the attack type as follows:

Customized attacks with intruder

- Sniper: each selected parameter is fuzzed using a single payload set, sequentially
- Battering ram: the payload is sent to all the selected parameters at the same time, then the same for the second payload …
- Pitchfork: each parameter is fuzzed using its own defined payload set
- Cluster bomb: tests the parameters using all combinations of the payloads
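To make the four attack types concrete, here is an added Python model (not from the slides, not Burp's code) of how Intruder distributes payload sets over the § marked positions; the template and the placeholder payload values are constructed, and the request counts it produces are the ones a practitioner sizes an Intruder run by.

```python
import itertools

MARK = "\u00a7"  # Intruder wraps each payload position in section signs: §value§

def positions_of(template):
    """Return the original value inside each §...§ pair, in order."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[1::2]

def render(template, values):
    """Substitute one value per marked position."""
    parts = template.split(MARK)
    return "".join(values[i // 2] if i % 2 else p for i, p in enumerate(parts))

def sniper(originals, payloads):
    """One payload set; each position is fuzzed in turn while the others
    keep their original value (positions x payloads requests)."""
    for i in range(len(originals)):
        for p in payloads:
            yield [p if j == i else o for j, o in enumerate(originals)]

def battering_ram(originals, payloads):
    """One payload set; the same payload goes into every position at once."""
    for p in payloads:
        yield [p] * len(originals)

def pitchfork(originals, payload_sets):
    """One set per position, walked in lockstep; stops with the shortest set."""
    if len(payload_sets) != len(originals):
        raise ValueError("pitchfork needs one payload set per position")
    for combo in zip(*payload_sets):
        yield list(combo)

def cluster_bomb(originals, payload_sets):
    """One set per position; every combination is sent (product of sizes)."""
    if len(payload_sets) != len(originals):
        raise ValueError("cluster bomb needs one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield list(combo)

def attack(template, mode, payload_sets):
    """Render every request body an Intruder attack of this type would send."""
    originals = positions_of(template)
    if mode in ("sniper", "battering ram"):
        # These two modes use a single payload set, whatever else is configured.
        gen = {"sniper": sniper, "battering ram": battering_ram}[mode]
        combos = gen(originals, payload_sets[0])
    else:
        gen = {"pitchfork": pitchfork, "cluster bomb": cluster_bomb}[mode]
        combos = gen(originals, payload_sets)
    return [render(template, c) for c in combos]

# Constructed template and placeholder payloads (no real attack strings).
TEMPLATE = "user=§alice§&pin=§0000§"
PAYLOAD_SETS = [["a1", "a2"], ["p1", "p2", "p3"]]
```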

Customized attacks with intruder

- Note: some attack types require more than one payload list
- Then configure the payloads (the list of strings to inject)
- The Pro version of Burp comes with a lot of attack payloads; it is also good practice to add FuzzDB, Web App URLs and the OWASP DirBuster Project lists
- Payload types:
  - Preset list: the user can load a list of attack vectors (wordlist) from external text files or define them manually
  - Numbers: automatically generates numbers based on the specified configuration
  - Dates: automatically generates dates from and to a specific day
  - Bruteforce: generates all possible string permutations given a character set and the min/max length of the resulting string
- For example, to create an attack list to detect SQL injection: select Preset list, then Add ‘– and Add ‘

Customized attacks with intruder

- By default, Intruder will URL-encode all characters specified in the Payload encoding text field
- Payload processing examples: To lower case rule, add prefix, Hash, Encode …
- In the Options tab, you can configure the number of threads
- Also the Grep option, to search for strings or regular expressions in the web responses (it highlights these requests); useful to detect common error strings, exceptions or "invalid access" words
- To launch the attack: Intruder | Start attack (you can save the configuration and then load it from the menu to add more customizations)
- Observe the results in the result table (pay attention to HTTP status code and length)

Dealing with Repeater

- To repeat a request and modify it, to make sure an endpoint is secure or insecure
- You can modify the request and send it multiple times
- From the History tab, select a request and send it to Repeater
- Modify the request, for example change the request method
- Repeater menu: you can update the Content-Length automatically
- The "Follow redirects" option selects whether Burp Repeater should display the actual web response or instead follow all redirects (302 Redirect status code) and display the landing page

Dealing with Repeater

- By selecting the "Process cookies in redirections" option, it is possible to update the request's session tokens during the application redirects
- Burp Repeater allows you to create, delete, or rename tabs

Randomness with Sequencer

- Analyzing application data randomness with Sequencer: to analyze the predictability of application data such as session cookies, anti-CSRF tokens, user activation tokens …
- Sequencer does not perform any injection attack
- In the History tab, select the login request and send it to Sequencer
- In the Select request table, select the request
- In the Token location section, within the Live capture tab, we need to tell Burp how to analyze data within the response
- Cookie and form fields show the parameters present in the page, and you can manage it manually

Randomness with Sequencer

- Go to Manual load and load your test tokens
- Click Analyze now to see the results, showing how many tokens passed
- The Summary tab shows an overview report; the randomness could be good or bad
- You can also see character-level analysis or bit-level analysis reports, at char or bit position: http://www.portswigger.net/burp/help/sequencer_tests.html
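As an added example (not from the slides, and a simplified per-position entropy view rather than the battery of statistical tests Sequencer applies), this Python shows what character-level and bit-level analysis of a token sample reveals; the tokens are constructed, with a fixed prefix, a counter field and a hex tail, so the fixed and weak positions are known in advance.

```python
import math
from collections import Counter

# Constructed sample tokens (not captured from a real application): a fixed
# prefix, a two-digit counter, then six hex characters chosen to look random.
SAMPLE_TOKENS = [
    "SID-01-a3f9c1", "SID-02-7b2e90", "SID-03-c04d1f", "SID-04-5e8a27",
    "SID-05-91bc63", "SID-06-2f7d48", "SID-07-d6a0e5", "SID-08-4c39b2",
]

def _entropy(counts):
    """Shannon entropy in bits of a distribution given as raw counts."""
    n = sum(counts)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _check_lengths(tokens):
    if len({len(t) for t in tokens}) != 1:
        raise ValueError("tokens must all have the same length")

def char_entropy(tokens):
    """Character-level analysis: entropy of the character at each position."""
    _check_lengths(tokens)
    return [_entropy(Counter(t[i] for t in tokens).values())
            for i in range(len(tokens[0]))]

def bit_entropy(tokens):
    """Bit-level analysis: entropy of each bit (8 per character, MSB first).
    For ASCII tokens the top bit of every character is always 0."""
    _check_lengths(tokens)
    n = len(tokens)
    result = []
    for i in range(len(tokens[0])):
        for k in range(7, -1, -1):
            ones = sum((ord(t[i]) >> k) & 1 for t in tokens)
            result.append(_entropy([n - ones, ones]))
    return result

def analyze(tokens):
    """Summarize which positions never change and how much entropy the sample
    shows. With n tokens no position can exhibit more than log2(n) bits, so
    that ceiling, not the alphabet size, is the reference for 'low'."""
    ent = char_entropy(tokens)
    ceiling = math.log2(len(tokens))
    return {
        "length": len(ent),
        "fixed_positions": [i for i, h in enumerate(ent) if h == 0.0],
        "low_entropy_positions": [i for i, h in enumerate(ent) if 0 < h < ceiling / 2],
        "estimated_bits": round(sum(ent), 2),
        "max_observable_bits": round(ceiling * len(ent), 2),
    }
```

Eight tokens is far too few for a real verdict; the small sample is only there so the arithmetic can be followed by hand.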

Decoding and encoding

- Decoding and encoding data with Decoder: for encoding and decoding strings in multiple formats
- Burp Decoder also allows you to create message digests for common hash functions, including MD2, MD5, SHA, SHA256, and SHA512
- Smart decode button: Burp will attempt to decode the content of a string by looking for recognizable formats
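The following added Python (not the slides' or Burp's code) imitates the smart decode idea: try the recognizable formats in turn, keep a result only when it is printable text, and repeat until nothing changes; the sample values are constructed, and the hash helper covers the digests hashlib provides (MD2 is not available there).

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote

def _text(data):
    """Accept a candidate decoding only if it is printable text."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return s if s.isprintable() else None

def try_url(s):
    out = unquote(s)
    return out if "%" in s and out != s else None

def try_base64(s):
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return _text(base64.b64decode(s, validate=True))
    except binascii.Error:
        return None

def try_hex(s):
    if len(s) < 2 or len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return _text(bytes.fromhex(s))

# Order matters: a hex string is also syntactically valid base64, so the
# stricter formats are tried before the more permissive one.
DECODERS = (("url", try_url), ("hex", try_hex), ("base64", try_base64))

def smart_decode(value, max_rounds=8):
    """Repeatedly apply the first format that recognizes the current value;
    return the list of (format, result) steps taken."""
    steps, current = [], value
    for _ in range(max_rounds):
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None and out != current:
                steps.append((name, out))
                current = out
                break
        else:
            break  # no decoder recognized the value; stop
    return steps

def digests(value):
    """Message digests like Decoder's Hash menu, for the algorithms hashlib has."""
    data = value.encode("utf-8")
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}
```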

Comparing site maps

- Comparing site maps helps in covering access control issues. For example, you can browse the application with a standard user account and then reiterate all requests using an administrative user
- Also, many times with Blind SQL injection there can be tiny differences in HTTP responses, and the tool can help you identify exactly what is different
- Bytes or words comparison
- Allows you to compare two site maps and highlight differences

Comparing site maps

- Note: it doesn't make injection or remote attacks
- For example, in Site map select the Account folder and click "Compare site maps"
- So define site map 1 (source); then select the branches to be included, or items in scope only
- Then define site map 2

Comparing site maps

- Let us assume our first site map was recorded as the User1 session. For site map 2 we need to invalidate our cookies and use a new session
- Minimize the Compare site maps wizard and go to Project options | Sessions
- Click on View cookie jar; this is the repository of all session tokens used by Burp
- Tamper with the cookie values to simulate a non-authenticated user and then close the window
- Click Edit, on the right-hand side of the session handling table

Comparing site maps

- Burp will open a new window named Session handling rule editor. Go to the Scope tab and select the Target checkbox in the Tools scope section
- Click Done and get back to the Compare site maps wizard
- Leave all options as they are and proceed further
- Use the default settings; Burp will start requesting the site map 1 resources with the modified session, in order to build site map 2

Comparing site maps

- Burp will automatically compute all differences and display the results to the user
- Sync selection: Burp will sync resources from the two sites, enabling you to simultaneously scroll down the two panels and see the items with visual differences
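As an added example (not from the slides, not Burp's code), this Python does the words and bytes comparison described above for one item of a site-map comparison, the same response fetched with a standard user's session and with an administrator's; both responses are constructed, and the tokenizer treats each HTML tag as its own word so markup and content line up.

```python
import difflib
import re

# Constructed responses to the same request, issued once with a standard
# user's session and once with an administrator's (not real captures).
RESPONSE_USER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 56\r\n\r\n"
    "<h1>Account</h1><ul><li>Profile</li><li>Orders</li></ul>"
)
RESPONSE_ADMIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 77\r\n\r\n"
    "<h1>Account</h1><ul><li>Profile</li><li>Orders</li><li>Manage users</li></ul>"
)

# A 'word' is either a whole HTML tag or a run of non-space, non-tag text.
WORD = re.compile(r"<[^>]+>|[^\s<>]+")

def compare_words(a, b):
    """Word-level comparison: the non-matching regions as
    (operation, words_in_a, words_in_b) tuples."""
    wa, wb = WORD.findall(a), WORD.findall(b)
    matcher = difflib.SequenceMatcher(a=wa, b=wb, autojunk=False)
    return [(op, " ".join(wa[i1:i2]), " ".join(wb[j1:j2]))
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]

def compare_bytes(a, b):
    """Byte-level comparison: the non-matching regions as
    (operation, bytes_in_a, bytes_in_b) tuples; catches differences that
    are smaller than a word, such as whitespace or a single digit."""
    ba, bb = a.encode("utf-8"), b.encode("utf-8")
    matcher = difflib.SequenceMatcher(a=ba, b=bb, autojunk=False)
    return [(op, ba[i1:i2], bb[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]

def summarize(a, b):
    """Per-item verdict for an access-control comparison: did the second
    session receive different content, and how much more."""
    diffs = compare_words(a, b)
    return {
        "identical": not diffs,
        "length_delta": len(b) - len(a),
        "added_words": sum(len(w.split()) for op, _, w in diffs
                           if op in ("insert", "replace")),
        "word_differences": diffs,
    }
```

Two responses that differ only in a Content-Length header are not evidence of an access-control gap; it is the inserted body content that matters, which is why the summary separates the length delta from the word differences.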

Other Utilities

- Engagement tools is a Pro-only feature of Burp Suite
- Search: to find relevant information very quickly. In the Target site map you can export comments. Dynamic update allows us to automatically update the search results based on our term if more responses contain the term
- Analyze target: to quickly figure out how many dynamic and static links you are dealing with in a website. It also tells you how many parameters are required for each of the links, to calculate the time and effort required to test the application. It picks information from the site map and does not do any scanning of its own

Other Utilities

- Engagement tools is a Pro-only feature of Burp Suite
- Content Discovery: to discover content, including brute-forcing file and folder names
- Task Scheduler: to automate processes like backing up the Burp session, scanning (start, resume, pause) and spidering
- CSRF proof of concept generator: takes any request and automatically writes the HTML code for a PoC to check whether the application checks for CSRF risk; it generates HTML and JavaScript to auto-submit the form

Save our work

- It is a Pro-only feature of Burp Suite; for the free edition, use OWASP ZAP to proxy the session
- You can set a password to secure the sensitive information
- There is no way to save the state for Intruder. What you can do is save the attack configurations with payloads
- Options | Misc, under Automatic Backup: to save the work automatically
- Options | Misc | Logging: to log each and every HTTP request and response for the different tools

Help

- http://www.portswigger.net/burp/help/
- http://portswigger.net/burp/faq.html
- http://www.securityaegis.com/pentesting-with-burp-suite-takingthe-web-back-from-automated-scanners
- http://console-cowboys.blogspot.com/2012/07/setting-up-burpdevelopment-environment.html
- http://vimeo.com/11553558
- http://forum.portswigger.net/
- http://blog.portswigger.net/
- https://twitter.com/PortSwigger
- https://twitter.com/carste1n
- https://twitter.com/_ikki

References

- Burp Suite Starter, Packt book, 2013
- Burp Suite Essentials, Packt book, 2014
- PenQ tool for spidering, advanced web searching, fingerprinting, and much more