Hello friend so today my topic after the previous post of How To Setup Burp so now i will cover all other useful parts with in Burp Suite it self so lets get started.
Burp Suite is a web application penetration testers Dream tool and the most powerful tool out there on the internet can it can be used to cover everything full in depth that you ever wanted. So i will be my best to thoroughly explain all the details as there are a lot of things to cover. Here is a quick list of Burp Suite components:
- Intercepting Proxy – This part of Burp lets to inspect and modify all the requests and responses that your browser make to the target application.
- Spider – It is a very handy tool for listing out all the directories and files on the server and its functionality.
- Web Scanner* – The important part as it detects list of vulnerabilities present in the site.
- Intruder – This is used to create and perform customized attacks to find and exploit unexpected errors.
- Repeater – Modify and re-send any individual requests.
- Sequencer – To test the randomness of the tokens (csrf , authenticity_token etc )
- Extensions* – Allow you to write and add you own custom designed plugin or download pre-made plugins, to performs complex and fully customized attacks.
* Donates those features which are only available in pro version
Introduction To Burp :-
The intercepting proxy is is the first step and leads the foundation of any web application penetration test you are conducting. Burp Suite proxy syncs well with all other tools present with in it. The first step of using the intercepting proxy is to setup the proxy listener (Found under proxy -> Options). I have mine set to the default setting which is localhost (127.0.0.1) and port 8080:
you can always change it by clicking on the listener then click on “Edit” or by adding a new one. Once you have it setup just go to the browser network setting and manually configure the proxy settings:
Now you can start your testing and you can view all the requests that are being sent by the target application. Go to Proxy > Intercept and double check that “Intercept is on” and now you can tarp all the requests:
Now you can modify the request and forward it to the target application and also there are a lot of more option under Action which you can use to further testing.
If you want to go back and want to check all the request made to the target server you can see all that in Proxy > HTTP history tab can you can check all the details about that.
Burp Suite’s spider tools is really great and helpful when you are doing your starting tests for the web application. It will create full list of the URLs found on the site HTML responses as you navigate your way around . To use it go to Target tab then click on the domain and Add to Scope :
All the domains which you will add to the scope you can see them in Target > Scope and in here you can also add domains manually or modify previously added domains or all those domain which need to excluded from the test (for example, if you want to avoid running automated tests against a ‘About Us’ form):
If you want to check the controls of Spider go to Spider tab and the Control in here you can see that there are some URLs which have been Queued by the spider. And it will only run against the domains in the scope:
Now back in the Site Map, we can see a list of all URLs. A black URL means that we have successfully navigated to that page or the spider have found that on the site and have confirmed it as valid. And a gray URL means that the spider has found it in site the HTML code of the response but is still nor confirmed as valid :
And to the most cool tool present in Bur Suite and my personal favorite. Intruder is a very useful and flexible tool for harvesting data form web applications. We can use it for Brute-forcing, enumeration, Vulnerability fuzzing or what ever you can think off in your hearts desires and collect data from the results.
I’ll use a basic example to walk you through the setup. We will try to use brute force attack to hack into admin panel on the login screen taking in consideration that there is no account lockouts in place. First of all got the HTTP history and right click on the request we want to test and select “Send to Intruder”:
Now in the Intruder tab and prepare our attack vector of the site. The Target tab will automate the whole process for us under the Positions tab we can see the request we’ve selected adn set the position for our attack. You can do it by highlighting the value of the parameter and then clicking on Add on the right hand and you can also chose more than one position at a time:
At the top you will see the type of attack. For example we will leave it as sniper, but each attack type has a specific use :
- Sinper – This uses a single payload set. It target each payload position in turn, and places each payload in that place in turn. This attack type is use full for fuzzing attacks to find common vulnerabilities. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
- Battering Ram– This uses a single set of payloads. It iterates through the payload and place the same payload in the other positions present in the request for testing. This is use full when the attacker is testing single payload in different positions in the request.
- Pitchfork – This uses multiple set of payloads. There is a completely different set of payload for every defined position. And this attack goes through all payload sets simultaneously and place single payload into each defined position. This attack type is useful where an attack requires different but related input to be Used in Different places within the request. The total number of requests generated in the attack is the number of payloads in the smallest payload set.
- Cluster bomb – This uses multiple payload sets. There is a different payload set for each defined position. The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. This attack type is useful where an attack requires different and unrelated or unknown input to be inserted in multiple places within the request. The total number of requests generated in the attack is the product of the number of payloads in all defined payload sets.
Now that the positions are set, we can start and to do that move to the Payload tab and set what data will be used during the attack process. On the top you will see the payload set.
Below we can set the payload options each payload type has different options which can be modified for your test as here we are going with the password list.
Now what you have to do is click on start attack by clicking on the “Start Attack” button in the top right. A new window will open with the intruder session running on it.
Note: The free version on Burp Suite severely throttles intruder. The pro version is significantly faster.
Repeater, decoder, and comparer are also very helpful tools to have. They’re very simple to use, just right-click on your request or highlighted portion of the request and select “Send To”. PortSwigger did an amazing job of making this suite of tools very intuitive, I don’t think I need to cover those.
I hope you enjoyed, stay tuned for more tutorials!