In this article, we are going to see another powerful framework that is used widely in pen-testing. Burp suite is an integration of various tools put together to work in an effective manner to help the pen-tester in the entire testing process, from the mapping phase to identifying vulnerabilities and exploiting the same.hongkexy.com

In the figure above, we see the various features of this tool, like proxy, spider, intruder, repeater, sequencer, decoder and comparer. As we move ahead in the tutorial, we shall learn how to make use of them seamlessly.

Burp-Proxy

This lets you intercept the traffic between the browser and target
application. This option works like the man-in-the-middle attack vector.
Below I shall show you one of my favorite examples in demonstrating
this feature.

Here,
we are seeing a Wikipedia login form (dummyuser:dummypassword) and we
shall see how the intercept is put. Initially we need to switch the
intercept mode ON, in the suite. The FORWARD option allows you to send
the packets coming from the source IP to the destination IP. The DROP
option allows you to drop the packet if you feel it’s not a potential
packet that needs analysis.

In this figure, we see that the login credentials of en.wikipedia.org
are being captured. The point here to note is that Wikipedia uses HTTP
instead of HTTPs and thus, the login credentials are captured in clear
text.

The burp proxy listener is enabled on Port 8080 of the local host.
There are various options for intercept set-up, like request methods,
matching file extensions, and URL scope for the client requests. Other
options like request type, content types, and URL scope in the server
responses are available to be set-up based on the attack scenario.

I have used Mozilla Firefox here. The same holds for any other browser.

The following steps can be many from this phase. The capture can be
dropped, or sent to spider, sequencer, comparer etc. There is an option
of changing the request methods from GET to POST and so on.

Burp-site Map and Site Scope

In this section, we are seeing the Burp site maps and site scopes.
This section shows us the various sections of a particular domain. Here,
we can choose the scope of our security testing. We see a huge number
of sub domains when we hit on www.google.com. The figure shows the
site-map and site scope. We can also see the pages visited which are
darkened, and unvisited pages are grayed.

This particular instance in the screenshot shows the searches that
are done by the user. I have searched for “Security research”, and using
the key word finder, I have highlighted the word “security”.

The figure to the left shows the site-map of Google. Google is just
used here for a demo. The target web application can be anything under
analysis.

Burp Spider

The spider tool is used to get a complete list of URLs and parameters
for each site. The tool looks into each page that was manually visited
and goes through every link it finds in the testing scope. Make sure
when using spider tool that your proxy and interceptors are switched
off. The more links you manually visit, the better spider you are going
to get. It simply gives the spider a larger coverage area.

Setting up the spider is done using the options menu. The two main
things we need to set are the authentication and the thread count. The
authentication field can be set with a username and password
combination. The reason we set up this is because when the spider comes
across a login page, it can go through the authentication process in an
automated manner, giving more scope to spider the target.

Thread count is the number of concurrent threads that are being used.
For a local testing, this count can be high. A higher thread count
would imply faster processing but also a larger load. Occasional pop-ups
occur asking for changing the scope. Depending on the set up we can
choose either a yes or a no.

Once we are done spidering the target, we use the scanner. I am using
a free edition of the Burp suite, so the scanner is disabled in this.
The professional edition has fully functional scanners. The scanner is
used to make tests. There are two types of tests: active and passive.
Active tests send data and analyze the possibilities. Passive tests
examine all traffic and determine the vulnerabilities present in the
application. It’s left to the user’s discretion to choose the type of
tests that need to be done on the target.

Burp-Intruder

The intruder has 4 panels as seen in the figure, namely target, positions, payloads and options.

Target: This panel is used to specify the target
host (the URL), the port to use for the connection, and also it gives
options for using SSL encryption depending on our scenario. The figure
below shows the target panel.

Positions: This panel is very important in
automating attack strings on the target. There are various kinds of
attack vectors, such as sniper attack, battering ram attack, pitchfork
attack and cluster bomb.

On observing the figure, we see that the payload positions are
automatically highlighted with a “§” character. This happens when you
click on the auto button to the right. You can add markers and customize
too. A clear option is used to clear all the markers on the page.

A sniper attack is used as a single set of payload. Here, only one
value is replaced in the entire payload positions, one after the other.
Battering ram is also another form of single payload attack. This is
used when a single value is needed in the payload position. The
Battering ram works fine when the password quality rules, the policies
set are allegedly weak in nature. A lot of enumeration has to be gone
through before using this form of attack, since it works in a scenario
where, for example, the username and password both would have the same
values.

A pitchfork attack, as we are going to see, is used when we need a
multiple payload-set. A cluster bomb is another form of a multiple
payload attack vector. In a cluster bomb attack, there are two lists;
every word in the first list runs against every word in the second list.
It is effectively used when the target has a login form which has to be
breached.

In this section, I am going to demonstrate a SQLi attack on the demo
page of etopshop at the following URL:
http://www.etopshop.com/demo/pcstore/admin.asp

SQL injection testing using Burp-intruder

After capturing the page as described, I custom chose my payload
markers as Username fields and Password fields. From here, I deduced
that since the attack requires two parameters, I need a multiple payload
attack. I chose pitchfork attack vector from the dropdown menu. The
figure shows the options being set for the attack. I chose the preset
list for adding my SQL attack strings to be tried out at the target.

In the figure, we see that we can add, save the preset list of
payloads, etc. We have lot of options under the payload set. To mention a
few, we have character based, number based, random characters based,
brute force, dates, etc. As you can see, I have used the preset list.

The figure shows the process of SQL injection, once you click on
start-attack. The results tab shows the payloads being sent to the
target. The request tab shows the HTML source and how the payloads are
placed at our chosen markers.

Another tab of interest is the response tab. Here, we see that the
injection succeeded and we have been welcomed as the store manager when
we analyze the HTML source. To see the web page, we can even click on
render.

In the figure, we see the successful penetration of the web
application, using the famous SQL injection vulnerability. Similarly,
XSS attack vulnerabilities can be checked, which I shall leave it to the
intuition of the reader, on how to go about it.

Burp-Repeater

In this section, we shall see the Burp-repeater. This tool is
generally used to manually modify the HTTP requests and test the
responses given by the page. This can even lead to probing for
vulnerabilities on the web-page. Basically, this is used to play back
requests to the server.

Understanding XSS with Burp-Repeater

We shall use a vulnerable web application at:
http://www.steve.org.uk/Security/XSS/Tutorial/simple.html for
understanding and analyzing XSS (Cross site scripting) Vulnerability in a
webpage.

In the figure, I have highlighted the attack spot on the webpage,
which takes the input, and we will try probing for XSS vulnerabilities.
Now, we pass a script tag, the attack string I use is a very simple
JavaScript like:

<iframe src=”javascript:alert(‘Xss’)”;</iframe>

We see that the iframe code is injected into the source of the web
page. When checked on the browser to confirm, if there is a XSS bug
present in the application, we see that there is a reflected XSS
vulnerability on the target as shown in the figure.

Burp Sequencer

If we want to check for the extent of randomness in the session
tokens generated by the web application, this is a tailor made tool to
carry out such tests. Brute force attacks enumerate every possible
combination for gaining authentication to the web application. This
makes it a serious concern to have the high degree of randomness in the
session token IDs. Let’s start with sending a request which contains a
session token.

In this figure you can see the token request to the site Google.com.
The right side of the screen shot has the token start and token end
expressions. We can either specify an expression like “Google” or even
set the offset from where the token has to start. The same thing holds
at the token end panel, where we can set the delimiter, or a fixed
length for the capture to start. After fixing these parameters, we can
click START CAPTURE.

The start capture action panel looks like the screenshot above. It
sends requests to the target and gives a detailed analysis of the
randomness in the cookie tokens. We can pause/stop the analysis when we
wish to. I stopped the scan mid-way to see the results of the analysis
until the paused values. The screenshot below explains the results
better.

The scan components are as follows:

  1. Overall result
  2. Effective Entropy
  3. Reliability
  4. Sample size considered

Burp automatically analyses this aspect and generates this report in
this sequencer tool. Other analysis types are character level analysis,
which tells us the degree of confidence in the randomness of the sample
through a graphical display. Similarly, the bit-level analysis is the
analysis done at the bit level. You have the choice to pad characters in
the options panel and also to decode in base64 if needed.

Burp Decoder

This tool enables you to send a request to the decoder. Within the
decoder, we have multiple options to encode the request into various
formats like base64, URL, etc. There are also options to convert the
same to hashes like MD5, SHA-1, etc.

The above screenshot shows the Burp decoder for a request. If we have
an encoded request like the one in the following screenshot, then the
upper part is a request encoded in the base64 format. The lower part is
the request decoded in the clear text. I have encoded the entire
request. We can also selectively choose a portion of the request to be
decoded/encoded here.

This aspect mainly comes in to use when there is a client side
encryption of username and password in commonly used hashes or encoders.
The username/password field can be selectively decoded and the contents
can be viewed in clear text form.

Burp Comparer

Burp comparer is used when we have to compare between two sets of
data. The two sets can be a comparison of responses received for two
different requests. We can compare on the word scale or a byte scale.
The comparison shown here is of two different requests to a website. The
screen shot below shows the comparison.

The comparison can be done in two ways – Bit-by-Bit comparison and
word-by-word comparison. Burp automates this process for the user and
compares the two requests or responses accordingly.

This ends the tutorial on Burp-suite. The extent to which Burp-suite
can be used can only be left to the imagination of the user. The scanner
is not covered in this series because it’s not available in the free
edition of Burp. In the commercial edition, the scanner module is fully
functional, though with some false positives like any other application.

About the Author

Shathabheesha is a cyber security researcher at Infosec Institute and
works for a private firm in India. His interests are mainly in system
exploitation and vulnerability research.

Burp Suite教程(英文版)的更多相关文章

  1. Burp Suite Walkthrough(英文版)

    Burp Suite is one of the best tools available for web application testing. Its wide variety of featu ...

  2. Burp Suite详细使用教程

    Burp Suite详细使用教程-Intruder模块详解 最近迷上了burp suite 这个安全工具,百度了关于这个工具的教程还卖900rmb...ohno.本来准备买滴,但是大牛太高傲了,所以没 ...

  3. kali linux Burp Suite使用教程

    设置Firefox并配置代理 配置Firefox Burp Suite包含拦截代理. 要使用Burp Suite,您必须配置浏览器以通过Burp Suite代理传递其流量. 这对于Firefox来说并 ...

  4. Burp Suite扫描器漏洞扫描功能介绍及简单教程

    pageuo 2017-07-25 共852828人围观 ,发现 15 个不明物体 工具新手科普 * 本文作者:pageuo,本文属FreeBuf原创奖励计划,未经许可禁止转载 众所周知,burpsu ...

  5. Burp Suite 入门教程(BURP SUITE TUTORIAL )

    参考链接1:https://www.pentestgeek.com/what-is-burpsuite 参考链接2:https://www.pentestgeek.com/web-applicatio ...

  6. Burp Suite详细使用教程-Intruder模块详3

    Burp Suite使用详细教程连载的第三章.0×02 Intruder—内置有效负荷测试使用技巧内置有效负荷测试选择项如下图: 今天的小技巧使用的是 numbers,给大伙科普下:Numbers 数 ...

  7. 安全测试工具(1)- Burp Suite Pro的安装教程

    啥是Burp Suite 用于攻击web 应用程序的集成平台 程序员必备技能,不仅可以拿来做渗透测试.漏洞挖掘还能帮助程序员调试程序 Bug 它包含了许多Burp工具,这些不同的burp工具通过协同工 ...

  8. Burp Suite 使用教程(上传突破利器)

    Burp Suite是一个免费的网站攻击工具. 它包括proxy.spider.intruder.repeater四项功能.该程序使用Java写成,需要 JRE 1.4 以上版本 下载该程序的源代码, ...

  9. burp suite 使用教程详解(外文翻译转)

    Burp Suite是Web应用程序测试的最佳工具之一,其多种功能可以帮我们执行各种任务.请求的拦截和修改,扫描web应用程序漏洞,以暴力破解登陆表单,执行会话令牌等多种的随机性检查.本文将做一个Bu ...

随机推荐

  1. 关于SQL语言的优化(Oracle)

    SQL优化的原则 尽量使用列名 --SQL 优化2: where解析的顺序 : 右--> 左 Select * from zl_yhjbqk   where   dy_dj = '1K以下'   ...

  2. cisco通过控制口或者通过远程配置交换机

    学而不思则罔,思而不学则殆,每天坚持一小步,则成功一大步 下面我们通过Cisco Packet来模拟交换机和路由器的远程和控制台登录配置交换机. 交换机console口的连接与配置方法 (1),在Ci ...

  3. 使用SQL Server 2005 新的语法ROW_NUMBER()进行分页的两种不同方式的性能比较

    相比在SQL Server 2000 中使用的分页方式,在SQL Server 2005中使用新的语法ROW_NUMBER()来分页效率要高出很多,但是很多人在使用ROW_NUMBER()这种分页方式 ...

  4. C语言变参函数/Variadic fucntion

    几个重要的 宏/类型 定义 Macros Defined in header <stdarg.h> va_start enables access to variadic function ...

  5. 使用Notepad++将多行数据合并成一行

    1.按Ctrl+F,弹出“替换”的窗口: 2.选择“替换”菜单: 3.“查找目标”内容输入为:\r\n: 4.“替换为”内容为空: 5.“查找模式”选择为正则表达式: 6.设置好之后,点击“全部替换” ...

  6. install xdebug on fedora

    Compiling There is a wizard available that provides you with the correct file to download, and which ...

  7. Apache虚拟主机设置

    Apache支持两种虚拟主机,一种是基于IP地址的,一种是基于域名的. 基于IP地址的虚拟机现在使用的很少,它需要一台服务器需要拥有多个IP地址.基于域名的虚拟主机要求服务器有一个IP地址就可以了,只 ...

  8. 自定义弹出div对话框

    <style type="text/css"> html,body{height:100%;overflow:hidden;} body,div,h2{margin:0 ...

  9. HttpWebRequest中的SendChunked

    MSDN上说:When SendChunked is true, the request sends data to the Internet resource in segments. The In ...

  10. Java中的Inner Class (一)

    Inner Class看起来是一个简单的Code-Hideing机制,但是Java的Inner Class和C++的有所不同 - Inner Class能够和外部类(Surrounding Class ...