Burp Suite is a framework that is used for pentesting web apps.
Before using Burp Suite you need to install Burp's CA certificate in your browser, so that Burp can intercept HTTPS traffic.
In cryptography, a certificate authority or certification authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key.
Burp Suite sits as a proxy between your browser and the internet. Once its CA certificate is trusted by the browser, Burp can read the HTTPS traffic passing through it and send it on.
Moving on, Burp has the following components →
- Proxy — What allows us to funnel traffic through Burp Suite for further analysis
- Target — How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
- Intruder — Incredibly powerful tool for everything from field fuzzing (a black-box testing technique that finds implementation bugs by automatically injecting malformed or semi-malformed data) to credential stuffing (an attack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests against a web application) and more.
- Repeater — Allows us to ‘repeat’ requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned Intruder
- Sequencer — Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used to test session cookies and to analyze the randomness of other data such as password reset tokens.
- Decoder — As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
- Comparer — Comparer as you might have guessed is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
- Extender — Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
- Scanner — Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.
Using Burp Suite proxy grants us a granular level of control over the traffic.
By default, Burp will be set to ‘intercept’ our traffic. This means a few things:
1. Requests will, by default, require our authorization before they are sent.
2. We can modify our requests in-line similar to what you might see in a man-in-the-middle attack and then send them on.
3. We can also drop requests we don’t want to be sent. This can be useful to see the request attempt after clicking a button or performing another action on the website.
4. And last but not least, we can send these requests to other tools such as Repeater and Intruder for modification and manipulation to induce vulnerabilities.
By default, the Burp Suite proxy listens on only one interface → localhost (127.0.0.1:8080)
Do you know what protocol Google Docs uses? It uses the WebSocket protocol over TCP.
Target tab
The Target tab allows us to view the site map, define the scope, and specify issue definitions.
The “happy path” → the technique of defining Burp's scope by walking through the application's normal functionality, starting as the least-privileged user and moving up to the user with the most elevated privileges of the Web App under test. This is the groundwork for automating the rest of the test with Burp's tools.
When you have added the target URL to the scope you can expand its tree-like directory structure; this is referred to as the “site map”.
Intruder
Intruder can be used for many things ranging from fuzzing to brute-forcing. At its core, Intruder serves one purpose: automation.
Intruder is meant for repeat testing once a proof of concept has been established:
- Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing
- Harvesting useful data from user profiles or other pages of interest via grepping our responses
- Fuzzing for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal.
Cross-site scripting (XSS) is a type of security [vulnerability](en.wikipedia.org/wiki/Vulnerability_%28comp.. "Vulnerability (computer science)") typically found in [web applications](en.wikipedia.org/wiki/Web_application "Web application"). XSS attacks enable attackers to [inject](en.wikipedia.org/wiki/Code_injection "Code injection") [client-side scripts](en.wikipedia.org/wiki/Client-side_script "Client-side script") into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass [access controls](en.wikipedia.org/wiki/Access_control "Access control") such as the [same-origin policy](en.wikipedia.org/wiki/Same-origin_policy "Same-origin policy"). Cross-site scripting carried out on [websites](en.wikipedia.org/wiki/Website "Website") accounted for roughly 84% of all security vulnerabilities documented by [Symantec](en.wikipedia.org/wiki/NortonLifeLock "NortonLifeLock") up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner [network](en.wikipedia.org/wiki/Computer_network "Computer network").
Intruder has four different attack types:
1. Sniper — The most popular attack type, this cycles through our selected positions, putting the next available payload (item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).
2. Battering Ram — Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position. Think of how a battering ram strikes the whole surface at once with a single blow, hence the name for this attack type.
3. Pitchfork — The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through both payload sets simultaneously. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equalling the smallest payload set provided.
4. Cluster Bomb — The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide. For example, if we selected two positions (say a username field and a password field), we can provide a username and password payload list. Intruder will then cycle through the combinations of usernames and passwords, resulting in a total number of combinations equal to the number of usernames multiplied by the number of passwords.
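To make the four attack types concrete, here is an added example (not code from the page or from Burp itself) that expands a constructed two-position request template the way each attack type would. The § marker syntax follows Burp's convention; the function names and sample payload lists are assumptions.

```python
import itertools

# Burp Intruder marks payload positions with the section sign: "§admin§"
# is a position whose current (original) value is "admin".
MARK = "\u00a7"

# Constructed sample request body with two positions, username and password.
SAMPLE_TEMPLATE = f"username={MARK}admin{MARK}&password={MARK}letmein{MARK}"


def parse_template(template):
    """Return (literals, originals): text around the positions, and each position's current value."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers in template")
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Interleave the literal chunks with one value per position."""
    out = literals[0]
    for lit, val in zip(literals[1:], values):
        out += val + lit
    return out


def intruder_requests(attack, template, payload_sets):
    """Expand a template into the list of requests each Intruder attack type would send."""
    literals, originals = parse_template(template)
    n = len(originals)
    if attack == "sniper":
        # one payload set; positions are attacked one at a time, the rest keep their original value
        combos = [originals[:i] + [p] + originals[i + 1:]
                  for i in range(n) for p in payload_sets[0]]
    elif attack == "battering_ram":
        # one payload set; the same payload goes into every position at once
        combos = [[p] * n for p in payload_sets[0]]
    elif attack in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError("pitchfork and cluster bomb need one payload set per position")
        if attack == "pitchfork":
            # sets are advanced in lockstep, so the run ends with the shortest set
            combos = list(zip(*payload_sets))
        else:
            # every combination across the sets is tried (cartesian product)
            combos = list(itertools.product(*payload_sets))
    else:
        raise ValueError(f"unknown attack type: {attack}")
    return [render(literals, list(v)) for v in combos]


if __name__ == "__main__":
    users, passwords = ["alice", "bob"], ["x", "y", "z"]
    for attack, sets in [("sniper", [users]), ("battering_ram", [users]),
                         ("pitchfork", [users, passwords]), ("cluster_bomb", [users, passwords])]:
        reqs = intruder_requests(attack, SAMPLE_TEMPLATE, sets)
        print(f"{attack}: {len(reqs)} requests, e.g. {reqs[0]}")
```

With two usernames and three passwords the request counts come out as 4 (Sniper: 2 positions × 2 payloads), 2 (Battering Ram), 2 (Pitchfork, the shorter list) and 6 (Cluster Bomb, 2 × 3).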
Sequencer
[Session Randomness Analysis with Burp Suite Sequencer - Infosec Resources](https://resources.infosecinstitute.com/topic/session-randomness-analysis-burp-suite-sequencer/)
Decoder
Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding. We chain these transforms together and Decoder will automatically spawn an additional tier each time we select a decoder, encoder, or hash.
Comparer
Comparer, as you might have guessed, is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
Some common uses for Comparer are as follows:
- When looking for username enumeration conditions, you can compare responses to failed logins using valid and invalid usernames, looking for subtle differences in responses. This is also sometimes useful when enumerating password recovery forms or another similar recovery/account access mechanism.
- When an Intruder attack has resulted in some very large responses with different lengths than the base response, you can compare these to quickly see where the differences lie.
- When comparing the site maps or Proxy history entries generated by different types of users, you can compare pairs of similar requests to see where the differences lie that give rise to different application behavior. This may reveal possible access control issues in the application wherein lower privileged users can access pages they really shouldn’t be able to.
- When testing for blind SQL injection bugs using Boolean condition injection and other similar tests, you can compare two responses to see whether injecting different conditions has resulted in a relevant difference in responses.
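Added example, not part of the original post: a small response comparer in the spirit of the first bullet above (username enumeration), run over two constructed failed-login responses to show the kind of differences Comparer surfaces. The helper names and the sample responses are assumptions.

```python
import difflib


def build_response(status, body, headers):
    """Assemble a raw HTTP response with a correct Content-Length (used for the constructed samples)."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def compare_responses(a, b):
    """Report where two responses differ: status line, body length, headers and body lines."""
    status_a, hdr_a, body_a = parse_response(a)
    status_b, hdr_b, body_b = parse_response(b)
    # headers present in only one response, or carrying different values
    header_diff = {name: (hdr_a.get(name), hdr_b.get(name))
                   for name in sorted(set(hdr_a) | set(hdr_b))
                   if hdr_a.get(name) != hdr_b.get(name)}
    # body lines removed (-) or added (+), as a line-level diff would show them
    body_diff = [line for line in difflib.ndiff(body_a.splitlines(), body_b.splitlines())
                 if line.startswith(("- ", "+ "))]
    return {"status_changed": status_a != status_b,
            "length_delta": len(body_b) - len(body_a),
            "header_diff": header_diff,
            "body_diff": body_diff}


def leaks_username_existence(valid_user_resp, invalid_user_resp):
    """True when the two failed-login responses can be told apart, i.e. the app reveals whether a username exists."""
    d = compare_responses(valid_user_resp, invalid_user_resp)
    return bool(d["status_changed"] or d["length_delta"] or d["header_diff"] or d["body_diff"])


# Constructed samples: same status code, but a different message and an extra header
# when the username exists. A well-behaved login form would return identical responses.
VALID_USER_RESPONSE = build_response("200 OK", "<p>Incorrect password for this account.</p>",
                                     {"Content-Type": "text/html", "Set-Cookie": "login_attempts=1; HttpOnly"})
INVALID_USER_RESPONSE = build_response("200 OK", "<p>Login failed.</p>",
                                       {"Content-Type": "text/html"})
```

The same comparison applies to the last bullet: two responses to different injected Boolean conditions are fed in and the body and length differences show whether the condition changed the application's behaviour.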