05 Repeater and Sequencer

Repeater

Repeater is used to manually modify HTTP requests and inspect the responses the application returns. In practice you send a captured request here (from the Proxy history or the site map), change one detail at a time (a parameter, a header, a cookie value) and re-issue it, which is how most manual probing for vulnerabilities is done. In short, it is used to play back requests to the server under your control.

Sequencer

If we want to check the extent of randomness in the session tokens generated by the web application, Sequencer is the tailor-made tool for such tests. A token that is predictable (a counter, a timestamp, the output of a weakly seeded generator) can be guessed far faster than a brute force attack that has to enumerate every possible value, so a high degree of randomness in session token IDs is a serious requirement. Let’s start by sending a request whose response contains a session token.

In this figure you can see the token request to the site Google.com. The right side of the screenshot has the token start and token end settings. For the start we can either specify an expression after which the token begins (for example “Google”) or set a fixed offset. The same holds at the token end panel, where we can set either a delimiter or a fixed length at which the capture ends. After fixing these parameters, we can click START CAPTURE.

The start capture action panel looks like the screenshot above. It repeatedly sends the request to the target, extracts the token from each response and gives a detailed analysis of the randomness of the collected tokens. Burp needs at least 100 tokens before it will analyse a sample, and the reliability of the verdict grows with the sample size. We can pause/stop the capture when we wish to. I stopped the capture mid-way to see the results of the analysis up to the point where it was paused. The screenshot below explains the results better.

The scan components are as follows:

  1. Overall result
  2. Effective Entropy
  3. Reliability
  4. Sample size considered

Burp performs this analysis automatically and generates the summary report shown in the Sequencer tab. Two further views are available. The character-level analysis looks at each character position of the token (how many distinct characters appear there and how they change from one sample to the next) and plots the confidence in the randomness of each position graphically. The bit-level analysis converts the tokens to bits and runs statistical tests on each bit position (FIPS-style monobit, poker, runs and long-runs tests, plus correlation and spectral tests). In the analysis options panel you can pad short tokens to a uniform length and Base64-decode the tokens before analysing them, which matters when the token is an encoding of structured data rather than raw random bytes.
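
To make the Sequencer report concrete, here is an added example (not code from the original post and not Burp’s own algorithm) that runs a simplified version of the same analysis offline: a per-position Shannon entropy estimate for the character-level view, a monobit test for the bit-level view, and the Base64-decode and padding options. The two token samples are constructed inside the script; the “strong” one is drawn from a seeded PRNG purely so the output is reproducible. The padding rule (right-pad with “0”) is an assumption of this example.

```python
import base64
import math
import random
from collections import Counter


def weak_tokens(n):
    """Constructed sample: a zero-padded counter, the kind of 'session id'
    Sequencer should flag as predictable."""
    return ["%08d" % i for i in range(n)]


def strong_tokens(n, seed=1):
    """Constructed sample: 16 bytes from a seeded PRNG (seeded only so the
    example is reproducible; a real application must use a CSPRNG)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(16)).hex() for _ in range(n)]


def normalize(tokens, base64_decode=False, pad_to=None):
    """Mirror two Sequencer options: Base64-decode the tokens before analysing
    them, and pad short tokens to a uniform length (right-padded with '0' here,
    an assumption of this example, not Burp's exact behaviour)."""
    out = []
    for t in tokens:
        if base64_decode:
            t = base64.b64decode(t + "=" * (-len(t) % 4)).hex()
        if pad_to is not None:
            t = t.ljust(pad_to, "0")[:pad_to]
        out.append(t)
    return out


def position_entropy(tokens):
    """Character-level analysis: Shannon entropy (bits) of the character seen
    at each position across the whole sample."""
    width = min(len(t) for t in tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def to_bits(tokens):
    """Bit-level analysis input: hex tokens become their raw bytes, anything
    else is taken as UTF-8 bytes; returns one flat list of 0/1 values."""
    bits = []
    for t in tokens:
        try:
            data = bytes.fromhex(t)
        except ValueError:
            data = t.encode()
        for byte in data:
            bits.extend(int(b) for b in format(byte, "08b"))
    return bits


def monobit_passes(bits, z_max=3.0):
    """FIPS-style monobit test: the number of ones must stay within about
    three standard deviations of n/2 for an unbiased source."""
    n = len(bits)
    z = abs(sum(bits) - n / 2) / math.sqrt(n / 4)
    return z < z_max


def analyse(tokens, **options):
    """Summarise a sample the way the Sequencer report does: sample size, an
    effective-entropy estimate and a bit-level verdict. The entropy figure is
    a simplified estimate; Burp's own calculation is more elaborate."""
    toks = normalize(tokens, **options)
    per_pos = position_entropy(toks)
    return {
        "samples": len(toks),
        "effective_entropy_bits": sum(per_pos),
        # with N samples no position can measure more than log2(N) bits, which
        # is why Burp insists on at least 100 tokens and why reliability grows
        # with the sample size
        "max_measurable_bits_per_char": math.log2(len(toks)),
        "monobit_pass": monobit_passes(to_bits(toks)),
    }


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(1000)), ("strong", strong_tokens(1000))):
        print(name, analyse(sample))
```

The counter-based sample scores only about ten bits of entropy (all of it in the last three digits) and fails the monobit test; the random sample scores close to the theoretical 128 bits and passes. The "max_measurable_bits_per_char" figure is the reason a small capture cannot prove a token strong: with 1000 samples no single character position can show more than about ten bits.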


04 Intruder: attack the app

Intruder is a tool for automating customised attacks against web applications. In this version it has four panels: Target, Positions, Payloads and Options.

Target: This panel specifies the target host, the port to connect to, and whether to use SSL for the connection, depending on our scenario. The figure below shows the target panel.

Positions: This panel is central to automating attacks on the target. It shows the captured request with the payload positions marked by § markers (Burp proposes all parameter and cookie values; you can clear them and mark only the ones you want) and it selects the attack type, which determines how payload sets are combined with positions. The four attack types in detail:

  1. Sniper: uses a single payload set. Each payload is placed into one position at a time while all other positions keep their original value, so N positions and P payloads give N×P requests. This is the usual choice for fuzzing parameters one by one.
  2. Battering ram: also a single payload set, but the same payload is inserted into all marked positions simultaneously, giving P requests. It is the right choice when one value has to appear in several places at once, for example when checking for accounts whose username and password are identical; some enumeration of valid usernames is needed before such an attack pays off.
  3. Pitchfork: uses one payload set per position and steps through the sets in parallel (the first payload of every set together, then the second, and so on), so the number of requests is the size of the smallest set. Use it when the values belong together, such as a list of usernames alongside a list of matching IDs.
  4. Cluster bomb: also uses one payload set per position, but tries every combination, so two lists of sizes A and B give A×B requests. It is the one to use against a login form when every username is to be tried against every password.
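
The difference between the four attack types is easiest to see in the requests they generate. The following is an added example (not code from the original post, and not Burp’s implementation) that parses a §-marked request body and produces the request list each attack type would send; the template with two marked positions and the payload lists are constructed for the example.

```python
import itertools

MARK = "\u00a7"  # the section sign (§) Burp uses to mark payload positions


def parse(template):
    """Split a marked request into literal fragments and the original values
    that sit between each pair of markers."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def render(literal, values):
    """Re-assemble the request with the given values in the marked positions."""
    out = [literal[0]]
    for value, lit in zip(values, literal[1:]):
        out.append(value)
        out.append(lit)
    return "".join(out)


def _check_sets(original, payload_sets):
    if len(payload_sets) != len(original):
        raise ValueError("need exactly one payload set per position")


def sniper(template, payloads):
    """One payload set; each payload goes into one position at a time while
    every other position keeps its original value: positions x payloads requests."""
    literal, original = parse(template)
    requests = []
    for i in range(len(original)):
        for p in payloads:
            values = list(original)
            values[i] = p
            requests.append(render(literal, values))
    return requests


def battering_ram(template, payloads):
    """One payload set; the same payload is placed into all positions at once."""
    literal, original = parse(template)
    return [render(literal, [p] * len(original)) for p in payloads]


def pitchfork(template, payload_sets):
    """One set per position, stepped through in parallel; stops with the shortest set."""
    literal, original = parse(template)
    _check_sets(original, payload_sets)
    return [render(literal, list(combo)) for combo in zip(*payload_sets)]


def cluster_bomb(template, payload_sets):
    """One set per position, every combination; the last position varies fastest."""
    literal, original = parse(template)
    _check_sets(original, payload_sets)
    return [render(literal, list(combo)) for combo in itertools.product(*payload_sets)]


# Constructed request body with two marked positions (not a real capture).
TEMPLATE = "username=" + MARK + "admin" + MARK + "&password=" + MARK + "secret" + MARK

if __name__ == "__main__":
    users, passwords = ["admin", "guest"], ["admin", "letmein", "guest"]
    for name, reqs in (
        ("sniper", sniper(TEMPLATE, users)),
        ("battering ram", battering_ram(TEMPLATE, users)),
        ("pitchfork", pitchfork(TEMPLATE, [users, passwords])),
        ("cluster bomb", cluster_bomb(TEMPLATE, [users, passwords])),
    ):
        print(name, len(reqs), reqs)
```

Counting the output is the practical lesson: with two positions, two usernames and three passwords, sniper sends 4 requests, battering ram 2, pitchfork 2 and cluster bomb 6; against a real wordlist the cluster bomb count grows multiplicatively, which is why it is reserved for login forms rather than general fuzzing.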


After capturing the page as described, I chose my payload markers by hand. I use FuzzDB as a payload collection; under Kali Linux you can reach it via /usr/share/wfuzz/wordlist/fuzzdb/. The figure shows the options being set for the attack.


In the figure we see that payloads can be typed in one by one, loaded from a file, saved as a preset list, and so on. There are many payload types to choose from under the payload set: a simple list, a runtime file, numbers, dates, a brute forcer, character substitution, case modification, null payloads, etc. As you can see, I have used the preset list.

 

06 Decoder, Comparer and Extender: further tools

In this article I’ll discuss the usage of the last 3 components of Burp Suite.

Decoder

Decoder accepts any data you send to it (a whole request, a response, or a selected fragment) and can encode or decode it in several formats: URL, HTML, Base64, ASCII hex, octal, binary and gzip, with the option of chaining several transformations. It can also compute hashes of the data, such as MD5 and SHA-1. Note that hashing is one way: Decoder can compute a hash but cannot reverse one.


The screenshot above shows Decoder with a request loaded. In the following screenshot the upper part is the request encoded in Base64 and the lower part is the same request decoded to clear text. I have encoded the entire request here; a portion of the request can also be selected and encoded or decoded on its own.

This mainly comes into use when client-side code transforms the username and password before sending them, either with a common encoding (Base64 and URL encoding are typical) or with a well-known hash. An encoded field can be selectively decoded and its contents viewed in clear text; a hashed field cannot be reversed, but Decoder lets you recognise the algorithm from the digest length and recompute the hash of a candidate value to see whether it matches.
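
The following added example (not code from the original post and not Decoder’s own implementation) shows the two halves of that workflow: peeling encodings layer by layer in the spirit of Decoder’s “smart decode”, and treating a hash as something to recognise and recompute rather than decode. The encoded credential value and the candidate list are constructed for the example; the heuristics used to decide whether a string “looks” Base64 or hex are an assumption of this example, not Burp’s rules.

```python
import base64
import binascii
import hashlib
import string
from urllib.parse import unquote

PRINTABLE = set(string.printable)
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def try_url(s):
    """URL-decode; report None when nothing changed (no %xx present)."""
    d = unquote(s)
    return d if d != s else None


def try_base64(s):
    """Base64-decode only when the alphabet and padding fit and the result
    is printable text; otherwise report None."""
    if not s or len(s) % 4 or not set(s) <= B64_ALPHABET:
        return None
    try:
        d = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return d if set(d) <= PRINTABLE else None


def try_hex(s):
    """ASCII-hex decode under the same 'must yield printable text' rule."""
    if not s or len(s) % 2 or not set(s) <= set(string.hexdigits):
        return None
    try:
        d = bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return d if set(d) <= PRINTABLE else None


DECODERS = (("url", try_url), ("base64", try_base64), ("hex", try_hex))


def smart_decode(value, max_rounds=5):
    """Peel encodings one layer at a time and record the chain of
    transformations, e.g. [('raw', ...), ('url', ...), ('base64', ...)]."""
    chain = [("raw", value)]
    for _ in range(max_rounds):
        for name, fn in DECODERS:
            decoded = fn(value)
            if decoded is not None:
                chain.append((name, decoded))
                value = decoded
                break
        else:
            break  # no decoder made progress: this is the innermost layer
    return chain


HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def hash_guess(observed_hex, candidates):
    """A hash cannot be decoded, only recognised and recomputed: pick the
    algorithm from the digest length and return the candidate whose hash
    matches, or None."""
    algo = HASH_LENGTHS.get(len(observed_hex))
    if algo is None or not set(observed_hex) <= set(string.hexdigits):
        return None
    for candidate in candidates:
        if hashlib.new(algo, candidate.encode()).hexdigest() == observed_hex.lower():
            return candidate
    return None


if __name__ == "__main__":
    # constructed value: Base64 of "admin:pass", then URL-encoded for a cookie
    for step, text in smart_decode("YWRtaW46cGFzcw%3D%3D"):
        print("%-7s %s" % (step, text))
    print(hash_guess("5f4dcc3b5aa765d61d8327deb882cf99", ["letmein", "password"]))
```

The chain output is what you want to read off a Decoder session: which layers were applied and in what order, because the application will expect the same layers back when you re-encode a modified value for Repeater or Intruder.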

Comparer

Burp Comparer is used when we have to compare two sets of data, typically the responses received for two slightly different requests. The comparison can be done at the word level or at the byte level. The comparison shown here is between two different requests to a website; the screenshot below shows the result.

[Screenshot: Word compare of -2 and -3 (2 differences)]

The comparison can be done in two ways: byte-by-byte and word-by-word. Burp performs the comparison for you and highlights the modified, deleted and added sections of the two requests or responses. Comparing the responses to two near-identical requests (a valid versus an invalid username on a login form, for instance) is a quick way to spot a small difference in length, wording or headers that leaks information, such as a username enumeration vulnerability.
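
An added example (not code from the original post and not Comparer’s implementation) of the two comparison modes, run over two constructed HTTP responses to a login form: the response for a failed login and the one for a successful login. The word mode keeps whitespace runs as tokens so that the reported hunks can be reassembled exactly.

```python
import difflib
import re


def _tokens(text):
    # keep whitespace runs as tokens so the reassembled hunks are exact
    return re.findall(r"\S+|\s+", text)


def _hunks(seq_a, seq_b, join):
    """Return only the differing regions as (tag, text_in_a, text_in_b)."""
    sm = difflib.SequenceMatcher(a=seq_a, b=seq_b, autojunk=False)
    return [
        (tag, join(seq_a[i1:i2]), join(seq_b[j1:j2]))
        for tag, i1, i2, j1, j2 in sm.get_opcodes()
        if tag != "equal"
    ]


def word_compare(a, b):
    """Word-level differences, like Comparer's 'Words' view."""
    return _hunks(_tokens(a), _tokens(b), "".join)


def byte_compare(a, b):
    """Byte-level differences, like Comparer's 'Bytes' view."""
    return _hunks(a.encode(), b.encode(), bytes)


def summary(a, b):
    return {"words": len(word_compare(a, b)), "bytes": len(byte_compare(a, b))}


# Constructed responses (not real captures): failed versus successful login.
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 27\r\n\r\n"
    "<p>Invalid credentials.</p>"
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 22\r\n"
    "Set-Cookie: PHPSESSID=abc123\r\n\r\n"
    "<p>Welcome, admin.</p>"
)

if __name__ == "__main__":
    for tag, left, right in word_compare(RESPONSE_A, RESPONSE_B):
        print(tag, repr(left), "->", repr(right))
    print(summary(RESPONSE_A, RESPONSE_B))
```

The word view is the one to read first: it shows the changed Content-Length, the extra Set-Cookie header and the different message in a handful of hunks, whereas the byte view reports many small edits and is more useful for binary or minified content.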

Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways. Extensions can be written in Java, Python or Ruby. You can load and manage extensions, view details about installed extensions, install extensions from the BApp Store, view the current Burp Extender APIs, and configure options for how extensions are handled.

Burp extensions can customize Burp’s behavior in numerous ways, such as modifying HTTP requests and responses, customizing the UI, adding custom Scanner checks, and accessing key runtime information, including the Proxy history, Target site map and Scanner results.

You can find further information and tutorials about the usage of extensions on these sites:

https://pro.portswigger.net/bappstore/ (official)

http://www.burpextensions.com/ (third party)

Some of the most interesting extensions:

  • Browser Repeater (Automatically renders Repeater responses in Firefox.)
  • HeartBleed (Checks whether a server is vulnerable to the Heartbleed bug)
  • Session Auth (Identifies authentication privilege escalation vulnerabilities)

Unfortunately I couldn’t test that functionality, because that tool is only available in the full version of Burp Suite.

03 Scanner: inspect the app

Scanner is a tool that automatically searches for vulnerabilities in the web application. Once spidering has mapped the application we can run tests with it. Unfortunately the free edition of Burp Suite offers the Scanner only in a really reduced form.

There are two types of scanning: active and passive. Active scanning sends additional, crafted requests to the target and analyses the responses for signs of vulnerabilities. Passive scanning only examines the traffic that already passes through the proxy and reports the vulnerabilities it can detect from that. It’s left to the user’s discretion to choose which to run against the target, bearing in mind that active scanning is intrusive (it can modify data and trigger side effects) and should only be run against applications you are authorised to test.

  • Passive scanning of all requests and responses made through Burp Proxy, to identify flaws such as information disclosure, insecure use of SSL, and cross-domain exposure. This lets you safely find bugs without sending any additional requests to the application.
  • Active scanning of all in-scope requests passing through Burp Proxy. This lets you use your browser to walk Burp Scanner through the interesting parts of the application’s functionality that you want to actively scan. Burp Scanner will then send numerous additional requests to the target application, to identify vulnerabilities such as SQL injection, cross-site scripting and file path traversal.
  • User-directed scanning of selected requests. This lets you select specific requests within any of the Burp Suite tools, and send these for active or passive scanning. This usage is ideal when you are manually testing individual parts of an application’s functionality, as you can use Burp Scanner to automatically test for a wide range of vulnerabilities while you focus your effort on tasks that require human intelligence to perform.
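
To show what “safely find bugs without sending any additional requests” means in practice, here is an added example (not code from the original post and not Burp Scanner’s checks) of a few passive checks run over a single captured response: cookie flags, software version disclosure in headers, a wildcard cross-domain policy, and a password form delivered over cleartext HTTP. The response is constructed for the example; the severities are this example’s own assumptions.

```python
import re


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


VERSION_RE = re.compile(r"\d+\.\d+")


def passive_checks(raw_response, over_tls):
    """Passive checks on traffic already captured: nothing is ever sent.
    Returns a list of (severity, issue, evidence)."""
    status, headers, body = parse_response(raw_response)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";")[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(("low", "Cookie without HttpOnly flag", cookie))
            if over_tls and "secure" not in attrs:
                findings.append(("medium", "Cookie without Secure flag over TLS", cookie))
        elif name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(("info", "Software version disclosed", name + ": " + value))
        elif name == "access-control-allow-origin" and value == "*":
            findings.append(("medium", "Cross-domain access allowed from any origin", value))
    if not over_tls and re.search(r"""type=["']?password""", body, re.I):
        findings.append(("high", "Password field delivered over cleartext HTTP", status))
    return findings


# Constructed response (not a real capture) exhibiting each of the issues above.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; path=/\r\n"
    "Set-Cookie: security=low; path=/; HttpOnly; Secure\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<form method="post"><input name="password" type="password"></form>'
)

if __name__ == "__main__":
    for finding in passive_checks(SAMPLE, over_tls=False):
        print(finding)
```

Every check here is a pure function of the stored request/response pair, which is exactly why passive scanning is safe to leave running against a production system while active scanning is not; an active check for SQL injection or path traversal has to send new, modified requests and observe how the application reacts.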

At the following link you can see a sample report created by Burp Scanner:

http://portswigger.net/burp/samplereport/BurpScannerSampleReport.html

02 Spider: mesh the application

I discuss the Site map and Scope functionality of the Target tab in this article, because they are strongly connected with the Spider tool. With the Scope settings you can choose which part of the web application you want to test.


Spider is a tool for mapping the web application. It generates a list of the URLs and parameters (query strings, form fields, cookies) the application uses.

By default the Spider runs in passive mode: it builds a map of the application from the traffic you generate as you browse through Burp Proxy (the more links you visit, the more information the Spider collects). In active mode it fetches each page it has seen and follows every link it finds within the testing scope. You can see the structure of the website on the Target tab and then choose which part of the application you want to test. The Spider records every request we make on the website (via Burp Proxy) and parses the responses for new links and forms.

The two most important options of the Spider are the application login section and the thread count. The login fields can be set with a username and password combination so that when the Spider comes across a login form it submits those credentials automatically. The thread count is the number of concurrent requests; for local testing this count can be high. A higher thread count implies faster processing, but also a larger load on the target. Bear in mind that an active spider submits forms and follows every in-scope link, so it can log you out, submit data, or trigger actions such as delete or reset on the application; exclude such URLs from the scope before starting it.
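
The following added example (not code from the original post and not Burp Spider’s implementation) shows how scope and spidering interact: a breadth-first crawl over a small in-memory site, following every link but fetching only in-scope URLs, collecting the parameter names it sees, and skipping a logout page that is explicitly excluded from scope. The site, the host name target.test and the scope patterns are all constructed for the example; Burp’s real scope rules match on protocol, host, port and path separately, whereas this example uses plain regular expressions over the whole URL.

```python
import re
from collections import deque
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

LINK_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"'#]+)""", re.I)
INPUT_RE = re.compile(r"""<input[^>]*\bname\s*=\s*["']([^"']+)""", re.I)


class Scope:
    """Include/exclude URL patterns, in the spirit of the Target > Scope tab."""

    def __init__(self, include, exclude=()):
        self.include = [re.compile(p) for p in include]
        self.exclude = [re.compile(p) for p in exclude]

    def contains(self, url):
        return any(p.search(url) for p in self.include) and not any(
            p.search(url) for p in self.exclude
        )


def strip_query(url):
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def spider(start, fetch, scope, max_pages=200):
    """Breadth-first crawl: parse every link on each fetched page, but only
    fetch URLs inside the scope. Returns (site_map, skipped) where site_map
    maps each visited URL (without query) to the parameter names seen for it
    and skipped holds the out-of-scope URLs that were found but not fetched."""
    site_map, skipped = {}, set()
    queue = deque([start])
    while queue and len(site_map) < max_pages:
        url = queue.popleft()
        if not scope.contains(url):
            skipped.add(url)
            continue
        page = strip_query(url)
        params = set(parse_qs(urlsplit(url).query))
        if page in site_map:
            site_map[page] |= params  # already fetched; just record new parameters
            continue
        html = fetch(page)
        site_map[page] = params | set(INPUT_RE.findall(html))
        for link in LINK_RE.findall(html):
            queue.append(urljoin(page, link))
    return site_map, skipped


# Constructed in-memory site (not a real capture), loosely modelled on DVWA.
SITE = {
    "http://target.test/index.php":
        '<a href="login.php">Login</a> <a href="http://other.example/ad">Ad</a>',
    "http://target.test/login.php":
        '<form action="login.php" method="post"><input name="username" type="text">'
        '<input name="password" type="password"></form>'
        '<a href="/vulnerabilities/sqli/?id=1">SQLi</a> <a href="logout.php">Logout</a>',
    "http://target.test/vulnerabilities/sqli/": '<a href="../xss/">XSS</a>',
    "http://target.test/vulnerabilities/xss/": '<a href="/index.php">Home</a>',
    "http://target.test/logout.php": "Logged out",
}


def offline_fetch(url):
    """Stand-in for an HTTP GET so the example runs without a network."""
    return SITE.get(url, "")


# Everything on the target host is in scope except the logout page.
DVWA_SCOPE = Scope(include=[r"^http://target\.test/"], exclude=[r"/logout\.php$"])

if __name__ == "__main__":
    site_map, skipped = spider("http://target.test/index.php", offline_fetch, DVWA_SCOPE)
    for page, params in site_map.items():
        print(page, sorted(params))
    print("skipped:", sorted(skipped))
```

The logout exclusion is the detail to copy into real engagements: without it the crawler would follow the Logout link, drop the session, and map the rest of the application as an anonymous user.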


Once Spidering is done we can move on to scanning the web application and testing specific parts of it.

01 Proxy: the heart of Burpsuite

Burp Suite Proxy is an intercepting HTTP/HTTPS proxy that sits between the browser and the web application (a man-in-the-middle under your control). It allows you to intercept, inspect and modify the raw traffic that passes through it in both directions.

1. Set up your browser

In order to use Burp Suite you have to configure your browser to use it as a proxy. In Iceweasel you can install the FoxyProxy add-on, which lets you switch proxy settings easily. By default Burp Suite listens on the loopback interface (127.0.0.1) on port 8080. For HTTPS sites the browser will warn about the certificates Burp generates on the fly; to intercept them cleanly, export Burp’s CA certificate and import it into the browser’s trust store, and remove it again when you are done testing.

[Screenshot: FoxyProxy setup]

2. Burp Suite proxy options in detail

There are 3 tabs under the proxy tool: Intercept, History and Options.

On the Intercept tab you can act on each intercepted message. When Intercept is on, the proxy halts every request (and, if configured in the options, every response) so you can inspect it, change any data you want, and then decide whether to Forward it or Drop it. Four sub-tabs (Raw, Params, Headers and Hex) let you inspect the message in different views.

[Screenshot: Burp Suite Proxy in Intercept mode]

 

On the History tab you can review every request and response Burp Suite has captured, even while Intercept is off, and send individual items to the other tools (Repeater, Intruder, Sequencer, Comparer) for further analysis.

[Screenshot: Burp Suite Proxy History]

Finally, on the Options tab you can customize the behaviour of the proxy tool: the listener address and port, the rules that decide which requests and responses are intercepted, and automatic modifications applied to responses.

Another important tool for conducting security testing is the Target tab. There you can choose which pages/objects you want to examine. For example, I’m logged in to DVWA, so in the Target tab I can see the content of the website that has passed through the proxy (picture).

[Screenshot: Burp Suite Target tab]