BSides Lisbon 2013 - All your sites belong to Burp

This talk is going to be all about Burp. I will explain why it is such a great tool and how it compares with similar ones.
It is going to include a quick walkthrough of its main features, but the juicy part is going to be about how to fully explore its main tools, such as the scanner, intruder and sequencer, to increase the number and type of vulnerabilities found.
In addition, I will provide an overview of the Burp Extender interface and how to easily and quickly take advantage of extensions to increase its awesomeness. I will show how easy it is for a pentester to translate an idea into an extension and (I hope) publicly release one plugin to further help pentesters.
The talk's objective is to increase your efficiency while using Burp, either by taking advantage of its excellent tools or by adding that feature that you really need.

Presented at BSides Lisbon on 04/10/13 (http://bsideslisbon.org)

  1. All your sites are belong to Burp Tiago Mendo - @tmendo tiagomendo at gmail.com - tiago.mendo at telecom.pt
  2. this.person • Pentester at SAPO • Web division of Portugal Telecom, +100 webapps • Uses Burp as much as the browser • Speaker at Codebits • Likes cars, travelling and burgers • @tmendo
  3. Why this talk? • Burp Suite • A reference tool • Everybody uses it • Extension capabilities • Share how I use it • Share how developers can use it • Learn how to use it even better
  4. Outline • Burp for developers • Proxy • Repeater • Before starting • Finding vulnerabilities • Automation • Extending Burp • Tips
  5. Disclaimer • I am not affiliated with PortSwigger. • The contents of this talk are solely my responsibility, and not my employer's.
  6. Burp? • That relief noise...
  7. Burp? • “Burp Suite is an integrated platform for performing security testing of web applications.”
  8. Burp? • Actually, the icon is a burping face in profile
  9. Burp? • Actually, the icon is a burping face in profile (image labels: mouth, nose)
  10. Burp Suite • Burp is a set of tools, all tightly integrated • Proxy • Spider • Scanner • Intruder • Repeater • Sequencer • API • Save, search, compare, decode, filter
  12. Burp Suite • Burp is a set of tools, all tightly integrated • Proxy • Spider • Scanner • Intruder • Repeater • Sequencer • API • Save, search, compare, decode, filter • Free
  13. Burp Suite
  14. Burp for developers • Can developers take advantage of it?
  15. Burp for developers • Can developers take advantage of it? • Yes • debug • functional testing • security testing
  16. Burp for developers • But, normally, developers don’t have access to: • a web security team (in-house or outsourced) • time to test stuff • money
  17. Burp for developers • Use the free version • Integrate Burp with your development process • Do simple tests
  18. Proxy • Always use a proxy with your browser • use a separate browser to hack • have it send all traffic through the Burp proxy • Easily done with Firefox • multiple profiles • proxy is not system wide • lots of plugins
  19. Proxy • Send “all” traffic to Burp
  20. Proxy • Filtering further
  21. Proxy • Auto-scroll • just sort by # desc
  22. Proxy • What to look for when using the proxy? • failing requests • error and debug messages • sensitive information • missing headers • If you want to get active • input: URL parameters, postdata, headers, cookies
  23. Proxy • You can do simple, yet powerful, tests in two ways • intercepting requests • repeating requests
  24. Proxy
  25. Repeater • Intercepting requests with the proxy is good for single tests • or when you have a single shot • For deeper testing use the repeater • allows arbitrary replay and modification of requests
  26. Repeater • From proxy to repeater
  27. Repeater
  28. Repeater • With the repeater you can just play with the requests, whatever your objective is • debug • functional • security • Let's focus on security :)
  29. Repeater • XSS - a simple payload to get 80/20 • "><img src=a onerror=alert(1)> • Using the repeater avoids browser defensive measures • auto URL encoding • XSS filters
  30. Repeater
  31. Repeater • SQLi - you don’t have to test for it because you use prepared statements
  32. Repeater • SQLi - you don’t have to test for it because you use prepared statements • Just in case • ‘ • and benchmark(10000000, md5(md5(1))) --%20
  33. Repeater
  34. Repeater • OWASP Top 10 - A4 Insecure Direct Object References • “Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for.”
  35. Repeater • Very easy and fast to test • repeat the request with a different object id from another user • photo_id, id, userid, etc. • Automated tools don't find A4, you need to do it manually!
  36. Repeater
  37. Going pro • The free version is enough for developers and simple tests • A security professional will need the professional version • automation • speed • coverage • save • search
  38. Before starting • Ensure you always load a clean Burp with a prepared configuration • tools clean of requests • auto backup • proxy setup • plugins • keyboard shortcuts
  39. Before starting • URL blacklist • avoid session termination
  40. Before starting • URL blacklist • avoid destruction
  41. Before starting • parameter blacklist • also block CSRF tokens and test them manually
  42. Before starting • boolean based SQLi • avoid destroying the DB if testing something that uses UPDATE • UPDATE users SET email=X WHERE email=Y OR 1=1
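Slides 31, 32 and 42 make one point from two sides: the boolean check `OR 1=1` that a scanner (or a hand-typed repeater test) sends is harmless against a prepared statement and destructive against a concatenated UPDATE, which is why the slide tells you to blacklist such endpoints before scanning. The script below is an added illustration written for this page, not code from the talk; it uses an in-memory SQLite table with constructed sample users (all addresses are made up) and runs the same payload through both query styles so the difference in rows touched is visible.

```python
import sqlite3

# Constructed sample data for the demo: three users with made-up addresses.
SAMPLE_USERS = [
    (1, "alice@example.invalid"),
    (2, "bob@example.invalid"),
    (3, "carol@example.invalid"),
]

# The boolean-based payload from slide 42, written as the value a scanner's
# active check would place in the "current email" field of the request.
BOOLEAN_PAYLOAD = "bob@example.invalid' OR 1=1 -- "


def make_db():
    """Create a fresh in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_email_vulnerable(conn, old_email, new_email):
    """UPDATE built by string formatting: the caller controls the WHERE clause.
    Returns the number of rows the statement changed."""
    sql = "UPDATE users SET email='%s' WHERE email='%s'" % (new_email, old_email)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_email_prepared(conn, old_email, new_email):
    """Same UPDATE as a prepared statement: both values are bound as data,
    so a quote or an OR inside them never reaches the SQL grammar."""
    cur = conn.execute("UPDATE users SET email=? WHERE email=?",
                       (new_email, old_email))
    conn.commit()
    return cur.rowcount


def emails(conn):
    """Current email column in id order (used to inspect the damage)."""
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]


def compare(payload=BOOLEAN_PAYLOAD, new_email="new@example.invalid"):
    """Run the payload through both implementations on separate databases and
    return (rows changed, resulting emails) for each."""
    vuln_db, safe_db = make_db(), make_db()
    vuln_rows = update_email_vulnerable(vuln_db, payload, new_email)
    safe_rows = update_email_prepared(safe_db, payload, new_email)
    return {
        "vulnerable": (vuln_rows, emails(vuln_db)),
        "prepared": (safe_rows, emails(safe_db)),
    }


if __name__ == "__main__":
    for name, (rows, result) in compare().items():
        print("%-10s rows changed: %d  emails now: %s" % (name, rows, result))
```

Against the concatenated query every row in the table is rewritten; against the prepared statement the payload simply matches no row. This is the "avoid destroying the DB" case from slide 42 in miniature: a single scanner probe against a non-idempotent endpoint is enough, so the URL and parameter blacklists from slides 39 to 41 are not optional on a real target.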
  43. Finding vulnerabilities • So...what is the most effective way to find vulnerabilities with Burp? • The scanner?
  44. Finding vulnerabilities
  45. Finding vulnerabilities • Right...you can just point the scanner and wait • not time-effective • scans .woff, .js, etc. • scans similar pages (think of news sites) • http://edition.cnn.com/video/?/video/us/2012/06/10/world-burping-contest.cnn
  46. Finding vulnerabilities • There are multiple approaches to find vulnerabilities with Burp • proxy, spider and then scan blindly • proxy, spider, intruder and then scan targeted • <your own combination of tools>
  47. Finding vulnerabilities 1. Hit every functionality manually • gets recorded in the proxy • you get to know the target 2. If possible, maximize the coverage • spider the target • actively scan the target
  48. Finding vulnerabilities • Spidering and scanning blindly might destroy the target (and your job) • boolean-based SQLi • deletion of content
  49. Finding vulnerabilities • Spidering and scanning blindly can take time
  50. Finding vulnerabilities 3. Manual investigation • where all the fun begins • where you justify your income • test for the vulns Burp won’t test • confirm Burp guesses
  51. Finding vulnerabilities • Find a juicy request and send it to the repeater
  52. Finding vulnerabilities • Modify it and send it!
  53. Finding vulnerabilities • Find a juicy request and send it to the intruder
  54. Finding vulnerabilities • The intruder can be used to do precision scanning • you can select any part of the request • similar to the * marker in sqlmap • useful for custom protocols
  55. Finding vulnerabilities
  56. Finding vulnerabilities
  57. Finding vulnerabilities • The intruder can automate what you do in the repeater • brute-force • defeat CSRF tokens • ECB block shuffling • fuzzing • scan with your own payloads
  58. Finding vulnerabilities • Multiple types of attacks • Sniper • Battering ram • Pitchfork • Cluster bomb
  59. Finding vulnerabilities
  60. Finding vulnerabilities • grep content, look at HTTP codes or lengths
  63. Finding vulnerabilities • Proxy + spider + scanner • ensures coverage in breadth • Proxy + repeater + intruder/scanner • ensures coverage in depth
  64. Automation • One way to automate your life is through Macros • “A macro is a sequence of one or more requests.”
  65. Automation • Consider a site with authentication • eventually, your session will die • enqueued requests will fail • you will notice that a few minutes/hours later • you will repeat login and repeat the requests • you will be annoyed
  66. Automation • Consider a site with authentication • eventually, your session will die • enqueued requests will fail • you will notice that a few minutes/hours later • you will repeat login and repeat the requests • you will be annoyed • add constantly changing CSRF tokens for extra annoyance
  67. Automation • On each request, I want Burp to • check if session is still valid • if not valid • get current CSRF token • login • re-issue the request
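Slides 64 to 67 describe the session-handling rule as a sequence of steps but the deck shows it only as screenshots of Burp's macro editor. The Python script below is an added example, written for this page rather than taken from the talk or from Burp, that implements the same rule against a constructed in-memory stand-in for the target (a login form with a single-use CSRF token and sessions that expire after a fixed number of requests). The `FakeApp` class, the `tester`/`pw` credentials and the `name="csrf"` form field are all assumptions made for the demo; the point is the control flow in `SessionHandler.get`, which is what the Burp rule automates.

```python
import re
import secrets


class FakeApp:
    """Constructed stand-in for the target site (not a real server): a login
    form protected by a single-use CSRF token, sessions that expire after a
    fixed number of requests, and one protected endpoint that redirects to
    /login once the session is gone."""

    def __init__(self, session_lifetime=3):
        self.session_lifetime = session_lifetime
        self.sessions = {}       # session id -> requests left before expiry
        self.csrf_tokens = set()
        self.log = []            # every request the app served, in order

    def get_login_form(self):
        token = secrets.token_hex(8)
        self.csrf_tokens.add(token)
        self.log.append("GET /login")
        return {"status": 200, "body": '<input name="csrf" value="%s">' % token}

    def post_login(self, csrf, user, password):
        self.log.append("POST /login")
        if csrf not in self.csrf_tokens or (user, password) != ("tester", "pw"):
            return {"status": 403, "body": "bad csrf token or credentials"}
        self.csrf_tokens.discard(csrf)           # token is single-use
        sid = secrets.token_hex(8)
        self.sessions[sid] = self.session_lifetime
        return {"status": 302, "set_cookie": sid}

    def get_protected(self, sid, path):
        self.log.append("GET " + path)
        if self.sessions.get(sid, 0) <= 0:
            return {"status": 302, "location": "/login", "body": ""}
        self.sessions[sid] -= 1
        return {"status": 200, "body": "content of " + path}


class SessionHandler:
    """The rule from slide 67: issue the request; if the response shows the
    session is invalid, fetch the current CSRF token, log in, re-issue."""

    CSRF_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')

    def __init__(self, app, user, password):
        self.app, self.user, self.password = app, user, password
        self.sid = None
        self.relogins = 0

    @staticmethod
    def session_invalid(resp):
        # The pattern that identifies the logged-out state for this app.
        return resp["status"] == 302 and resp.get("location") == "/login"

    def login_macro(self):
        form = self.app.get_login_form()
        match = self.CSRF_RE.search(form["body"])
        if not match:
            raise RuntimeError("CSRF token not found in login form")
        resp = self.app.post_login(match.group(1), self.user, self.password)
        if resp["status"] != 302:
            raise RuntimeError("login failed: " + resp["body"])
        self.sid = resp["set_cookie"]
        self.relogins += 1

    def get(self, path):
        resp = self.app.get_protected(self.sid, path)
        if self.session_invalid(resp):
            self.login_macro()
            resp = self.app.get_protected(self.sid, path)   # re-issue once
        return resp


def run_queue(paths, session_lifetime=3):
    """Push a queue of protected requests through the handler; return how many
    got a 200, how many re-logins were needed, and the app's request log."""
    app = FakeApp(session_lifetime)
    handler = SessionHandler(app, "tester", "pw")
    ok = sum(1 for p in paths if handler.get(p)["status"] == 200)
    return ok, handler.relogins, app.log


if __name__ == "__main__":
    ok, relogins, log = run_queue(["/item/%d" % i for i in range(1, 8)])
    print("served %d/7 requests with %d logins; %d requests hit the app"
          % (ok, relogins, len(log)))
```

Two details carry over to the real Burp configuration: the "session invalid" detection is a response pattern (here a redirect to `/login`) that has to be chosen per application, and the re-issue happens once, so a login macro that itself fails surfaces as an error instead of looping. A queue of seven requests with a three-request session lifetime needs three logins and no request is lost.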
  68. Automation
  69. Automation
  70. Automation
  71. Automation
  72. Automation
  73. Extending Burp • Burp has an API called Burp Extender • loads arbitrary code • hooks into most functionalities • UI customization • supports Java, Python and Ruby
  74. Extending Burp • Creating an extension is easy • download empty extension with Netbeans project • or download one of the example extensions
  75. Extending Burp • addScanIssue • doActiveScan • excludeFromScope • processHttpMessage • newScanIssue • and getters/setters for almost anything
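Slide 75 lists the Extender entry points and slide 22 names missing headers as something to look for in the proxy. The extension below ties the two together as a passive scanner check; it is an added example written for this page, not code from the talk or one of the example extensions PortSwigger ships. It targets the Python (Jython) route from slide 73 and uses the legacy Burp Extender API names `IBurpExtender`, `IScannerCheck`, `IScanIssue`, `registerScannerCheck`, `analyzeResponse`, `analyzeRequest`, `doPassiveScan` and `consolidateDuplicateIssues`. The header list and the sample response headers are constructed for the demo, and the header logic is kept in a plain function so it can be run and tested outside Burp.

```python
# Burp runs Python extensions under Jython, where the burp package provides
# the API interfaces. Outside Burp (e.g. running this file in a test) that
# import fails, so placeholder base classes are used and the pure logic
# below can still be exercised.
try:
    from burp import IBurpExtender, IScannerCheck, IScanIssue
except ImportError:
    class IBurpExtender(object): pass
    class IScannerCheck(object): pass
    class IScanIssue(object): pass

# Response headers whose absence this check reports, with a one-line reason.
EXPECTED_HEADERS = {
    "strict-transport-security": "HTTPS is not enforced by the browser (no HSTS)",
    "x-content-type-options": "MIME sniffing is not disabled",
    "x-frame-options": "no framing restriction (clickjacking)",
    "content-security-policy": "no Content Security Policy",
}

# Constructed sample response headers, in the shape IResponseInfo.getHeaders()
# returns them (status line first).
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "X-Frame-Options: DENY",
    "Set-Cookie: sid=constructed-value; HttpOnly",
]


def missing_security_headers(header_lines):
    """Burp-independent logic: return the EXPECTED_HEADERS names that do not
    appear in the response (header names compared case-insensitively)."""
    present = set()
    for line in header_lines[1:]:            # skip the status line
        name, sep, _ = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    return [name for name in EXPECTED_HEADERS if name not in present]


def demo():
    """Run the check over the constructed sample headers."""
    return missing_security_headers(SAMPLE_RESPONSE_HEADERS)


class MissingHeaderIssue(IScanIssue):
    """IScanIssue implementation for one missing header on one URL."""

    def __init__(self, service, url, message, header):
        self._service, self._url = service, url
        self._message, self._header = message, header

    def getUrl(self): return self._url
    def getIssueName(self): return "Missing security header: " + self._header
    def getIssueType(self): return 0x08000000   # type the IScanIssue docs reserve for extension-generated issues
    def getSeverity(self): return "Low"
    def getConfidence(self): return "Certain"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return EXPECTED_HEADERS[self._header]
    def getRemediationDetail(self): return "Send the %s header on this response." % self._header
    def getHttpMessages(self): return [self._message]
    def getHttpService(self): return self._service


class BurpExtender(IBurpExtender, IScannerCheck):
    """Entry point Burp looks for; registers this class as a scanner check."""

    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (passive)")
        callbacks.registerScannerCheck(self)

    def doPassiveScan(self, baseRequestResponse):
        response = baseRequestResponse.getResponse()
        if response is None:
            return None
        headers = list(self._helpers.analyzeResponse(response).getHeaders())
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        service = baseRequestResponse.getHttpService()
        issues = [MissingHeaderIssue(service, url, baseRequestResponse, h)
                  for h in missing_security_headers(headers)]
        return issues or None

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        return None                            # passive check only

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        # Same header reported twice for one URL: keep the existing issue.
        return -1 if existingIssue.getIssueName() == newIssue.getIssueName() else 0
```

Loaded through Extender with a Jython jar configured, the check runs on every response the scanner sees (passive scans need no extra requests, so this is safe on production targets) and reports one Low issue per missing header; `consolidateDuplicateIssues` keeps the issue list from filling with repeats for the same URL. The set of headers is deliberately small and easy to extend.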
  76. Extending Burp • OwnDB - our ownage DB
  77. Extending Burp
  78. Extending Burp
  79. Tips • Copy as curl command
  80. Tips • Copy as curl command • curl -i -s -k -X 'GET' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0' -H 'Referer: https://accounts.google.com/ServiceLoginAuth' -b 'GoogleAccountsLocale_session=pt_PT; CheckConnectionTempCookie279=549576; VISITOR_INFO1_LIVE=7bdUV8vsAGg; PREF=f1=50000000&fv=11.8.800; YSC=OH5XpXtqdf0' 'https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=254239808&timestamp=1380796357054'
  81. Tips • Burp to sqlmap • Burp is good at finding SQLi • sqlmap is better at exploiting them • There is a plugin for that • Gason
  82. Tips
  83. Tips • Alternative • right-click request -> Copy to file • sqlmap -r <savedfile>
  84. Tips • More at www.burpextensions.com • Proxy Color - colorize requests based on regexp • JSBeautifier - beautifies JS
  85. End • @tmendo • tiagomendo at gmail.com - tiago.mendo at telecom.pt • https://www.facebook.com/ap2si • Confraria de Segurança da Informação • informal security presentations • last Wednesday of each month • free
