Burp Suite is a free and professional Java-based tool for testing web application security. It includes several integrated tools like Proxy, Spider, Scanner, Intruder, Repeater, and Sequencer. The Proxy is used to intercept, modify, and replay HTTP/S requests. The Spider crawls the web application to discover hidden resources. The Scanner automatically scans for vulnerabilities. Intruder allows for customized attacks through fuzzing. Repeater replays requests for manual testing. And Sequencer analyzes randomness of tokens. It has both free and commercial editions, and supports Windows, Mac, and Linux.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks, BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration test while utilizing BurpSuite's features and tools (Free and Pro versions). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. Burp contains several tools that work together to carry out virtually any task you will encounter in your testing. It can automate all kinds of tasks in customizable ways, and lets you combine manual and automated techniques to make your testing faster, more reliable and more fun.
Burp Suite is a Java based software platform of tools for performing security testing of web applications. The suite of products can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.
+ Background & Basics of Web App Security, The HTTP Protocol, Web Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc.), Remediation of Web App Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Misconfiguration is defined as configuration mistakes that result in unintended application behaviour, including misuse of default passwords and privileges, and excessive disclosure of debugging information.
ZAP may not be featured in movies as much as nmap, but is a real hacker tool! If you are a tester in a DevOps organization you know that security is everybody's job, so you MUST add this tool to your toolbox! Attend this talk to see ZAP in action and learn how to use ZAP to test your web applications and web services for OWASP Top 10 vulnerabilities.
Introduction to Web Application Penetration Testing (Anurag Srivastava)
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted. Stand-alone firewalls exist both as firewall software appliances that run on general-purpose or standard industry hardware, and as hardware-based firewall computer appliances.
Introduction to Ethical Hacking, Life cycle of Hacking, Introduction to Penetration Testing, Steps in Penetration Testing, Footprinting Module, Scanning Module, Live Demos on Finding Vulnerabilities: a) Bypass Authentication b) SQL Injection c) Cross-site Scripting d) File Upload Vulnerability (Web Server Hacking); Countermeasures for Securing Web Applications
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications.
Getting the Most out of Burp Extensions. How to build a Burp extension, techniques for passive and active scanners, defining insertion points, modifying requests, and building GUI tools. This talk presents code libraries to make it easy for testers to rapidly customize Burp Suite.
BSides Lisbon 2013 - All your sites belong to Burp (Tiago Mendo)
This talk is going to be all about Burp. I will explain why it is such a great tool and how it compares with similar ones.
It's going to have a quick walkthrough of its main features, but the juicy part is going to be about how to fully explore its main tools, such as the scanner, intruder and sequencer, to increase the number and type of vulnerabilities found.
In addition, I will provide an overview of the Burp Extender Interface and how to easily and quickly take advantage of extensions to increase its awesomeness. I will show how easy it is for a pentester to translate an idea into an extension and (I hope) publicly release one plugin to further help pentesters.
The talk's objective is to increase your efficiency while using Burp, either by taking advantage of its excellent tools or by adding that feature that you really need.
Presented at BSides Lisbon at 04/10/13 (http://bsideslisbon.org)
Creating Correlation Rules in AlienVault (AlienVault)
Make a correlation between events, rules and security enforcement. Learn why correlation rules are the heart of SIEM, how to effectively correlate threats with protections, and how to link your rules to policies.
Nowadays, like the technology itself, hacking activity against mobile phones is growing very rapidly, both for mobile devices (operating systems) and mobile applications. Some application providers even dedicate a penetration testing activity to the applications they create right before release to the public, while others open bug bounty programs, and sadly the rest just watch and do nothing.
On the other side, malware developers around the world have also already moved their main target and have been developing malware to take over mobile devices, which surely hold all our personal/private and work data; some of it even makes us pay to get it back.
This talk will focus more on the recent trend in mobile device security and mobile security penetration testing activity, also in practice, showing several types of common weaknesses/vulnerabilities within mobile applications and how the exploitation is done by the attacker, how malware is created and planted, until it successfully takes over the target mobile device.
Null 11 June: Malware CNC: Advance Evasion techniques, by Avkash K and Dhawal Shah (nullowaspmumbai)
Malware Command and Control: Evasion Tactics and Techniques
Malware is designed to perform malicious actions without catching the attention of the user. Malware authors keep developing new ideas to stay undetected by security technologies. In order to remain undetected, communication channels between attacker and malware need to be stealthy and evolving. Establishing command and control with the attacker to receive on-demand commands is an essential phase of the Cyber Kill Chain.
As a result, we are observing continuous advancement in the communication channels for malware command and control.
In this session, we will try to cover some of the advanced techniques used by malware nowadays to communicate with its command and control.
Shodan is basically a search engine which helps to find mainly vulnerable systems (routers, switches, SCADA, etc.) on the internet. It is widely known as the Google for hackers.
It was launched in 2009 by computer programmer John Matherly. It is mainly a search engine of service banners in which metadata (data about data) is sent from the server to client. Shodan currently probes for 50+ ports.
Push notifications allow your users to opt-in to timely updates from sites they love and allow you to effectively re-engage them with customized, engaging content.
In this session Solutions Architect, James Tramel of Planet Technologies delivers an understanding of various Networking concepts as it relates to the performance, authentication, and internal and external access of SharePoint.
Using Proxies To Secure Applications And More (Josh Sokol)
The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.
When SaaS companies use Blendr.io, an embedded integration platform, to boost their native integrations offering, we often receive the question “What is a good API?”. At Blendr.io, we have been working with hundreds of APIs and compiled an API Checklist for SaaS companies.
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri... (Jeremiah Grossman)
Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet distinguishable, nuances unique to each OS. But this is normally where the fun ends, as NMap does not enable us users to determine what version of services are listening. This is up to us to guess or to find out through various other exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question: could it STILL be possible to determine a web server's platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But the even more interesting question is: just how much specific information can we obtain remotely?
Are we able to determine?
* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configurations.
* If an Apache Server suffers from a "chunked" vulnerability.
Is it really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
Prerequisites:
General understanding of Web Server technology and HTTP.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Monitoring Java Application Security with JDK Tools and JFR Events
Burp Suite Starter
1. Burp Suite – Web Application Pen testing
APRIL 2016
FABDULWAHAB.COM
2. Overview
Easy to use, written in Java, cross-platform
Integrated platform for web application security
Includes multiple tools
Developed by PortSwigger Ltd
http://www.portswigger.net/
Two editions
Free
Professional
Automatic scanner
… more features
Local web proxy to intercept HTTP/S requests
Acquires site details by visiting pages, scripts, params …
3. Integrated Tools
Target
Aggregate all web application resources
Proxy
Spider
Crawler to discover new pages and params
Scanner
Security scanner, available only with the Professional version
Intruder
To customize and automate web requests using fuzzing
Repeater
To manually modify and re-issue web requests
4. Integrated Tools
Sequencer
Verifying the randomness and predictability of tokens, cookies …
Decoder
To encode and decode data
Comparer
A visual diff tool to detect changes between web pages
5. Installation
What do I need?
100 MB disk
2 GB RAM
OS (Windows , Mac or Linux)
JRE 1.6+ or OpenJDK (but not officially supported)
Recommended browser is Firefox
Download the file and then unpack it
To start it, from the command line run java -jar burpSuite.jar
6. Installation
Or, to specify the amount of memory: java -Xmx2g -jar burpsuite_v1.4.01.jar
-Xmx2g raises the maximum heap to 2 gigabytes (or -Xmx2048M)
Common errors include wrong permissions or incorrect paths
http://docs.oracle.com/cd/E13150_01/jrockit_jvm/jrockit/jrdocs/refman/optionX.html#wp999528
Or start it by double-clicking the .jar file (but then you can't customize the memory allocation to the maximum)
Has an API to extend its functionality using the Extender tool (extensions can be written in Java, Python, or Ruby)
https://portswigger.net/bappstore/default.aspx
7. Proxy Configuration
Default on port 8080/TCP
Proxy | Options (check the Running box)
In case of errors, you will notice the presence of exceptions in the Alerts tab
If loopback only is enabled, it will accept requests from the local machine only (Burp can't be accessed remotely)
For standalone clients or mobile applications using HTTP/S, select "Support invisible proxying for non-proxy-aware clients"
Why is Firefox recommended?
It doesn't include any embedded Anti-XSS filters to interfere with your testing
Use the Profile feature
Only send the browser's HTTP/S requests
Configure the proxy for the browser
Remove all exceptions from the "No Proxy for" field
Disable extensions like Flash, NoScript …
8. Proxy Configuration
FoxyProxy Standard is a Mozilla Firefox add-on that gives fine-grained control over proxy traffic
Automates the processing of settings
Ensures only selected traffic is sent to Burp Suite
You can configure multiple proxies
Install it, add a new proxy, configure URL patterns (*example.com/*)
Also add *burp/* (required)
Select the mode "Use proxies based on their pre-defined patterns and priorities"
9. Plug-n-Hack
Firefox add-on supported by Burp
https://blog.mozilla.org/security/2013/08/22/plug-n-hack/
Install the .xpi and then go to the Add-on manager
Open http://burp/pnh
This tool helps you configure Burp in a simple way
10. Test configuration
Browse the web site
Go to the Proxy | Intercept tab (make sure intercept is on)
Check Target | Site map
A tree of resources
Burp can be configured as a MITM to eavesdrop on all requests
To avoid invalid certificate warnings, add the Burp root certificate or add an exception in the browser
11. HTTPS
SSL/TLS prevents eavesdropping, tampering, and MITM attacks
Browsers and servers exchange X.509 certificates, which are signed by certificate authorities
Visit http://burp (also used to confirm Burp is up) and download the CA Certificate
Then import it into the browser's trusted certificates
Configure the SSL proxy
12. SSL Settings
On iOS or Android
Send the certificate as an email and then install the root certificate on the device
It may not be possible to intercept SSL traffic; Burp will show an SSL negotiation error in the Alerts tab
For example, when a mobile application uses certificate pinning
In this case we still want to continue working with other parts of the application, so we can use the SSL pass-through list, or check the box so that Burp adds such hosts automatically
13. Invisible proxy
A thick client is software that usually runs outside of the browser
We need to trick it into sending all its traffic to the machine where the Burp proxy can listen
For example, if the application needs to connect to example.com, then in the hosts file point example.com at the machine running Burp
Also need to add a new listener on port 80 or 443
Also, if the site is using HTTPS, then
14. Invisible proxy
Then we need Burp to send the traffic on to the original server; because the hosts file now points example.com at the Burp machine, give Burp the real IP address under
Options | Connections | Hostname Resolution
15. Invisible proxy
To intercept traffic from TV, iOS and Android devices
Options >> Proxy
You can add multiple listeners (make sure each is running)
Use a different port for each to avoid confusion
16. Scope
Limited by domain, subdomain, folder name or filenames
Under Target tab >> Scope
You can edit it or use a regular expression
Also you can Load… the targets from a file
URL patterns can be either inclusive or exclusive
Options >> Drop all out-of-scope requests (good to go with this option)
17. Testing 01
Start browsing so that Burp proxies your web site
At the top of the Burp Proxy tab:
Intercept: to inspect and modify the request
Options: proxy configuration and advanced preferences
History: to see all intercepted traffic for analysis (focus on Params)
When you browse the web site, Burp will wait for your action to Forward the request
Or Drop it, in which case the user gets a warning message from Burp
18. Testing 01
When you browse the web site, the Action button becomes active to send the current request to any other Burp tool
For example, you can decode the request by clicking on "Send to Decoder"
To stop forwarding, set intercept off (traffic is still recorded, without stopping the requests)
You can intercept responses matching specific patterns
Check "Intercept server responses" in the Options tab
For example, only inspect responses with a 200 status code
19. Testing 02
Inspect the requests
Raw: simple text
Params: shows all entry points for potential vulnerabilities
Headers
Hex: good for binary content
The History tab shows the original and modified requests
Double-click to see the content details
Each request is identified by a unique number
You can color them, highlight them
Filter by whether the URL has params, by status code, or by scope
In the Professional version, you can search by text or regular expressions
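The Params view is where a tester sees the inputs a request carries. As an added example that is not part of the slides, this Python parser enumerates the same entry points from a raw request (query string, cookies, form or JSON body); both requests are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not captured from any real site).
SAMPLE_FORM_REQUEST = (
    "POST /search?q=test&page=2 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "key=test&sort=asc&id=7"
)

SAMPLE_JSON_REQUEST = (
    "PUT /api/user HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"name": "alice", "admin": false}'
)


def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def entry_points(raw):
    """List (location, name, value) for every user-controllable parameter,
    roughly what Burp's Params view shows for a request."""
    request_line, headers, body = split_request(raw)
    _method, target, _version = request_line.split(" ", 2)
    points = []

    # 1. Query string parameters (blank values kept: they are still inputs).
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append(("url", name, value))

    # 2. Cookies: each name=value pair is a separate entry point.
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            points.append(("cookie", name, value))

    # 3. Body parameters, decoded according to the Content-Type header.
    ctype = headers.get("content-type", "")
    if body and "application/x-www-form-urlencoded" in ctype:
        for name, value in parse_qsl(body, keep_blank_values=True):
            points.append(("body", name, value))
    elif body and "application/json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            data = None  # malformed JSON: nothing to enumerate
        if isinstance(data, dict):
            for name, value in data.items():
                points.append(("json", name, json.dumps(value)))
    return points


if __name__ == "__main__":
    for raw in (SAMPLE_FORM_REQUEST, SAMPLE_JSON_REQUEST):
        for location, name, value in entry_points(raw):
            print(f"{location:6} {name} = {value}")
```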
20. Tampering web requests
To inject user input …
Edit the raw view during intercept, for example change the ?key=test value
Then click the Forward button
Result: in HTTP history, double-click the request and go to the Params tab
Also you can add a new param, header …
21. Match and replace
For example, to view the web site as its mobile version from a local PC
Options | Match and Replace
Create a new rule and select "Request header" as the type to match
Type ^User-Agent.*$ (to match any User-Agent header)
Then in the second (replace) field, type Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)
The value above impersonates the iPhone browser
Then let Burp intercept the request (it will modify it based on the match rule)
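Added example, not from the slides: the ^User-Agent.*$ rule applied to a constructed request. Because the pattern consumes the whole header line, the replacement used here includes the "User-Agent:" name (an assumption of this example); the helper header_value lets you confirm that a replacement without the name removes the header rather than changing it.

```python
import re

# Constructed request, not captured from a real site.
RAW_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

IPHONE_UA = "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)"

# The slide's match expression. It consumes the whole header line, so the
# replacement here carries the header name to keep the request well-formed
# (assumption of this example: Burp replaces exactly what the regex matched).
UA_RULE = (r"^User-Agent.*$", "User-Agent: " + IPHONE_UA)


def apply_header_rule(raw, pattern, replacement):
    """Apply one regex rule line by line to the header section, the way a
    'Request header' match-and-replace rule does; the body is untouched and
    ^ / $ anchor to each individual header line."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = [re.sub(pattern, replacement, line) for line in head.split("\r\n")]
    return "\r\n".join(lines) + sep + body


def header_value(raw, name):
    """Return the value of the first header called `name`, or None if absent."""
    head = raw.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


if __name__ == "__main__":
    print(apply_header_rule(RAW_REQUEST, *UA_RULE))
    # A replacement that omits the header name leaves no User-Agent header at all.
    print(header_value(apply_header_rule(RAW_REQUEST, UA_RULE[0], IPHONE_UA), "User-Agent"))
```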
22. HTML modification
By default, Burp does not intercept responses
Tick Intercept Server Responses and add rules so that you only hold the responses you care about, ideally:
Request was modified
Request was intercepted
Request is in scope
Proxy | Options (Response Modification) can rewrite HTML and JavaScript on the way back to the browser
Use it to disable client-side validation so that you can submit values the page tries to block:
Unhide hidden form fields
Remove input field length limits
Remove JavaScript form validation
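The two proxy rewrites described above (the User-Agent match-and-replace rule and the three response-modification options) as an added, stand-alone Python example; this is not code from the slides or from Burp, and the sample request and form are constructed here for illustration. It shows why the replacement string must carry the header name back, and what the response options actually change in the HTML.

```python
import re

# Constructed sample traffic (not captured from a real site).
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_BODY = (
    '<form action="/transfer" method="post" onsubmit="return validate(this)">\n'
    '  <input type="hidden" name="account_id" value="1001">\n'
    '  <input type="text" name="amount" maxlength="4" onblur="checkAmount(this)">\n'
    '  <input type="submit" value="Send">\n'
    '</form>\n'
    '<script>function validate(f){ return f.amount.value.length <= 4; }</script>\n'
)

# The slide's match-and-replace rule: match the whole User-Agent line, replace it
# with an iPhone user-agent. The replacement carries the header name because the
# match consumed it.
UA_MATCH = r"^User-Agent.*$"
UA_REPLACE = "User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en)"


def match_replace_headers(raw_request: str, pattern: str, replacement: str) -> str:
    """Apply a request-header match/replace rule: the regex is tested against
    each header line on its own and the matched text is substituted."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    rule = re.compile(pattern)
    lines = [rule.sub(replacement, line) for line in head.split("\r\n")]
    return "\r\n".join(lines) + sep + body


def unhide_hidden_fields(html: str) -> str:
    """type="hidden" becomes type="text" so the field is visible and editable."""
    return re.sub(r'type\s*=\s*["\']hidden["\']', 'type="text"', html, flags=re.I)


def remove_input_length_limits(html: str) -> str:
    """Drop maxlength attributes so long payloads can be typed into the form."""
    return re.sub(r'\s+maxlength\s*=\s*["\']?\d+["\']?', '', html, flags=re.I)


def remove_javascript_validation(html: str) -> str:
    """Strip inline event handlers (onsubmit, onblur, ...) and <script> blocks."""
    html = re.sub(r'\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\')', '', html, flags=re.I)
    return re.sub(r'<script\b[^>]*>.*?</script>', '', html, flags=re.I | re.S)


def rewrite_response(html: str) -> str:
    """All three response-modification options applied together."""
    return remove_javascript_validation(remove_input_length_limits(unhide_hidden_fields(html)))


if __name__ == "__main__":
    print(match_replace_headers(SAMPLE_REQUEST, UA_MATCH, UA_REPLACE))
    print(rewrite_response(SAMPLE_RESPONSE_BODY))
```

Server-side validation is untouched by any of this; the point of the rewrite is only to find out whether the server repeats the checks the page performs in the browser.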
23. Using the target site map functionality
Enumerate the application's resources
You can narrow the scope by right-clicking an item (Add to scope, or add the root URL)
To filter by domain: Target | Site map | Filter
Filtering with the Show only in-scope items option is usually what you want
Scope items can be edited and expressed as regular expressions
Exclude items you must not hit automatically, such as the logout function
After defining the scope, use the context menu to spider, scan, etc.
To reproduce an HTTP request, use Request in browser, with either the current browser session or the original session (useful to verify a finding)
Copy the URL it gives you and paste it into the browser
24. Using the target site map functionality
Resources that have already been requested by Burp are shown in black,
whereas endpoints that are linked from other resources but have not yet been retrieved
are shown in grey
25. Crawling web application with Spider
Crawling a web application with Spider (web crawling)
Retrieves visible and hidden resources by following the links found in previous responses
Sites whose navigation depends on Ajax or Flash may not be completely crawled, since the spider only follows links it can parse out of the HTML
The default options are usually enough, but the Options tab has more
Maximum link depth is the number of links the spider will follow away from the start URLs (not a redirect count)
Reduce the thread count if you have limited resources
Application login: give the spider a username and password so it can get past the login form
26. Crawling web application with Spider
You can also define which values to submit into form fields during the crawl
Fields can be matched by regular expression, e.g. to fill anything that looks like an email field
Then run the spider (Burp Spider uses the scope you defined)
27. Crawling web application with Spider
All results of the discovery are automatically added to Target | Site map
It is also very important to map the application properly by browsing the website manually, since the spider misses what it cannot parse
Burp shows you the progress
Check the Alerts tab while the spider is running
28. Launching an automatic scan
Launching an automatic scan
Included in the Pro edition only
Scans for common security flaws
Active/Passive scan (a passive scan only examines traffic that already passed through Burp and sends no extra requests; an active scan sends crafted requests of its own)
https://portswigger.net/burp/help/scanner_scanmodes.html#passive
Use this site for practice: http://google-gruyere.appspot.com/
By default, Burp Scanner is configured to perform passive scanning (you can change this in the Live scanning section)
You can run it against the whole scope or a specific branch of the site map
If you choose an active scan, a wizard starts
First to exclude resources like images, CSS, etc.
Next to exclude pages you must not hit automatically, like delete user or logout
29. Launching an automatic scan
You can enable or disable more options, for example which insertion points to tamper with:
URL parameter values in GET
Body parameter values in POST
Cookies
Headers
AMF string parameters in Adobe Flex applications
REST URL path segments
You can choose which attack checks to enable or disable
Also limit the number of threads
30. Launching an automatic scan
You can resume, delete or pause the scan for a specific resource
Check the Issue activity and Scan queue tabs
Confidence: the tool's estimate of how sure it is (Certain, Firm, and Tentative)
Sometimes you need to validate a finding manually
You can change report information such as Severity or Confidence
You can save the result as HTML or XML (select the issues in Issue activity, then right-click to generate the report)
The XML report can be imported into other tools (for example Metasploit)
You can customise the report, e.g. which data to include
31. Customized attacks with intruder
Automated customised attacks with Intruder
Iterate over a request with fuzzing (e.g. a login form)
First step: send the request to Intruder from the HTTP history tab
The Target tab holds host and port (normally no need to change)
In the Positions tab, mark where payloads go (by default Burp marks every parameter value)
Click Clear to remove the defaults, highlight your own position and click Add
Auto restores the default positions
Choose the attack type as follows:
32. Customized attacks with intruder
Sniper: one payload set; each marked position is fuzzed in turn with every payload while the other positions keep their original value
Battering ram: one payload set; the same payload is put into all positions at once, then the next payload, and so on
Pitchfork: one payload set per position; the lists are walked in parallel (first payload of each list together, then the second, ...)
Cluster bomb: one payload set per position; every combination of payloads is tried
33. Customized attacks with intruder
Note: Pitchfork and Cluster bomb require one payload list per position
Then configure the payloads (the list of strings to inject)
The Pro version ships with many attack payloads; it is also good practice to add FuzzDB, Web App URLs and the OWASP DirBuster project wordlists
Types:
Preset list: load a wordlist from an external text file or type the entries manually
Numbers: automatically generate numbers according to the configuration
Dates: automatically generate dates between two days
Brute forcer: generate every string over a given character set between a minimum and maximum length
For example, to create a payload list for detecting SQL injection:
Select Preset list
Add '--
Add '
34. Customized attacks with intruder
By default, Intruder URL-encodes the characters listed in the Payload Encoding field (so a ' in a payload arrives as %27)
Payload processing rules, for example: to lower case, add prefix, hash, encode, ...
In the Options tab you can configure the number of threads
Also Grep - Match: strings or regular expressions to look for in the responses; matching rows are flagged in the results
Use it to spot common error strings, exceptions or an "invalid login" message
To launch the attack: Intruder | Start attack (you can save the attack configuration and reload it from the menu to customise it further)
Observe the results table (pay attention to the HTTP status code and the response length; the odd one out is usually the interesting one)
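The four Intruder attack types, the Grep - Match check and the status/length triage of the results, as an added Python example (not the slides' or PortSwigger's code). The template, wordlists, error signatures and results table are constructed here; the § markers follow the convention of the Positions tab. Running it shows how many requests each attack type generates from the same two positions, which is what decides whether an attack is feasible in the time you have.

```python
import itertools
from collections import Counter
from typing import Iterable, Iterator, List, Sequence, Tuple

# Constructed Intruder template: § marks the payload positions, exactly as they
# appear in the Positions tab after highlighting a value and clicking Add.
TEMPLATE = "username=§admin§&password=§admin§"
USERNAMES = ["admin", "root", "test"]
PASSWORDS = ["admin", "password", "123456", "letmein"]
ERROR_SIGNATURES = ["error", "exception", "syntax", "invalid login", "odbc", "mysql"]


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Separate the fixed text from the original value inside each § pair."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]          # fixed text, base values


def render(fixed: Sequence[str], values: Sequence[str]) -> str:
    out = [fixed[0]]
    for value, tail in zip(values, fixed[1:]):
        out += [value, tail]
    return "".join(out)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; positions are fuzzed one at a time, others keep their base value."""
    fixed, bases = split_template(template)
    for pos in range(len(bases)):
        for p in payloads:
            values = list(bases)
            values[pos] = p
            yield render(fixed, values)


def battering_ram(template: str, payloads: Iterable[str]) -> Iterator[str]:
    """One payload set; the same payload goes into every position at once."""
    fixed, bases = split_template(template)
    for p in payloads:
        yield render(fixed, [p] * len(bases))


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, walked in parallel; stops at the shortest list."""
    fixed, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for combo in zip(*payload_sets):
        yield render(fixed, combo)


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position; every combination is tried (product of the list sizes)."""
    fixed, bases = split_template(template)
    if len(payload_sets) != len(bases):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield render(fixed, combo)


def grep_match(response_body: str, terms: Sequence[str] = ERROR_SIGNATURES) -> List[str]:
    """Intruder's Grep - Match: which configured strings appear in a response."""
    body = response_body.lower()
    return [t for t in terms if t.lower() in body]


def outliers(results: Sequence[Tuple[str, int, int]]) -> List[Tuple[str, int, int]]:
    """Flag rows whose (status, length) differs from the most common pair:
    in a login attack the one response that is not 'invalid login' is the hit."""
    signatures = Counter((status, length) for _, status, length in results)
    common = signatures.most_common(1)[0][0]
    return [r for r in results if (r[1], r[2]) != common]


if __name__ == "__main__":
    for name, gen in [("sniper", sniper(TEMPLATE, PASSWORDS)),
                      ("battering ram", battering_ram(TEMPLATE, PASSWORDS)),
                      ("pitchfork", pitchfork(TEMPLATE, [USERNAMES, PASSWORDS])),
                      ("cluster bomb", cluster_bomb(TEMPLATE, [USERNAMES, PASSWORDS]))]:
        reqs = list(gen)
        print(f"{name}: {len(reqs)} requests, first: {reqs[0]}")
    # Constructed results table: (request body, status, response length)
    table = [("username=admin&password=admin", 200, 1532),
             ("username=admin&password=password", 200, 1532),
             ("username=admin&password=123456", 302, 210),
             ("username=admin&password=letmein", 200, 1532)]
    print("outliers:", outliers(table))
    print("grep:", grep_match("You have an error in your SQL syntax near ''"))
```

With three usernames and four passwords the cluster bomb sends 12 requests; with real wordlists of a few thousand entries each it is the product of the two sizes, which is why Pitchfork is used for paired lists (such as username/password combinations that belong together) and Cluster bomb only for small sets.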
35. Dealing with Repeater
To repeat a request and modify it by hand
To confirm whether an endpoint is vulnerable or not
You can modify the request and send it as many times as you like
From the HTTP history tab, select a request and Send to Repeater
Modify the request, e.g. change the request method
Repeater menu:
Update Content-Length automatically keeps the header in sync with the body you edit
The Follow redirections option selects whether Repeater shows the actual response or instead follows redirects (e.g. a 302) and shows the landing page
36. Dealing with Repeater
Selecting the Process cookies in redirections option makes Repeater apply cookies set by the redirect response to the follow-up request, so the session tokens are kept across the application's redirects
Burp Repeater lets you create, delete or rename tabs
37. Randomness with Sequencer
Analysing application data randomness with Sequencer
To analyse the predictability of application data such as session cookies, anti-CSRF tokens, account activation tokens, ...
Sequencer does not perform any injection attack
In the HTTP history tab, select the request whose response issues the token (e.g. the login request that sets the session cookie) and Send to Sequencer
In the Select request table, select that request
In the Token location section of the Live capture tab, tell Burp where in the response the token is
The Cookie and Form field drop-downs list the tokens found in the response; a custom location can be defined manually
38. Randomness with Sequencer
Alternatively go to Manual load and load tokens you collected yourself
Click Analyze now to see the results, including how many tests the tokens passed
The Summary tab gives an overview report with an estimate of the effective entropy in bits
A randomness estimate can look good or bad; what matters is whether an attacker could predict the next token
You can also see the character-level and bit-level analysis, per character or bit position
http://www.portswigger.net/burp/help/sequencer_tests.html
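A simplified character-level analysis of the kind Sequencer reports, as an added Python example; it is not Burp's code and implements only a per-position Shannon entropy, not the statistical test battery linked above. The tokens are constructed here: a fixed prefix plus a counter plus a hash fragment, the shape of many home-grown session tokens, so the report shows which positions carry no entropy.

```python
import hashlib
import math
from collections import Counter
from typing import List


def make_sample_tokens(n: int = 256) -> List[str]:
    """Constructed tokens (not from a real application): a fixed 'SESS' prefix,
    a zero-padded counter, then 12 hex characters of SHA-256(counter).
    Only the hash part looks random; the prefix and counter are predictable."""
    tokens = []
    for i in range(n):
        digest = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        tokens.append(f"SESS{i:04d}{digest}")
    return tokens


def position_entropy(tokens: List[str], pos: int) -> float:
    """Shannon entropy (bits) of the character observed at one position."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def char_level_report(tokens: List[str]) -> List[float]:
    """Entropy per character position, over the common token length."""
    length = min(len(t) for t in tokens)
    return [round(position_entropy(tokens, p), 3) for p in range(length)]


def weak_positions(tokens: List[str], threshold_bits: float = 2.0) -> List[int]:
    """Positions contributing less than threshold_bits: constant or counter-like."""
    return [p for p, e in enumerate(char_level_report(tokens)) if e < threshold_bits]


def effective_entropy_bits(tokens: List[str]) -> float:
    """Upper-bound estimate: sum of per-position entropies. Correlations between
    positions (e.g. a counter) lower the true figure further."""
    return round(sum(char_level_report(tokens)), 1)


if __name__ == "__main__":
    sample = make_sample_tokens()
    print("per-position entropy:", char_level_report(sample))
    print("weak positions:", weak_positions(sample))
    print("effective entropy (bits):", effective_entropy_bits(sample),
          "of", 8 * len(sample[0]), "raw bits")
```

A 20-character token looks like 160 bits, but here the first six positions contribute almost nothing and a hex digit carries at most 4 bits, so the effective figure is a small fraction of the raw length; that gap between apparent and effective entropy is what Sequencer's summary is trying to surface.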
39. Decoding and encoding
Decoding and encoding data with Decoder
For encoding and decoding strings in multiple formats (URL, HTML, Base64, ASCII hex, octal, binary, gzip)
Burp Decoder can also create message digests with common hash functions,
including MD2, MD5, SHA, SHA-256 and SHA-512
With the Smart decode button, Burp tries to decode the content by looking for recognisable formats, repeating until nothing more decodes
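The smart-decode behaviour and the digest function, as an added Python example (not Burp's own implementation): a value is decoded layer by layer for as long as it looks like URL encoding, ASCII hex or Base64 and the result is still readable text. The sample input is constructed: Base64 of a URL-encoded `<script>`, two layers deep. The printable-text check is the guard against "decoding" data that merely happens to fit a format.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def _printable(data: bytes) -> bool:
    """Only accept a decoding if it yields readable ASCII; otherwise the input
    merely happened to look like that format."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(32 <= ord(ch) < 127 or ch in "\r\n\t" for ch in text)


def decode_step(value: str) -> Optional[Tuple[str, str]]:
    """Try the recognisable formats once, most specific first; return the format
    that worked and the decoded text, or None if nothing applied."""
    if "%" in value:
        decoded = unquote(value)
        if decoded != value:
            return "url", decoded
    if HEX_RE.match(value):
        raw = bytes.fromhex(value)
        if _printable(raw):
            return "ascii-hex", raw.decode("ascii")
    if len(value) % 4 == 0 and BASE64_RE.match(value):
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if raw and _printable(raw):
            return "base64", raw.decode("ascii")
    return None


def smart_decode(value: str, max_rounds: int = 8) -> Tuple[List[str], str]:
    """Repeat decode_step until nothing recognisable is left, like Smart decode."""
    steps: List[str] = []
    for _ in range(max_rounds):
        result = decode_step(value)
        if result is None:
            break
        fmt, value = result
        steps.append(fmt)
    return steps, value


def digests(value: str) -> Dict[str, str]:
    """Message digests of the input, as Decoder's Hash menu offers."""
    data = value.encode()
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    # Constructed input: base64( urlencode("<script>") ), two layers deep.
    print(smart_decode("JTNDc2NyaXB0JTNF"))
    print(digests("admin")["md5"])
```

Ambiguous inputs are the usual pitfall: `deadbeef` is both valid hex and valid Base64, but neither decoding gives readable text, so the function leaves it alone rather than presenting binary noise as a result.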
40. Comparing site maps
Comparing site maps
Helps find access control issues
For example, browse the application as a standard user, then replay all the requests as an administrator (or as an unauthenticated client) and compare the results
Also with blind SQL injection there can be tiny differences between HTTP responses, and Comparer shows you exactly what is different
Comparer works at byte or word level on two items
Compare site maps does the same over two whole site maps and highlights the differences
41. Comparing site maps
Note: it does not inject anything or attack the site; it only replays the recorded requests
For example, in the site map select the Account folder, right-click and choose Compare site maps
Define site map 1 (the source)
Select the branches to include, or only the items in scope
Then define site map 2
42. Comparing site maps
Let us assume our first site map was recorded as User1's session
For site map 2 we need to drop those cookies and use a different session
Minimise the Compare site maps wizard and go to Project options | Sessions
Click View cookie jar; this is the repository of all session tokens Burp knows about
Change the cookie values to simulate a non-authenticated user, then close the window
Click Edit on the right-hand side of the session handling rules table
43. Comparing site maps
Burp opens a new window, the Session handling rule editor; go to the Scope tab and tick Target in the Tools scope section
Click Done and go back to the Compare site maps wizard
Leave the remaining options as they are and proceed
Use the default settings
Burp then requests every resource of site map 1 again with the modified session in order to build site map 2
44. Comparing site maps
Burp automatically computes all differences and displays the results
With Sync selection, Burp links the two site maps so that you can scroll the two panels simultaneously, and items that differ are highlighted
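The access-control comparison the wizard performs, reduced to its logic, as an added Python example (not Burp's code): two constructed site maps, one recorded as a logged-in user and one replayed with the session cookie removed, are compared per URL, and a word-level diff of the kind Comparer shows is included for the bodies that differ. The URLs and bodies are invented for illustration.

```python
import difflib
from typing import Dict, List, Tuple

# Constructed site maps (not from a real application): url -> (status, body).
# SITEMAP_USER was recorded while logged in as a normal user; SITEMAP_ANON is
# the same set of requests replayed with the session cookie removed.
SITEMAP_USER: Dict[str, Tuple[int, str]] = {
    "/account/profile": (200, "Welcome alice. Balance: 120.00"),
    "/account/export":  (200, "id,amount\n1,120.00"),
    "/account/admin":   (200, "Admin panel: 3 users"),
    "/logout":          (302, ""),
}
SITEMAP_ANON: Dict[str, Tuple[int, str]] = {
    "/account/profile": (302, ""),                     # bounced to login: enforced
    "/account/export":  (200, "id,amount\n1,120.00"),  # identical: not enforced
    "/account/admin":   (200, "Admin panel: 3 users"), # identical: not enforced
    "/logout":          (302, ""),
}


def word_diff(a: str, b: str) -> List[Tuple[str, List[str], List[str]]]:
    """Word-level comparison (Comparer's 'Words' mode): the changed spans only."""
    a_words, b_words = a.split(), b.split()
    matcher = difflib.SequenceMatcher(None, a_words, b_words)
    return [(op, a_words[i1:i2], b_words[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def compare_site_maps(map1: Dict[str, Tuple[int, str]],
                      map2: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Per URL, say whether the two sessions got the same thing."""
    report = {}
    for url, (status1, body1) in map1.items():
        if url not in map2:
            report[url] = "not requested in site map 2"
            continue
        status2, body2 = map2[url]
        if status1 != status2:
            report[url] = f"status {status1} -> {status2}"
        elif body1 == body2:
            report[url] = "identical"
        else:
            report[url] = f"body differs: {len(word_diff(body1, body2))} change(s)"
    return report


def suspected_access_control_failures(map1, map2, success_status: int = 200) -> List[str]:
    """URLs the privileged session could read and the other session got identically."""
    report = compare_site_maps(map1, map2)
    return sorted(url for url, verdict in report.items()
                  if verdict == "identical" and map1[url][0] == success_status)


if __name__ == "__main__":
    for url, verdict in compare_site_maps(SITEMAP_USER, SITEMAP_ANON).items():
        print(f"{url:20} {verdict}")
    print("suspected:", suspected_access_control_failures(SITEMAP_USER, SITEMAP_ANON))
    print(word_diff("Balance: 120.00", "Balance: 0.00"))
```

An identical 200 response for both sessions is only a suspect, not a confirmed finding: some pages are legitimately public, and some applications return 200 with a login form in the body, which is why the differing bodies still need to be read.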
45. Other Utilities
Engagement tools is a Pro-only feature of Burp Suite
Search: find relevant information across all Burp traffic very quickly
From the Target site map you can also export your comments
Dynamic update keeps the search results refreshed as new responses containing the term arrive
Analyze target: quickly see how many dynamic and static URLs you are dealing with in a website,
and how many parameters each of them takes
Useful to estimate the time and effort required to test the application
It works from what is already in the site map and does no scanning of its own
46. Other Utilities
Content discovery: discover unlinked content, including brute-forcing file and folder names
Task scheduler: automate tasks such as backing up the Burp session, or starting, resuming and pausing scans and spidering
CSRF PoC generator: takes any request and writes the HTML for a proof of concept that tests whether the application checks for CSRF
It generates an HTML form plus JavaScript to submit it automatically
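What the CSRF PoC generator produces, as an added Python example (not Burp's code): a raw form-encoded POST from HTTP history is parsed and turned into a self-submitting HTML form. The request is constructed here; the Cookie header is included on purpose to show that the PoC does not need it, since the victim's browser attaches the session cookie itself.

```python
import html
from typing import Dict, Tuple
from urllib.parse import parse_qsl

# Constructed request (not a real capture): a form-encoded POST as it would sit
# in HTTP history. The Cookie header is deliberately present: the PoC must not
# need it, because the victim's browser attaches it by itself.
SAMPLE_POST = (
    "POST /account/transfer HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "to=attacker&amount=1000&memo=%3Cthanks%3E"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def csrf_poc(raw: str, scheme: str = "https") -> str:
    """Build an auto-submitting HTML form that replays the request cross-site.
    Every name and value is HTML-escaped so the PoC page itself is well formed."""
    method, path, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip()
    if content_type != "application/x-www-form-urlencoded":
        raise ValueError("this generator only handles form-encoded bodies")
    action = html.escape(f"{scheme}://{headers['host']}{path}", quote=True)
    fields = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in parse_qsl(body, keep_blank_values=True)
    )
    return (
        "<html>\n  <body>\n"
        f'  <form id="csrf" action="{action}" method="{html.escape(method)}">\n'
        f"{fields}\n"
        '    <input type="submit" value="Submit request">\n'
        "  </form>\n"
        '  <script>document.getElementById("csrf").submit();</script>\n'
        "  </body>\n</html>"
    )


if __name__ == "__main__":
    print(csrf_poc(SAMPLE_POST))
```

Host the output on a different origin and open it while logged in to the target; if the transfer goes through, the server accepted a cross-site request without an unpredictable token. Any anti-CSRF token that was in the captured body is copied into the form as a stale literal, so a server that validates it properly will reject the PoC, which is the check this tool exists to make.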
47. Save our work
Saving and restoring state is a Pro-only feature of Burp Suite
For the free edition, use OWASP ZAP to proxy the session if you need to keep it
You can set a password to protect the sensitive information in the saved state
There is no way to save Intruder state; what you can do is save the attack configuration together with its payloads
Options | Misc | Automatic Backup
to save your work automatically
Options | Misc | Logging
to log each and every HTTP request and response
for the different tools
49. References
Burp Suite Starter, Packt Publishing, 2013
Burp Suite Essentials, Packt Publishing, 2014
PenQ: tool for spidering, advanced web searching, fingerprinting and more