This cheat sheet helps Burp Suite users work faster and with less friction. Burp Suite is the de facto penetration testing tool for assessing web applications. It lets penetration testers rapidly test applications through signature features such as Repeater, Intruder, Sequencer, and Extender. The menu bar includes Intruder, Repeater, Window and Help; below the menu sit the Burp activity tabs, which run the various kinds of Burp activity. The first tab we'll look at is Target, which has three sub-tabs of its own: Site map, Scope, and Issue definitions. The Site map tab shows the construction of.
Many automated web security tools are available in the market today, but even the best of these tools have limitations. Many web vulnerabilities are difficult – or even impossible – to detect without human interaction. Some of the best tools for web security analysis take the form of a browser (with a few simple add-ons) and an attack proxy. This article describes how attack proxies work and shows how to look for web vulnerabilities using the popular attack proxy Burp Suite.
Attack proxies vary in functionality, price, and reliability, so for consistency, I'll use Burp Suite throughout these examples. Burp Suite includes a tool for intercepting traffic (the 'proxy' module itself), as well as modules for spidering sites, repeating and manipulating individual requests, sequencing random values, decoding traffic, and more. Each of these components provides unique insight into the application's functionality and security ramifications, but all require an intelligent person to decode the results.
Installation and Configuration
After you download the free edition of Burp Suite, simply double-click the .jar file to run it. Once the application is running, click Proxy | Options and check the Proxy Listeners section (Figure 1) to identify the IP address and port the proxy is listening on. By default the listener is bound to 127.0.0.1:8080.
For the rest of the exercise, you'll need a browser (Firefox), two Firefox extensions (Cookies Manager+ and FoxyProxy Standard), and Burp Suite for the testing. Once these tools are installed, you should see a new icon to the right of the URL bar indicating the status of the Firefox proxy. Similarly, you can open Cookies Manager+ from the Tools menu; it lets you easily inspect cookies, their values, and associated data. With Burp running and the browser extensions installed, right-click the FoxyProxy icon (in red), click the Options tab, then select Add New Proxy (Figure 2).
Using the data from the Burp proxy, insert the IP address and port for a new proxy configuration, type in a proxy name, and click Accept. Once back on the main browser page, right-click on the FoxyProxy icon to cycle through proxy configurations and enable the newly created proxy. In testing the new settings, type in a URL and verify that the proxy is intercepting the request, as shown in Figure 3.
Burp Suite Basics
Once you have Burp Suite installed and configured, take a moment to look around. The most common and basic function is the proxy, which allows you to intercept HTTP(S) requests from the browser to the site you are testing. As packets are intercepted, you can modify parameters, cookies, and other data, and you can filter packets within the proxy to include or exclude similar packets (Figure 4).
The Spider tab allows for the spidering of sites through link identification and scraping of the pages listed in the robots.txt file. Spidering is a vital piece of any security assessment, because it can yield administrative access pages, test functions, or other pages that were not intended to be published. Similar to the Spider tab is the Target tab, which allows whitelisting and blacklisting of pages within the target scope, as well as viewing of spidered pages in the site map (Figure 5).
Describing the scope properly makes it easier to identify rogue pages and helps you better isolate useful pages in other areas of Burp Suite. Nearly all modules support isolating analyzed sessions to those in the target scope.
The Intruder section lets you mark any values within an HTTP request as insertion points for a given variable. Although this sounds like a cryptic definition, it's easily understood with a basic example. Using the default sample, the URL [/example?p1=aaa] is sent, with a single
By setting the parameter as an insertion point for security testing, you can replace the aaa value with a variety of payloads, including dates, numbers, passwords, filenames, or a custom list of user-defined values. Because it can fuzz parameters, brute force usernames and passwords, and be used for a number of other security tests, the Intruder section is the Swiss army knife of the Burp Suite toolset, providing a wide range of possibilities.
The Repeater tab provides an easy interface to craft custom requests, as well as identify consistency issues within the application. Often, I prefer this module to verify time-based SQL injection vulnerabilities, which testing tools often find as false positives.
Next, the Sequencer tab collects and analyzes tokens for randomness and predictability – a significant vulnerability if they are not securely random. To use it, find in the Proxy history the page where a session token is issued and send that request to the Sequencer for live capture of tokens. Once the session value is identified (much like creating an insertion point in the Intruder), start the live capture and begin collecting session cookies. Once 100 of these have been collected, the randomness testing can begin, and results are refined as more values are collected for a more thorough analysis. This explanation doesn't fully cover the process, but it will be further explained as I describe a real attack process.
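To make the Sequencer's idea concrete, here is an added Python example (not from the article and not Burp's own code) that estimates per-bit entropy across a set of collected tokens; the two token generators and the sample size are constructed for the demo.

```python
import secrets
from math import log2

def binary_entropy(p):
    """Shannon entropy in bits of a biased coin with P(1) = p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1 - p) * log2(1 - p)

def bit_entropy_profile(tokens):
    """Per-bit entropy estimate over a set of equal-length hex tokens.

    Like Sequencer's bit-level analysis, every token is converted to bits and,
    for each bit position, the observed fraction of 1s across all samples is
    turned into an entropy estimate. A position that never changes scores 0.
    """
    raw = [bytes.fromhex(t) for t in tokens]
    length = len(raw[0])
    if any(len(r) != length for r in raw):
        raise ValueError("all tokens must have the same length")
    nbits = length * 8
    ones = [0] * nbits
    for r in raw:
        value = int.from_bytes(r, "big")
        for i in range(nbits):
            if (value >> i) & 1:
                ones[i] += 1
    n = len(raw)
    return [binary_entropy(c / n) for c in ones]

def effective_entropy_bits(tokens):
    """Sum of per-bit entropies: a first-order estimate of the entropy the tokens carry."""
    return sum(bit_entropy_profile(tokens))

# Constructed sample generators: a 32-bit counter (weak) vs a 128-bit CSPRNG token (strong).
def weak_tokens(n):
    return [f"{i:08x}" for i in range(1, n + 1)]

def strong_tokens(n):
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    for name, toks in (("counter", weak_tokens(200)), ("secrets", strong_tokens(200))):
        bits = len(toks[0]) * 4
        print(f"{name}: ~{effective_entropy_bits(toks):.1f} effective bits of {bits}")
```

Per-bit bias is only a first-order check: it cannot see correlations between consecutive tokens, which Sequencer also tests for, so treat a high score as necessary rather than sufficient.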
With the basics of Burp Suite explained, I'll focus more on using these tools to identify flaws in your web infrastructure. To begin, I'll analyze cookie security misconfigurations, particularly relating to the Secure and HttpOnly flags on web applications. I'll use the aforementioned Burp Intruder to attack login forms and brute force valid accounts and then test the randomness of session cookies with the Sequencer. All of these steps will be performed using only a web browser and the free edition of Burp Suite.
Brute Force Account Testing Using Burp Intruder
As organizations mature, stronger security controls such as strict firewall rules, WAF, VPN, etc., are implemented to ensure they are safe from attackers. Attackers target web authentication methods like simple username / password combinations, which are commonly implemented in all applications.
As part of web application security testing, one of the things security testers do is check whether the application accepts weak or default passwords that can be easily guessed. The Open Web Application Security Project (OWASP), as part of its Web Application Security Testing Guide (WASTG), dedicates a chapter to Testing for Weak Account Lockout Mechanism.
Configuration Changes / Tools Used
Security testers commonly use Burp Suite, an integrated platform containing various tools such as Scanner, Intruder, Decoder, etc., which allows for a good and seamless testing experience, from initial mapping of the application attack surface to finding and exploiting various application vulnerabilities. Using Burp, one can have full control over manual techniques, including automation, which makes testing easy and convenient.
Using built-in tools such as Intruder, attackers can perform password spraying attacks, because Intruder tests many passwords in a short period of time.
Common Issues Encountered
Weak passwords are an industry-wide problem, and there are several news articles about data breaches that happened because of default passwords or employees using easily guessable passwords. Customers from all industry verticals, especially Banking, Financial Services and Insurance (BFSI) and allied industries, should pay particular attention to this, as the financial impact is huge if no safeguards are in place for their applications.
Password spraying of credentials where no lockout is implemented falls under the OWASP Top 10 2017 category A2: Broken Authentication. Given its importance, there are several ways to test for account lockout mechanisms.
The screenshot below shows how to enable proxying in Mozilla Firefox. To reach the Connection Settings, follow these steps:
- Click Firefox > Preferences (on Mac) or Tools > Options (on Windows) and scroll down to Network Settings.
- Click the Settings button; the Connection Settings window will pop up.
The proxy options will vary from browser to browser.
A proxy in this context is a piece of software sitting on the tester's machine that lets the tester intercept requests going to the server and manipulate them before they are forwarded to the server.
The screenshot below shows the port used by Burp and the IP of the localhost (the computer where Burp is installed) that is used to capture the traffic. The same IP and port details need to be entered into the browser's proxy configuration.
Figure 2: Burp Configuration
Set Up for Testing
For the purpose of this demo the following tools will be used:
- Burp Suite – Installed on your testing computer along with the browser you will use to interface with the application.
- Zen Cart – Free e-commerce shopping application.
Once the application is installed and traffic is captured in Burp, the color in the Intercept tab will change to orange as shown below. Ensure that the Intercept button is turned on to intercept the requests.
To begin brute forcing, first enter a user name and password in the login page and capture the request in Burp Proxy.
Figure 4: Zen Cart Login
Once the request is captured, the Intercept tab shows the login request in either GET or POST format, along with the cookie values, header information, and the login credentials required by the server.
Burp Suite contains Intruder, one of the suite of tools integrated along with Proxy, which allows for automation of many common attacks. Intruder is one of the tabs present in Burp.
Figure 6: Intruder Tab in Burp
To send the request to Intruder, right click anywhere in the request window and from the menu options, select Send to Intruder. The tester needs to be in the Proxy tab viewing the request that needs to be sent to Intruder.
Once the request is sent to Intruder, the Intruder window is automatically shown with the selected request.
Figure 8: Intruder Active
Intruder auto-selects the positions based on the parameters present in the request. When the request is sent to Intruder, the parameters present in the GET or POST request and the cookies are automatically marked with the § symbol, indicating that all of these will be targeted in the attack.
These can be left as is (if required) or customized by clicking the clear button and selecting the required parameter and clicking the “Add §” button present at the right hand side. This will place the § symbol in the start and end positions of the required parameter as shown in the screenshot below.
In this scenario, as we are performing a brute force attack, we want to target the password as we already know the username. Select Sniper as the Attack Type. This is the default attack type and can be changed from the drop-down based on the type of testing being conducted.
Intruder has different attack types such as Sniper, Cluster Bomb, Pitchfork and Battering Ram. These can be used based on different attack scenarios.
As we have decided to target the password, a predefined list of passwords can be used. The passwords can be generated using various tools or, if the tester already has list of passwords, they can be pasted in.
Figure 10: Passwords for brute forcing
Go to the Payloads tab and load the password file if a list is already prepared, or add individual passwords manually by clicking the Add button.
Once all the passwords are added, click the Start Attack button. Intruder will iterate through the various password combinations. In this example, upon finding the correct password, the response will show up in Intruder with a different status code and length.
The meaning of the status codes is given below:
200 OK – The request has succeeded. The information returned with the response depends on the method used in the request.
302 Found – The requested resource resides at a different URI. In this example, when Intruder uses the correct password, the server authenticates the request and redirects it to a different URI.
The response varies for each attack scenario, and the tester needs to pay attention to the response behaviours to notice the difference when Intruder uses the correct password.
Figure 12: Length change after successful password attempt
This blog post illustrates how the Intruder tool in Burp Suite can be used to automate testing for weak / easily guessable passwords.
The example shown will not work if the application locks the account after a certain threshold of failed attempts. Further configurations could integrate Single Sign-On into the application, so that authentication follows corporate password policies. Additionally, implementing a multi-factor authentication (MFA) mechanism is one of the best ways to prevent unauthorized access to applications. Showing a CAPTCHA after a specific number of attempts is exhausted is another way to prevent brute forcing.
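As an added Python example (not the post's code and not Zen Cart's), the following minimal login handler shows why the Intruder run above succeeds without a lockout and fails with one; the candidate list, account, threshold and the 423 status used for a locked account are all assumptions made for the demo.

```python
import hmac
import time

class LoginService:
    """Login handler with a per-account lockout (constructed demo, not Zen Cart's code).
    threshold=None disables the lockout, the weak configuration the Intruder run relies on.
    Status codes follow the post: 302 on success, 200 when the login page is re-rendered
    after a failure; 423 (Locked) for a locked account is this demo's own choice.
    """
    def __init__(self, accounts, threshold=5, lock_seconds=900, clock=time.monotonic):
        # demo only: a real system stores salted password hashes, never plaintext
        self.accounts = {u: {"pw": p, "fails": 0, "locked_until": 0.0} for u, p in accounts.items()}
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return 200  # same answer as a wrong password, so usernames cannot be enumerated
        now = self.clock()
        if now < acct["locked_until"]:
            return 423  # locked: even the correct password is refused, so no hit is observable
        if hmac.compare_digest(password.encode(), acct["pw"].encode()):
            acct["fails"] = 0
            return 302
        acct["fails"] += 1
        if self.threshold is not None and acct["fails"] >= self.threshold:
            acct["locked_until"] = now + self.lock_seconds
            acct["fails"] = 0
        return 200

def run_password_list(service, username, candidates):
    """Submit each candidate in order, as a Sniper attack on the password position would."""
    return [service.login(username, c) for c in candidates]

# Constructed candidate list; the account's real password sits at position 7.
CANDIDATES = ["123456", "password", "letmein", "admin", "welcome", "qwerty", "Zen-Cart-2021!"]

def compare_configurations():
    """Return (status codes without lockout, status codes with lockout) for the same list."""
    weak = LoginService({"alice": "Zen-Cart-2021!"}, threshold=None)
    hardened = LoginService({"alice": "Zen-Cart-2021!"}, threshold=5)
    return (run_password_list(weak, "alice", CANDIDATES),
            run_password_list(hardened, "alice", CANDIDATES))

if __name__ == "__main__":
    print(compare_configurations())
```

With the lockout in place the 302 never appears, even for the right password, so the status and length difference the post keys on is gone; pair a per-account lockout with a CAPTCHA or per-source rate limiting, since a lockout alone also lets anyone lock legitimate users out of their accounts.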
Copyright © 2021 Optiv Security Inc. All rights reserved.
Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the email address associated with the account.