Quick Intro to Burp Suite - Free


Ctrl + Shift + P Proxy tab
Ctrl + F forward the waiting request
Ctrl + T toggle proxy
Ctrl + D drop request


Burp Notes

	1. Intercept Behaviour

		+ Pause on request/response from $TARGET only

			- Under Intercept Client Requests/Responses, click "URL is in scope"


	2. Application Walkthrough

		+ Manually browse and click through the site as much as possible.

			- What can you do as unauthenticated/authenticated user?
			- Any request processed server-side/dbms?
			- Do I control any information that's shown?
			- Manually test input fields with simple ' or "$"


		+ Passive Scanning - analyzes contents of existing requests/responses and deduces vulns

			- Identify vulnerabilties simply by browsing the application as normal user. Can get reportable issues before actual scanning


		+ Sort items/targets by "Time Requested" to browse previously unseen links


	3. Under Target and then Site map

		+ Right click and add to scope, remove everything else

	4. Initial Pilfering


		1. Comapre Site Map - Authenticated vs unauthenticated site map
		2.
		3. Do you want to sort by MIME type, file type, status code, or specific string?
		4. Can right click and Highlight and/or highlight for later

		+ Under Site map

			 - View reponse of each file from "Responder" tab. Look for:
				- Developer comments
				- Email addresses
				- Username/passwords
				- Paths and file locations
			 - Any files you don't recognize?

		+ Sort items/targets by "Time Requested" to browse previously unseen links


	5. Keyword Searching - Pro version only

		+ Right click target, engagement tools, search:

			- "set-cookie"

	6. Spider and Discover target

		- Definitely set limits. Very intensive
		- Make sure to conduct manual browsing to fill up Site Map first
		- Take note of heavy components (AJAX, Flash, etc)
		- Form submission /// Automatic or manual prompts each time
			- Customize appropriately to let customers know we were there

	7. Repeater (ctrl+R) - send request and get instant feedback /// manipulate request one-by-one


		+ Right click target, send to Repeater, GO:

			- Play with any part of HTTP request headers - esp GET/POST/PUT
			- Check mobile backends for OPTIONS parameters
	8. Intruder (ctrl + I)- Iterator /// Automated fuzzing on HTTP parameters; simluated automated attack

		* Can do username enumeration, insecure direct object references,

		1. Select Target

			- Right click target, send to Intruder, GO, Positions:
				- Clear the initial shit
		2. Set Positions

			- Tests everything with an "="
				- OR highlight/right click the parameter you want to fuzz, "Add" then go to Payload tab and "Fuzzing - Full"

		3. Set Payload - Example - Go to HTTP History, find request (POST) that has parameters for fuzzing

							- Tests everything with an "="
				- OR highlight/right click the parameter you want to fuzz, "Add" then go to Payload tab and "Fuzzing - Full"


				- Extension Generated: We can use a specific type of Burp Extension to generate our payloads. As I said, this is infinitely customizable.

				- ECB Block Shuffler: This is used to shuffle blocks of cipher text in ECB encrypted data to bypass application logic if required. Since ECB ciphers encrypt blocks independently, previously known plain text wil give us predictable cipher text. There are attacks to manipulate this inapplication logic.

				- Character Frobber: This is useful to check whether a unique value is being considered for processing or if changing one character has no effect on it.

				- Null Payloads: Sometimes, we just want the application to generate and give us different values for every request that can be fed into the sequencer tool, which can be be done using this option.

			- More payloads from
				- FuzzDB
				- OWASP DirBuster
				- Web App URLs (https://github.com/pwnwiki/webappurls)

					- CEWL or CRUNCH from website :)

		4. Start Attack

			- Sniper: Each payload is placed in the position one at a time
			- Battering Ram: Each payload is placed in all the positions all at once
			- Pitchfork: Multiple payloads for each position are placed
			- Cluster Bomb: Multiple payloads for each position are placed, but all combinations of payloads and positions take place


		5. Analyze Reponses

			- Under Options in Intruder,

				- grep for strings successful responses (success, admin, logged in as, passwords, etc)


	9. Sequencer

		+ Used to try and identify sequences/low entropy randomness is data that's supposed to be randomn

			- Session IDs, anti-CSRF tokens, password reset tokens, activation tokens, etc

				+ Analyze tokens


	10. Validating

		+ Scanner/Results tab - ON EVERY VULNERABILITY IDENTIFIED BY THE SCANNER
			- Look at request/response
			- Test "path" either in browser, Response tab, wget, etc

		+ Can export:

			1. HTML -> PDF
				- Useful for full reports and better communication
			2. XML - Uncheck Base64 box
				- Useful for specific findings/targets


	11. Extensions


		+ Extender -> Add -> select *.jar

			1. Shellshock - https://github.com/AccuvantLABS/burp-shellshock


	Misc.


		1.  Set un matched fields in spider mod and sniff w tcpd and test net traffic


		2. Outbound SOCKS Proxy = force OUR testing traffic through TARGET proxy to ensure OUR testing traffic comes from an approved environment (rarely used)

				- Probably won't need a lot of the time

					1. SSH out to your testing server and setup a socks proxy on your localhost via the ‘–D’ option like this.

						ssh –D 9292 –l username servername

					2. Then in Burp, under Connections select SOCKS proxy, then localhost:9292.

						- Burp is now sending traffic through this SSH tunnel.
						- Go to whatismyip.com and make sure the IP address is coming from within testing environment