burpsuite
a guest
Jan 7th, 2019
-java based web pentesting framework
-used to identify attack vectors and find security flaws

-it is an intercepting tool
-intercepts our http requests before they're sent to the server

client - burpsuite - ... - server

-features:
-interception proxy
-automated security scans
-manipulate http and https requests
-brute forcing credentials
-crawling/spidering a website

-download burp community edition
-download tamper data extension for firefox
-download CA certificate of burpsuite and add it to firefox

-configure firefox to use burp as its proxy (IP and port)
-configure burp to accept requests from firefox (IP and port)

1. intercepting http requests:
-proxy tab = used to intercept all http requests going out
-intercept = to turn intercepting on/off
-raw = shows the entire http request being intercepted
-params = shows the parameters being sent by the request, i.e. the names of the input parameters and their values
-headers = shows the headers of the http request being intercepted
-hex = shows the hex values of the contents of the http request being intercepted
-HTTP history = keeps a history of all the intercepted http requests and the methods they used (GET/POST)
//can double-click on individual requests to view them in detail
-options = to configure which IP and port burp will listen on

//forward = forwards the intercepted http request
//drop = drops the intercepted http request
-turn intercept on
-forward the request
-target tab starts blinking

2. creating sitemap (spidering/crawling the target website):
-target tab
-sitemap = for creating a site map of the target website
-contents = shows all http requests that were made to each individual item in the site map and the responses to those requests that were received
-issues = shows the issues (vulnerabilities) discovered in each individual item in the site map
//these can also be seen in the scanner tab
-scope = for adjusting the scope of our attack
-sitemap shows the entire sitemap of the target website
-click on an individual item in the site map and select 'spider this host/spider this branch'
-spidering begins

-spider tab = shows that spidering is going on and
//while spidering, if burpsuite encounters any forms, it shows us the form and asks us to either manually enter creds or to ignore that form (and not spider any further in that branch)

3. scanning for vulnerabilities
-scanner tab = shows all the vulnerabilities found while spidering the web site

-scanner tab can function as a manual scanner:
-so we can click on some link in the web app
-this will result in some url
-and the scanner tab will display all vulns discovered in the web page corresponding to that particular url

-but this is tiresome
-so let the spider finish creating the entire site map of the web app
-then simply click on an individual item in the site map and select 'actively scan this branch'
-automatically scans for all vulnerabilities in that branch

-scan queue = shows all ongoing scans (when we choose to actively scan this branch)
-issue definitions = tells us the various types of issues and what they mean
-options = advanced options for tweaking the scanner

4. using burpsuite as an attacking tool
-say we have a login form in a page
-let's say we enter Username = user1 | Password = pass1
-Username and Password = input parameters
-user1 and pass1 = values of those input parameters
-press submit
-this causes an http POST request
-in the intercept tab we can see the POST request, the input parameters and the values we entered

-now we need to send this request to intruder
-right-click on the request and choose 'send to intruder'
-intruder tab starts blinking

-intruder tab = can be used for tampering with the http requests going out
-we can use this for cracking passwords using a brute force attack
-target = target of the attack
-positions = shows us the positions in the post request that we can change/modify and add our own value (called payload)

-burp intruder automatically selects possible positions that we can modify
-clear these
-select a position of your choice
-press Add

-attack types:
-sniper = works with one particular payload at a time
//payload may be a wordlist
-battering ram = tries one payload against all parameters in the request
-pitchfork = works with as many payloads as the number of parameters
-cluster bomb = combination of each word in the wordlist with all the words in the other wordlist(s)
-payloads = we can write payloads of our choice (i.e. the modified values that we'll insert into the positions that we chose)
-payload set = how many payloads we're going to use
-payload type = the type of payload we're going to use
-payload options = tweaking our payload
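The four attack types differ only in how payloads are paired with the marked positions. This added Python example (not Burp's code, not from the original notes) enumerates the request bodies each type would generate for a constructed two-position login body and two small wordlists; the template, default values and wordlists are assumptions, and nothing is sent.

```python
from itertools import product

# Constructed example (not Burp's code): a login POST body with two Intruder
# positions (Burp's § markers) and two small wordlists. Nothing is sent; the
# functions only show which request bodies each attack type would produce.
TEMPLATE = "username=§user1§&password=§pass1§"
DEFAULTS = ["user1", "pass1"]          # original values of the two positions
WORDLISTS = [["alice", "bob"], ["winter", "spring", "summer"]]


def fill(values):
    """Substitute one value per § position; split parts alternate text/position."""
    parts = TEMPLATE.split("§")
    return "".join(values[i // 2] if i % 2 else p for i, p in enumerate(parts))


def requests_for(attack_type):
    """Return the request bodies Intruder would send for the given attack type."""
    n = len(DEFAULTS)
    if attack_type == "sniper":
        # one position at a time, single payload set; other positions keep defaults
        bodies = []
        for pos in range(n):
            for word in WORDLISTS[0]:
                vals = list(DEFAULTS)
                vals[pos] = word
                bodies.append(fill(vals))
        return bodies
    if attack_type == "battering ram":
        # the same payload goes into every position at once
        return [fill([word] * n) for word in WORDLISTS[0]]
    if attack_type == "pitchfork":
        # one payload set per position, stepped in parallel (stops at the shortest)
        return [fill(list(combo)) for combo in zip(*WORDLISTS)]
    if attack_type == "cluster bomb":
        # every combination across the payload sets (cartesian product)
        return [fill(list(combo)) for combo in product(*WORDLISTS)]
    raise ValueError(attack_type)


def request_counts():
    """Number of requests per attack type for the constructed inputs."""
    return {t: len(requests_for(t)) for t in
            ("sniper", "battering ram", "pitchfork", "cluster bomb")}
```

The counts (4, 2, 2, 6 here) show why cluster bomb is the expensive one: its request count is the product of the wordlist sizes, while pitchfork stops at the shortest list.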
  104.  
-payload encoding = which characters in our payload will be url encoded (so that the web app does not block them)
//IMPORTANT: remove the = sign from the list of characters in payload encoding
-say we want to do a brute force attack
-so the position we'll select will be the Password= field of the http POST request
-and our payload will be a wordlist
-intruder -> start attack
-displays the attack window

-attack window = shows the ongoing attack
-payload = shows all the payloads (words from the wordlist) that burpsuite is inserting into the position that we selected (Password=)
-status = shows the http status code of the response that the payload results in
-say most of the payloads result in 404 (not found)
-but a particular payload results in 302 (redirection)
-this may indicate that the particular payload (word) has managed to successfully log in while the others simply resulted in a 'not found' page
-so that would mean that the particular payload (word) is correct and is in fact a valid password
-length = shows the size of the response page that the payload results in
-say most of the payloads result in pages of the same size
-but a particular payload results in a page of greater size
-this may indicate that the particular payload (word) has managed to successfully log in while the others simply resulted in a 'not found' page
-so that would mean that the particular payload (word) is correct and is in fact a valid password
-we can also see the entire http requests being sent using each of the payloads and the responses that we're receiving
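From the defender's side, the status/length pattern described above (many login POSTs from one client, nearly all answered identically, one outlier such as a 302) is what an Intruder run leaves in the web server's access log. This added Python example, not from the original notes, parses constructed combined-format log lines and flags clients that fit that pattern; the login path, threshold and the log lines themselves are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not real data) modelling the
# Intruder run above: one client POSTs /login repeatedly, nearly all answered
# with the same status and size, one answered with a 302 redirect.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2019:10:00:01 +0000] "POST /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2019:10:00:01 +0000] "POST /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2019:10:00:02 +0000] "POST /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2019:10:00:02 +0000] "POST /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2019:10:00:03 +0000] "POST /login HTTP/1.1" 302 219 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2019:10:00:03 +0000] "POST /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jan/2019:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jan/2019:10:00:05 +0000] "POST /login HTTP/1.1" 302 219 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(log_text):
    """Yield (ip, method, path, status, size) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["ip"], m["method"], m["path"], int(m["status"]), size


def find_bruteforce(log_text, login_path="/login", threshold=5):
    """Flag clients with >= threshold login POSTs and report the responses that
    differ from that client's most common (status, size) pair, i.e. the same
    signal the Intruder status and length columns surface on the other side."""
    per_ip = defaultdict(list)
    for ip, method, path, status, size in parse(log_text):
        if method == "POST" and path == login_path:
            per_ip[ip].append((status, size))
    findings = {}
    for ip, responses in per_ip.items():
        if len(responses) >= threshold:
            common = max(set(responses), key=responses.count)
            findings[ip] = {"attempts": len(responses),
                            "outliers": [r for r in responses if r != common]}
    return findings
```

A legitimate user who mistypes a few times produces the same shape at a much lower count, so the threshold (and a time window, omitted here) is what separates the two.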
  126.  
-the intruder tab was doing the following
-inserting a particular payload into the chosen position
-sending the request

-then inserting another payload into the same position
-sending another request
... and so on ...
-now say we want to send the same request multiple times, using multiple payloads at multiple positions

-so when we submit the form by entering Username = user1 | Password = pass1
-this causes an http POST request
-this request can be seen in the proxy tab -> intercept subtab
-right-click on the request and select 'send to repeater'
-repeater tab starts blinking

-repeater tab = for sending the same http request multiple times, changing the values of its input parameters each time
-press Go
-request = the http request being sent
-response = the http response being returned
-raw = shows the entire http response being returned
-headers = shows only the headers of the http response being returned
-hex = shows the hex values of the contents of the http response being returned
-html = shows the html code of the web page resulting from the http response being returned
-render = shows the rendered browser view of the web page resulting from the http response being returned

5. using burpsuite for encoding/decoding:
-we can encode/decode strings into:
-base64
-url
-hex
-binary
-md5 hash
-sha 256 hash etc.

-say we have an http GET request in the proxy tab -> intercept subtab
-right-click and select 'send to decoder'
-decoder tab starts blinking

-decoder tab = used for encoding/decoding
-decode as...
-encode as...
-hash...

-say the request has an input parameter=value, e.g. Password=<md5 hashed password>
-select the <md5 hashed password>
-select hash... -> md5 hash

-this displays a new request with everything the same as before, except the <md5 hashed password> which has now been replaced with its cleartext value

-this is especially useful in XSS attacks when we have to encode our javascript payload (i.e. the <script>...</script>)

-smart decode:
-used when we have an encoded string but don't know what format it is encoded in
-smart decode automatically detects what format it has been encoded in and tries to decode it

-another way of encoding/decoding without the use of the decoder tab:
-we have an http GET request in the proxy tab -> intercept subtab
-select the string you want to decode
-select 'convert selection' -> choose the format
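The decoder tab's encode as... / decode as... / hash... transforms and its smart decode, re-implemented as an added Python example (not Burp's code, not from the original notes) for the base64, url and hex formats listed above; the format-detection regexes, their order and the sample strings are my assumptions.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import quote, unquote

# Added example, not Burp's code: decoder-tab style transforms for three formats.
ENCODERS = {
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "url": lambda s: quote(s, safe=""),   # encodes every reserved char, '=' included
    "hex": lambda s: s.encode().hex(),
}
DECODERS = {
    "base64": lambda s: base64.b64decode(s, validate=True).decode(),
    "url": unquote,
    "hex": lambda s: bytes.fromhex(s).decode(),
}


def digest(data, algo):
    """hash... -> md5 / sha256: one-way, it yields a digest, it does not recover cleartext."""
    return hashlib.new(algo, data.encode()).hexdigest()


# Checked in order: hex before base64 because hex strings also fit the base64
# alphabet; a candidate wins only if it actually decodes to printable text.
CANDIDATES = [
    ("hex", re.compile(r"^(?:[0-9a-fA-F]{2})+$")),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+={0,2}$")),
    ("url", re.compile(r"%[0-9a-fA-F]{2}")),
]


def smart_decode(data):
    """Guess the format of an unknown string; returns (format, decoded) or (None, data)."""
    for fmt, pattern in CANDIDATES:
        if not pattern.search(data):
            continue
        try:
            out = DECODERS[fmt](data)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if out.isprintable():
            return fmt, out
    return None, data
```

The url encoder deliberately encodes '=' too, which is why the note above says to remove it from Intruder's payload-encoding list when the payload must keep a literal parameter separator.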
  186.  
  187. ----------------------------------------------------------