SHARE
TWEET

Quick Intro to Burp Suite - Free

a guest Aug 18th, 2016 218 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. Ctrl + Shift + P Proxy tab
  3. Ctrl + F forward the waiting request
  4. Ctrl + T toggle proxy
  5. Ctrl + D drop request
  6.  
  7.  
  8. Burp Notes
  9.            
  10.     1. Intercept Behaviour
  11.    
  12.         + Pause on request/response from $TARGET only
  13.            
  14.             - Under Intercept Client Requests/Responses, click "URL is in scope"
  15.            
  16.            
  17.     2. Application Walkthrough
  18.    
  19.         + Manually browse and click through the site as much as possible.
  20.        
  21.             - What can you do as unauthenticated/authenticated user?
  22.             - Any request processed server-side/dbms?
  23.             - Do I control any information that's shown?
  24.             - Manually test input fields with simple ' or "$"
  25.            
  26.            
  27.         + Passive Scanning - analyzes contents of existing requests/responses and deduces vulns
  28.        
  29.             - Identify vulnerabilties simply by browsing the application as normal user. Can get reportable issues before actual scanning
  30.  
  31.  
  32.         + Sort items/targets by "Time Requested" to browse previously unseen links
  33.        
  34.            
  35.            
  36.     3. Under Target and then Site map
  37.    
  38.         + Right click and add to scope, remove everything else
  39.        
  40.     4. Initial Pilfering
  41.    
  42.    
  43.         1. Comapre Site Map - Authenticated vs unauthenticated site map
  44.         2.
  45.         3. Do you want to sort by MIME type, file type, status code, or specific string?
  46.         4. Can right click and Highlight and/or highlight for later
  47.    
  48.         + Under Site map
  49.            
  50.              - View reponse of each file from "Responder" tab. Look for:
  51.                 - Developer comments
  52.                 - Email addresses
  53.                 - Username/passwords
  54.                 - Paths and file locations
  55.              - Any files you don't recognize?
  56.              
  57.         + Sort items/targets by "Time Requested" to browse previously unseen links
  58.  
  59.              
  60.     5. Keyword Searching - Pro version only
  61.    
  62.         + Right click target, engagement tools, search:
  63.        
  64.             - "set-cookie"
  65.            
  66.     6. Spider and Discover target
  67.        
  68.         - Definitely set limits. Very intensive
  69.         - Make sure to conduct manual browsing to fill up Site Map first
  70.         - Take note of heavy components (AJAX, Flash, etc)
  71.         - Form submission /// Automatic or manual prompts each time
  72.             - Customize appropriately to let customers know we were there
  73.    
  74.     7. Repeater (ctrl+R) - send request and get instant feedback /// manipulate request one-by-one
  75.    
  76.    
  77.         + Right click target, send to Repeater, GO:
  78.        
  79.             - Play with any part of HTTP request headers - esp GET/POST/PUT
  80.             - Check mobile backends for OPTIONS parameters
  81.     8. Intruder (ctrl + I)- Iterator /// Automated fuzzing on HTTP parameters; simluated automated attack
  82.    
  83.         * Can do username enumeration, insecure direct object references,
  84.        
  85.         1. Select Target
  86.        
  87.             - Right click target, send to Intruder, GO, Positions:
  88.                 - Clear the initial shit
  89.         2. Set Positions       
  90.            
  91.             - Tests everything with an "="
  92.                 - OR highlight/right click the parameter you want to fuzz, "Add" then go to Payload tab and "Fuzzing - Full"
  93.                                
  94.         3. Set Payload - Example - Go to HTTP History, find request (POST) that has parameters for fuzzing
  95.        
  96.                             - Tests everything with an "="
  97.                 - OR highlight/right click the parameter you want to fuzz, "Add" then go to Payload tab and "Fuzzing - Full"
  98.                
  99.                
  100.                 - Extension Generated: We can use a specific type of Burp Extension to generate our payloads. As I said, this is infinitely customizable.
  101.                
  102.                 - ECB Block Shuffler: This is used to shuffle blocks of cipher text in ECB encrypted data to bypass application logic if required. Since ECB ciphers encrypt blocks independently, previously known plain text wil give us predictable cipher text. There are attacks to manipulate this inapplication logic.
  103.                
  104.                 - Character Frobber: This is useful to check whether a unique value is being considered for processing or if changing one character has no effect on it.
  105.                
  106.                 - Null Payloads: Sometimes, we just want the application to generate and give us different values for every request that can be fed into the sequencer tool, which can be be done using this option.
  107.  
  108.             - More payloads from   
  109.                 - FuzzDB
  110.                 - OWASP DirBuster
  111.                 - Web App URLs (https://github.com/pwnwiki/webappurls)
  112.            
  113.                     - CEWL or CRUNCH from website :)
  114.        
  115.         4. Start Attack
  116.        
  117.             - Sniper: Each payload is placed in the position one at a time
  118.             - Battering Ram: Each payload is placed in all the positions all at once
  119.             - Pitchfork: Multiple payloads for each position are placed
  120.             - Cluster Bomb: Multiple payloads for each position are placed, but all combinations of payloads and positions take place
  121.            
  122.            
  123.         5. Analyze Reponses
  124.        
  125.             - Under Options in Intruder,
  126.            
  127.                 - grep for strings successful responses (success, admin, logged in as, passwords, etc)
  128.            
  129.  
  130.                
  131.     9. Sequencer
  132.    
  133.         + Used to try and identify sequences/low entropy randomness is data that's supposed to be randomn
  134.        
  135.             - Session IDs, anti-CSRF tokens, password reset tokens, activation tokens, etc
  136.            
  137.                 + Analyze tokens
  138.        
  139.    
  140.    
  141.     10. Validating
  142.        
  143.         + Scanner/Results tab - ON EVERY VULNERABILITY IDENTIFIED BY THE SCANNER
  144.             - Look at request/response
  145.             - Test "path" either in browser, Response tab, wget, etc
  146.            
  147.         + Can export:
  148.        
  149.             1. HTML -> PDF
  150.                 - Useful for full reports and better communication
  151.             2. XML - Uncheck Base64 box
  152.                 - Useful for specific findings/targets
  153.                
  154.                
  155.     11. Extensions
  156.    
  157.    
  158.         + Extender -> Add -> select *.jar
  159.    
  160.             1. Shellshock - https://github.com/AccuvantLABS/burp-shellshock
  161.        
  162.        
  163.            
  164.     Misc.
  165.  
  166.    
  167.         1.  Set un matched fields in spider mod and sniff w tcpd and test net traffic
  168.  
  169.    
  170.    
  171.         2. Outbound SOCKS Proxy = force OUR testing traffic through TARGET proxy to ensure OUR testing traffic comes from an approved environment (rarely used)
  172.            
  173.                 - Probably won't need a lot of the time
  174.                
  175.                     1. SSH out to your testing server and setup a socks proxy on your localhost via the ‘–D’ option like this.
  176.                        
  177.                         ssh –D 9292 –l username servername
  178.                        
  179.                     2. Then in Burp, under Connections select SOCKS proxy, then localhost:9292.
  180.                    
  181.                         - Burp is now sending traffic through this SSH tunnel.
  182.                         - Go to whatismyip.com and make sure the IP address is coming from within testing environment
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top