This talk is going to be all about Burp. I will explain why it is such a great tool and how it compares with similar ones.
It is going to include a quick walkthrough of its main features, but the juicy part is going to be about how to make full use of its main tools, such as the scanner, intruder and sequencer, to increase the number and type of vulnerabilities found.
In addition, I will provide an overview of the Burp Extender interface and how to easily and quickly take advantage of extensions to increase its awesomeness. I will show how easy it is for a pentester to turn an idea into an extension and (I hope) publicly release one plugin to further help pentesters.
The talk's objective is to increase your efficiency while using Burp, either by taking advantage of its excellent tools or by adding that feature you really need.
Presented at BSides Lisbon on 04/10/13 (http://bsideslisbon.org)
BSides Lisbon 2013 - All your sites belong to Burp
1. All your sites are
belong to Burp
Tiago Mendo - @tmendo
tiagomendo at gmail.com - tiago.mendo at telecom.pt
2. this.person
• Pentester at SAPO
• Web division of Portugal
Telecom, +100 webapps
• Uses Burp as much as the
browser
• Speaker at Codebits
• Likes cars, travelling and
burgers
• @tmendo
3. Why this talk?
• Burp Suite
• A reference tool
• Everybody uses it
• Extension capabilities
• Share how I use it
• Share how developers can use it
• Learn how to use it even better
10. Burp Suite
• Burp is a set of tools, all tightly integrated
• Proxy
• Spider
• Scanner
• Intruder
• Repeater
• Sequencer
• API
• Save, search, compare, decode, filter
Free
15. Burp for developers
• Can developers take advantage of it?
• Yes
• debug
• functional testing
• security testing
16. Burp for developers
• But, normally, developers don’t have
access to:
• a web security team (in-house or
outsourced)
• time to test stuff
• money
17. Burp for developers
• Use the free version
• Integrate Burp with your
development process
• Do simple tests
18. Proxy
• Always use a proxy with your browser
• use a separate browser to hack
• have it send all traffic through the Burp proxy
• Easily done with Firefox
• multiple profiles
• proxy is not system wide
• lots of plugins
22. Proxy
• What to look for when using the proxy?
• failing requests
• error and debug messages
• sensitive information
• missing headers
• If you want to get active
• input: URL parameters, postdata, headers,
cookies
23. Proxy
• You can do simple, yet powerful, tests
in two ways
• intercepting requests
• repeating requests
25. Repeater
• Intercepting requests with the proxy
is good for single tests
• or when you have a single shot
• For deeper testing use the repeater
• allows arbitrary replay and
modification of requests
28. Repeater
• With the repeater you can just play
with the requests, whatever is your
objective
• debug
• functional
• security
• Let's focus on security :)
29. Repeater
• XSS - a simple payload to get 80/20
• "><img src=a onerror=alert(1)>
• Using the repeater avoids browser
defensive measures
• auto URL encoding
• XSS filters
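The payload on this slide works because the reflected value closes an HTML attribute. The following is an added example (not from the talk) that puts a vulnerable reflection next to one that encodes the value with Python's html.escape; the input field and the breaks_out check are assumptions made for the demo.

```python
import html

# The probe from the slide, kept as a constant so both renderers see the same input
PAYLOAD = '"><img src=a onerror=alert(1)>'


def render_vulnerable(value):
    """Reflects the value into an attribute with no encoding at all."""
    return '<input name="q" value="%s">' % value


def render_escaped(value):
    """html.escape(quote=True) also encodes the double quote, so the value
    can no longer terminate the attribute it is reflected into."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def breaks_out(markup):
    """Crude detector for the demo: did the reflected value create a second tag?
    The template itself only opens one tag, so any extra '<' is injected."""
    return markup.count("<") > 1
```

With the escaped renderer the whole payload survives as text (`&quot;&gt;&lt;img ...`), which is exactly what the repeater lets you confirm without the browser's own encoding or XSS filter getting in the way.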
31. Repeater
• SQLi - you don’t have to test for it
because you use prepared statements
• Just in case
• '
• and benchmark(10000000,
md5(md5(1))) --%20
34. Repeater
• OWASP Top 10 - A4 Insecure Direct Object
References
• “Attacker, who is an authorized system
user, simply changes a parameter value
that directly refers to a system object to
another object the user isn’t authorized
for.”
35. Repeater
• Very easy and fast to test
• repeat the request with a different
object id from other user
• photo_id, id, userid, etc.
• Automated tools don't find A4, you
need to do it manually!
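What the repeater test on this slide actually probes is a missing authorization check. Added example (not from the talk): a photo lookup that only checks that someone is logged in, next to one that also checks ownership, plus the "same session, other id" test the slide describes. The photo table and the Forbidden exception are constructed for the demo.

```python
# Constructed sample data: which user owns which photo (not from the talk)
PHOTOS = {
    101: {"owner": "alice", "data": "alice-holiday.jpg"},
    102: {"owner": "bob", "data": "bob-cat.jpg"},
}


class Forbidden(Exception):
    """Raised when the object is not available to the requesting user."""


def get_photo_vulnerable(current_user, photo_id):
    """A4: the id taken from the request selects the object directly.
    Authentication happened (we know who current_user is), authorization did not."""
    photo = PHOTOS.get(photo_id)
    return None if photo is None else photo["data"]


def get_photo_fixed(current_user, photo_id):
    """Same lookup, but the object must belong to the requesting user.
    'Does not exist' and 'not yours' get the same answer, so the id space
    does not become an existence oracle."""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo["owner"] != current_user:
        raise Forbidden("photo %d is not available to %s" % (photo_id, current_user))
    return photo["data"]


def repeat_with_other_id(handler, user, own_id, other_id):
    """The repeater test: same session, different object id.
    Returns True when another user's object comes back."""
    if handler(user, own_id) is None:
        raise ValueError("sanity check failed: own object should be readable")
    try:
        return handler(user, other_id) is not None
    except Forbidden:
        return False
```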
37. Going pro
• The free version is enough for developers and
simple tests
• A security professional will need the professional
version
• automation
• speed
• coverage
• save
• search
38. Before starting
• Ensure you always load a clean Burp
with a prepared configuration
• tools clean of requests
• auto backup
• proxy setup
• plugins
• keyboard shortcuts
42. Before starting
• boolean based SQLi
• avoid destroying the DB if testing
something that uses UPDATE
• UPDATE users SET email=X
WHERE email=Y OR 1=1
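Two slides above make a pair of points: prepared statements mean there is nothing for the quote probe to break, and a boolean probe that lands in an UPDATE's WHERE clause rewrites every row. The following added example (not from the talk) runs both against an in-memory SQLite table; the users table, the email values and the demo() function are constructed for the demo.

```python
import sqlite3

# Constructed sample rows (not from the talk)
USERS = [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")]


def fresh_db():
    """In-memory database with a small users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.commit()
    return con


def find_user_concat(con, email):
    """Vulnerable: the user-supplied value is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE email = '%s'" % email
    return [row[0] for row in con.execute(sql)]


def find_user_prepared(con, email):
    """Safe: the value is bound as a parameter and is never parsed as SQL."""
    rows = con.execute("SELECT name FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def update_email_concat(con, old, new):
    """Vulnerable UPDATE built by concatenation; returns rows changed."""
    sql = "UPDATE users SET email = '%s' WHERE email = '%s'" % (new, old)
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_email_prepared(con, old, new):
    """Same UPDATE with bound parameters; returns rows changed."""
    cur = con.execute("UPDATE users SET email = ? WHERE email = ?", (new, old))
    con.commit()
    return cur.rowcount


def demo():
    """Run the slide's probes against both styles and report what happened."""
    results = {}
    con = fresh_db()
    # The lone quote from the slide: unterminated string in the concatenated query
    try:
        find_user_concat(con, "'")
        results["concat_quote"] = "no error"
    except sqlite3.OperationalError:
        results["concat_quote"] = "syntax error"
    # The prepared query just looks for an email that is literally a quote
    results["prepared_quote"] = find_user_prepared(con, "'")

    # Slide 42: a WHERE that ends up as ... OR 1=1 matches every row
    probe = "nobody@example.test' OR 1=1 --"
    results["concat_update_rows"] = update_email_concat(con, probe, "x@example.test")
    con = fresh_db()
    # Bound as a parameter, the same string matches no row at all
    results["prepared_update_rows"] = update_email_prepared(con, probe, "x@example.test")
    return results
```

The concatenated UPDATE reports three changed rows, i.e. the whole table, which is the damage the slide warns about when testing anything that writes; the prepared version reports zero.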
45. Finding vulnerabilities
• Right...you can just point the scanner and
wait
• not time-effective
• scans .woff, .js, etc.
• scans similar pages (think of news sites)
• http://edition.cnn.com/video/?/video/
us/2012/06/10/world-burping-
contest.cnn
46. Finding vulnerabilities
• There are multiple approaches to find
vulnerabilities with Burp
• proxy, spider and then scan blindly
• proxy, spider, intruder and then
scan targeted
• <your own combination of tools>
47. Finding vulnerabilities
1. Hit every functionality manually
• gets recorded in the proxy
• you get to know the target
2. If possible, maximize the coverage
• spider the target
• actively scan the target
54. Finding vulnerabilities
• The intruder can be used to do
precision scanning
• you can select any part of the
request
• similar to the * marker in sqlmap
• useful for custom protocols
57. Finding vulnerabilities
• The intruder can automate what you
do in the repeater
• brute-force
• defeat CSRF tokens
• ECB block shuffling
• fuzzing
• scan with your own payloads
64. Automation
• One way to automate your life is
through Macros
• “A macro is a sequence of one or
more requests.”
65. Automation
• Consider a site with authentication
• eventually, your session will die
• enqueued requests will fail
• you will notice that a few minutes/hours later
• you will repeat login and repeat the requests
• you will be annoyed
• add constantly changing CSRF tokens for
extra annoyance
67. Automation
• On each request, I want Burp to
• check if session is still valid
• if not valid
• get current CSRF token
• login
• re-issue the request
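The steps on this slide are what a Burp session-handling rule with a login macro does. Added example (not from the talk, and not Burp's own code): a stand-in site whose sessions expire and whose login form carries a CSRF token, plus a SessionHandler that detects the dead session from the redirect, runs the login macro (fetch token, post login) and re-issues the original request. FakeSite, its request budget and the tester credentials are all constructed for the demo.

```python
import re
import secrets


class FakeSite:
    """Constructed stand-in for the target (not from the talk): sessions
    survive a fixed number of requests, and logging in needs a fresh CSRF token."""
    SESSION_LIFETIME = 3

    def __init__(self):
        self.sessions = {}      # cookie -> requests left before it dies
        self.csrf_tokens = set()

    def get_login_page(self):
        token = secrets.token_hex(8)
        self.csrf_tokens.add(token)
        return '<input type="hidden" name="csrf" value="%s">' % token

    def post_login(self, csrf, user, password):
        if csrf not in self.csrf_tokens or (user, password) != ("tester", "pw"):
            return None
        self.csrf_tokens.discard(csrf)          # tokens are single use
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = self.SESSION_LIFETIME
        return cookie

    def get(self, path, cookie):
        left = self.sessions.get(cookie, 0)
        if left <= 0:
            return 302, "Location: /login"       # dead or missing session
        self.sessions[cookie] = left - 1
        return 200, "contents of %s" % path


class SessionHandler:
    """Session rule: on each request, check the session is still valid;
    if not, get the current CSRF token, log in, re-issue the request."""

    def __init__(self, site, user, password):
        self.site, self.user, self.password = site, user, password
        self.cookie = None
        self.logins = 0

    def login_macro(self):
        page = self.site.get_login_page()
        token = re.search(r'name="csrf" value="([0-9a-f]+)"', page).group(1)
        self.cookie = self.site.post_login(token, self.user, self.password)
        self.logins += 1

    def request(self, path):
        status, body = self.site.get(path, self.cookie)
        if status == 302 and "/login" in body:   # session no longer valid
            self.login_macro()
            status, body = self.site.get(path, self.cookie)
        return status, body


def run_queue(paths):
    """Push a queue of requests through the handler; return the status codes
    seen and how many times the login macro had to run."""
    handler = SessionHandler(FakeSite(), "tester", "pw")
    statuses = [handler.request(p)[0] for p in paths]
    return statuses, handler.logins
```

With a session that lasts three requests, a queue of seven all come back 200 and the macro runs three times, which is the tedium the slide describes being taken off your hands.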
73. Extending Burp
• Burp has an API called Burp Extender
• loads arbitrary code
• hooks into most functionalities
• UI customization
• supports Java, Python and Ruby
74. Extending Burp
• Creating an extension is easy
• download empty extension with
Netbeans project
• or download one of the example
extensions
75. Extending Burp
• addScanIssue
• doActiveScan
• excludeFromScope
• processHttpMessage
• newScanIssue
• and getters/setters for almost anything
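To show how an idea turns into an extension, here is an added example (not from the talk and not one of Burp's own sample extensions) written for the Jython flavour of the Extender API listed on this slide: an IHttpListener whose processHttpMessage looks at proxied responses for missing security headers and reports a finding through addScanIssue. The set of headers checked is the example's own choice. The try/except around the burp import is an assumption made so that the header check can be imported and tested outside Burp, where the burp package does not exist.

```python
# Jython extension for Burp's (legacy) Extender API.
try:
    from burp import IBurpExtender, IHttpListener, IScanIssue
except ImportError:  # outside Burp: stand-in bases so the pure logic stays testable
    class IBurpExtender(object): pass
    class IHttpListener(object): pass
    class IScanIssue(object): pass

# Headers this example expects on every response (example's own choice)
EXPECTED_HEADERS = ("X-Frame-Options",
                    "Content-Security-Policy",
                    "Strict-Transport-Security")


def missing_security_headers(header_lines):
    """Pure logic: given the header lines as IResponseInfo.getHeaders() returns
    them (first line is the status line), return the expected headers that are
    absent, compared case-insensitively."""
    present = set()
    for line in header_lines[1:]:
        name, sep, _ = line.partition(":")
        if sep:
            present.add(name.strip().lower())
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


class MissingHeaderIssue(IScanIssue):
    """Minimal IScanIssue so the finding appears in the Scanner results."""

    def __init__(self, message, url, missing):
        self._message, self._url, self._missing = message, url, missing

    def getUrl(self): return self._url
    def getIssueName(self): return "Missing security header(s)"
    def getIssueType(self): return 0x08000000       # extension-generated issue
    def getSeverity(self): return "Low"
    def getConfidence(self): return "Certain"
    def getIssueBackground(self): return None
    def getRemediationBackground(self): return None
    def getIssueDetail(self): return "Response lacks: " + ", ".join(self._missing)
    def getRemediationDetail(self): return None
    def getHttpMessages(self): return [self._message]
    def getHttpService(self): return self._message.getHttpService()


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing header check (example)")
        callbacks.registerHttpListener(self)        # hooks processHttpMessage

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Only responses, and only the ones that came through the proxy
        if messageIsRequest or toolFlag != self._callbacks.TOOL_PROXY:
            return
        response = messageInfo.getResponse()
        if response is None:
            return
        headers = self._helpers.analyzeResponse(response).getHeaders()
        missing = missing_security_headers(list(headers))
        if missing:
            url = self._helpers.analyzeRequest(messageInfo).getUrl()
            self._callbacks.addScanIssue(MissingHeaderIssue(messageInfo, url, missing))
```

Keeping the check in a plain function is what makes the extension cheap to write: the Burp-facing class is just wiring, and the part that can be wrong is testable with a list of header strings.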
84. Tips
• More at www.burpextensions.com
• Proxy Color - colorize requests
based on regexp
• JSBeautifier - beautifies JS
85. End
• @tmendo
• tiagomendo at gmail.com - tiago.mendo at telecom.pt
• https://www.facebook.com/ap2si
• Confraria de Segurança da Informação
• informal security presentations
• last Wednesday of each month
• free