SlideShare a Scribd company logo

Burp suite

H
hamdi_sevben

Burp suite, burp suite pro, burp extension, burp plugin, burp addons, attack scenarios, sqlipq, co2, logger++, flow, xssvalidator

Education
1 of 29
Download to read offline
Contents 1. Introduction to Burp Suite 2. Scanner 3. Extender 4. Scenarios with burp plugins 4.1. Retire.js 4.2. Flow 4.3. Logger++ 4.4. JSON Beautifier 4.5. SQLiPy Sqlmap Integration 4.6. CO2 4.7. XSS Validator 5. Summary 1. Introduction to Burp Suite Burp Suite is a set of graphics tools focused on the penetration testing of web applications. Burp Suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The tool is written in Java and was created by Dafydd Stuttard under the name of PortSwigger. Burp Suite is now actively developed by his company PortSwigger[2]. BurpSuite aims to be an all in one set of tools and its capabilities can be enhanced by installing add-ons that are called Bapps. It is the most popular tool among professional web app security researchers and bug bounty hunters[5]. Burp can be downloaded for all the major operating systems from the PortSwigger website at https://portswigger.net/burp. For Windows systems, both x64-bit and x32-bit installers are available. A standalone Java JAR file is also available in case you want to run Burp as a portable application. Burp Suite is available as a community edition which is free, professional edition that costs $399/year and an enterprise edition that costs $3999/Year. First of all, to use Burp penetration testing, it must be configured as a Man in the Middle (MITM) proxy. An MITM proxy sits in between a client and a server, and allows the user to tamper or drop messages passing through. In its simplest form, Burp Suite is an MITM proxy for HTTP(S) traffic. 1
By default, Burp will listen on port 8080 on the localhost IP of 127.0.0.1 . If required, this can easily be changed. At the same time the related web browser must be configured to listen to all HTTP traffic on Burp or on other proxies like OWASP Zap proxy. This can be done with manuel from web browser setting or using web browser add-ons like FoxyProxy. For convenience, generally FoxyProxy is preferred. After doing this baseline configurations, intercept tab on burp is changed into on in order to capture the web traffic on regarding page. This basic configurations must be done before starting the tests every time. Burp Proxy Community comes default with kali linux, but in this paper Burp Proxy Professional will be used for along example scenarios. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. Burp Suite has a wide array of options that allow testers to do pentesting efficiently. Once opening Burp Suite, the following tabs will be Dashboard,Target, Proxy, Intruder, Repeater, Sequencer, Decoder, Comparer, Extender, Project Options, User Options. Burp is not used for only capturing web traffic, there are so many bajillions of purposes or it can be used in zillions of domains, and it depends on the tester's capabilities and dreams. As security is a dynamic process, new features are added constantly and the new continue to develop day by day. 2
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun[4]. 2. Scanner The scanner is not available in the community edition. It scans the website automatically for many common vulnerabilities and lists them with information on confidence over each finding and their complexity of exploitation. To test this option, it is recommended to install DVWA on http://www.dvwa.co.uk/. To scan the vulnerability with burp in Damn Vulnerable Web App (DVWA) application, go to intercept, and change into “on” it. As clicking the right to anywhere on the intercept menu, click "scan" on the opened window. 3
Choose “Scan Type”. Click "new" on the right side, choose "audit check-passive" on pop-up menu. If required, login credentials may be entered as followings from “Application login”. Next click “OK”. Click "OK" for the last time. 4
Scanning has started,and to see it go to "Dashboard". To see more details, click “View details”. Also “audit items” can be seen. Go to “issue activity” in order to review vulnerabilities. 5
Additionally go to dashboard in order to monitor scanning . It can be configured as follows in order to assess vulnerability scan in depth. Scanning progress is as follows on 4th item. 6
Vulnerability assessment can be also demonstrated with burp pro, unfortunately burp community edition doesn't support this feature. To tell you the truth, community edition provides only baseline manual tools as follows on the figure. 3. Extender This capability of burp allows the tester to use different extensions written by independent people that serve as an add-on to the Burp features. BurpSuite supports external components to be integrated into the tools suite to enhance its capabilities. These external components are called BApps. These work just like browser extensions. These can be viewed, modified, installed, uninstalled in the Extender window. Some of them are supported on the community version, but some require the paid professional version. Even so the burp community offers many wonderful extensions. 4. Scenarios 4.1. Retire.js RetireJS passively looks for out of date JavaScript libraries while you browse a site. Since the world is now obsessed with using JavaScript for everything, this type of extension is worth its weight in gold[6]. Switch to the Burp Extender tab. Go to the BApp Store and find “Retire.js”. At the same time, the description on the right side states its function, and only pro edition supports this plugin. Click the Install button for this plugin, as follows: 7
Installing phase is as follows. After installation: A scan can be started as follows: On the Dashboard, jquery vulnerability is found. 8
The jquery version has known security issues as follows: 4.2. Flow The traffic is not visible within burp. This plugin logs everything that Burp Suite sends. This comes in really handy when ensuring Scanner is still authenticated or ensuring Macros are working properly[6]. It is installed as follows as previous installations: Go to “Flow” tab, and it provides filter options as follows: 9
After starting the scanning DVWA, traffic started to flow as follows: 4.3. Logger++ This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format[7]. It is similar to “Flow”, but this is more. The ongoing scanning is like the below: 10
An example traffic is as follows, and as said before, this is more functionable. “Comparer”, this feature allows the user to compare responses for two or more requests to find differences in them. Response of first request is sent to “comparer” as follows: After that second response is sent to “comparer”. 11
Comparing differences are based on the word or byte comparison. The comparison can be used in a lot of conditions. For example, let's say the user wants to compare the difference on a successful and a failed login response. Comparer would show the areas where there are byte differences[2]. Firstly, according to word comparison as follows: Secondly, according to byte comparison as follows: 12
4.4. JSON Beautifier A simple tool, JSON Beautifier gives tester the option to either beautify or minify the target's JSON content. All of this takes place within Burp Suite. This is the most popular download in the BApp store, and it makes life as a pentester much easier[7]. As an example, go to a website which includes javascript like w3schools.com. Codes on raw is complicated. 13
Go to newly existed plugin tab after installation in order to see beautified code on “Flow”. Go to newly existed plugin tab after installation in order to see beautified code on “Logger++”. 14
4.5. SQLiPy Sqlmap Integration SQLMap is embedded within the extension; it will be automatically configured. SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API. SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan. Easiness of which this plugin provides are no need of remembering sqlmap commands on console, and it allows to run multiple scans at once. First of all, download the Jython file, and when clicking the button probably it will show “404-not found” as follows: Go to https://www.jython.org/download.html in order to download jython like the below: 15
After that map it to “Python Environment” in Burp Suite as follows: Path: Burp > Extender > Options. Finally, it can be installed as clicking the “install” button, and after setting up the plugin, there will be new tab with name “SQLiPy”. Navigate to it. Sometimes after closing and reopening of burp, this plugin may not be loaded properly. So in this 16
situations, it is required to reload from extender->extensions tabs. Before running SQLiPy, ensure SQLMap API is set running. If not, browse the SQLMap API which is normally present in SQLMap folder. “sqlmapapi.py” is used here. Also if required, it can be changed IP and Port, too. It is ready to click “Start API” button as follows: Sometimes this gui doesn't running properly, and sqlmapapi can be ran on command line as an alternative method to ensure. Use Mutillidae to demonstrate this scenario. Follow the steps on the figures: 17
After intercepting the related request and clicking right to anywhere on the intercept tab, click “SQLiPy Scan” on the opened window. Navigate to SQLMap Scanner tab, and it will fill “URL”, “Post Data”, “Referer” and “User-Agent” parts with the regarding data automatically as follows. “Level” and “Risk” can be changed through same menu. Requested related data can be extracted chosing “List Users”, “Current User”, “List Passwords”, “Current DB” and “List Dbs”. After starting attack, logs can be monitored on tab of “SQLMap Logs”. 18
On target tab, it detects as SQLMap Scan Finding. Extracted datas which are related to databases are as follows on SQLMap Scan Finding. 19
Go to “SQLMap Logs”, and copy sqlmap command as follows: Paste this command to terminal on the kali linux and run: When the process finishes, data will be retrieved as follows on the console. 20
When two methods are compared, sqlmap on the console is more slower, and it wants the tester to reply for questions like yes, no or others manually. It is not practical and handy. As for SQLiPy no need of remembering sqlmap commands on console, and it allows to run multiple scans at once. It is fast. One more scanning with using SQLiPy may be to try dvwa blind sqli as follows: Settings on SQLMap scanner subtab of under SQLiPy and logs on SQLMap Logs subtab are as follows: Scan results are on the following figures: 21
4.6. CO2 The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords[9]. Its popularity is high and there is no need to start sqlmapapi as SQLiPy requires. But it is not as much as faster SQLiPy since it executes sqlmap commands on the console. Click on Extender tag then click on BApp store subtab which contains burp extensions to extend burp’s capabilities. Select CO2 and click on install button available on the right side of the frame. Send to SQLMapper on intercept tab: When the fetched data will be sent to SQL mapper it will automatically itself generates sqlmap command using referrer and cookie. The options box at the end of burp suite frame can be seen here. Now click on enumeration tag and select the checkboxes for currentdb, users, and passwords to retrieve data from database. 22
Now copy the sqlmap command from the text field and run this command manually on terminal using sqlmap. Scanning has started: Scanning has finished: 23
4.7. XSS Validator One problem with automated and semi-automated solutions for XSS is distinguishing signal from noise. To do that, a useful Burp plugin, XSS Validator, runs a PhantomJS-powered web server to receive the results of Burp queries and looks for a string injected into the BMFSU call embedded within the applied XSS snippets. It provides a clean way of culling the results of your XSS submissions to absolute confirmed vulnerabilities[3]. The easiest way to download the XSS Validator Burp extension is through the Bapp store. Just navigate to the store from the Extension tab within Burp Suite and select the extension from the marketplace (needless to say, it's free). You can also install the extension manually by following the instructions in the XSS Validator GitHub documentation. Open DVWA and enter anything to “What’s your name?”. After that submit it. Send to intruder: 24
Clear $ all of them on positions tab: Just add $ to only name input: Navigate to Payloads tab, and set “Payload Type” to “Extension generated”. As seen “Selected generater” is “[NOT SELECTED]”. Click to “Select generator”, and select “XSS Validator Payloads”. 25
As seen “Selected generater” happens “XSS Validator Payloads” as follows: Go to Options, and clear Grep-Match table, and we need to make one more setting change before we can start our attack. When you go to xssValidator tab, you'll see a random string generated in the Grep Phrase field, and you might also spot the bullet point explaining that successful attacks will be denoted by the presence of the Grep Phrase: Copy Grep Phrase and paste to “Grep-Match” field. Once that phrase has been added, we're ready to start our attack. Click the start attack button in the top- right of the Options (and every other) view. After clicking the button, you should see an attack window pop up and start to self-populate with the results of the XSS snippet submissions: 26
And voila! We can see the presence of our grep phrase, meaning that our submissions have been a success, for several of the tag/attribute combinations generated by the XSS Validator submissions. Copy encoded code to Hackbar, and decode it as follows: Decoded code is on the following figure: 27
And run this command on “What’s your name?” field. Voila it runs. 5. Summary Burp is very scalable; there are a lot of of plugins, a user can even write her/his own code to create a Burp extension and embed it to take more advantage of Burp. In order to avail the full advantage of the extensions, the user has to provide a path to the Jython and JRuby JAR files[2]. Now the rest is up to your dreams, and your skills. Everything is possible with this tool to demonstrate many more advanced attacks including XML External Entity (XXE) attacks, working on JSON Web Token (JWT), Server-Side Request Forgery (SSRF) attacks, Testing Cross-Origin Resource Sharing (CORS) and performing Java deserialization attacks. Especially it is often used on bug bounty programs. 28
References Books [1] Sunny Wear, Burp Suite Cookbook:Practical recipes to help you master web penetration testing with Burp Suite, 2018. [2] Carlos A. Lozano, Dhruv Shah and Riyaz Ahemed Walikar, Hands-On Application Penetration Testing with Burp Suite: Use Burp Suite and its features to inspect, detect, and exploit security vulnerabilities in your web applications, 2019. [3] Joseph Marshall, Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws, 2018. Links [4] https://tools.kali.org/web-applications/burpsuite. [5] https://www.geeksforgeeks.org/what-is-burp-suite/. [6] https://trustfoundry.net/the-top-8-burp-suite-extensions-that-i-use-to-hack-web-sites/. [7] https://portswigger.net/testers/penetration-testing-tools. [8] https://portswigger.net/bappstore. [9] https://www.hackingarticles.in/sql-injection-exploitation-sqlmap-burp-suite-burp-co2-plugin/ 29

Recommended

Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
n|u - The Open Security Community
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101
n|u - The Open Security Community
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
Ashraf Bashir
 

Recommended

Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
n|u - The Open Security Community
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Burpsuite 101
Burpsuite 101Burpsuite 101
Burpsuite 101
n|u - The Open Security Community
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
Ashraf Bashir
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suite
Utkarsh Bhargava
 
Burp suite
Burp suiteBurp suite
Burp suite
penetration Tester
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Adam Nurudini
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Ssrf
SsrfSsrf
Ssrf
Ilan Mindel
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
Ivan Novikov
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)
arkslideshareacc
 

More Related Content

What's hot

Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

What's hot (20)

Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
 
Introduction to burp suite
Introduction to burp suiteIntroduction to burp suite
Introduction to burp suite
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Ssrf
SsrfSsrf
Ssrf
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 

Similar to Burp suite

The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)
arkslideshareacc
 

Similar to Burp suite (20)

Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)The complete getting started guide to birt reporting 1 (1)
The complete getting started guide to birt reporting 1 (1)
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
 
End to end testing Single Page Apps & APIs with Cucumber.js and Puppeteer (Em...
End to end testing Single Page Apps & APIs with Cucumber.js and Puppeteer (Em...End to end testing Single Page Apps & APIs with Cucumber.js and Puppeteer (Em...
End to end testing Single Page Apps & APIs with Cucumber.js and Puppeteer (Em...
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
Testing soap UI
Testing soap UITesting soap UI
Testing soap UI
 
PWA basics for developers
PWA basics for developersPWA basics for developers
PWA basics for developers
 
LOG4J VULNERABILITY SAP BUSINESS ONE IMPACT AND WORK AROUNDS
LOG4J VULNERABILITY SAP BUSINESS ONE IMPACT AND WORK AROUNDSLOG4J VULNERABILITY SAP BUSINESS ONE IMPACT AND WORK AROUNDS
LOG4J VULNERABILITY SAP BUSINESS ONE IMPACT AND WORK AROUNDS
 
E2E testing Single Page Apps and APIs with Cucumber.js and Puppeteer
E2E testing Single Page Apps and APIs with Cucumber.js and PuppeteerE2E testing Single Page Apps and APIs with Cucumber.js and Puppeteer
E2E testing Single Page Apps and APIs with Cucumber.js and Puppeteer
 
Django simplified : by weever mbakaya
Django simplified : by weever mbakayaDjango simplified : by weever mbakaya
Django simplified : by weever mbakaya
 
1 app 2 developers 3 servers
1 app 2 developers 3 servers1 app 2 developers 3 servers
1 app 2 developers 3 servers
 
Progressive Web Application by Citytech
Progressive Web Application by CitytechProgressive Web Application by Citytech
Progressive Web Application by Citytech
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)
 
Advanced deployment scenarios
Advanced deployment scenariosAdvanced deployment scenarios
Advanced deployment scenarios
 
Using galen framework for automated cross browser layout testing
Using galen framework for automated cross browser layout testingUsing galen framework for automated cross browser layout testing
Using galen framework for automated cross browser layout testing
 
Expert Guidance on debugging React Native Apps: Recommended Practices and Han...
Expert Guidance on debugging React Native Apps: Recommended Practices and Han...Expert Guidance on debugging React Native Apps: Recommended Practices and Han...
Expert Guidance on debugging React Native Apps: Recommended Practices and Han...
 
Webapi
WebapiWebapi
Webapi
 
E farming
E farmingE farming
E farming
 
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014
 

More from hamdi_sevben

More from hamdi_sevben (6)

log4j.pdf
log4j.pdflog4j.pdf
log4j.pdf
 
Adaptif Penetration(Sızma) Testleri - Sunum
Adaptif Penetration(Sızma) Testleri - SunumAdaptif Penetration(Sızma) Testleri - Sunum
Adaptif Penetration(Sızma) Testleri - Sunum
 
Adaptif Penetration(Sızma) Testleri
Adaptif Penetration(Sızma) TestleriAdaptif Penetration(Sızma) Testleri
Adaptif Penetration(Sızma) Testleri
 
Pentest rapor örnek
Pentest rapor örnekPentest rapor örnek
Pentest rapor örnek
 
Pentest rapor
Pentest raporPentest rapor
Pentest rapor
 
Intihal
IntihalIntihal
Intihal
 

Recently uploaded

Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 

Burp suite

  • 1. Contents 1. Introduction to Burp Suite 2. Scanner 3. Extender 4. Scenarios with burp plugins 4.1. Retire.js 4.2. Flow 4.3. Logger++ 4.4. JSON Beautifier 4.5. SQLiPy Sqlmap Integration 4.6. CO2 4.7. XSS Validator 5. Summary 1. Introduction to Burp Suite Burp Suite is a set of graphics tools focused on the penetration testing of web applications. Burp Suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The tool is written in Java and was created by Dafydd Stuttard under the name of PortSwigger. Burp Suite is now actively developed by his company PortSwigger[2]. BurpSuite aims to be an all in one set of tools and its capabilities can be enhanced by installing add-ons that are called Bapps. It is the most popular tool among professional web app security researchers and bug bounty hunters[5]. Burp can be downloaded for all the major operating systems from the PortSwigger website at https://portswigger.net/burp. For Windows systems, both x64-bit and x32-bit installers are available. A standalone Java JAR file is also available in case you want to run Burp as a portable application. Burp Suite is available as a community edition which is free, professional edition that costs $399/year and an enterprise edition that costs $3999/Year. First of all, to use Burp penetration testing, it must be configured as a Man in the Middle (MITM) proxy. An MITM proxy sits in between a client and a server, and allows the user to tamper or drop messages passing through. In its simplest form, Burp Suite is an MITM proxy for HTTP(S) traffic. 1
  • 2. By default, Burp will listen on port 8080 on the localhost IP of 127.0.0.1 . If required, this can easily be changed. At the same time the related web browser must be configured to listen to all HTTP traffic on Burp or on other proxies like OWASP Zap proxy. This can be done with manuel from web browser setting or using web browser add-ons like FoxyProxy. For convenience, generally FoxyProxy is preferred. After doing this baseline configurations, intercept tab on burp is changed into on in order to capture the web traffic on regarding page. This basic configurations must be done before starting the tests every time. Burp Proxy Community comes default with kali linux, but in this paper Burp Proxy Professional will be used for along example scenarios. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. Burp Suite has a wide array of options that allow testers to do pentesting efficiently. Once opening Burp Suite, the following tabs will be Dashboard,Target, Proxy, Intruder, Repeater, Sequencer, Decoder, Comparer, Extender, Project Options, User Options. Burp is not used for only capturing web traffic, there are so many bajillions of purposes or it can be used in zillions of domains, and it depends on the tester's capabilities and dreams. As security is a dynamic process, new features are added constantly and the new continue to develop day by day. 2
  • 3. Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun[4]. 2. Scanner The scanner is not available in the community edition. It scans the website automatically for many common vulnerabilities and lists them with information on confidence over each finding and their complexity of exploitation. To test this option, it is recommended to install DVWA on http://www.dvwa.co.uk/. To scan the vulnerability with burp in Damn Vulnerable Web App (DVWA) application, go to intercept, and change into “on” it. As clicking the right to anywhere on the intercept menu, click "scan" on the opened window. 3
  • 4. Choose “Scan Type”. Click "new" on the right side, choose "audit check-passive" on pop-up menu. If required, login credentials may be entered as followings from “Application login”. Next click “OK”. Click "OK" for the last time. 4
  • 5. Scanning has started,and to see it go to "Dashboard". To see more details, click “View details”. Also “audit items” can be seen. Go to “issue activity” in order to review vulnerabilities. 5
  • 6. Additionally go to dashboard in order to monitor scanning . It can be configured as follows in order to assess vulnerability scan in depth. Scanning progress is as follows on 4th item. 6
  • 7. Vulnerability assessment can be also demonstrated with burp pro, unfortunately burp community edition doesn't support this feature. To tell you the truth, community edition provides only baseline manual tools as follows on the figure. 3. Extender This capability of burp allows the tester to use different extensions written by independent people that serve as an add-on to the Burp features. BurpSuite supports external components to be integrated into the tools suite to enhance its capabilities. These external components are called BApps. These work just like browser extensions. These can be viewed, modified, installed, uninstalled in the Extender window. Some of them are supported on the community version, but some require the paid professional version. Even so the burp community offers many wonderful extensions. 4. Scenarios 4.1. Retire.js RetireJS passively looks for out of date JavaScript libraries while you browse a site. Since the world is now obsessed with using JavaScript for everything, this type of extension is worth its weight in gold[6]. Switch to the Burp Extender tab. Go to the BApp Store and find “Retire.js”. At the same time, the description on the right side states its function, and only pro edition supports this plugin. Click the Install button for this plugin, as follows: 7
  • 8. Installing phase is as follows. After installation: A scan can be started as follows: On the Dashboard, jquery vulnerability is found. 8
  • 9. The jquery version has known security issues as follows: 4.2. Flow The traffic is not visible within burp. This plugin logs everything that Burp Suite sends. This comes in really handy when ensuring Scanner is still authenticated or ensuring Macros are working properly[6]. It is installed as follows as previous installations: Go to “Flow” tab, and it provides filter options as follows: 9
  • 10. After starting the scanning DVWA, traffic started to flow as follows: 4.3. Logger++ This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format[7]. It is similar to “Flow”, but this is more. The ongoing scanning is like the below: 10
  • 11. An example traffic is as follows, and as said before, this is more functionable. “Comparer”, this feature allows the user to compare responses for two or more requests to find differences in them. Response of first request is sent to “comparer” as follows: After that second response is sent to “comparer”. 11
  • 12. Comparing differences are based on the word or byte comparison. The comparison can be used in a lot of conditions. For example, let's say the user wants to compare the difference on a successful and a failed login response. Comparer would show the areas where there are byte differences[2]. Firstly, according to word comparison as follows: Secondly, according to byte comparison as follows: 12
  • 13. 4.4. JSON Beautifier A simple tool, JSON Beautifier gives tester the option to either beautify or minify the target's JSON content. All of this takes place within Burp Suite. This is the most popular download in the BApp store, and it makes life as a pentester much easier[7]. As an example, go to a website which includes javascript like w3schools.com. Codes on raw is complicated. 13
  • 14. Go to newly existed plugin tab after installation in order to see beautified code on “Flow”. Go to newly existed plugin tab after installation in order to see beautified code on “Logger++”. 14
  • 15. 4.5. SQLiPy Sqlmap Integration SQLMap is embedded within the extension; it will be automatically configured. SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API. SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan. Easiness of which this plugin provides are no need of remembering sqlmap commands on console, and it allows to run multiple scans at once. First of all, download the Jython file, and when clicking the button probably it will show “404-not found” as follows: Go to https://www.jython.org/download.html in order to download jython like the below: 15
  • 16. After that map it to “Python Environment” in Burp Suite as follows: Path: Burp > Extender > Options. Finally, it can be installed as clicking the “install” button, and after setting up the plugin, there will be new tab with name “SQLiPy”. Navigate to it. Sometimes after closing and reopening of burp, this plugin may not be loaded properly. So in this 16
  • 17. situations, it is required to reload from extender->extensions tabs. Before running SQLiPy, ensure SQLMap API is set running. If not, browse the SQLMap API which is normally present in SQLMap folder. “sqlmapapi.py” is used here. Also if required, it can be changed IP and Port, too. It is ready to click “Start API” button as follows: Sometimes this gui doesn't running properly, and sqlmapapi can be ran on command line as an alternative method to ensure. Use Mutillidae to demonstrate this scenario. Follow the steps on the figures: 17
  • 18. After intercepting the related request and clicking right to anywhere on the intercept tab, click “SQLiPy Scan” on the opened window. Navigate to SQLMap Scanner tab, and it will fill “URL”, “Post Data”, “Referer” and “User-Agent” parts with the regarding data automatically as follows. “Level” and “Risk” can be changed through same menu. Requested related data can be extracted chosing “List Users”, “Current User”, “List Passwords”, “Current DB” and “List Dbs”. After starting attack, logs can be monitored on tab of “SQLMap Logs”. 18
  • 19. On target tab, it detects as SQLMap Scan Finding. Extracted datas which are related to databases are as follows on SQLMap Scan Finding. 19
  • 20. Go to “SQLMap Logs”, and copy sqlmap command as follows: Paste this command to terminal on the kali linux and run: When the process finishes, data will be retrieved as follows on the console. 20
  • 21. When two methods are compared, sqlmap on the console is more slower, and it wants the tester to reply for questions like yes, no or others manually. It is not practical and handy. As for SQLiPy no need of remembering sqlmap commands on console, and it allows to run multiple scans at once. It is fast. One more scanning with using SQLiPy may be to try dvwa blind sqli as follows: Settings on SQLMap scanner subtab of under SQLiPy and logs on SQLMap Logs subtab are as follows: Scan results are on the following figures: 21
  • 22. 4.6. CO2 The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords[9]. Its popularity is high and there is no need to start sqlmapapi as SQLiPy requires. But it is not as much as faster SQLiPy since it executes sqlmap commands on the console. Click on Extender tag then click on BApp store subtab which contains burp extensions to extend burp’s capabilities. Select CO2 and click on install button available on the right side of the frame. Send to SQLMapper on intercept tab: When the fetched data will be sent to SQL mapper it will automatically itself generates sqlmap command using referrer and cookie. The options box at the end of burp suite frame can be seen here. Now click on enumeration tag and select the checkboxes for currentdb, users, and passwords to retrieve data from database. 22
  • 23. Now copy the sqlmap command from the text field and run this command manually on terminal using sqlmap. Scanning has started: Scanning has finished: 23
  • 24. 4.7. XSS Validator One problem with automated and semi-automated solutions for XSS is distinguishing signal from noise. To do that, a useful Burp plugin, XSS Validator, runs a PhantomJS-powered web server to receive the results of Burp queries and looks for a string injected into the BMFSU call embedded within the applied XSS snippets. It provides a clean way of culling the results of your XSS submissions to absolute confirmed vulnerabilities[3]. The easiest way to download the XSS Validator Burp extension is through the Bapp store. Just navigate to the store from the Extension tab within Burp Suite and select the extension from the marketplace (needless to say, it's free). You can also install the extension manually by following the instructions in the XSS Validator GitHub documentation. Open DVWA and enter anything to “What’s your name?”. After that submit it. Send to intruder: 24
  • 25. Clear $ all of them on positions tab: Just add $ to only name input: Navigate to Payloads tab, and set “Payload Type” to “Extension generated”. As seen “Selected generater” is “[NOT SELECTED]”. Click to “Select generator”, and select “XSS Validator Payloads”. 25
  • 26. As seen “Selected generater” happens “XSS Validator Payloads” as follows: Go to Options, and clear Grep-Match table, and we need to make one more setting change before we can start our attack. When you go to xssValidator tab, you'll see a random string generated in the Grep Phrase field, and you might also spot the bullet point explaining that successful attacks will be denoted by the presence of the Grep Phrase: Copy Grep Phrase and paste to “Grep-Match” field. Once that phrase has been added, we're ready to start our attack. Click the start attack button in the top- right of the Options (and every other) view. After clicking the button, you should see an attack window pop up and start to self-populate with the results of the XSS snippet submissions: 26
  • 27. And voila! We can see the presence of our grep phrase, meaning that our submissions have been a success, for several of the tag/attribute combinations generated by the XSS Validator submissions. Copy encoded code to Hackbar, and decode it as follows: Decoded code is on the following figure: 27
  • 28. And run this command on “What’s your name?” field. Voila it runs. 5. Summary Burp is very scalable; there are a lot of of plugins, a user can even write her/his own code to create a Burp extension and embed it to take more advantage of Burp. In order to avail the full advantage of the extensions, the user has to provide a path to the Jython and JRuby JAR files[2]. Now the rest is up to your dreams, and your skills. Everything is possible with this tool to demonstrate many more advanced attacks including XML External Entity (XXE) attacks, working on JSON Web Token (JWT), Server-Side Request Forgery (SSRF) attacks, Testing Cross-Origin Resource Sharing (CORS) and performing Java deserialization attacks. Especially it is often used on bug bounty programs. 28
  • 29. References Books [1] Sunny Wear, Burp Suite Cookbook:Practical recipes to help you master web penetration testing with Burp Suite, 2018. [2] Carlos A. Lozano, Dhruv Shah and Riyaz Ahemed Walikar, Hands-On Application Penetration Testing with Burp Suite: Use Burp Suite and its features to inspect, detect, and exploit security vulnerabilities in your web applications, 2019. [3] Joseph Marshall, Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws, 2018. Links [4] https://tools.kali.org/web-applications/burpsuite. [5] https://www.geeksforgeeks.org/what-is-burp-suite/. [6] https://trustfoundry.net/the-top-8-burp-suite-extensions-that-i-use-to-hack-web-sites/. [7] https://portswigger.net/testers/penetration-testing-tools. [8] https://portswigger.net/bappstore. [9] https://www.hackingarticles.in/sql-injection-exploitation-sqlmap-burp-suite-burp-co2-plugin/ 29