
Page 1: 11 Web security testing using Burp and Firebugminisites.qaiglobalservices.com/stc2012/Paper_ Best_Practice/Web... · Web security testing using Burp Tools in Burp suite Burp Suite

Web security testing using Burp and Firebug

STC 2012

Author: Rajani Kumar

1 ETT | 12/10/2012 | © Robert Bosch Engineering and Business Solutions Limited 2012. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Author: Rajani Kumar

Robert Bosch Engineering and Business Solutions Ltd.

Page 2

Web security testing using Burp

Tools in Burp suite

Burp Suite is an integrated platform for attacking web applications. It provides a set of tools which work together to support the end-to-end security testing process.

• Proxy: Lets us inspect and modify traffic between the browser and the target application.

• Spider: Crawls the content and functionality.

• Scanner: Automates the detection of numerous types of vulnerability.

Page 3

Web security testing using Burp

Tools in Burp suite (ctd..)

• Intruder: Performs powerful customized attacks to find and exploit unusual vulnerabilities.

• Repeater: Manipulates and resends individual requests.

• Sequencer: Tests the randomness of session tokens.

• Comparer: Burp Comparer is a simple tool for performing a comparison (a visual "diff") between any two items of data.

Page 4

Web security testing using Burp

Set up the Browser

• The Burp Suite proxy will use port 8080 by default.

• The picture shows the set-up of the Firefox browser wherein the request-response process is routed through port 8080 on localhost.

Page 5

Web security testing using Burp

Proxy

• Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application.

• From the Proxy, requests can be sent to other Burp tools for further analysis by using the Action button.

Page 6

Web security testing using Burp

Intruder

Burp Intruder is a tool for automating customized attacks against web applications.

Page 7

Web security testing using Burp

Intruder – Attack types

• Sniper: This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.

• Battering Ram: This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. The total number of requests generated in the attack is the number of payloads in the payload set.

Page 8

Web security testing using Burp

Intruder – Attack types (ctd..)

• Pitchfork: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. The total number of requests generated by the attack is the number of payloads in the smallest payload set.

• Cluster Bomb: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets – this may be extremely large.
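The four attack types above, modelled as plain Python generators so the request-count formulas on the two slides can be checked before an attack is sized. This is an added example, not Burp's own code; the request template and payload sets are constructed, and the § position marker follows Intruder's UI convention.

```python
from itertools import product
from typing import Iterator, List

# Constructed request template; '§' marks the payload positions.
TEMPLATE = "username=§admin§&password=§secret§"
MARK = "§"

def split_template(template: str) -> List[str]:
    """Split on the markers; the odd-indexed parts are the marked positions."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced position markers")
    return parts

def fill(parts: List[str], values: List[str]) -> str:
    """Write one value into each marked position, in order."""
    out = list(parts)
    out[1::2] = values
    return "".join(out)

def sniper(template: str, payloads: List[str]) -> Iterator[str]:
    """One position at a time; the other positions keep their original value."""
    parts = split_template(template)
    originals = parts[1::2]
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield fill(parts, values)

def battering_ram(template: str, payloads: List[str]) -> Iterator[str]:
    """The same payload inserted into every position at once."""
    parts = split_template(template)
    for payload in payloads:
        yield fill(parts, [payload] * (len(parts) // 2))

def pitchfork(template: str, sets: List[List[str]]) -> Iterator[str]:
    """All sets advance in lock-step; zip() stops at the smallest set."""
    parts = split_template(template)
    for values in zip(*sets):
        yield fill(parts, list(values))

def cluster_bomb(template: str, sets: List[List[str]]) -> Iterator[str]:
    """Every combination of one payload per set: the cartesian product."""
    parts = split_template(template)
    for values in product(*sets):
        yield fill(parts, list(values))

def request_count(requests: Iterator[str]) -> int:
    """Number of requests an attack would send; compare with the slide formulas."""
    return sum(1 for _ in requests)
```

With two positions and three payloads, Sniper yields 6 requests and Battering Ram 3; with sets of size 3 and 2, Pitchfork yields 2 and Cluster Bomb 6, matching the formulas.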

Page 9

Web security testing using Burp

Intruder – Select payload

Payload sets:

1. Preset list
2. Runtime file
3. Custom iterator
4. Character substitution
5. Case substitution
6. Recursive grep
7. Illegal Unicode
8. Character
9. Blocks
10. Numbers
11. Dates
12. Brute forcer
13. Null payloads

Page 10

Web security testing using Burp

Intruder – Execution and Results

• After execution is over, a separate window opens which shows each test, the payload used, the status code, the length and, in our case, the tests which match our XPATH pattern-match word.

Page 11

Web security testing using Burp

Repeater

• It is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.

• It is best used in conjunction with the other Burp Suite tools.

• For example, we can send a request from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.

Page 12

Web security testing using Burp

Repeater (ctd..)

• In the Repeater tool we can modify the request however we want and click on the "Go" button. The response will be shown in the bottom pane.

• The error message we received in the response shown above was:

Incorrect username: Invalid XPath expression:
//users/user[username=''']/password
Expected: ]

Page 13

Web security testing using Burp

Repeater (ctd..)

• When we use the Repeater to submit a request where the username value is ' or '1'='1 we get a different error. The error tells us the password (blank in the request) we submitted was incorrect. The XPATH query will now look something like this:

//users/user[username='' or '1'='1']/password

• Since we know the user name now, we can brute force the password using Intruder.
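The lookup behind slides 12 and 13, written the vulnerable way beside two safe forms: encoding the input as an XPath literal, and not building an expression from input at all. This is an added example, not code from the slides; the XML user store and the inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed user store with the layout the slide's XPath implies.
USERS_XML = """<users>
  <user><username>alice</username><password>s3cret</password></user>
  <user><username>bob</username><password>hunter2</password></user>
</users>"""
ROOT = ET.fromstring(USERS_XML)

def vulnerable_query(username: str) -> str:
    """String concatenation: the input becomes part of the XPath grammar.
    A lone quote breaks the expression (the "Expected: ]" error on slide 12)
    and the input ' or '1'='1 turns the predicate into a tautology (slide 13)."""
    return "//users/user[username='" + username + "']/password"

def xpath_literal(value: str) -> str:
    """Encode a string as an XPath 1.0 literal that cannot close the quotes
    around it: use whichever quote style the value lacks, or stitch the
    pieces together with concat() when it contains both."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ("'" + p + "'" for p in value.split("'"))
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def safe_query(username: str) -> str:
    """The same lookup with the input encoded as a literal."""
    return "//users/user[username=" + xpath_literal(username) + "]/password"

def check_login(username: str, password: str) -> bool:
    """Safest option: build no expression from input at all. Walk the <user>
    nodes with a fixed path and compare the values in code."""
    for user in ROOT.iterfind("user"):
        if user.findtext("username") == username:
            return user.findtext("password") == password
    return False
```

With the tautology input, vulnerable_query() reproduces the query on slide 13, while safe_query() yields a predicate that merely compares the username against a literal containing that text.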

Page 14

Web security testing using Burp

Comparer

• It is a simple tool for performing a comparison between any two items of data. In the context of attacking a web application, this requirement will typically arise when we want to quickly identify the differences between two application responses or between two application requests.

Page 15

Web security testing using Burp

Comparer (ctd..)

• We can select two responses and click on one of the two compare types.

Words: This comparison tokenizes each item based on whitespace delimiters, and identifies the token-level edits required to transform the first item into the second.

Bytes: This comparison identifies the byte-level edits required to transform the first item into the second.

Page 16

Web security testing using Burp

Potential issues uncovered in security testing:

• At the application level there is a restriction that a field may not take more than 32 characters, but when we edit the request in Burp Proxy and send a value of more than 32 characters, the stack is overflowed and all inbuilt Java functions are displayed in the browser, which is very good input for a malicious user.

• A restricted user has some disabled links since the user has no rights to see those pages. But after sending a request to the server by just changing the node link in the Proxy, the user got access to the unauthorized page.

Page 17

Web security testing using Firebug

Firebug is a web development tool that facilitates the debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript. Firebug integrates with Firefox and allows users to inspect the different web elements, and helps users to break the security barriers by editing the HTML code inside the web page.

Page 18

Web security testing using Firebug

• The picture shows an application where the logged-in user does not have enough permissions to view other owners' data, and hence the owner field is disabled for this logged-in user.

• The user has already installed Firebug on the client side, and hence after right-clicking on any field "Inspect element" appears.

Page 19

Web security testing using Firebug

• Once the user selects the Inspect element option, Firebug opens up in a window integrated with the Firefox browser and displays the HTML code related to the disabled owner field, highlighted with a blue background.

• By deleting the "Read-only" attribute from the owner field's HTML code, the user can make this field editable and can search for the data related to other owners, which is not at all acceptable from a security aspect.
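The server-side checks that would have caught the three findings on slides 16, 18 and 19: a browser-side length limit, a disabled link and a read-only owner field are only hints to honest users, so every request has to be re-validated on the server. This is an added example, not code from the slides or the tested application; the user records, page names, roles and exception types are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

MAX_FIELD_LEN = 32                    # the 32-character limit from slide 16
PAGE_ROLE: Dict[str, str] = {         # constructed page -> role required
    "dashboard": "user",
    "admin-report": "admin",
}

@dataclass
class Session:
    username: str
    role: str

class BadRequest(Exception): pass
class Forbidden(Exception): pass

def validate_field(value: str) -> str:
    """Re-check the length limit on the server; an over-long value must get
    a clean 4xx response, not a stack trace listing internal classes."""
    if len(value) > MAX_FIELD_LEN:
        raise BadRequest(f"field exceeds {MAX_FIELD_LEN} characters")
    return value

def view_page(session: Session, page: str) -> str:
    """A link hidden or disabled in the UI proves nothing; check the role on
    every request for the page actually named in the request."""
    required = PAGE_ROLE.get(page)
    if required is None:
        raise BadRequest("unknown page")
    if required == "admin" and session.role != "admin":
        raise Forbidden(f"{session.username} may not view {page}")
    return f"contents of {page}"

def search_records(session: Session, requested_owner: str,
                   records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The owner field is read-only in the browser, but the submitted value
    is client-controlled: derive the owner from the session instead, and let
    only an admin choose another owner."""
    owner = requested_owner if session.role == "admin" else session.username
    return [r for r in records if r["owner"] == owner]

def is_rejected(fn, *args) -> bool:
    """True when the call is refused with BadRequest or Forbidden."""
    try:
        fn(*args)
    except (BadRequest, Forbidden):
        return True
    return False
```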

Page 20

Web security testing using Burp and Firebug

Benefits:

• Identify and manage vulnerabilities in the Web application.

• Ensure web application requirements are met when they are subjected to malicious input data.

Page 21

Web security testing using Burp and Firebug

Queries ..?