Web security testing using Burp and Firebug
STC 2012
Author: Rajani Kumar
Robert Bosch Engineering and Business Solutions Ltd.
1 ETT | 12/10/2012 | © Robert Bosch Engineering and Business Solutions Limited 2012. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Web security testing using Burp
Tools in Burp suite
Burp Suite is an integrated platform for attacking web applications. It provides a set of tools which work together to support the end-to-end security testing process.
• Proxy: Lets us inspect and modify traffic between the browser and the target application.
• Spider: Crawls the content and functionality.
• Scanner: Automates the detection of numerous types of vulnerability.
Tools in Burp suite (ctd..)
• Intruder: Performs powerful customized attacks to find and exploit unusual vulnerabilities.
• Repeater: Manipulates and resends individual requests.
• Sequencer: Tests the randomness of session tokens.
• Comparer: Burp Comparer is a simple tool for performing a comparison (a visual "diff") between any two items of data.
Set up the Browser
• The Burp Suite proxy will use port 8080 by default.
• Picture shows the set up of the Firefox browser, wherein the request-response process is routed through port 8080 on localhost.
Proxy
• Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application.
• From the Proxy, requests can be sent to other Burp tools for further analysis by using the Action button.
Intruder
Burp Intruder is a tool for automating customized attacks against web applications.
Intruder – Attack types
• Sniper: This uses a single set of payloads. It targets each position in turn, and inserts each payload into that position in turn. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
• Battering Ram: This uses a single set of payloads. It iterates through the payloads, and inserts the same payload into all of the defined positions at once. The total number of requests generated in the attack is the number of payloads in the payload set.
Intruder – Attack types (ctd..)
• Pitchfork: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through all payload sets simultaneously, and inserts one payload into each defined position. The total number of requests generated by the attack is the number of payloads in the smallest payload set.
• Cluster Bomb: This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 8). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. The total number of requests generated by the attack is the product of the number of payloads in all defined payload sets; this may be extremely large.
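The four attack types and their request-count formulas, as an added example that is not from the slides: each mode is a generator over named payload positions, so the counts can be checked against the formulas above. The baseline request, positions and payload lists are constructed for illustration.

```python
import math
from itertools import product

# Added example (not from the slides): the four Intruder attack types as generators
# over named payload positions. A "request" here is a dict {position: value}; the
# baseline values, positions and payloads used with it are constructed for the tests.
MAX_SETS = 8  # the slides: a different payload set per position, up to a maximum of 8

def sniper(baseline, payloads):
    """One payload set; each position is targeted in turn, the others keep their baseline."""
    for pos in baseline:
        for p in payloads:
            req = dict(baseline)
            req[pos] = p
            yield req

def battering_ram(baseline, payloads):
    """One payload set; the same payload goes into every defined position at once."""
    for p in payloads:
        yield {pos: p for pos in baseline}

def pitchfork(baseline, payload_sets):
    """One payload set per position, iterated in parallel; stops at the smallest set."""
    names = _check_sets(baseline, payload_sets)
    for combo in zip(*payload_sets):
        yield dict(zip(names, combo))

def cluster_bomb(baseline, payload_sets):
    """One payload set per position; every combination (Cartesian product) is tested."""
    names = _check_sets(baseline, payload_sets)
    for combo in product(*payload_sets):
        yield dict(zip(names, combo))

def _check_sets(baseline, payload_sets):
    names = list(baseline)
    if len(payload_sets) != len(names) or len(names) > MAX_SETS:
        raise ValueError("need one payload set per position, at most %d" % MAX_SETS)
    return names

def expected_counts(n_positions, set_sizes):
    """The request-count formulas from the slides; single-set modes use set_sizes[0]."""
    return {
        "sniper": n_positions * set_sizes[0],
        "battering_ram": set_sizes[0],
        "pitchfork": min(set_sizes),
        "cluster_bomb": math.prod(set_sizes),
    }
```

Comparing the cluster-bomb count with the pitchfork count for the same sets shows why the slides warn that the product "may be extremely large".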
Intruder – Select payload
Payload sets:
1. Preset list
2. Runtime file
3. Custom iterator
4. Character substitution
5. Case substitution
6. Recursive grep
7. Illegal Unicode
8. Character
9. Blocks
10. Numbers
11. Dates
12. Brute forcer
13. Null payloads
Intruder – Execution and Results
• After execution is over, a separate window will be opened which shows each test, the payload used, the status code, the length and, in our case, the tests which match our XPATH pattern-match word.
Repeater
• It is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.
• It is best used in conjunction with the other Burp Suite tools.
• For example, we can send a request from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.
Repeater (ctd..)
• In the Repeater tool we can modify the request however we want and click on the "Go" button. The response will be shown in the bottom pane.
• The error message we received in the response shown above was:
Incorrect username: Invalid XPath expression:
//users/user[username=''']/password
Expected: ]
Repeater (ctd..)
• When we use the Repeater to submit a request where the username value is ' or '1'='1 we get a different error. The error tells us the password (blank in the request) we submitted was incorrect. The XPATH query will now look something like this:
//users/user[username=' ' or '1' ='1']/password
• Since we know the username now, we can brute force the password using Intruder.
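The query construction behind the two errors above, as an added example that is not from the slides: the string concatenation that produces the malformed and the injected queries, the XPath-literal encoding that prevents it, and a lookup that compares values in code instead of building a query. The XML user store is constructed, and the assumption that the application concatenates the username into the query is inferred from the error text.

```python
import xml.etree.ElementTree as ET

# Constructed sample user store for this example, not from the slides.
USERS_XML = """<users>
  <user><username>alice</username><password>s3cret</password></user>
  <user><username>bob</username><password>hunter2</password></user>
</users>"""

def vulnerable_query(username):
    """Builds the query by concatenation, as the error text on the slide suggests the
    tested application does (assumption). A quote in the input changes the query."""
    return "//users/user[username='" + username + "']/password"

def xpath_literal(value):
    """Encode an untrusted string as an XPath 1.0 string literal. XPath literals have
    no escape character, so pick the quote the value lacks, or split on the single
    quote and rebuild with concat() when the value contains both kinds."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"

def safe_query(username):
    """Same query shape, but the username can only ever be a string literal."""
    return "//users/user[username=" + xpath_literal(username) + "]/password"

def lookup_password(username):
    """Alternative that builds no query from input at all: compare values in code."""
    root = ET.fromstring(USERS_XML)
    for user in root.findall("user"):
        if user.findtext("username") == username:
            return user.findtext("password")
    return None
```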
Comparer
• It is a simple tool for performing a comparison between any two items of data. In the context of attacking a web application, this requirement will typically arise when we want to quickly identify the differences between two application responses or between two application requests.
Comparer (ctd..)
• We can select two responses and click on one of the two compare types.
Words: This comparison tokenizes each item based on whitespace delimiters, and identifies the token-level edits required to transform the first item into the second.
Bytes: This comparison identifies the byte-level edits required to transform the first item into the second.
Potential issues uncovered in security testing:
• At the application level there is a restriction that a field must not take more than 32 characters, but when we use Burp Proxy to edit the request and send a value of more than 32 characters, the stack overflows and all in-built Java functions are displayed in the browser, which is very good input for a malicious user.
• A restricted user has some links disabled since the user has no rights to see those pages. But after sending a request to the server with just the node link changed in the Proxy, the user got access to the unauthorized page.
Web security testing using Firebug
Firebug is a web development tool that facilitates the debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript. Firebug integrates with Firefox and allows users to inspect the different web elements, and helps users to break security barriers by editing the HTML code inside the web page.
• Picture shows an application where the logged-in user does not have enough permissions to view other owners' data, and hence the owner field is disabled for this logged-in user.
• The user already has Firebug installed at the client side, and hence after right-clicking on any field "Inspect element" appears.
• Once the user selects the Inspect element option, Firebug opens up in a window integrated with the Firefox browser and displays the HTML code related to the disabled owner field, highlighted with a blue background.
• By deleting the "Read-only" attribute from the owner field's HTML code the user can make this field editable and can search for the data related to other owners, which is not at all acceptable from a security aspect.
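The Burp findings (the 32-character limit and the disabled links) and the Firebug read-only bypass above share one root cause: the control exists only in the browser, and the Proxy or Firebug removes it before the request is sent. The handler below is an added example, not the application from the slides; it re-checks length and ownership on the server and returns generic status codes instead of a stack trace. Only the 32-character limit comes from the slides; the user names, records and roles are constructed.

```python
MAX_LEN = 32  # the field limit the slides describe; here enforced on the server

# Constructed sample data (not from the slides): record id -> owner, and user roles.
RECORDS = {"r1": "alice", "r2": "bob", "r3": "bob"}
ROLES = {"alice": "restricted", "bob": "restricted", "carol": "admin"}

def validate_field(value, max_len=MAX_LEN):
    """Re-check length on the server; a maxlength in the page is removable via the Proxy."""
    if not isinstance(value, str) or len(value) > max_len:
        raise ValueError("field longer than %d characters" % max_len)
    return value

def search_records(current_user, owner):
    """Authorize on the server; a disabled or read-only owner field proves nothing once
    the request leaves the browser (Firebug can delete the attribute)."""
    owner = validate_field(owner)
    if ROLES.get(current_user) != "admin" and owner != current_user:
        raise PermissionError("may only view own records")
    return [rid for rid, o in RECORDS.items() if o == owner]

def handle_request(current_user, form):
    """Map failures to generic status codes so a tampered request never shows a stack
    trace or the application's internals in the browser."""
    try:
        return 200, search_records(current_user, form.get("owner", ""))
    except ValueError:
        return 400, []
    except PermissionError:
        return 403, []
    except Exception:  # anything unexpected: log server-side, reveal nothing to the client
        return 500, []
```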
Web security testing using Burp and Firebug
Benefits:
• Identify and manage vulnerabilities in the Web application.
• Ensure web application requirements are met when they are subjected to malicious input data.
Queries ..?