All your sites are belong to Burp
Tiago Mendo - @tmendo - tiagomendo at gmail.com - tiago.mendo at telecom.pt
this.person
• Pentester at SAPO
• Web division of Portugal Telecom, +100 webapps
• Uses Burp as much as the browser
• Speaker at Codebits
• Likes cars, travelling and burgers
• @tmendo
Why this talk?
• Burp Suite
• A reference tool
• Everybody uses it
• Extension capabilities
• Share how I use it
• Share how developers can use it
• Learn how to use it even better
Outline
• Burp for developers
• Proxy
• Repeater
• Before starting
• Finding vulnerabilities
• Automation
• Extending Burp
• Tips
Disclaimer
• I am not affiliated with PortSwigger.
• The contents of this talk are solely my responsibility, and not my employer's.
Burp?
• That relief noise...
Burp?
• “Burp Suite is an integrated platform for performing security testing of web applications.”
Burp?
• Actually, the icon is a burping face in profile
Burp Suite
• Burp is a set of tools, all tightly integrated
• Proxy
• Spider
• Scanner
• Intruder
• Repeater
• Sequencer
• API
• Save, search, compare, decode, filter
Free
Burp Suite
Burp for developers
• Can developers take advantage of it?
• Yes
• debug
• functional testing
• security testing
Burp for developers
• But, normally, developers don’t have access to:
• a web security team (in-house or outsourced)
• time to test stuff
• money
Burp for developers
• Use the free version
• Integrate Burp with your development process
• Do simple tests
Proxy
• Always use a proxy with your browser
• use a separate browser to hack
• have it send all traffic through the Burp proxy
• Easily done with Firefox
• multiple profiles
• proxy is not system wide
• lots of plugins
Proxy
• Send “all” traffic to Burp
Proxy
• Filtering further
Proxy
• Auto-scroll
• just sort by # desc
Proxy
• What to look for when using the proxy?
• failing requests
• error and debug messages
• sensitive information
• missing headers
• If you want to get active
• input: URL parameters, postdata, headers, cookies
Proxy
• You can do simple, yet powerful, tests in two ways
• intercepting requests
• repeating requests
Proxy
Repeater
• Intercepting requests with the proxy is good for single tests
• or when you have a single shot
• For deeper testing use the repeater
• allows arbitrary replay and modification of requests
Repeater
• From proxy to repeater
Repeater
• With the repeater you can just play with the requests, whatever is your objective
• debug
• functional
• security
• Let's focus on security :)
Repeater
• XSS - a simple payload to get 80/20
• "><img src=a onerror=alert(1)>
• Using the repeater avoids browser defensive measures
• auto URL encoding
• XSS filters
Repeater
Repeater
• SQLi - you don’t have to test for it because you use prepared statements
• Just in case
• '
• and benchmark(10000000, md5(md5(1))) --%20
Repeater
• OWASP Top 10 - A4 Insecure Direct Object References
• “Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for.”
Repeater
• Very easy and fast to test
• repeat the request with a different object id belonging to another user
• photo_id, id, userid, etc.
• Automated tools don't find A4; you need to test for it manually!
Repeater
Going pro
• The free version is enough for developers and simple tests
• A security professional will need the professional version
• automation
• speed
• coverage
• save
• search
Before starting
• Ensure you always load a clean Burp with a prepared configuration
• tools clean of requests
• auto backup
• proxy setup
• plugins
• keyboard shortcuts
Before starting
• URL blacklist
• avoid session termination
Before starting
• URL blacklist
• avoid destruction
Before starting
• parameter blacklist
• also block CSRF tokens and test them manually
Before starting
• boolean based SQLi
• avoid destroying the DB if testing something that uses UPDATE
• UPDATE users SET email=X WHERE email=Y OR 1=1
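An added example (not from the talk) of why that probe must be blacklisted before scanning anything backed by an UPDATE: the concatenated query from the slide rewrites every row, while the parameterised form treats the same input as a plain string. The table and its three rows are constructed sample data.

```python
import sqlite3

# A boolean-based probe of the kind a scanner injects into a parameter (constructed).
PROBE = "nobody@example.com' OR 1=1 --"


def seed() -> sqlite3.Connection:
    """Constructed sample data: a three-user table in an in-memory SQLite DB."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.com",), ("carol@example.com",)],
    )
    return con


def update_email_concat(con: sqlite3.Connection, old: str, new: str) -> int:
    """Vulnerable form: the slide's UPDATE users SET email=X WHERE email=Y OR 1=1.

    Returns the number of rows modified; with the probe as `old` that is every row.
    """
    sql = "UPDATE users SET email='%s' WHERE email='%s'" % (new, old)
    return con.execute(sql).rowcount


def update_email_param(con: sqlite3.Connection, old: str, new: str) -> int:
    """Hardened form: prepared statement, the probe is just an email that matches nothing."""
    cur = con.execute("UPDATE users SET email=? WHERE email=?", (new, old))
    return cur.rowcount


if __name__ == "__main__":
    print("concat  :", update_email_concat(seed(), PROBE, "x@example.com"), "rows changed")
    print("prepared:", update_email_param(seed(), PROBE, "x@example.com"), "rows changed")
```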
Finding vulnerabilities
• So...what is the most effective way to find vulnerabilities with Burp?
• The scanner?
Finding vulnerabilities
• Right...you can just point the scanner and wait
• not time-effective
• scans .woff, .js, etc.
• scans similar pages (think of news sites)
• http://edition.cnn.com/video/?/video/us/2012/06/10/world-burping-contest.cnn
Finding vulnerabilities
• There are multiple approaches to find vulnerabilities with Burp
• proxy, spider and then scan blindly
• proxy, spider, intruder and then scan targeted
• <your own combination of tools>
Finding vulnerabilities
1. Hit every functionality manually
• gets recorded in the proxy
• you get to know the target
2. If possible, maximize the coverage
• spider the target
• actively scan the target
Finding vulnerabilities
• Spidering and scanning blindly might destroy the target (and your job)
• boolean-based SQLi
• deletion of content
Finding vulnerabilities
• Spidering and scanning blindly can take time
Finding vulnerabilities
3. Manual investigation
• where all the fun begins
• where you justify your income
• test for the vulns Burp won’t test
• confirm Burp guesses
Finding vulnerabilities
• Find a juicy request and send it to the repeater
Finding vulnerabilities
• Modify it and send it!
Finding vulnerabilities
• Find a juicy request and send it to the intruder
Finding vulnerabilities
• The intruder can be used to do precision scanning
• you can select any part of the request
• similar to the * marker in sqlmap
• useful for custom protocols
Finding vulnerabilities
• The intruder can automate what you do in the repeater
• brute-force
• defeat CSRF tokens
• ECB block shuffling
• fuzzing
• scan with your own payloads
Finding vulnerabilities
• Multiple types of attacks
• Sniper
• Battering ram
• Pitchfork
• Cluster bomb
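An added example (not Burp's code) that models how the four attack types combine payload positions and payload sets, so you can predict how many requests a configuration will send before launching it. Positions use Burp's § markers; the request line and payload lists are constructed.

```python
import itertools
import re

MARK = re.compile(r"§(.*?)§")  # Intruder marks each payload position as §base value§

# Constructed sample request with two payload positions.
REQ = "GET /photo?user=§alice§&photo_id=§1§ HTTP/1.1"


def fill(template: str, values) -> str:
    """Replace each §…§ position, in order, with the corresponding value."""
    it = iter(values)
    return MARK.sub(lambda m: next(it), template)


def intruder(template: str, attack: str, payload_sets):
    """Yield the requests Intruder would send for the given attack type."""
    base = MARK.findall(template)
    n = len(base)
    if attack == "sniper":
        # One payload set, one position at a time; the others keep their base value.
        for pos in range(n):
            for p in payload_sets[0]:
                yield fill(template, [p if i == pos else base[i] for i in range(n)])
    elif attack == "battering ram":
        # One payload set, the same payload placed in every position at once.
        for p in payload_sets[0]:
            yield fill(template, [p] * n)
    elif attack == "pitchfork":
        # One set per position, iterated in parallel; stops at the shortest set.
        for combo in zip(*payload_sets):
            yield fill(template, combo)
    elif attack == "cluster bomb":
        # One set per position, every combination (cartesian product).
        for combo in itertools.product(*payload_sets):
            yield fill(template, combo)
    else:
        raise ValueError("unknown attack type: %s" % attack)


def count(template: str, attack: str, payload_sets) -> int:
    """Number of requests the configuration would send."""
    return sum(1 for _ in intruder(template, attack, payload_sets))
```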
Finding vulnerabilities
• grep content, look at HTTP codes or lengths
Finding vulnerabilities
• Proxy + spider + scanner
• ensures coverage in breadth
• Proxy + repeater + intruder/scanner
• ensures coverage in depth
Automation
• One way to automate your life is through Macros
• “A macro is a sequence of one or more requests.”
Automation
• Consider a site with authentication
• eventually, your session will die
• enqueued requests will fail
• you will notice that a few minutes/hours later
• you will repeat login and repeat the requests
• you will be annoyed
• add constantly changing CSRF tokens for extra annoyance
Automation
• On each request, I want Burp to
• check if session is still valid
• if not valid
• get current CSRF token
• login
• re-issue the request
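The rule from this slide, as an added example (not the talk's macro or Burp's session-handling code), run against a constructed fake application whose sessions expire and whose login needs a fresh CSRF token. The expiry signal (a redirect to /login) and the session lifetime are assumptions of the fake app.

```python
import secrets


class FakeApp:
    """Constructed target: each session survives `lifetime` requests; login needs the current CSRF token."""

    def __init__(self, lifetime: int = 2):
        self.lifetime = lifetime
        self.sessions = {}   # session cookie -> requests remaining
        self.csrf = None
        self.logins = 0      # how many times the handler had to log in

    def get_csrf(self) -> str:
        self.csrf = secrets.token_hex(8)  # token changes on every fetch
        return self.csrf

    def login(self, csrf: str):
        if csrf != self.csrf:
            return None
        tok = secrets.token_hex(8)
        self.sessions[tok] = self.lifetime
        self.logins += 1
        return tok

    def get(self, path: str, session):
        if self.sessions.get(session, 0) <= 0:
            return 302, "/login"          # the "session is dead" signal
        self.sessions[session] -= 1
        return 200, "ok " + path


class SessionHandler:
    """Burp-style session handling rule: detect a dead session, re-login, re-issue."""

    def __init__(self, app: FakeApp):
        self.app, self.session = app, None

    def send(self, path: str):
        status, body = self.app.get(path, self.session)
        if status == 302 and body == "/login":        # check if session is still valid
            csrf = self.app.get_csrf()                 # get current CSRF token
            self.session = self.app.login(csrf)        # login
            status, body = self.app.get(path, self.session)  # re-issue the request
        return status, body
```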
Automation
Extending Burp
• Burp has an API called Burp Extender
• loads arbitrary code
• hooks into most functionalities
• UI customization
• supports Java, Python and Ruby
Extending Burp
• Creating an extension is easy
• download empty extension with Netbeans project
• or download one of the example extensions
Extending Burp
• addScanIssue
• doActiveScan
• excludeFromScope
• processHttpMessage
• newScanIssue
• and getters/setters for almost anything
Extending Burp
• OwnDB - our ownage DB
Extending Burp
Tips
• Copy as curl command
Tips
• Copy as curl command
curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0' \
  -H 'Referer: https://accounts.google.com/ServiceLoginAuth' \
  -b 'GoogleAccountsLocale_session=pt_PT; CheckConnectionTempCookie279=549576; VISITOR_INFO1_LIVE=7bdUV8vsAGg; PREF=f1=50000000&fv=11.8.800; YSC=OH5XpXtqdf0' \
  'https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=254239808&timestamp=1380796357054'
Tips
• Burp to sqlmap
• Burp is good at finding SQLi
• sqlmap is better exploiting them
• There is a plugin for that
• Gason
Tips
• Alternative
• right-click request -> Copy to file
• sqlmap -r <savedfile>
Tips
• More at www.burpextensions.com
• Proxy Color - colorize requests based on regexp
• JSBeautifier - beautifies JS
End
• @tmendo
• tiagomendo at gmail.com - tiago.mendo at telecom.pt
• https://www.facebook.com/ap2si
• Confraria de Segurança da Informação
• informal security presentations
• last Wednesday of each month
• free