Burp Suite

Published by Nick on

“Burp Suite is a framework of web application pentesting tools, it is widely regarded as the de facto tool to use when performing web app testing.” Source: https://tryhackme.com/room/rpburpsuite

I am using the “Burp Suite” room from TryHackMe to build this resource. Burp Suite is pre-installed on Kali Linux; if you’ll be installing Burp (as it’s commonly referred to) from scratch, you’ll need to first visit this link: https://portswigger.net/burp/communitydownload

We will use the Firefox web browser with Burp along with the Foxy Proxy extension. This extension will allow us to proxy traffic through Burp. In Foxy Proxy, we will add a new proxy and apply the settings below:

  • Title: BurpProxy
  • IP: 127.0.0.1
  • Port: 8080

After saving, we turn on the Burp proxy with the extension and navigate to http://127.0.0.1:8080. The Burp page has a CA certificate link at the top right from which the certificate can be downloaded and installed:

We install the certificate, then import it into the Firefox browser. Check the options for “Trust this CA to identify web sites” and “Trust this CA to identify email users”.

Below are the features of Burp Suite; I pasted these from TryHackMe:

  • Proxy – What allows us to funnel traffic through Burp Suite for further analysis
  • Target – How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
  • Intruder – Incredibly powerful tool for everything from field fuzzing to credential stuffing and more
  • Repeater – Allows us to ‘repeat’ requests that have previously been made with or without modification. Often used as a precursor step to fuzzing with the aforementioned Intruder
  • Sequencer – Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies
  • Decoder – As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
  • Comparer – Comparer, as you might have guessed, is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
  • Extender – Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
  • Scanner – Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.

    Source: https://tryhackme.com/room/rpburpsuite

Proxy servers allow us to relay our traffic through an alternative route to the internet. Using this tool, we can view and modify traffic at a granular level, which lets us intercept requests, review the request history, and more.

By default, traffic flowing through the Burp proxy is held for user interaction before it is sent on.

We can modify our requests in-line similar to what you might see in a man-in-the-middle attack.

We can also drop requests we don’t want to be sent; this can be useful for seeing what request is attempted after clicking a button or performing an action on a site.

We can also send these requests to other Burp tools such as Repeater and Intruder for modification and manipulation to find vulnerabilities.

Burp Lab

With the proxy enabled, when we go to this web app the page just sits there loading. This is because we need to decide what to do with the held traffic: we can click Forward in Burp to let the request through, or we can take action on it.

When we click Action, we can see the available options as well as the keyboard shortcuts for those options.

After turning Intercept off, the browser navigates to the OWASP Juice Shop page. We could have also clicked forward until the page loaded.

Next we go to the Target tab and click Add to scope.

Next we attempt to log in with a fake account to see what error we get.

If the error had just been “Invalid email”, we could have used that to find a valid username.

This request was not sent to Repeater via Intercept, but we can go into Proxy – History to get the request and send it to other Burp tools like Repeater and Intruder.

Next we go to Repeater and change the username and password to a single quote.

We get a SQL error that tells us the type of database and also that it has a SQL injection vulnerability.
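To show the two server-side weaknesses this lab surfaces (a login that tells unknown emails apart from wrong passwords, and a raw database error when the email contains a single quote), here is an added example in Python. It is not Juice Shop’s code: the in-memory SQLite table, `login_vulnerable` and `login_hardened` are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Unsalted SHA-256 is only here to keep the example short; real password
    # storage uses a salted, slow hash. The SQL-handling differences are the point.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    # Constructed sample table, not the real Juice Shop schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin@example.com", _hash("hunter2")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> dict:
    # The email is concatenated straight into the SQL, so the single quote
    # sent from Repeater in the post breaks the statement.
    query = f"SELECT email, password FROM users WHERE email = '{email}'"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as e:
        # The raw driver error goes back to the client, naming the DB engine.
        return {"status": 500, "error": f"sqlite3.{type(e).__name__}: {e}"}
    if row is None:
        return {"status": 401, "error": "Invalid email"}      # reveals unknown email
    if row[1] != _hash(password):
        return {"status": 401, "error": "Invalid password"}   # reveals valid email
    return {"status": 200, "user": row[0]}


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> dict:
    # Parameterised query: a quote in the email is just data, never SQL.
    row = conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchone()
    # One generic message whether the email is unknown or the password is wrong,
    # so the response cannot be used to enumerate accounts.
    if row is None or not hmac.compare_digest(row[1], _hash(password)):
        return {"status": 401, "error": "Invalid email or password"}
    return {"status": 200, "user": row[0]}
```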
