untitled document [prof.ysu.ac.kr] suite.docx · web viewfigure 6 of this burp suite tutorial shows...



BURP SUITE, INTRUDER & REPEATER

10152076

하스비시 지하드 알라외

Cyber Forensic

Youngsan University

I. Burp Suite


Burp Suite is an integration of various tools put together for performing security testing of Web applications. Burp Suite helps the penetration tester in the entire testing process from the mapping phase through to identifying vulnerabilities and exploiting them. This Burp Suite guide series will help you understand the framework and make use of the features in various scenarios.

Figure 1. Burp Suite and supporting toolkit

The various features of Burp Suite are shown in Figure 1. These include proxy, spider, intruder, repeater, sequencer, decoder and comparer. As we move ahead in this Burp Suite guide, we shall learn how to make use of them seamlessly.

Burp proxy: Using Burp proxy, one can intercept the traffic between the browser and the target application. The proxy sits between the two as a deliberate man-in-the-middle, so every request and response can be inspected and edited before it is passed on. To demonstrate this feature, consider the following example of a Wikipedia login form (dummyuser:dummypassword) as shown in Figure 2. First, switch intercept to “on” in the suite. Forward sends the intercepted request on to the server, including any edits you made to it; Drop discards the request so that it never reaches the server.


Figure 2. Wikipedia login form

Figure 3. Intercepting login credentials with Burp proxy

Figure 3 shows the login credentials for en.wikipedia.org being captured. When these screenshots were taken, Wikipedia still served its login form over plain HTTP, which is why the credentials appear in clear text; Wikipedia has since moved to HTTPS only. HTTPS does not prevent Burp from intercepting your own browser's traffic: the proxy presents a per-host certificate signed by Burp's own CA, and once that CA certificate is installed in the browser's trust store the traffic is decrypted, shown in the intercept window and re-encrypted towards the server. Downgrade tools such as sslstrip, mentioned in earlier articles, are an attack against victims who do not trust the attacker's certificate and are not needed for testing through Burp.

Burp proxy captures the cookie details and HTTP headers of the page. Figure 4 and Figure 5 show the required setup to use this feature.


Figure 4. Options to set up prior to interception

The Burp proxy listener is enabled on Port 8080 of the local host. There are various options for intercept setup, including request methods, matching file extensions and URL scope for the client requests. Other options such as request type, content type and URL scope in the server responses are available, and can be selected based on the attack scenario.

The next step in this Burp Suite guide is to set up the browser wherein the request-response process is routed through port 8080 on a local host.


Figure 5. Browser setup

Going forward in this Burp Suite guide, a range of different steps can be performed from this point on. The captured request can be dropped, or sent to spider, sequencer or comparer (or to intruder and repeater, covered in later sections). There is an option to change the request method from GET to POST, and so on. The tool also allows for modification of headers and any other part of the HTTP message in transit; this is the basis of parameter-tampering and access-control tests, and edits made here reach the server exactly as written.

Burp sitemap and site scope

This part of our Burp Suite guide describes how to choose the scope of the security testing. Figure 6 shows the sitemap and site scope, displaying the various sections of a particular domain. A large number of hosts and paths are visible under www.google.com. Also note that items that have actually been requested are displayed in black, while items only discovered from links (but not yet requested) are greyed out.


Figure 6. Sitemap, site scope and keyword search

 


The screenshot in Figure 6 shows the search executed by the user using the keyword finder. In this case the search term “security” is highlighted.

Figure 7 shows the sitemap of Google. Any subdomain of interest can be chosen for further tests, based on the pen-testing scenario. While Google has been used for this Burp Suite guide, the target Web application could be any other as required for analysis.

Burp spider: The spider tool is used to get a complete list of URLs and parameters for each site. The tool starts from the pages that were visited manually and follows every link it finds within the testing scope. When using Burp spider, turn proxy interception off; otherwise each request the spider makes stops at the intercept prompt. The more links you visit manually before spidering, the better, as this gives the spider a larger starting set and therefore wider coverage.

For our Burp Suite guide, we will set up the spider using the Options menu. Of importance are authentication and the thread count. The authentication field can be set with a username and password combination so that when the spider comes across a login form it submits those credentials automatically. Figure 8 shows the Options tab of the Burp spider.

Figure 7. Google sitemap

Thread count is the number of concurrent requests the spider makes. For local testing this count can be high. A higher thread count means faster crawling, but also a larger load on the target, so keep it low against production systems.


Figure 8. Burp spider Options tab

Once spidering is complete, the next step in this Burp Suite guide is to use the scanner for testing (a Burp Suite Professional feature). Tests can be either active or passive. Active scanning sends additional crafted requests to the application and analyzes the responses for signs of a vulnerability. Passive scanning only examines the traffic that already passes through the proxy and flags issues visible in it, such as missing security headers or cleartext submission of credentials. Test results should always be validated by hand, as no automated tool is perfect. Burp Suite can be used to detect SQL injection and cross-site scripting (XSS) vulnerabilities, among others.


II. Burp intruder

Intruder is used to automate customized attacks against Web applications. It has four panels, target, positions, payloads and options, as seen in Figure 1.

Figure 1. Burp intruder

Target: This panel is used to specify the target host (the URL) and the port to use for the connection. There is a checkbox to use SSL/TLS (HTTPS) if required. Figure 2 shows the target panel.

Figure 2. Target panel in Burp intruder

Positions: This panel is very important in automating attack strings on the target. Here you mark where in the request payloads are inserted, and choose one of four attack types: sniper, battering ram, pitchfork and cluster bomb.


Figure 3. Positions panel, with the different attack types

In this Burp Suite tutorial, Figure 3 shows that the payload positions are automatically highlighted with the § character. This is achieved by clicking the Auto § button to the right, which marks every parameter value and cookie in the request. You can add or clear markers and customize the scenario as required.

The sniper attack uses a single payload set and targets one position at a time: for each marked position it cycles through every payload while the other positions keep their original values, so the total number of requests is the number of payloads multiplied by the number of positions. This is the usual choice for fuzzing individual parameters for SQL injection and XSS.

A battering ram attack also uses a single payload set, but inserts the same payload into every marked position at once, so the number of requests equals the number of payloads. It is used when one value must appear in several places in the same request; for instance a login where the username and password are identical, which works surprisingly often when the password quality rules and policies are weak. Some enumeration of valid usernames beforehand makes this form of attack far more effective.


The pitchfork and cluster bomb attacks are used when multiple payload sets are required, one set per position. Pitchfork walks the sets in parallel: the first payload of each set goes into its position in request 1, the second of each set in request 2, and so on, so it suits data that belongs together, such as username/password pairs taken from a credential leak. Cluster bomb tries every combination, each payload in the first set against each payload in the second (n × m requests), which is what you want when breaching a login form from separate username and password lists.
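The four attack types above, as an added Python example that is not part of the tutorial: it expands a request template with § markers into the concrete requests each type would send, so the difference between them can be seen rather than described. The request, the host name target.example and the payload lists are constructed for illustration.

```python
"""Added example (not from the tutorial): how Burp Intruder's four attack
types expand payload positions into concrete requests. The template,
host name and payload lists below are constructed for illustration."""
import itertools
import re
from typing import Dict, Iterator, List

# Constructed base request; § marks the payload positions, as Intruder does.
TEMPLATE = (
    "POST /admin.asp HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=§admin§&password=§secret§"
)
MARKER = re.compile(r"§([^§]*)§")


def base_values(template: str) -> List[str]:
    """Original values between the § markers, left to right."""
    return MARKER.findall(template)


def fill(template: str, values: List[str]) -> str:
    """Substitute one value per marked position, left to right."""
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: List[str]) -> Iterator[str]:
    """One payload set, one position at a time; other positions keep their base value."""
    base = base_values(template)
    for pos in range(len(base)):
        for p in payloads:
            values = list(base)
            values[pos] = p
            yield fill(template, values)


def battering_ram(template: str, payloads: List[str]) -> Iterator[str]:
    """One payload set; the same payload goes into every position at once."""
    n = len(base_values(template))
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template: str, sets: List[List[str]]) -> Iterator[str]:
    """One set per position, walked in parallel; stops at the shortest set."""
    for combo in zip(*sets):
        yield fill(template, list(combo))


def cluster_bomb(template: str, sets: List[List[str]]) -> Iterator[str]:
    """One set per position, every combination (cartesian product)."""
    for combo in itertools.product(*sets):
        yield fill(template, list(combo))


def body(request: str) -> str:
    """The form body of a request, for compact display."""
    return request.rsplit("\r\n", 1)[1]


def request_counts(template: str, sets: List[List[str]]) -> Dict[str, int]:
    """Requests each attack type generates; sniper and battering ram use only set 1."""
    return {
        "sniper": sum(1 for _ in sniper(template, sets[0])),
        "battering_ram": sum(1 for _ in battering_ram(template, sets[0])),
        "pitchfork": sum(1 for _ in pitchfork(template, sets)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(template, sets)),
    }


if __name__ == "__main__":
    users = ["admin", "root", "guest"]        # constructed payload set 1
    passwords = ["admin", "' OR 1=1--"]       # constructed payload set 2
    print(request_counts(TEMPLATE, [users, passwords]))
    for req in cluster_bomb(TEMPLATE, [users, passwords]):
        print(body(req))
```

With three usernames and two passwords the counts come out as sniper 6 (3 payloads × 2 positions), battering ram 3, pitchfork 2 (the shorter list ends the attack) and cluster bomb 6 (3 × 2); against real lists the cluster bomb count grows as the product of the list sizes, which is why it is the one to watch for lockouts and rate limits.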

In this section of our Burp Suite tutorial, we shall attempt a SQLi attack on the demo page of etopshop at the following URL: http://www.etopshop.com/demo/pcstore/admin.asp.

SQL injection testing using Burp intruder

After capturing the login request as described in Part 1 of this Burp Suite tutorial series, mark the username and password fields as payload positions. Since the attack injects into two parameters, we need a multiple-payload attack type. We shall choose the pitchfork attack from the dropdown menu and load the preset list of SQL injection strings as the payload set for each position, so that each request tries the corresponding attack string in both fields. Figure 4 shows the options being set for the attack.


Figure 4. SQL injection testing using Burp intruder

There are several payload types available here. These include simple lists, character substitution, numbers, random characters, brute force, dates, and so on. For this Burp Suite tutorial we have used the preset list. Once the options and payloads are set, we are ready to test the target. To do so, go to Intruder in the menu bar and click Start attack.


Figure 5. SQL attack in progress with Burp intruder

Figure 5 shows the SQL injection attack in progress. The results tab lists every payload sent to the target, together with the status code and length of each response; sorting by length is the quickest way to spot the one request that was answered differently. The request tab shows the raw HTTP request and how the payloads are placed at the chosen markers. The response tab shows that the injection succeeded: the HTML source contains a “welcome” message. To see the webpage as a browser would, click Render.


Figure 6. Successful SQL injection of the target

Figure 6 of this Burp Suite tutorial shows the successful penetration of the Web application, using the SQL injection vulnerability. Similarly, XSS attack vulnerabilities can also be checked using the preset list to load XSS strings and probe the target.
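Why the login bypass in Figures 5 and 6 works, and what stops it, as an added Python example that is neither the tutorial's code nor the etopshop demo's (whose server side this page does not show). The in-memory table, the account and the query shape are constructed; the three payloads are the kind found in Intruder's preset SQL injection list, and bypassing_payloads replays what the Intruder run does, one request per payload.

```python
"""Added example (not from the tutorial or the etopshop demo): why the
login bypass of Figures 5 and 6 works, and what stops it. The table,
account and query shape are constructed for illustration."""
import sqlite3
from typing import Callable, List, Optional

# A constructed subset of the kind of strings in Intruder's preset SQL injection list.
SQLI_PAYLOADS = ["' OR '1'='1", "' OR 1=1--", "admin'--"]


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'Tr0ub4dor&3')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the query by string concatenation: the classic injectable login.
    Returns the logged-in username, or None when the credentials are rejected."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the input is data and can never
    change the query structure, so every payload is just a wrong password."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def bypassing_payloads(con: sqlite3.Connection, login: Callable[..., Optional[str]],
                       field: str) -> List[str]:
    """Which payloads log in when placed in the given field ('username' or
    'password') with a junk value in the other one. This is what the
    Intruder run in Figure 5 does, one request per payload."""
    hits = []
    for p in SQLI_PAYLOADS:
        args = (p, "junk") if field == "username" else ("junk", p)
        try:
            if login(con, *args) is not None:
                hits.append(p)
        except sqlite3.Error:
            # A database error on crafted input is itself evidence of injection,
            # but it is not a successful login, so it is not counted here.
            pass
    return hits


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        for field in ("username", "password"):
            print(name, field, bypassing_payloads(db, fn, field))
```

Note that ' OR '1'='1 succeeds only in the password field: in the username field it yields WHERE username = '' OR '1'='1' AND password = 'junk', and because AND binds tighter than OR the password check still applies. That is why a pitchfork run over both fields, as in the tutorial, finds bypasses that a sniper run over one field can miss, and why a payload that produces a database error is worth following up in Repeater even though it did not log in.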

III. Burp repeater

Let us now move to Burp repeater in this Burp Suite tutorial. Burp repeater is a tool for manually modifying an HTTP request, resending it as often as needed and examining each response. It is the natural place to probe one suspected vulnerability by hand, adjusting a single parameter at a time. Basically, it is used to play back requests to the server.


Understanding XSS with Burp repeater

For this Burp Suite tutorial, we shall use a vulnerable Web application at http://www.steve.org.uk/Security/XSS/Tutorial/simple.html for understanding and analyzing XSS (cross-site scripting) vulnerability in a webpage.

Figure 7. Burp repeater panel

In Figure 7, the parameter whose value is reflected into the page has been highlighted. We need to find out whether the input is sanitized (output-encoded) before it is written into the page. First, we shall attempt a simple HTML injection as shown in Figure 8. The tag appears in the response as markup rather than as text, which tells us that HTML tags are not sanitized in the input. As before, use Render to preview the webpage within the tool in its own panel.


Figure 8. HTML injection

Next, we will try probing for XSS vulnerabilities. For this we need to inject HTML that executes script. The attack string could be a simple iframe with a javascript: URL, such as:

<iframe src="javascript:alert('XSS')"></iframe>

(A plain <script>alert('XSS')</script> works just as well where script tags are not filtered; the iframe form is one of the usual alternatives when they are.)


Figure 9. Iframe injection using repeater

In Figure 9 of this Burp Suite tutorial, we see that the iframe code is injected into the source of the webpage unchanged. Check the browser to confirm that the script actually executes: the context of the reflection (HTML body, attribute value or JavaScript string) decides whether a reflected payload runs, so the source alone is not proof. We see that there is a reflected XSS vulnerability on the target, as shown in Figure 10.

Figure 10. Confirming XSS vulnerability in the target
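The reflection check performed by hand in Repeater, as an added Python example that is not the tutorial's code. A constructed handler (render_vulnerable) mimics what the tutorial observes on the steve.org.uk demo page by echoing the input raw; a second handler (render_fixed) shows the fix, HTML output encoding. The page template and the probe strings are constructed.

```python
"""Added example (not from the tutorial): the reflection check done by hand
in Repeater, as code. The page template, the handlers and the probe strings
are constructed; render_vulnerable mimics the behaviour the tutorial
observes on the steve.org.uk demo page."""
import html
from typing import Callable, Dict

PAGE = "<html><body><p>You searched for: {}</p></body></html>"

# Probes in the order the tutorial uses them: harmless HTML first, then script execution.
PROBES = {
    "html_injection": "<b>probe</b>",
    "iframe_javascript": "<iframe src=\"javascript:alert('XSS')\"></iframe>",
    "script_tag": "<script>alert('XSS')</script>",
}


def render_vulnerable(user_input: str) -> str:
    """Reflects the input into the HTML body without encoding."""
    return PAGE.format(user_input)


def render_fixed(user_input: str) -> str:
    """Output-encodes for an HTML text context: < > & " ' become entities,
    so the browser shows the probe as text instead of parsing it as markup."""
    return PAGE.format(html.escape(user_input, quote=True))


def reflected_unencoded(response: str, probe: str) -> bool:
    """True when the probe appears verbatim, i.e. its markup reached the page intact."""
    return probe in response


def probe_page(render: Callable[[str], str]) -> Dict[str, bool]:
    """Send every probe through a handler and report which come back unencoded.
    A True here is what Figure 9 shows in the response source; whether it
    executes still depends on the browser and the context of the reflection."""
    return {name: reflected_unencoded(render(p), p) for name, p in PROBES.items()}


if __name__ == "__main__":
    print("vulnerable:", probe_page(render_vulnerable))
    print("fixed:     ", probe_page(render_fixed))
```

The encoded form of the fixed response is what a clean Repeater response looks like: &lt;script&gt; in the source, and the literal probe text on screen when rendered. Encoding is context-specific; html.escape is correct for the HTML body and attribute values, but a value reflected inside a JavaScript string or a URL needs the encoding for that context instead.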

In this installment of our Burp Suite tutorial, we have covered the intruder and repeater tools in detail. We have also explained how to analyze the target for Web-related security bugs such as SQL injection and cross-site scripting. In the third and final installment, we shall cover the remaining tools of Burp Suite.


IV. Burp sequencer

The Burp sequencer tool is used to estimate how random the session tokens generated by the Web application are. A predictable token (sequential, time-based, or from a weak generator) can be guessed or brute-forced, handing the attacker a valid session without any credentials, so a high degree of effective entropy in session token IDs is important. For this Burp Suite training tutorial, let us start with sending a request whose response contains a session token.

Figure 1. Token request using sequencer

Figure 1 shows a token request to the website google.com. The right side of the screenshot has the token start and token end expressions, which tell sequencer where in the response the token lies. For the start you can either specify an expression such as “Google” that precedes the token, or set a fixed offset. The token end can likewise be defined by a delimiter or by a fixed length. After fixing these parameters, click START CAPTURE.


Figure 2. Start capture action panel

The start capture action panel is depicted in Figure 2. It repeatedly resends the request to the target, collects one token from each response and gives a detailed analysis of the randomness of the collected tokens. You can pause or stop the capture at any point. For this Burp Suite training tutorial, stop the capture midway and check out the results; the more tokens collected, the more reliable the verdict, and the FIPS-derived tests described below are defined for 20,000-bit samples. The screenshot in Figure 3 explains the results better.

Figure 3. Token randomness analysis results

The scan components are as follows:

a. Overall result

b. Effective entropy

c. Reliability

d. Sample size

Burp automatically analyzes these aspects and generates this report in the sequencer tool. Burp also provides character-level analysis, which reports, through a graphical display, the degree of confidence that each character position in the token is random. The same analysis can be performed at the bit level, after the tokens have been converted to a bit sequence. There is an option to pad characters and also to decode in base64 if needed.

For this Burp Suite training tutorial, let us look at the following options provided by Burp sequencer. None of these is compulsory for analysis and they can be chosen or dropped as desired.

1. Character count analysis

This test analyzes the distribution of characters used at each position within the tokens; a position that only ever takes a few values contributes little entropy.

2. Character transition analysis

This test analyzes the transitions between the characters at each position in successive tokens. A counter-like token shows highly regular transitions; a random one does not.

3. FIPS monobit test

This test counts the 0s and 1s at each bit position across the sample. If the generation is random, the two counts are likely to be approximately equal.

4. FIPS poker test

This divides the bit sequence into consecutive, non-overlapping groups of four bits and counts how often each of the 16 possible values occurs. The distribution is evaluated by a chi-square calculation.

5. FIPS runs test

As the name suggests, the bit sequence is divided into runs of consecutive bits with the same value, and the number of runs of each length is compared with what a random sequence would produce.

6. FIPS long runs test

Similar to the FIPS runs test, this test analyzes the longest run of consecutive bits with the same value; a very long run indicates a non-random source.

7. Spectral tests

This is an advanced method with more complex statistics. It treats successive bits as coordinates of points in multidimensional space and looks for structure in how the points are distributed.

8. Correlation test

The tests described thus far analyze each bit position in isolation. The correlation test checks whether the value at one bit position is correlated with the values at other positions.

9. Compression test

This test works on the principle of the standard ZLIB compression technique. The bit sequence is compressed and the degree of compression is calculated. A higher degree of compression translates to a lower degree of randomness.
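An added Python example, not from the tutorial and not Burp's code, implementing the four FIPS tests above (monobit, poker, runs, long runs) over a 20,000-bit sample and running them against a constructed counter-based session token generator and a seeded pseudo-random one. The thresholds assumed are the FIPS 140-2 values for a 20,000-bit stream; Burp's own implementation generalises these tests to whatever sample size was captured, so its exact numbers differ.

```python
"""Added example (not from the tutorial, and not Burp's code): the four
FIPS tests above, in their FIPS 140-2 form over a 20,000-bit sample, run
against a constructed counter-based session token generator and a seeded
pseudo-random one. Thresholds are the FIPS 140-2 values as assumed here;
Burp generalises these tests to whatever sample size was captured."""
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SAMPLE_BITS = 20_000
MAX_RUN = 26                      # FIPS 140-2 long-run limit (140-1 used 34)
# Allowed counts of runs of each length (6 means "6 or more"), per bit value.
RUNS_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}


def tokens_to_bits(tokens: Iterable[str]) -> List[int]:
    """Concatenate hex tokens into one bit list, truncated to SAMPLE_BITS."""
    bits: List[int] = []
    for token in tokens:
        for ch in token:
            bits.extend(int(b) for b in format(int(ch, 16), "04b"))
        if len(bits) >= SAMPLE_BITS:
            return bits[:SAMPLE_BITS]
    raise ValueError("not enough tokens for a %d-bit sample" % SAMPLE_BITS)


def monobit(bits: List[int]) -> bool:
    """Number of ones must be close to half the sample."""
    return 9725 < sum(bits) < 10275


def poker(bits: List[int]) -> bool:
    """Chi-square over the 16 possible 4-bit values of 5,000 non-overlapping nibbles."""
    counts = Counter(tuple(bits[i:i + 4]) for i in range(0, SAMPLE_BITS, 4))
    x = (16 / 5000) * sum(c * c for c in counts.values()) - 5000
    return 2.16 < x < 46.17


def run_list(bits: List[int]) -> List[Tuple[int, int]]:
    """Maximal runs of identical bits as (bit value, run length)."""
    runs, start = [], 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            runs.append((bits[start], i - start))
            start = i
    return runs


def runs_test(bits: List[int]) -> bool:
    """Runs of each length, counted separately for 0s and 1s, must fall within bounds."""
    all_runs = run_list(bits)
    for value in (0, 1):
        counts = Counter(min(length, 6) for v, length in all_runs if v == value)
        if any(not lo <= counts[k] <= hi for k, (lo, hi) in RUNS_BOUNDS.items()):
            return False
    return True


def long_runs(bits: List[int]) -> bool:
    """No run of identical bits may reach MAX_RUN."""
    return max(length for _, length in run_list(bits)) < MAX_RUN


def fips_report(tokens: Iterable[str]) -> Dict[str, bool]:
    """Pass/fail for each of the four tests on a sample built from the tokens."""
    bits = tokens_to_bits(tokens)
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs_test(bits), "long_runs": long_runs(bits)}


def weak_tokens(n: int) -> List[str]:
    """Constructed weak generator: a zero-padded counter, i.e. a sequential session id."""
    return [format(1000 + i, "016x") for i in range(n)]


def seeded_tokens(n: int, seed: int = 1234) -> List[str]:
    """Deterministic stand-in for a good generator; real code would use secrets.token_hex(8)."""
    rng = random.Random(seed)
    return [format(rng.getrandbits(64), "016x") for _ in range(n)]


if __name__ == "__main__":
    print("counter tokens:", fips_report(weak_tokens(400)))
    print("seeded tokens: ", fips_report(seeded_tokens(400)))
```

The counter-based tokens fail all four tests outright: almost every bit is zero, so the monobit count collapses, the poker statistic explodes because the 0000 nibble dominates, and each token contributes a run of more than fifty zeros. That is the pattern to expect from Burp's bit-level report on a sequential or timestamp-derived session ID; a token from a cryptographic generator has no such structure, and 20,000 bits is the minimum sample at which these particular thresholds are meaningful.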

Burp decoder

Burp decoder transforms data for you. Any request, response or selected fragment can be sent to the decoder, where it can be encoded or decoded in formats such as URL, HTML, base64 and ASCII hex, or hashed with MD5, SHA-1 and others. Several transformations can be chained, which is how a value that was URL-encoded and then base64-encoded gets unwrapped.


Figure 4. Burp decoder screenshot

Figure 4 depicts a Burp decoder request. For our Burp Suite training tutorial, consider an encoded request such as the one shown in Figure 5. The upper portion shows a request encoded in the base64 format while the lower one depicts the request decoded into plain text. While the entire request has been encoded here, you could also selectively choose a portion of the request to decode/encode.  

Figure 5. Encoded request

This tool is useful when the client encodes or hashes the username and password before sending them, for example base64 in an HTTP Basic Authorization header. Encoding is not encryption: the username or password field can be selectively decoded and viewed in plaintext by anyone who captures it, and an unsalted MD5 or SHA-1 hash of a password can be looked up in precomputed tables or cracked offline.

Burp comparer

Burp comparer is used for comparisons between two sets of data. For instance, the two sets could be the responses to two different requests, such as a login attempt with a valid username and one with an invalid username. The comparison can be performed either word by word or byte by byte. Burp highlights the differences for the user, which makes small variations in response length or wording (often the only visible sign of a vulnerability) easy to spot. For this Burp Suite training tutorial, the comparison shown in Figure 6 is of two different requests to a website.


 

Figure 6. Comparison of requests to a website

This ends the Burp Suite training tutorial series. The extent to which Burp Suite can be used is limited only by the imagination of the user.

THANK YOU