Burp Suite: The Basics

11 months ago

kawsar uddin

This room is an introduction to using Burp Suite for Web Application pen-testing

Task 2: Getting Started What is Burp Suite?:

Which edition of Burp Suite will we be using in this module?

Answer: Burp Suite Community

Which edition of Burp Suite runs on a server and provides constant scanning for target web apps?

Answer: Burp Suite Enterprise

Burp Suite is frequently used when attacking web applications and ______ applications.

Answer: mobile

Note:

What is Burp-Suite?

=>Burp Suite is a framework written in Java that aims to provide a one-stop shop for web application penetration testing. In many ways, this goal is achieved as Burp is very much the industry standard tool for hands-on web app security assessments. Burp Suite is also very commonly used when assessing mobile applications, as the same features which make it so attractive for web app testing translate almost perfectly into testing the APIs (Application Programming Interfaces) powering most mobile apps.

Burp Suite Professional is an unrestricted version of Burp Suite Community. It comes with features such as:

- An automated vulnerability scanner
- A fuzzer/brute forcer that isn't rate limited
- Saving projects for future use; report generation
- A built-in API to allow integration with other tools
- Unrestricted access to add new extensions for greater functionality
- Access to the Burp Suite Collaborator (effectively providing a unique request catcher, self-hosted or running on a PortSwigger-owned server)

Burp Suite Enterprise is slightly different. Unlike community and professional editions, Burp Enterprise is used for continuous scanning. It provides an automated scanner that can periodically scan web apps for vulnerabilities in much the same way as software like Nessus performs automated infrastructure scanning. Unlike the other editions of Burp Suite which allow you to perform manual attacks from your own computer, Enterprise sits on a server and constantly scans target web apps for vulnerabilities.

Task 3: Getting Started Features of Burp Community:

Which Burp Suite feature allows us to intercept requests between ourselves and the target?

Answer: proxy

Which Burp tool would we use if we wanted to brute force a login form?

Answer: intruder

Task 7: Getting Started Options:

Change the Burp Suite theme to the dark mode

Answer: Completed

The dark display

In which Project Options sub-tab can you find a reference to a “Cookie jar”?

Answer: Sessions

The Cookie Jar options

In which User options sub-tab can you change the Burp Suite update behavior?

Answer: Misc

The Misc option

What is the name of the section within the User options “Misc” sub-tab which allows you to change the Burp Suite keybindings?

Answer: Hotkeys

If we have uploaded Client-Side TLS certificates in the User options tab, can we override these on a per-project basis (Aye/Nay)?

Answer: Aye

Task 8: Proxy Introduction to the Burp Proxy :

Which button would we choose to send an intercepted request to the target in Burp Proxy?

Answer: Forward

[Research] What is the default key bind for this?

Note: Assume you are using Windows or Linux (i.e. swap Cmd for Ctrl).

Answer: Ctrl+F

Note:

Ctrl + F is the default hotkey to Forward an intercepted message

Task 9: Proxy Connecting through the Proxy (FoxyProxy):

Read through the options in the right-click menu.

There is one particularly useful option that allows you to intercept and modify the response to your request.

What is this option?

Note: The option is in a dropdown sub-menu.

Answer: Response to this request

The option

Task 11: Proxy The Burp Suite Browser:

Using the in-built browser, make a request to http://MACHINE_IP/ and capture it in the proxy.

Answer: Done

Note:

Click the "Open Browser" button in the "Proxy" tab to launch the Burp browser. When Burp is running as the root user (as it does on the TryHackMe AttackBox), the embedded Chromium browser refuses to start with its sandbox enabled, so the browser will not open and you will see this pop-up.

The pop-up

To get past this, go to "Project options -> Misc -> Allow the embedded browser to run without a sandbox" and tick the checkbox. Disabling the sandbox removes one of the browser's own defence-in-depth layers, so only do this on a disposable lab machine; the cleaner fix is to run Burp as a non-root user so the sandbox can stay on.

The option to open the burp browser without using the sandbox

Now return to the “Proxy” option and click “Open Browser”. See the browser opened.

The burp browser

Click the "Intercept is off" button in the "Proxy" tab to turn interception on; the label changes to "Intercept is on".

The option changed to “Intercept is on”

Visit any page using the Burp browser and see that the request is held by the proxy in Burp Suite.

The burp browser
The caught traffic

Task 12: Proxy Scoping and Targeting:

Add http://MACHINE_IP/ to your scope and change the Proxy settings to only intercept traffic to in-scope targets.

See the difference between the amount of traffic getting caught by the proxy before and after limiting the scope.

Answer: Done

Note:

Finally, we come to one of the most important parts of using the Burp Proxy: Scoping.

It can get extremely tedious having Burp capture all of our traffic. When it logs everything (including traffic to sites we aren’t targeting), it muddies up logs we may later wish to send to clients. In short, allowing Burp to capture everything can quickly become a massive pain.

Setting a scope for the project allows us to define what gets proxied and logged. We can restrict Burp Suite to only target the web application(s) that we want to test. The easiest way to do this is by switching over to the “Target” tab, right-clicking our target from our list on the left, then choosing “Add To Scope”. Burp will then ask us whether we want to stop logging anything which isn’t in scope — most of the time we want to choose “yes” here.

The gif

We can now check our scope by switching to the “Scope” sub-tab (as shown in the GIF above).

The Scope sub-tab allows us to control what we are targeting by either Including or Excluding domains / IPs. This is a very powerful section, so it’s well worth taking the time to get accustomed to using it.

We just chose to disable logging for out-of-scope traffic, but the proxy will still be intercepting everything. To turn this off, we need to go into the Proxy Options sub-tab and select "And URL Is in target scope" from the Intercept Client Requests section:

With this option selected, the proxy will completely ignore anything that isn’t in the scope, vastly cleaning up the traffic coming through Burp.
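Burp's scope logic is simple enough to reproduce, and seeing it on a captured request list makes the "before and after" of this task concrete. The block below is an added example, not code from the room or from PortSwigger: it evaluates include/exclude rules the way the Scope sub-tab does (exclude wins over include; host, optional protocol and port, path prefix), filters a constructed proxy history against them, and groups what survives into a Site map-style tree. The target IP is the one used later in this room; the third-party hosts and the /logout exclusion are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of proxy history, standing in for what Burp captured before
# the scope was set. 10.10.22.146 is the target machine from this room; the
# other hosts are the kind of background noise a browser generates on its own.
CAPTURED = [
    "http://10.10.22.146/",
    "http://10.10.22.146/about/",
    "http://10.10.22.146/products/",
    "http://10.10.22.146/ticket",
    "http://10.10.22.146/logout",
    "https://fonts.gstatic.com/s/roboto/v30/roboto.woff2",
    "https://www.google-analytics.com/collect?v=1&tid=UA-0",
    "http://detectportal.firefox.com/success.txt",
]

# Scope rules in the spirit of Burp's Target > Scope sub-tab: each rule names a
# host, optionally a protocol and port, and a path prefix. Exclude rules always
# win over include rules, which is how Burp evaluates scope as well.
INCLUDE = [{"host": "10.10.22.146", "path_prefix": "/"}]
# Hypothetical exclusion: keeping /logout out of scope stops automated tooling
# from ending your own session while it crawls.
EXCLUDE = [{"host": "10.10.22.146", "path_prefix": "/logout"}]

DEFAULT_PORTS = {"http": 80, "https": 443}


def _matches(rule, url):
    """True when url satisfies every field the rule specifies."""
    parts = urlsplit(url)
    if parts.hostname != rule["host"]:
        return False
    if "protocol" in rule and parts.scheme != rule["protocol"]:
        return False
    if "port" in rule:
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if port != rule["port"]:
            return False
    return (parts.path or "/").startswith(rule["path_prefix"])


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Equivalent of Burp's 'And URL Is in target scope' intercept rule."""
    if any(_matches(rule, url) for rule in exclude):
        return False
    return any(_matches(rule, url) for rule in include)


def filter_in_scope(urls):
    """Return only the requests the proxy would still intercept and log."""
    return [url for url in urls if in_scope(url)]


def build_site_map(urls):
    """Group in-scope URLs by host and top-level path, like the Site map tree."""
    tree = {}
    for url in filter_in_scope(urls):
        parts = urlsplit(url)
        first = parts.path.strip("/").split("/")[0]
        tree.setdefault(parts.hostname, set()).add("/" + first)
    return {host: sorted(paths) for host, paths in tree.items()}


if __name__ == "__main__":
    kept = filter_in_scope(CAPTURED)
    print(f"{len(CAPTURED)} requests captured, {len(kept)} in scope")
    for host, paths in build_site_map(CAPTURED).items():
        print(host, paths)
```

Of the eight constructed requests only four survive: the CDN, analytics and captive-portal checks are dropped because their host never matches, and /logout is dropped because an exclude rule matches it even though the include rule also does. Excluding logout (and anything else that destroys state) is worth doing on real engagements before letting a crawler or Intruder loose.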

The caught traffic after applying the scope.

Applying the scope
Selecting the rule

Now let us catch the traffic

The traffic after applying the rule

Task 13: Proxy Site Map and Issue Definitions:

Take a look around the site on http://10.10.22.146/ -- we will be using this a lot throughout the module. Visit every page linked to from the homepage, then check your sitemap -- one endpoint should stand out as being very unusual!

Visit this in your browser (or use the “Response” section of the site map entry for that endpoint)

What is the flag you receive?

Answer: THM{NmNlZTliNGE1MWU1ZTQzMzgzNmFiNWVk}

Look through the Issue Definitions list.

What is the typical severity of a Vulnerable JavaScript dependency?

Answer: Low

Note:

Start brute-forcing the directories using dirsearch.

Command: dirsearch -u http://<Victim_IP>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

The directories

Now visit each directory manually using the burp browser and check its response in the “Site Map” of the “Target” option.

The Site Map

When I visited the /ticket path, I got the URL below.

The URL after visiting the ticket

In the response, I got the flag.

The flag

Task 14: Practical Example Attack:

Note:

When I tried to type <script> into the email box, the special characters were not accepted: the form filters them on the client side before the request is ever sent. Client-side validation is not a security control, because the request is assembled in the browser and everything after that point is under the tester's control. So I intercepted the request in the proxy and inserted the payload there: <script>alert("Succ3ssful XSS")</script>

Before changing the email box input
The payload
The payload executed
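The reason editing the request in the proxy works is that the server only ever sees bytes on the wire, never the browser's input filter. The block below is an added example written for this writeup, not code from the room or the target application: it models the browser-side filter and the field name as assumptions, shows a handler that reflects the email straight into HTML (the behaviour the task exploits) next to the same handler with output encoding, and compares what each receives when the payload is typed in the page versus inserted into the intercepted request.

```python
import html
from urllib.parse import parse_qs, urlencode

# The payload used in this task. Straight quotes matter: smart quotes copied
# from a blog post would not parse as JavaScript.
PAYLOAD = '<script>alert("Succ3ssful XSS")</script>'


def client_side_filter(value):
    """Assumed stand-in for the form's browser-side input handling, which
    silently drops the characters needed to build a tag (modelled on the
    observation that '<' would not appear in the email box)."""
    return "".join(ch for ch in value if ch not in "<>\"'")


def form_body(email):
    """URL-encoded body the browser sends for the form (field name 'email' is assumed)."""
    return urlencode({"email": email})


def render_vulnerable(body):
    """Server reflects the submitted email straight into HTML, trusting the
    client-side filter to have removed anything dangerous."""
    email = parse_qs(body).get("email", [""])[0]
    return f"<p>Thanks, we will contact you at {email}</p>"


def render_hardened(body):
    """Same page with contextual output encoding: the reflected value is
    HTML-escaped, so it can no longer break out of the text node."""
    email = parse_qs(body).get("email", [""])[0]
    return f"<p>Thanks, we will contact you at {html.escape(email, quote=True)}</p>"


def typed_in_browser(payload):
    """What reaches the server when the tester just types into the page."""
    return form_body(client_side_filter(payload))


def sent_via_proxy(payload):
    """What reaches the server when the intercepted request is edited in Burp:
    the client-side filter never runs on the bytes we put on the wire."""
    return form_body(payload)


if __name__ == "__main__":
    print("typed :", render_vulnerable(typed_in_browser(PAYLOAD)))
    print("proxy :", render_vulnerable(sent_via_proxy(PAYLOAD)))
    print("fixed :", render_hardened(sent_via_proxy(PAYLOAD)))
```

Typed into the page, the payload arrives as a harmless string; inserted in the proxy, the vulnerable handler echoes the full <script> tag and the browser executes it, which is the alert seen in the screenshot. The hardened handler receives exactly the same proxied request and emits &lt;script&gt;... instead, which is the fix to recommend in the report: validate and encode on the server, and treat anything done in the browser as a usability aid only.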