Burp Suite
From charlesreid1
Contents
Installing
Mac
Use the Mac installer provided by portswigger: https://portswigger.net/burp/communitydownload
Debian Linux
Dependencies
The jarwrapper library is required to install burpsuite:
sudo apt-get install jarwrapper
Installing burpsuite with KaliTools
Use KaliTools to install burpsuite on a non-Kali machine:
cd kali-tools python3 kali.py burpsuite cd dist/burpsuite dpkg-buildpackage -us -uc -b cd ../ sudo dpkg -i burpsuite_1.7.30-0kali1_all.deb sudo apt-get upgrade burpsuite
Incompatible JRE
Ran into a problem with the Burp Suite community edition:
"Your JRE appears to be version 11.0.14 from Debian. Burp has not been fully tested on this platform and you may experience problems."
I used aptitude to install the openjdk-11-jre package, and that's the package causing the above error. It seemed like it should have been working fine. I tried upgrading jarwrapper, and that did the trick:
sudo apt-get -y upgrade jarwrapper
List of Features
Link to UI overview: https://www.youtube.com/watch?v=nECt-0zW0O4
Tabs:
- Dashboard: view and configure automated tasks, scans; view results from scan
- Target: view and explore all data captured from scans or Burp Proxy browser sessions
- Target Scope: specify details about targets, allows driving highly configured scans
- Proxy: intercept, view, and modify traffic via the browser
- History: view all the requests made as part of the session
- Options: define all of the settings of the proxy server
- Intruder: automating custom attacks by sending a request into Intruder, and configuring details of the payload
- Repeater: used to take a request, modify it, and send it, over and over
- Sequencer: analyzes the randomness of various random data/tokens; collects large amount of data and runs statistical tests
- Decoder: decode or encode data from various formats (URL encoding, base64 encoding, etc.)
- Comparer: word- or byte-level comparison of two pieces of data
- Extender: customizes Burp's behavior using extensions you wrote yourself using Burp's API, or extensions from the BApp Store
Menu:
- Search: searches all of Burp's tools and items for particular expressions
- Configuration Library: maintain separate configurations for different tools
- Burp Infiltrator: dynamic analysis tool, can run a Burp-instrumented binary and disover potentially unsafe APIs on the server side
- Burp Clickbandit: generating clickjacking attacks; copy script into browser, walk through sequence of actions you want victim to take, Clickbandit generates a PoC clickjacking attack
- Burp Collaborator client: work manually with Burp Collaborator payloads
Usage
Proxy
The Burp Proxy is a proxy server built into Burp that has its own private certificate authority. It also has a built-in Chromium browser that passes all of its traffic through the proxy so that it can be inspected.
Intercepting Traffic
One basic use of Burp is intercepting traffic.
To do this, go to Proxy > Intercept. You can open the Chromium browser included with Burp, which will use the Burp proxy.
When you open the browser, it will not intercept traffic by default, you have to click "Intercept Off" to switch it to "Intercept On".
Once you do that, you'll see each request come up as it is happening in the browser, and you can Forward the request or Drop it.
You will see all requests that are made as part of loading a page, so if there are multiple API calls being made, you'll see each one as a separate request.
Modifying Traffic
The content of requests can also be modified before the request is forwarded.
The first Burpsuite tutorial [1] on intercepting traffic demonstrates how this can be used to exploit a vulnerable e-commerce shopping site.
Intercept Rules
The Burp Proxy supports rules to filter which traffic is intercepted, so that if there are a very large number of requests, only the relevant requests are intercepted.
Go to Proxy > Options
The Options page has a section for client requests and a section for server responses. By default, only client requests are intercepted. You can enable server response intercepts here if you wish.
In those sections you can add rules to a list, to define what traffic gets intercepted. Each rule can be individually toggled on or off. Each rule has a logical operator that applies to it (and/or), a field to check for a match, and what conditions must be met for that field to be a match.
Rules are processed in order, top to bottom. No scope.
Useful Client Intercept Rules
A few useful intercept rules to have available to be enabled:
- Match requests where the file extension does not match gif/jpg/png/css/js/html/etc
- Match requests that contain parameters
- Match any HTTP request that is not GET or POST
- Only match URLs that are in the target scope
Modifying Target Scope
If there is a particular URL that you want to ignore all requests for, like example.com/assets
, then you can ignore those requests two different ways:
- The first way is to create a rule that only matches requests where the URL does not contain
/assets
- The second way is to go to the Target tab, find the site example.com, right click on the site, and include it in the Target Scope. Then collapse the tree, and find the location to exclude,
/assets
. Right click on that folder and exclude it from the Target Scope. Now add an intercept rule that limits intercepted requests to ONLY URLs that are in the target scope.
Intercepted Request Actions
When a request is intercepted, there is an "Action" menu at the top that has a lot of useful functions.
Two submenus in the Action menu, "Don't intercept requests" and "Do intercept requests," will automatically create Intercept Rules based on various fields of the intercepted request - for example, the host, the IP, the file extension, or the directory in the URL.
This makes it easy to narrow in on the requests of interest: start by intercepting all requests, then use the Actions menu to filter out requests that aren't interesting.
Repeater
Burp Repeater is a tool for examining, editing, and resending HTTP requests.
Sending Requests to Repeater
The easiest way to send a request to Repeater is to use the right-click context menu.
Use the Burp Proxy browser and browse to a page of interest. Then go to Proxy > HTTP history, and find the request you want to repeat. Right click and choose "Send to Repeater".
How to Use Repeater
Repeater allows you to rapidly edit a request, and re-send it with one click of a button. The request and response are displayed side by side, and each request is in a separate tab.
Repeater won't automatically generate edits, or create a bunch of requests for you. It is intended to make the manual workflow of modifying requests and examining the responses easier.
Specific Types of Attack
SQL Injection
Can use Repeater to easily capture a vulnerable request, and use it to craft SQL injection queries. Repeater makes it easy to convert plain text SQL queries into URL-encoded queries.
Cross-Site Scripting
Cross-site scripting involves manipulating the page that the browser is loading, in order to allow an attacker to inject Javascript that is run by the victim's browser. This provides the attacker to compromise the user's interaction with that web application.
Links and Resources
PortSwigger Training
SQL injection training: Burp Suite/SQL Injection
Official Tutorials
Tutorial 1: intercepting HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
- Burp Proxy lets you intercept HTTP requests and responses sent between your browser and the target server
- Enables studying behavior of websites when different requests are sent
- Open Burpsuite and go to Proxy > Intercept
- Click Open Browser, which opens a built-in, embedded browser
- Can browse without intercept turned on, normal experience
- Turning on intercept will show each request, give the option to forward or drop
- Proxy also records a history of each request
- Burp Proxy also lets you modify HTTP requests
- (Tutorial requires setting up an account on portswigger and using an example vulnerable website)
- Basically you can just edit the request when you see it, before you click Forward or Drop
Tutorial 2: Using Repeater to send repeated requests: https://portswigger.net/burp/documentation/desktop/getting-started/reissuing-http-requests
- Open the Burp Proxy browser and browse to the vulnerable website
- (Turn off Interception)
- Go to a product page, and look at the HTTP request history
- Find a request for a /product API endpoint
- Right click the request and select "Send to Repeater"
- Go to the Repeater tab
- Can click Send with the existing request, and view the response
- Can modify the request, hit Send, and view new response
- Each response is saved
- Tampering with parameters - setting parameter to string instead of integer leads to 500 error, and stack trace is shown
- Stack trace shows version number of software package
Flags