Notes on web application pentesting tools.
Basic Summary of Tools in Burp (Thanks to TryHackMe)
- Proxy — Allows us to funnel traffic through Burp Suite for further analysis
- Target — How we set the scope of our project. We can also use this to effectively create a site map of the application we are testing.
- Intruder — Incredibly powerful tool for everything from field fuzzing to credential stuffing and more
- Repeater — Allows us to ‘repeat’ requests that have previously been made with or without modification. Often used in a precursor step to fuzzing with the aforementioned Intruder
- Sequencer — Analyzes the ‘randomness’ present in parts of the web app which are intended to be unpredictable. This is commonly used for testing session cookies
- Decoder — As the name suggests, Decoder is a tool that allows us to perform various transforms on pieces of data. These transforms vary from decoding/encoding to various bases or URL encoding.
- Comparer — Comparer, as you might have guessed, is a tool we can use to compare different responses or other pieces of data such as site maps or proxy histories (awesome for access control issue testing). This is very similar to the Linux tool diff.
- Extender — Similar to adding mods to a game like Minecraft, Extender allows us to add components such as tool integrations, additional scan definitions, and more!
- Scanner — Automated web vulnerability scanner that can highlight areas of the application for further manual investigation or possible exploitation with another section of Burp. This feature, while not in the community edition of Burp Suite, is still a key facet of performing a web application test.
Using the Burp Suite room on THM, we use Repeater against the website “OWASP Juice Shop”. We intercept a failed login request and send it to Repeater for further testing.
Here we can edit the email and password values to send our own payloads. Setting the email and password to a single quote makes the server return an error, which shows that the login query is vulnerable to SQL injection (SQLi).
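The single-quote probe above only produces a database error when user input is pasted into the SQL text. The following Python is an added example, not code from the TryHackMe room or from Juice Shop: it models a login against an in-memory SQLite table (constructed data) in a vulnerable and a hardened form, and a `probe` helper reports what a Repeater response would show. The table, column names and helper are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; not data from Juice Shop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice@example.invalid', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string formatting, so the user's quote
    characters become part of the SQL syntax. A lone ' in the email
    leaves an unterminated string and the database raises an error."""
    query = (
        "SELECT email FROM users WHERE email = '%s' AND password = '%s'"
        % (email, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, email, password):
    """Parameterised query: input is bound as data and never parsed as
    SQL, so a quote is just a character that matches no row."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def probe(login, conn, email, password):
    """Hypothetical helper: wraps a login call the way a Repeater response
    would show it, ('ok', result) normally and ('error', message) when
    the database complains about the statement."""
    try:
        return ("ok", login(conn, email, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "normal:", probe(fn, db, "alice@example.invalid", "correct-horse"))
        print(name, "quote :", probe(fn, db, "'", "x"))
```

The verbose error is the tell: the vulnerable login leaks a database message for a single quote, while the hardened login simply returns no user.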
Using Repeater to send a zero-star review to the website
Intruder can be used for many things ranging from fuzzing to brute-forcing
Per Burp Suite Documentation:
- Enumerating identifiers such as usernames, cycling through predictable session/password recovery tokens, and attempting simple password guessing
- Harvesting useful data from user profiles or other pages of interest via grepping our responses
- Fuzzing for vulnerabilities such as SQL injection, cross-site scripting (XSS), and file path traversal
Intruder has four main attack types:
1. Sniper — The most popular attack type, this cycles through our selected positions, putting the next available payload (item from our wordlist) in each position in turn. This uses only one set of payloads (one wordlist).
2. Battering Ram — Similar to Sniper, Battering Ram uses only one set of payloads. Unlike Sniper, Battering Ram puts every payload into every selected position.
3. Pitchfork — The Pitchfork attack type allows us to use multiple payload sets (one per position selected) and iterate through all the payload sets simultaneously.
4. Cluster Bomb — The Cluster Bomb attack type allows us to use multiple payload sets (one per position selected) and iterate through all combinations of the payload lists we provide.
Using the Intruder/Spider option to brute-force the email field with an SQLi wordlist
We place § markers around each position where Intruder should insert entries from our wordlist. We load our payload list in the payload options and make sure to uncheck URL-encoding of the characters. After starting the attack, we can check whether any of our attempts were successful.
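The four attack types and the § position markers can be modelled exactly. The Python below is an added example (not code from Burp, TryHackMe or the room): it parses a constructed request template with § markers and generates the requests each attack type would send, so the request counts and position handling described above can be checked. The template, host and payload values are made up, and the `url_encode` flag stands in for the URL-encode option in the payload settings.

```python
import itertools
from urllib.parse import quote

MARKER = "§"  # the character Burp Intruder places around a payload position

# Constructed template, not a captured request. Two positions: email, password.
TEMPLATE = (
    "POST /rest/user/login HTTP/1.1\r\n"
    "Host: shop.example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"email":"§admin@example.invalid§","password":"§secret§"}'
)


def parse_positions(template):
    """Split on § markers. Returns the literal text between positions and
    the base (original) value inside each marked position."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]


def render(literals, values):
    """Interleave the literal chunks with one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def sniper(bases, payload_set):
    # One set; each position takes each payload in turn while the other
    # positions keep their base value. Requests = positions * payloads.
    for i in range(len(bases)):
        for payload in payload_set:
            values = list(bases)
            values[i] = payload
            yield values


def battering_ram(bases, payload_set):
    # One set; the same payload goes into every position. Requests = payloads.
    for payload in payload_set:
        yield [payload] * len(bases)


def pitchfork(bases, payload_sets):
    # One set per position, stepped in parallel; stops with the shortest set.
    _check_sets(bases, payload_sets)
    for combo in zip(*payload_sets):
        yield list(combo)


def cluster_bomb(bases, payload_sets):
    # One set per position; every combination. Requests = product of set sizes.
    _check_sets(bases, payload_sets)
    for combo in itertools.product(*payload_sets):
        yield list(combo)


def _check_sets(bases, payload_sets):
    if len(payload_sets) != len(bases):
        raise ValueError("need exactly one payload set per position")


def generate(template, attack, *payload_sets, url_encode=False):
    """Return the list of requests the chosen attack type would send.
    url_encode=False mirrors unticking Intruder's URL-encode option, so
    payload characters reach the server unchanged."""
    literals, bases = parse_positions(template)
    if attack in ("sniper", "battering_ram"):
        if len(payload_sets) != 1:
            raise ValueError(f"{attack} takes exactly one payload set")
        rows = {"sniper": sniper, "battering_ram": battering_ram}[attack](bases, payload_sets[0])
    elif attack in ("pitchfork", "cluster_bomb"):
        rows = {"pitchfork": pitchfork, "cluster_bomb": cluster_bomb}[attack](bases, payload_sets)
    else:
        raise ValueError(f"unknown attack type {attack!r}")
    encode = (lambda v: quote(v, safe="")) if url_encode else (lambda v: v)
    return [render(literals, [encode(v) for v in values]) for values in rows]


if __name__ == "__main__":
    words = ["a", "b", "c"]  # constructed placeholder payload set
    extra = ["x", "y"]       # second constructed set for the two-set attack types
    for name, sets in (("sniper", [words]), ("battering_ram", [words]),
                       ("pitchfork", [words, extra]), ("cluster_bomb", [words, extra])):
        reqs = generate(TEMPLATE, name, *sets)
        print(f"{name:14s} {len(reqs)} requests; first body: {reqs[0].rsplit(chr(13) + chr(10), 1)[1]}")
```

With three payloads and two positions, Sniper sends six requests, Battering Ram three, Pitchfork (three and two payloads) two, and Cluster Bomb six; the `url_encode=True` path shows why the option was unticked above, since a space becomes `%20` and a quote `%27` before the server sees it.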
Decoder can be used to transform a request into the correct encoding. Below we take a line from a request and decode it as URL in order to read the text; %20 is the URL encoding of a space.
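Decoder's Smart decode option repeatedly guesses an encoding and strips it. The Python below is an added example, not Burp's own code: it does the same for URL, hex and base64 layers on constructed strings and records each layer it removed. The detection heuristics are assumptions and, as with the real tool, a short plain word made only of hex or base64 characters can be misidentified.

```python
import base64
import binascii
import re
from urllib.parse import unquote

PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")        # %20, %3D ...
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")      # 48656c6c6f
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # aGVsbG8=


def detect(text):
    """Guess the outermost encoding layer, or None. Heuristic: a short
    plain word made only of hex or base64 characters can be misread."""
    if PERCENT_RE.search(text):
        return "url"
    if HEX_RE.fullmatch(text):
        return "hex"
    if BASE64_RE.fullmatch(text) and len(text) % 4 == 0:
        return "base64"
    return None


def decode_once(text, kind):
    """Remove exactly one encoding layer of the given kind."""
    if kind == "url":
        return unquote(text)  # %20 -> ' ', %3D -> '='
    if kind == "hex":
        return bytes.fromhex(text).decode("utf-8", "replace")
    if kind == "base64":
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    raise ValueError(f"unknown encoding {kind!r}")


def smart_decode(text, max_layers=5):
    """Peel encoding layers until nothing recognisable is left.
    Returns (decoded_text, [layers removed, outermost first])."""
    layers = []
    for _ in range(max_layers):
        kind = detect(text)
        if kind is None:
            break
        try:
            decoded = decode_once(text, kind)
        except (ValueError, binascii.Error):
            break  # looked encoded but was not; stop rather than guess
        if decoded == text:
            break
        layers.append(kind)
        text = decoded
    return text, layers


if __name__ == "__main__":
    # Constructed samples, not taken from a real request.
    for sample in ("q%3Dhello%20world", "aGVsbG8gd29ybGQ%3D", "48656c6c6f"):
        print(sample, "->", smart_decode(sample))
```

The second sample is base64 that has itself been URL-encoded, which is the kind of nested value Decoder is useful for: the function removes the URL layer first and then the base64 layer.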