Pentesting WebApp & WebServices using Burp Suite

www.linkedin.com/in/arun1105

@Arunthomas115

@prvnkumark

https://in.linkedin.com/in/prvnkumark

Import the .ova

What is there in the .ova???

It just a kali linux(2016.1) x64 image with following tools;

Postman & FoxyProxy Browser Addon
Github - Seclist files
BurpSuite Free Edition with few free Extenders.
Docker Container with runs vulnerable applications like;

Vuln Apps :

DVWA, DVWServices, DVWSockets, WebGoat, JuiceShop, Railsgoat, django.NV, Biggy Bank, Mutilidae II

Tools :

MailCatcher, Brakeman - Ruby on Rails Scanner, RIPS - PHP Code Scanner

HTTP Protocol Basics

HTTP Request & Response & Methods.

HTTPS / SSL Handshake.

Same Origin Policy.

Cookies.

Sessions.

Web Proxies.

HTTP Request

HTTP Response

HTTP Status Codes

Exhaustive List here : https://httpstatuses.com/

Let's Try it Out!!!

HTTP Request & Response

Firefox > Settings > Developer > Network

HTTPS/SSL Handshake

Same Origin Policy

SOP - prevents a script or a document from getting or setting properties of another document that comes from a different origin.

CSS stylesheets, images and scripts are loaded by the browser without consulting the policy.

SOP is consulted only when cross-site HTTP requests are initiated from within client side scripts ( IE: JavaScript), or when an Ajax request is run.

Same Origin Policy

The origin is based on the following Conditions;

Same Origin Policy

Let's see an example with the following address;

http://demo.example.site/index.php

Cookies

HTTP is stateless protocol.

Cookies are just textual information installed by a website into the "cookie jar" of the web browser.

Cookie jar is a storage space where a web browser stores the cookies.

Cookie Format

Intercepting Proxy

An intercepting proxy is a tool that lets you analyze and modify any request and any response exchanged between an HTTP client and a server.

By intercepting HTTP messages a pentester can study a web application behavior and manually test for vulnerabilities.

Intercepting Proxy

Most used proxies are Burpsuite & ZAP.

Proxy servers have different purposes: bandwidth optimization, content filtering and more

Please do not confuse intercepting proxies with common proxy server like squid.

The next two images will make that clearer.

Intercepting Proxy

Here the proxy is an application which intercepts the user’s browser traffic.

Proxy Server

Here proxy server filters all traffic coming from internal network.

BurpSuite Free Vs Professional Edition

BurpSuite Essential Components

Burp Proxy

- Intercepts HTTP/S connections.
Burp Spider
- Crawls a Web Application.
Burp Intruder
- Attack tool that contains a large number of attack methods.
Burp Repeater
- Repeats interactions/attacks.
Burp Sequencer
- Analyzes session tokens.
Burp Decoder
- Decodes various types of encoding for textual information.
Burp Comparer
- Compares two pages together, implementing a form of “diff”

BurpSuite Essentials

Basics of burp suite and Proxy configuration, local and remote proxy.
Import Burp SSL cert in chrome
Site map, Scope, filters, highlight , Compare site map
Socks proxy – SSH.
Spider, Repeater, Sequencer, Decoder, Comparer, Project Options, User Options, Alerts.

Project Options

BurpSuite Tips & Tricks

User Options -> Misc -> Hotkeys – Edit use keyboard combination
Classic – ctr+x|c|v for “cut|copy|paste” ctr+t
Decoding – ctr+[shift]+u|h|b for url|html|base64
Navigation – Ctr+shift+T|P|S|I|R –
Custom – Ctr+G for “issue repeater request”
History auto scroll
Change request method

BurpSuite Intruder

Drawback of burp free version intruder ,compensate with dirbuster and other brute force tools
Payload from seclist
Payload processing
Grep match
Base64 authentication brute-force
Anti CSRF tokens

BurpSuite Extensions

Free and Pro Extensions
Automatic and Manual Installations – setting lib in folder
Default Data parsing by burp - Parameters, XML, AMF, Viewstate
Data Parsing with Extensions - Json Decoder, javascript
Authz, CO2, logger++, wsdler
https://github.com/Meatballs1/burp-extensions

BurpSuite Webservices Demo

API testing plugins like PostMan for Chrome or RESTClient for Firefox allow you to communicate with the RESTful backend of a web application directly.
Using these plugins you can create requests for all available HTTP verbs (GET, POST, PUT, DELETE etc.) with all kinds of content-types, request headers etc.

Pentesting WebApp & WebServices using Burp Suite

Import the .ova

What is there in the .ova???

HTTP Protocol Basics

HTTP Request

HTTP Response

HTTP Status Codes

Let's Try it Out!!!

HTTP Request & Response

HTTPS/SSL Handshake

Same Origin Policy

Same Origin Policy

Same Origin Policy

Cookies

Cookies

Cookie Format

Cookie Format

Intercepting Proxy

Intercepting Proxy

Intercepting Proxy

Proxy Server

BurpSuite Free Vs Professional Edition

BurpSuite Essential Components

BurpSuite Essentials

Project Options

BurpSuite Tips & Tricks

BurpSuite Intruder

BurpSuite Extensions

BurpSuite Webservices Demo

BurpSuite - Webservices Addon

Burp suite Essentials Book – Akash Mahajan

Agarri - http://www.agarri.fr/en/

References

WebApp Pentesting - Private Session

WebApp Pentesting - Private Session

Arunthomas

Pentesting WebApp & WebServices using Burp Suite

Import the .ova

What is there in the .ova???

HTTP Protocol Basics

HTTP Request

HTTP Response

HTTP Status Codes

Let's Try it Out!!!

HTTP Request & Response

HTTPS/SSL Handshake

Same Origin Policy

Same Origin Policy

Same Origin Policy

Cookies

Cookies

Cookie Format

Cookie Format

Intercepting Proxy

Intercepting Proxy

Intercepting Proxy

Proxy Server

BurpSuite Free Vs Professional Edition

BurpSuite Essential Components

BurpSuite Essentials

Project Options

BurpSuite Tips & Tricks

BurpSuite Intruder

BurpSuite Extensions

BurpSuite Webservices Demo

BurpSuite - Webservices Addon

Burp suite Essentials Book – Akash Mahajan

Agarri - http://www.agarri.fr/en/

References

WebApp Pentesting - Private Session

More from Arunthomas