Pentesting WebApp & WebServices using Burp Suite

www.linkedin.com/in/arun1105

 @Arunthomas115

@prvnkumark

https://in.linkedin.com/in/prvnkumark

Import the .ova

What is there in the .ova???

It just a kali linux(2016.1) x64 image with following tools;

  • Postman & FoxyProxy Browser Addon
  • Github - Seclist files
  • BurpSuite Free Edition with few free Extenders.
  • Docker Container with runs vulnerable applications like;

 

Vuln Apps : 

DVWA, DVWServices, DVWSockets, WebGoat, JuiceShop, Railsgoat, django.NV, Biggy Bank, Mutilidae II

 

Tools : 

MailCatcher, Brakeman - Ruby on Rails Scanner, RIPS - PHP Code Scanner

 

HTTP Protocol Basics

  • HTTP Request & Response & Methods.

  • HTTPS / SSL Handshake.
  • Same Origin Policy.
  • Cookies.
  • Sessions.
  • Web Proxies.

HTTP Request

HTTP Response

HTTP Status Codes

  • Exhaustive List here : https://httpstatuses.com/

Let's Try it Out!!!

HTTP Request & Response

  • Firefox > Settings > Developer > Network

HTTPS/SSL Handshake

Same Origin Policy

  • SOP - prevents a script or a document from getting or setting properties of another document that comes from a different origin.

  • CSS stylesheets, images and scripts are loaded by the browser without consulting the policy.

  • SOP is consulted only when cross-site HTTP requests are initiated from within client side scripts ( IE: JavaScript), or when an Ajax request is run.

Same Origin Policy

  • The origin is based on the following Conditions;

Same Origin Policy

  • Let's see an example with the following address;
  • http://demo.example.site/index.php

Cookies

Cookies

  • HTTP is stateless protocol.
  • Cookies are just textual information installed by a website into the "cookie jar" of the web browser.
  • Cookie jar is a storage space where a web browser stores the cookies.

Cookie Format

Cookie Format

Intercepting Proxy

An intercepting proxy is a tool that lets you analyze and modify any request and any response exchanged between an HTTP client and a server.

By intercepting HTTP messages a pentester can study a web application behavior and manually test for vulnerabilities.

Intercepting Proxy

  • Most used proxies are Burpsuite & ZAP.

  • Proxy servers have different purposes: bandwidth optimization, content filtering and more
  • Please do not confuse intercepting proxies with common proxy server like squid.
  • The next two images will make that clearer.

Intercepting Proxy

  • Here the proxy is an application which intercepts the user’s browser traffic.

Proxy Server

  • Here proxy server filters all traffic coming from internal network.

BurpSuite Free Vs Professional Edition

BurpSuite Essential Components

Burp Proxy

- Intercepts  HTTP/S connections.
Burp Spider
- Crawls a Web Application.
Burp Intruder
- Attack tool that contains a large number of attack methods.
Burp Repeater
- Repeats interactions/attacks.
Burp Sequencer
- Analyzes session tokens.
Burp Decoder
- Decodes various types of encoding for textual information.
Burp Comparer
- Compares two pages together, implementing a form of “diff”

BurpSuite Essentials 

  • Basics of burp suite and Proxy configuration, local and remote proxy.
  • Import Burp SSL cert in chrome
  • Site map, Scope, filters, highlight , Compare site map
  • Socks proxy – SSH.
  • Spider, Repeater, Sequencer, Decoder, Comparer, Project Options, User Options, Alerts.

Project Options

BurpSuite Tips & Tricks

  • User Options -> Misc -> Hotkeys – Edit use keyboard combination
  • Classic – ctr+x|c|v for “cut|copy|paste” ctr+t
  • Decoding – ctr+[shift]+u|h|b for url|html|base64
  • Navigation – Ctr+shift+T|P|S|I|R –
  • Custom – Ctr+G for “issue repeater request”
  • History auto scroll
  • Change request method

BurpSuite Intruder

  • Drawback of burp free version intruder ,compensate with dirbuster and other brute force tools
  • Payload from seclist
  • Payload processing
  • Grep match
  • Base64 authentication brute-force
  • Anti CSRF tokens

BurpSuite Extensions

  • Free and Pro Extensions
  • Automatic and Manual Installations – setting lib in folder
  • Default Data parsing by burp - Parameters, XML, AMF, Viewstate
  • Data Parsing with Extensions - Json Decoder, javascript
  • Authz, CO2, logger++, wsdler
  • https://github.com/Meatballs1/burp-extensions

BurpSuite Webservices Demo

  • API testing plugins like PostMan for Chrome or RESTClient for Firefox allow you to communicate with the RESTful backend of a web application directly.
  • Using these plugins you can create requests for all available HTTP verbs (GET, POST, PUT, DELETE etc.) with all kinds of content-types, request headers etc.

BurpSuite  - Webservices Addon

  • Burp suite Essentials Book – Akash Mahajan

  • Agarri - http://www.agarri.fr/en/

References

Made with Slides.com