Burpsuite tricks
Know your tools, gain in productivity
https://slides.com/xanhacks/burpsuite/
Nov. 2021
whoami - xanhacks
2
Summary
- What is Burpsuite ?
-
Tabs :
- Proxy
- Target
- Intruder (demo)
- Repeater
- Project / User options
- Extension : DOM Invader (demo)
- Secret question
3
1) What is Burpsuite
- Tool for web pentesting
- Acts as a proxy between your browser and the web server
- Edit and replay HTTP requests on the fly
- (Pro version) Vulnerability scanner
- ...
1. Listening on
127.0.0.1:8080
2. Configure the proxy to 127.0.0.1:8080
3. Add Burpsuite HTTPS certificate, http://burp
4
2.1) Tab : Proxy (ctrl+shift+p)
Intercept and edit (optional) requests or websockets
5
2.1) Tab : Proxy (Options)
Intercepts only URLs in scope
(request / response)
6
2.1) Tab : Proxy (Options)
Stop intercepting Websockets
7
2.1) Tab : Proxy (Options)
Edit, add or remove : headers, body or params
(requests / responses)
8
2.2) Tab : Target (ctrl+shift+t)
Site map and scope
9
2.2) Tab : Target (ctrl+shift+t)
Add / remove URLs from scope
10
2.2) Tab : Target (ctrl+shift+t)
Show only scope items
11
2.2) Tab : Target (ctrl+shift+t)
Search string in website
12
Pro version
2.3) Tab : Intruder (ctrl+shift+i)
Automate requests using lists or iterators
(bruteforce, fuzzing)
13
Pro version
= faster
(turbo intruder)
2) Tab : Intruder (ctrl+shift+i)
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked
Demo :
- Iterates through lists
- Match text in responses
- Payload processing (suffix and prefix)
- Payload encoding (URL encoding)
14
2) Tab : Intruder (ctrl+shift+i)
Attack types
- Sniper : Replaces only one position at a time. After its done with the first position, it continues with the second position.
-
Battering ram : Same payload value in all positions. It loops through the payload set and replaces all positions with the payload value.
-
Pitch fork : Uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on.
-
Cluster bomb : The cluster bomb attack tries all different combinations of payloads. (example : bruteforce with a list of users and passwords.).
15
2.4) Tab : Repeater (ctrl+shift+r)
Edit, replay and observe (manual testing)
16
2.4) Tab : Repeater (ctrl+shift+r)
Rename your tabs (same for Intruder)
17
2) Tab : Repeater (ctrl+shift+r)
Auto scroll on change
18
2) Tab : Repeater (ctrl+shift+r)
Generate CSRF PoC
19
Pro version
2) Tab : Repeater (ctrl+shift+r)
20
Javascript auto-submit
Pro version
2.5) Tab : Project (options)
Javascript redirection
21
2) Tab : User (options)
Turn on dark mode
22
2) Tab : User (options)
Disable interception on startup
23
Exploiting an XSS (Cross-Site-Scripting) vulnerability using the DOM Invader browser extension.
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink
3) DOM Invader (demo)
24
4) Secret question
25
26
End
Any questions ?
