Burpsuite tricks

Know your tools, gain in productivity

https://slides.com/xanhacks/burpsuite/

Nov. 2021

whoami - xanhacks

2

heroctf.fr

hack2g2.fr

@arn_hack

Summary

  1. What is Burpsuite ?
  2. Tabs :
    1. Proxy
    2. Target
    3. Intruder (demo)
    4. Repeater
    5. Project / User options
  3. Extension : DOM Invader (demo)
  4. Secret question

3

1) What is Burpsuite

  • Tool for web pentesting
  • Acts as a proxy between your browser and the web server
  • Edit and replay HTTP requests on the fly
  • (Pro version) Vulnerability scanner
  • ...

1. Listening on

127.0.0.1:8080

2. Configure the proxy to 127.0.0.1:8080

3. Add Burpsuite HTTPS certificate, http://burp

4

2.1) Tab : Proxy (ctrl+shift+p)

Intercept and edit (optional) requests or websockets

5

2.1) Tab : Proxy (Options)

Intercepts only URLs in scope

(request / response)

6

2.1) Tab : Proxy (Options)

Stop intercepting Websockets

7

2.1) Tab : Proxy (Options)

Edit, add or remove : headers, body or params

(requests / responses)

8

2.2) Tab : Target (ctrl+shift+t)

Site map and scope

9

2.2) Tab : Target (ctrl+shift+t)

Add / remove URLs from scope

10

2.2) Tab : Target (ctrl+shift+t)

Show only scope items

11

2.2) Tab : Target (ctrl+shift+t)

Search string in website

12

Pro version

2.3) Tab : Intruder (ctrl+shift+i)

Automate requests using lists or iterators
(bruteforce, fuzzing)

13

Pro version

= faster

(turbo intruder)

2) Tab : Intruder (ctrl+shift+i)

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked

Demo :

  • Iterates through lists
  • Match text in responses
  • Payload processing (suffix and prefix)
  • Payload encoding (URL encoding)

14

2) Tab : Intruder (ctrl+shift+i)

Attack types

  1. Sniper : Replaces only one position at a time. After its done with the first position, it continues with the second position.

  2. Battering ram : Same payload value in all positions. It loops through the payload set and replaces all positions with the payload value.

  3. Pitch fork : Uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on.

  4. Cluster bomb : The cluster bomb attack tries all different combinations of payloads. (example : bruteforce with a list of users and passwords.).

15

2.4) Tab : Repeater (ctrl+shift+r)

Edit, replay and observe (manual testing)

16

2.4) Tab : Repeater (ctrl+shift+r)

Rename your tabs (same for Intruder)

17

2) Tab : Repeater (ctrl+shift+r)

Auto scroll on change

18

2) Tab : Repeater (ctrl+shift+r)

Generate CSRF PoC

19

Pro version

2) Tab : Repeater (ctrl+shift+r)

20

Javascript auto-submit

Pro version

2.5) Tab : Project (options)

Javascript redirection

21

2) Tab : User (options)

Turn on dark mode

22

2) Tab : User (options)

Disable interception on startup

23

Exploiting an XSS (Cross-Site-Scripting) vulnerability using the DOM Invader browser extension.

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink

3) DOM Invader (demo)

24

4) Secret question

25

26

End

Any questions ?

Made with Slides.com