How To Burp
David Brown, Senior Security Engineer, Security Innovation

In case you want to follow along: https://portswigger.net/burp/download.html
What is Burp?
- An HTTP proxy (and other things)
- Built by lazy security engineers for other lazy security engineers
- Extremely configurable
- Know how to program? Also extensible
- Not Metasploit
What is it not?
- An automated security tool (not the bad kind, anyway)
- Open source (Pro features are nice and you probably want them: $350.00/user/year)
- Always intuitive (Sniper, Battering Ram, Pitchfork, Cluster Bomb)
- Risk free (don't underestimate it)
Suite Overview
- Target/scoping mechanism
- HTTP(S) proxy
- Spidering engine
- Active & passive scanners
- Configurable automation engine
- Manual request constructor
- Entropy analysis engine
- Decoding/encoding utility
- HTTP request/response diff tool
- Plugin architecture with open APIs
Demo Time!
Target
- Site Map: if Burp saw it, it will be listed here. Probably. Just keep looking, I'm sure it's in there somewhere.
- Scope (USE IT). Fun fact: I didn't know about this tab for a year. Highly configurable: host, domain, port, regex, etc.
Proxy
- Intercept: very occasionally, it's nice to be able to intercept things in transit
- HTTP History: the glue holding the Suite together. Fun fact: 375 is the number of requests a recent target made before I clicked anything.
Proxy Options
- CA Certificates: Burp issues its own CA certificates. Usually just works, but can get complicated, e.g. certificate pinning, HSTS, pre-load lists, etc.
- Match/Replace: an especially powerful but overlooked feature. Allows arbitrary replacement of values in requests or responses based on arbitrary criteria, e.g. min.js -> .js
Demo Time!
Spider
- Configurable web crawler
- Fun fact: the Spider queue auto-populates with requests!
- Fun fact: certain requests can be destructive! e.g. the "Delete Everything" button that ended up in the Admin Console for some reason
Scanner
- Live scanning: by default Burp passively scans all requests
- Active scanning is not where Burp shines

                  Passive scanning       Active scanning
  Live scanner    Low hanging fruit!     No. Stop. Just don't.
  Manual scanner  Sure, why not!         Malicious packets!
Intruder
- Hands down, the most powerful tool in the suite
- Replace most anything in a request or response with most anything else
- Useful in all sorts of attacks: account enumeration, identification of SQLi or XSS, fuzzing request handling (FuzzDB/SecLists ++)
Demo Time!
Repeater
- Good exploration tool
- Ctrl-R works on almost any request in the Suite
- Most of the interesting discoveries I make in Burp come out of the Repeater
Sequencer
- Kind of a one-trick pony
- If you were wondering how much entropy something has, now you have an objective way to find out
- Useful when auditing FIPS requirements
- Confidence level increases with the number of requests (max: 20000)
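To make the Sequencer's question concrete, here is an added example (not Sequencer's own code) that estimates per-position Shannon entropy over a captured token sample and shows why the estimate is capped by sample size; both token samples are constructed.

```python
"""Estimate how much entropy a set of tokens carries, the question Burp's
Sequencer answers for a captured sample. Added example, not Sequencer's own
code; both token samples below are constructed."""
import math
from collections import Counter

# Constructed: a counter behind a fixed prefix (weak) and eight tokens with
# no repeated character at any position (looks random at this sample size).
SEQUENTIAL_TOKENS = ["AAAA000%d" % i for i in range(1, 9)]
RANDOM_TOKENS = ["k3Jd9QpL", "zX1bT7mN", "Qa8vR2yW", "f0Hs6EcK",
                 "Mw4nU9jB", "rE7pC1xZ", "Lt2gY5oD", "Gi5qV8aS"]

def shannon_entropy(symbols):
    """Shannon entropy, in bits, of the observed distribution of symbols."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def per_position_entropy(tokens):
    """Entropy of each character position, measured across the whole sample."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    return [shannon_entropy([t[i] for t in tokens]) for i in range(length)]

def token_entropy_bits(tokens):
    """Sum of per-position entropies: an estimate of bits of entropy per token
    (an upper bound, since correlated positions are counted independently)."""
    return sum(per_position_entropy(tokens))

def max_observable_bits(tokens):
    """Ceiling imposed by the sample size: n samples can show at most log2(n)
    bits per position, which is why confidence grows with more requests."""
    return len(tokens[0]) * math.log2(len(tokens))

def fixed_positions(tokens):
    """Positions whose character never changes across the sample (zero entropy)."""
    return [i for i, h in enumerate(per_position_entropy(tokens)) if h == 0.0]
```

With only eight samples the random-looking set hits the 24-bit ceiling exactly, so nothing can be said about bits beyond that until far more tokens are captured.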
Decoder
- Does what it says on the can
- Encode or decode an arbitrary string as many times as you desire
- Least mature tool of the suite. Honestly, I'm not sure why it's still so bad.
- Admittedly convenient when the need to multiply decode something arises
Comparer
- I've almost never used this tool. Maybe I'm not the target audience?
- Simple diff tool for comparing requests or responses
Extender
- Plugin architecture for Burp
- Fortunately (or unfortunately) extensions can be written in most languages: Java, Python, Jython and Ruby are popular
- The relatively new BApp Store allows in-suite installation for the more mature extensions
- Many are open source and available online
Handy Extensions
Some particularly useful extensions:
- Logger++: useful when recording exactly what was done in a production environment during testing. Extremely useful if said testing in production results in an unpleasant outcome.
- JSON Decoder: parsing through unbeautified JSON blobs tends to get old after a while
- Browser Repeater: sometimes the Burp rendering engine isn't enough (e.g. reflected XSS that relies on a specific browser... IE9 and ASP.NET 3.5)
- Headers Analyzer: there have been few, if any, web applications I've assessed that didn't have at least one misconfigured response header
- WSDLer: uses the SoapUI core but wraps it in a very useful plugin that auto-builds the request structure for a given host/service definition. Very useful for fuzzing.
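The kind of check the Headers Analyzer extension automates, written out as an added example (not the extension's code): parse a raw response, flag missing or weak security headers, and flag cookies without Secure/HttpOnly. The sample response is constructed, and the header expectations are this example's own choices.

```python
"""Flag missing or weak security response headers, as Headers Analyzer does.
Added example, not the extension's code; the sample response is constructed."""

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers expected on an HTTPS application response, with what "good" looks like.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw):
    """Split a raw HTTP response into (lowercased name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def analyze_headers(raw):
    """Return a list of findings for missing/weak headers and cookie flags."""
    present = {}
    for name, value in parse_headers(raw):
        present.setdefault(name, []).append(value)
    findings = []
    for name, ok in REQUIRED.items():
        if name not in present:
            findings.append("missing: %s" % name)
        elif not all(ok(v) for v in present[name]):
            findings.append("weak: %s: %s" % (name, "; ".join(present[name])))
    for cookie in present.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        cookie_name = cookie.split("=", 1)[0]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (cookie_name, flag))
    return findings
```

The same logic can be called from a Burp Python extension's HTTP listener on each response, which is how a Logger++-style audit trail of header findings could be kept.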
Demo Time!
Burp Suite Options
- Proxy settings: if a target requires a proxy to reach, you can define it as an upstream proxy
- Hostname resolution: acts as a hosts file within Burp for redirecting all requests for a given host
- SSL: allows granular definition for all SSL/TLS versions and cipher suites
- Client / host SSL certificates: if a client and host require mutual cert-based authentication, that can be defined here
- Session handling / cookie jar: just like a browser, Burp maintains its own cookie store
Burp State
- Pro version? Persist the full state of the suite. Super useful when a client inevitably asks questions like "Did you or did you not send a request to our service asking webroot to delete itself?"
- Free version? Logger++, plus the built-in "Remember Tool Configuration"
Additional Resources
- Burp Suite download page: https://portswigger.net/burp/download.html
- Full documentation: https://portswigger.net/burp/help/contents.html
- Web Application Hacker's Handbook: http://www.amazon.com/gp/product/1118026470?ie=utf8&tag=portswinet-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1118026470
- Wordlists (compiled lists of payloads, passwords, usernames, etc.): https://github.com/danielmiessler/seclists
Questions? Complaints?
David Brown, Senior Security Engineer, Security Innovation
dbrown@securityinnovation.com