Burp Basics

Exercise
• Understanding Basics of Burp Suite.

Prerequisites

  1. WebGoat and Burp Suite already running.
  2. Burp Proxy has already been configured with your browser.

Goals

  1. Learn how to create projects and save project data.

Steps

  1. Run Burp Suite and select New project on disk.
  2. Enter filename and project name. This creates a project file and saves it.
  3. Now, browse the application in your browser as normal; you can then close Burp Suite directly.
  4. When you reopen Burp Suite, you can select the project file directly and it will show the whole project with the same proxy settings, same history, etc.

Exercise
Understanding how to use Proxy, Repeater, Target, Spider, Scanner and Intruder.


Prerequisites
1. WebGoat and Burp Suite already running.
2. Burp Proxy has already been configured with your browser.


Goals
1. Learn how to use Proxy and Repeater to intercept, alter or repeat requests/responses.
2. Learn how to use Target to set up project scope.
3. Learn how to use Spider to discover hidden content.
4. Learn how to use Scanner to passively or actively scan the application.
5. Learn how to use Intruder to automate attacks.


Steps


1. PROXY and REPEATER


1. Intercepting Requests
1. Turn on the intercept in Burp Proxy → Intercept.
2. Visit `http://localhost:8080/WebGoat/` and check whether Burp is flashing and waiting for your input. This happens because the request was intercepted by Burp Proxy.
3. Look at the request in Burp. You can see the raw details of the request. In this case it is a GET request to the server, WebGoat.
4. Click `Forward` to send the request to the server.

2. Editing Requests
1. Turn on the intercept in Burp Proxy → Intercept.
2. Visit any page on WebGoat and check whether Burp is flashing and waiting for your input. This happens because the request was intercepted by Burp Proxy.
3. Look at the request in Burp. You can see the raw details of the request.
4. Now, make changes to the request, e.g. modify a cookie.
5. Click `Forward` to send the modified request to the server.

Note: You can also see the request/response history via Burp Proxy → HTTP history.


3. Using Repeater


1. Go to Burp Proxy → HTTP history.
2. Right click on any request and click `Send to Repeater`.


3. Now you can edit the raw details of the request and send it over and over again via the `Repeater` tab.

The default method is POST.
I have changed the method to ‘GET’.


4. You can do this with any live request as well.


2. TARGET


1. Setting Scope


1. Go to Burp Target → Scope.
2. Add a new target scope as `localhost`.


3. This sets Burp Suite to work with in-scope URLs, so you can filter the data down to your in-scope URLs only.


2. Using SiteMap


1. Go to Burp Target → SiteMap.
2. Browse WebGoat as normal and see the various requests/responses.
3. As you do this, Burp builds up a site map, which can be viewed via Burp Target → SiteMap.
4. You can also use the filtering feature to show only requests related to your in-scope target.


3. SPIDER


1. Using Spider to Discover Hidden Content
1. Go to Burp Spider → Control.
2. Set `Spider Scope` to `Use defined scope [defined in Target tab]`. This uses the scope from the Target tab.
3. Now, click `Spider is paused`. This starts the spider, and the text changes to `Spider is running`.
4. From other tabs such as Target, you can always send any request for spidering by right-clicking and selecting `Spider this host/branch`.


Note: You should manually review the spider settings before running it on any
website. It may have adverse effects.


4. SCANNER


1. Passive Scanning


1. In Burp, go to Scanner → Live Scanning.
2. Set `Live Active Scanning` to `Don’t Scan`.
3. Set `Live Passive Scanning` to `Use suite scope [defined in Target tab]`.
4. Now, browse WebGoat, and Burp Scanner will find vulnerabilities for you.
5. Results can be viewed via Target → SiteMap.


2. Active Scanning


1. In Burp, go to Target → SiteMap.
2. Right-click on WebGoat and select `Actively scan this host`.
3. Make sure “Remove out-of-scope items” is checked, then select `Next` and then `Ok` to start scanning.
4. Results can be viewed via Scanner → Scan queue.


Note: You should manually review the scanner settings before running it on any
website. It may have adverse effects.


5. INTRUDER


1. Using Intruder to Brute Force Credentials


1. Browse to the WebGoat login page → http://localhost:8080/WebGoat/login.mvc
2. Now, intercept the login request after you enter a username and password, e.g. POST http://localhost:8080/WebGoat/j_spring_security_check
3. In Burp Proxy → Intercept, right-click and select `Send to Intruder`.


4. Now, go to Intruder.
5. Set `Payload Positions` to the value of `password`. Clear everything else by hitting the `Clear` button. Here, we are going to brute force the password.
6. Set Attack type to Sniper.


7. Go to `Payloads` tab.
8. Set `Payload Sets` to use `Payload type: Simple list`.
9. Select the `Passwords` list from the dropdown menu of `Payload Options`.
10. Hit `Start attack` button. This will start your brute force attack.


11. Depending on the request/response, you will be able to identify whether the password was correct or not.


Note: You can perform a variety of different attack types using Intruder.
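
Seen from the server, the Intruder run in this exercise is a burst of POSTs to the login endpoint from one client. The script below is an added example, not part of the original tutorial: it flags such bursts in Common Log Format access-log lines. It counts attempts rather than failures, since a form login may answer both with a redirect; the log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/WebGoat/j_spring_security_check"  # login POST target shown on this page
WINDOW = timedelta(seconds=10)  # assumed threshold, tune per application
MAX_ATTEMPTS = 5                # assumed threshold, tune per application

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

def parse_line(line):
    """Return (ip, time, method, path), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and any ;jsessionid suffix before comparing paths.
    path = m["path"].split("?", 1)[0].split(";", 1)[0]
    return m["ip"], ts, m["method"], path

def find_login_bursts(lines, window=WINDOW, max_attempts=MAX_ATTEMPTS):
    """Map client IP -> peak count of login POSTs within one sliding window,
    for clients exceeding max_attempts. Lines must be in time order."""
    recent = defaultdict(deque)
    peaks = {}
    for parsed in map(parse_line, lines):
        if parsed is None or parsed[2] != "POST" or parsed[3] != LOGIN_PATH:
            continue
        ip, ts = parsed[0], parsed[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: eight login POSTs in eight seconds, plus normal traffic.
SAMPLE_LOG = [
    f'127.0.0.1 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 -'
    for s in range(8)
] + [
    f'192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 -',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /WebGoat/login.mvc HTTP/1.1" 200 512',
]
```

Calling `find_login_bursts(SAMPLE_LOG)` flags only `127.0.0.1`, with a peak of 8 attempts inside one window.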
