
To use Burp Spider passively against our DVWA environment, follow these steps.

1. Start Burp Suite from the steps earlier in this chapter if it's not running already.

2. Configure Firefox to use a proxy from the steps earlier in this chapter if it's not already.

3. Browse using Firefox to the DVWA login page at http://127.0.0.1/login.php.

Alert

Burp Intercept proxy is configured to intercept all requests by default. This is why the DVWA login page won't load initially. To toggle this off, click on the proxy tab in Burp, then the intercept sub-tab, and click the "intercept is on" button to toggle it off. We will come back to the intercept tab during the hacking steps, but for now, you can turn it off. Tabs within Burp will change to red (as an alert), so you know what tab in the suite needs your attention!

4. Log in to DVWA with admin and password.

Burp is now cataloging every request that you make as well as the responses from the DVWA web application. This running history is best illustrated in the site map tree that Burp automatically builds under the target tab and site map sub-tab as shown in Figure 3.5.

FIGURE 3.5 Site map in Burp Suite.

Now is also a good time to set the scope of your hacking efforts in Burp. Scope simply refers to what URL (or IP address) you want to consider as a target and be used in automated spidering. In our example, we would want to include everything on the localhost web server, so we'd set 127.0.0.1 as our scope by selecting add item to scope in the right-click menu in the site map as shown in Figure 3.6. Make sure to right-click on the root of the tree (127.0.0.1), so the entire site will be set in the scope.

FIGURE 3.6 Adding item to Burp Suite scope.

You can add several web application IP addresses or URLs to the scope of your testing. To view your current scope, use the scope sub-tab under the target tab. If you attempt to use any Burp tool outside the specified scope, you will be prompted to accept that you are working outside of the scope. Most of the time you can simply add that item to scope and continue on with your activity. But in some cases, this prompt will save you from inadvertently interacting with a target that is actually outside of your intended scope.

Directories are displayed with the folder icon and can be expanded and collapsed to see the pages that Burp has found within the directory. The gear icon is used for pages that have additional functionality built into them. Most of the time, these pages are using parameters to perform an action such as logging in, setting up the database, or retrieving data. Think of these pages as dynamic as opposed to static. This is important because it's our first signal of the pages in this web application that act upon user input. The white page icon is used for web pages that do not accept input and do not have dynamic functionality; these are just static web pages.

The site map entries that are bold are the resources that you have manually requested and have been cataloged by the proxy. You can see in Figure 3.5 that at the time of the screenshot, I had manually browsed to the dvwa directory, index.php, instructions.php, login.php, and setup.php. All of the grayed out entries have been discovered by the Burp Spider with its reconnaissance and not by a user making the request in a browser.

By default, Burp Spider will passively scan the HTML of all requests and responses for links to other directories and files. The manual (passive) Spider will not request these resources but will include them in the site map. As you browse to more DVWA pages, the site map will continue to populate both inside the 127.0.0.1 directory and external web applications that are referenced by DVWA. Good examples of this behavior are the dvwa.svn.sourceforge.net and dvwa.co.uk URL directories that are now part of your site map. Although you haven't browsed to these sites in your browser, they are both referenced in DVWA pages that your browser did request. Related web applications and references are a great piece of recon that will be used later in the user exploitation phase.

With passive spidering enabled, you can now visit every single page on DVWA for it to be included in the site map. With fewer than 20 total pages, that would not take long, and you will be left with a complete site map of the web application. You can then pinpoint the exact pages and parameters to attack! However, with larger target applications, you could be clicking links for many hours with no guarantee that you will actually hit every link possible. For instances such as this, or when you aren't concerned with being stealthy, you can use the automated spider in Burp.
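The passive behavior described above is easy to reproduce in a few dozen lines. The following is an added example (not Burp Suite's own code) that walks a constructed set of proxied request/response pairs, catalogs every link it sees without requesting it, distinguishes manually requested resources (bold in Burp's tree) from passively discovered ones (grayed out), marks pages seen with parameters or as form targets as dynamic (the gear icon), and reports any host that falls outside the configured scope. The sample HTML bodies and the `CAPTURED` list are invented for the example; only the DVWA paths and the two external hosts come from the text.

```python
"""Passive site-map builder (added example; not Burp Suite's own code).

Every proxied response is parsed for links, each link is cataloged without
being requested, manually requested resources are flagged, pages with
parameters or form targets are marked dynamic, and any host outside the
configured scope is reported separately.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample traffic: (request URL, response body) pairs as the proxy
# would record them while browsing DVWA. The bodies are invented for this example.
CAPTURED = [
    ("http://127.0.0.1/login.php",
     '<html><body><a href="index.php">Home</a>'
     '<a href="/dvwa/instructions.php">Instructions</a>'
     '<form action="login.php" method="post"><input name="username"></form>'
     '<a href="http://dvwa.svn.sourceforge.net/">SVN</a>'
     '<a href="http://dvwa.co.uk/">DVWA home</a></body></html>'),
    ("http://127.0.0.1/setup.php?step=1",
     '<html><body><a href="setup.php?step=2">Next</a>'
     '<a href="vulnerabilities/sqli/?id=1">SQL Injection</a>'
     '<script src="/dvwa/js/dvwaPage.js"></script></body></html>'),
]


class LinkCollector(HTMLParser):
    """Collects every href/src/action target seen in one HTML response."""

    def __init__(self):
        super().__init__()
        self.links = []  # (target, is_form_action)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append((value, tag == "form"))


def build_sitemap(captured):
    """Return {host: {path: {"dynamic": bool, "requested": bool}}}.

    'requested' is True only for URLs the browser actually fetched (bold in
    Burp's tree); everything else was discovered passively (grayed out).
    'dynamic' marks pages seen with a query string or as a form target.
    """
    sitemap = {}

    def record(url, requested, dynamic):
        parts = urlsplit(url)
        entry = sitemap.setdefault(parts.hostname or "", {}).setdefault(
            parts.path or "/", {"dynamic": False, "requested": False})
        entry["dynamic"] = entry["dynamic"] or dynamic or bool(parts.query)
        entry["requested"] = entry["requested"] or requested

    for url, body in captured:
        record(url, requested=True, dynamic=False)
        parser = LinkCollector()
        parser.feed(body)
        for target, is_form in parser.links:
            absolute = urljoin(url, target)  # resolve relative links against the page
            if urlsplit(absolute).scheme in ("http", "https"):
                record(absolute, requested=False, dynamic=is_form)
    return sitemap


def out_of_scope_hosts(sitemap, scope_hosts):
    """Hosts cataloged by passive spidering that are not in the test scope."""
    return sorted(h for h in sitemap if h not in scope_hosts)


if __name__ == "__main__":
    tree = build_sitemap(CAPTURED)
    for host, pages in tree.items():
        print(host)
        for path, info in sorted(pages.items()):
            marks = ("*" if info["requested"] else " ") + ("#" if info["dynamic"] else " ")
            print(f"  {marks} {path}")
    print("outside scope:", out_of_scope_hosts(tree, {"127.0.0.1"}))
```

Run as a script, the tree lists 127.0.0.1 with login.php and setup.php marked both requested and dynamic, index.php and the script file as static passive finds, and the two external hosts reported as outside a scope of 127.0.0.1, which is exactly the review you would do in the scope sub-tab before letting anything automated loose.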

You can also selectively spider any branch of the target web application, or the entire web application if you'd like, by selecting spider this branch from the right-click menu on the site map. You can watch the progress of the spider under the spider tab and control sub-menu. Before we simply walk away from the automated spider, there are a few settings that need to be reviewed under the spider tab and the options sub-tab as shown in Figure 3.7.

■ All of the checkboxes under settings are enabled by default including the check robots.txt setting.

■ You can uncheck the passive spidering if you’d like, but I encourage you to leave it on. Even if you’re not in the hacking mood, it’s still quite interesting to review the site map that gets built after a day’s worth of browsing!

■ All of the default values of the spider options can be reset by using the Reset Defaults

FIGURE 3.7 Burp Spider settings and traffic monitoring options.

There are also two important spidering options for submitting forms. By default, the automated spider will submit all forms that it finds. It does not care what the form is for, where it is located, or the ramifications of submitting the form several hundred (or thousand) times. I can't stress this point enough: if the automated spider finds a form, it will submit it without regard for human life! (OK, that was a tad too dramatic, but you get the point). If the spider finds the change password form that does not require the existing password in order to process the auto-filled new password, you will have an embarrassing call to make to your client to reset your test account. Another potential sticking point is the Contact Us form that so many websites use. It's common for the spider to easily submit thousands of emails to the target email server via this form and cause all sorts of heartburn for the receiving company trying to keep their email server running correctly after such an onslaught. Consider using the prompt for guidance option for form submission if you want more granular control of what Burp Spider actually submits to the web application.
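To make the "prompt for guidance" idea concrete, here is an added example (not Burp's own implementation of that option) of a submission gate that an automated spider could run before sending any form. It parses each discovered form, holds back the two cases the text warns about (anything with a password field, and contact-style forms with e-mail or free-text fields) plus any POST form, and only auto-fills and approves parameterless GET lookups, drawing the fill values from an explicit tester profile rather than a tool's built-in defaults. The `SAMPLE_PAGES` bodies, the paths other than login.php, and `TESTER_PROFILE` are all constructed for this example.

```python
"""Form-submission gate for an automated spider (added example; not Burp's
own "prompt for guidance" implementation).

Discovered forms are classified before anything is sent: forms with
password, e-mail or free-text fields, and any POST form, are held for a
human decision; only GET forms with plain text fields are auto-submitted,
filled from an explicit tester profile.
"""
from html.parser import HTMLParser

# Constructed sample pages, each carrying one form. Paths other than
# login.php are invented for this example.
SAMPLE_PAGES = {
    "/login.php": ('<form action="login.php" method="post">'
                   '<input name="username"><input type="password" name="password">'
                   '<input type="submit" name="Login" value="Login"></form>'),
    "/change_password.php": ('<form action="change_password.php" method="get">'
                             '<input type="password" name="password_new">'
                             '<input type="password" name="password_conf"></form>'),
    "/contact.php": ('<form action="contact.php" method="post">'
                     '<input name="name"><input type="email" name="email">'
                     '<textarea name="message"></textarea></form>'),
    "/search.php": ('<form action="search.php" method="get">'
                    '<input type="hidden" name="lang" value="en"><input name="q"></form>'),
}

# Values used when a form is approved for submission; constructed profile.
TESTER_PROFILE = {"text": "pentest-form-probe", "email": "pentest@example.invalid"}


class FormCollector(HTMLParser):
    """Collects each <form> with its input/textarea fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
        elif tag in ("input", "textarea") and self._form is not None:
            ftype = "textarea" if tag == "textarea" else (a.get("type") or "text").lower()
            self._form["fields"].append({"name": a.get("name") or "",
                                         "type": ftype,
                                         "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def classify_form(form):
    """Return ("submit", reason) or ("prompt", reason) for one parsed form."""
    types = {f["type"] for f in form["fields"]}
    if "password" in types:
        return "prompt", "password field: could change or lock an account"
    if "email" in types or "textarea" in types or "contact" in form["action"].lower():
        return "prompt", "contact-style form: each submission may send mail"
    if form["method"] == "post":
        return "prompt", "POST form: assume it changes server state"
    return "submit", "GET form with plain text fields only"


def fill_form(form, profile):
    """Build the parameter set an approved form would be sent with."""
    params = {}
    for field in form["fields"]:
        if field["type"] == "submit" or not field["name"]:
            continue
        if field["type"] == "hidden":
            params[field["name"]] = field["value"]  # keep server-supplied value
        else:
            params[field["name"]] = profile.get(field["type"], profile["text"])
    return params


def plan_submissions(pages, profile):
    """Map each page to (decision, reason, params-or-None)."""
    plan = {}
    for path, html in pages.items():
        collector = FormCollector()
        collector.feed(html)
        for form in collector.forms:
            decision, reason = classify_form(form)
            params = fill_form(form, profile) if decision == "submit" else None
            plan[path] = (decision, reason, params)
    return plan


if __name__ == "__main__":
    for path, (decision, reason, params) in plan_submissions(SAMPLE_PAGES, TESTER_PROFILE).items():
        print(f"{decision:6} {path:22} {reason}" + (f" -> {params}" if params else ""))
```

Only the search form is approved; the login, change-password and contact forms are queued for a person to decide, which is the granular control the prompt option gives you inside Burp.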

Also, note the default values that Burp uses for all the form fields as shown in Figure 3.8. These are the exact values that will be sent to the web application when the spider encounters a form that can be submitted.

FIGURE 3.8 Burp Spider forms options.

Although Peter Wiener from Weinerville, WI is very catchy and fun, it probably isn't the most appropriate to use when conducting a professional penetration test. The "Legend of Peter Wiener" has a cult-like following in the information security community, and there are running blog posts about the funny places that Peter Wiener has turned up during penetration tests. The creator of Burp Suite, Dafydd Stuttard, is a great fellow from England where the term wiener doesn't have the same connotations that it has in the United States. Or so he says.

Let me tell you a quick story about my personal run-in with Peter Wiener. I completed a large amount of manual spidering on especially sensitive pages of an online banking application that I was testing so as not to trigger any unexpected functionality. Once that tedious task was done, I thought it would be appropriate to use automated scanning to make quick work of what I thought was only static HTML pages. Later that week as I was finishing the project and starting the report, I got a call from the bank's chief security officer (CSO) wondering who Peter Wiener was and why he had submitted over 400 questions to the bank via the Contact Us page. The CSO was a bit taken aback by the name Peter Wiener and he wanted to know what he should tell the bank's board of directors if they asked about it. Gulp! It was at that exact moment that I went into the settings of Burp Spider and changed Peter Wiener from Weinerville, WI to Peter Winner from Winnerville, WI. That one letter change has made all of my explanations much easier! One last note on Peter: these default values will return when you download a new version of Burp, so make sure you change them every time!

There is one other pointer about using automated web hacking tools that I think is worth mentioning. It is very tempting to configure and execute the tools and then walk away (or go to bed). Please don't do this. While most of the time it is perfectly safe, there are more and more reports of unsupervised automated tools running amok! Web developers and web server administrators will set up black holes on the servers and applications that will put the automated hacking tool into an infinite loop of requests and cataloging. At some point, the hacker's hard drive will become full of the temporary files from the automated tools running for hours. Nothing will ruin your morning like trying to put your machine back together after having the hard drive effectively bricked.
