How To Burp David Brown

Academic year: 2021


(1)

David Brown

Senior Security Engineer, Security Innovation

(2)

In case you want to follow along

(3)

What is Burp?

• An HTTP Proxy and other things

• Built by lazy Security Engineers for other lazy Security Engineers

• Extremely Configurable

• Know how to program?

– Also Extensible

(4)

What is it not?

• An “automated security tool”

– Not the bad kind anyway

• Open Source

– Pro features are nice and you probably want them

• $350.00/user/year

• Always Intuitive

– Sniper, Battering Ram, Pitchfork, Cluster Bomb

• Risk Free

(5)

Suite Overview

• Target/Scoping mechanism

• HTTP(S) Proxy

• Spidering Engine

• Active & Passive Scanners

• Configurable Automation Engine

• Manual Request Constructor

• Entropy Analysis Engine

• Decoding/Encoding Utility

• HTTP Request/Response Diff Tool

• Plugin Architecture w/ Open APIs

(6)
(7)

Target

• Site Map

– If Burp saw it, it will be listed here

• Probably

• Just keep looking, I’m sure it’s in there somewhere

• Scope (USE IT)

– Fun fact: I didn’t know about this tab for a year

– Highly configurable

(8)

Proxy

• Intercept

– Very occasionally, it’s nice to be able to intercept things in transit

• HTTP History

– The glue holding the Suite together

– Fun Fact: 375 … The number of requests a recent target made

(9)

Proxy Options

• CA Certificates

– Burp issues its own CA certificates

– Usually just works but can get complicated

• e.g. Certificate Pinning, HSTS, Pre-Load Lists, etc.

• Match/Replace

– An especially powerful but overlooked feature

– Allows arbitrary replacement of values in requests or responses based on arbitrary criteria

(10)
(11)

Spider

• Configurable web crawler

• Fun Fact: The Spider queue auto-populates with requests!

• Fun Fact: Certain requests can be destructive!

– e.g. The "Delete Everything" button that ended up in the Admin Console for some reason

(12)

Scanner

• Live Scanning

– By default Burp passively scans all requests

– Active Scanning is not where Burp shines

                 Passive Scanning      Active Scanning
Live Scanner     Low Hanging Fruit!    No. Stop. Just don’t.

(13)

Intruder

• Hands down, most powerful tool in the suite

– Replace most anything in a request or response with most anything else

• Useful in all sorts of attacks

– Account Enumeration

– Identification of SQLi or XSS

– Fuzzing request handling
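The four Intruder attack types named on the "Always Intuitive" slide differ only in how payload sets are mapped onto marked positions. This added example (not code from the slides or from PortSwigger) reproduces that mapping over a constructed request template so the request counts of each mode can be compared; the template, the `§` markers and the payload values are assumptions chosen for illustration.

```python
"""Added example, not from the slides: how Burp Intruder's four attack types
combine payload sets across positions. Template and payloads are constructed."""
from itertools import product
import re

# Intruder marks each payload position with a pair of section signs.
TEMPLATE = "GET /items?color=§red§&size=§M§ HTTP/1.1"
MARKER = re.compile("§([^§]*)§")


def positions(template):
    """Return the original values found between the § markers."""
    return MARKER.findall(template)

def fill(template, values):
    """Substitute one value per § position, left to right."""
    it = iter(values)
    return MARKER.sub(lambda m: next(it), template)

def sniper(template, payloads):
    """One set; each position attacked in turn, others keep their original value."""
    base = positions(template)
    for i in range(len(base)):
        for p in payloads:
            yield fill(template, base[:i] + [p] + base[i + 1:])

def battering_ram(template, payloads):
    """One set; the same payload goes into every position at once."""
    n = len(positions(template))
    for p in payloads:
        yield fill(template, [p] * n)

def pitchfork(template, payload_sets):
    """One set per position, walked in parallel; stops at the shortest set."""
    for combo in zip(*payload_sets):
        yield fill(template, list(combo))

def cluster_bomb(template, payload_sets):
    """One set per position; every combination is sent (Cartesian product)."""
    for combo in product(*payload_sets):
        yield fill(template, list(combo))

def request_counts(template, payload_sets):
    """How many requests each mode would send; single-set modes use set 0."""
    return {
        "sniper": sum(1 for _ in sniper(template, payload_sets[0])),
        "battering_ram": sum(1 for _ in battering_ram(template, payload_sets[0])),
        "pitchfork": sum(1 for _ in pitchfork(template, payload_sets)),
        "cluster_bomb": sum(1 for _ in cluster_bomb(template, payload_sets)),
    }
```

With two positions and sets of two and three payloads, Cluster Bomb sends six requests while Pitchfork stops after two, which is why the mode choice matters as much as the payload list.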

(14)
(15)

Repeater

• Good exploration tool

– Ctrl-R works on almost any request in the Suite

• Most of the interesting discoveries I make in Burp come out of the Repeater

(16)

Sequencer

• Kind of a one trick pony

• If you were wondering how much entropy something has…

– Now you have an objective way to find out

• Useful when auditing FIPS requirements

• Confidence level increases with number of requests (max: 20000)
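Sequencer's output is a statistical estimate whose ceiling is set by the sample size, which is the reason the confidence level grows with the number of requests. This added example (not Sequencer's own algorithm, which runs many more tests) shows the simplest such estimate, Shannon entropy per character position, over a constructed set of tokens; the token format and the 0.5-bit threshold are assumptions.

```python
"""Added example, not from the slides: a simplified version of what Sequencer
measures, Shannon entropy per character position over a token sample.
The tokens are constructed values, not real session IDs."""
from collections import Counter
from math import log2

# Constructed sample: a fixed "sess-" prefix followed by six hex characters.
TOKENS = [
    "sess-7f3a9c", "sess-b21e04", "sess-0d9f7a", "sess-e5c318",
    "sess-4a7b92", "sess-c0e61d", "sess-93f2ab", "sess-6b8d05",
]


def shannon_entropy(symbols):
    """Bits of entropy in the observed distribution of a symbol sequence."""
    total = len(symbols)
    return -sum(c / total * log2(c / total) for c in Counter(symbols).values())


def per_position_entropy(tokens):
    """Entropy of each character position, measured across all tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must all be the same length")
    return [shannon_entropy([t[i] for t in tokens]) for i in range(length)]


def token_report(tokens, low_bits=0.5):
    """Flag positions that barely vary and estimate total bits.

    Summing positions assumes they are independent, so the estimate is an
    upper bound. With n samples no position can score above log2(n) bits,
    which is why the slide's confidence grows with the number of requests."""
    ent = per_position_entropy(tokens)
    fixed = [i for i, e in enumerate(ent) if e < low_bits]
    varying = len(ent) - len(fixed)
    return {
        "samples": len(tokens),
        "fixed_positions": fixed,
        "estimated_bits": round(sum(ent), 2),
        "ceiling_bits": round(log2(len(tokens)) * varying, 2),
    }
```

With only eight samples the six varying positions cannot score more than 3 bits each, so a real assessment needs the thousands of tokens Sequencer asks for before the estimate says anything about the generator.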

(17)

Decoder

• Does what it says on the can

– Encode or Decode an arbitrary string as many times as you desire

• Least mature tool of the suite

– Honestly I’m not sure why it’s still so bad

• Is admittedly convenient when the need to multiply decode something arises

(18)

Comparer

• I’ve almost never used this tool

• Maybe I’m not the target audience?

• Simple diff tool for comparing requests or responses

(19)

Extender

• Plugin architecture for Burp

• Fortunately (or unfortunately) extensions can be written in most languages

– Java, Python, Jython and Ruby are popular

• The relatively new BApp Store allows in-Suite installation for the more mature extensions

(20)

Handy Extensions

• Some particularly useful extensions

– Logger++

• Useful when recording exactly what was done in a production environment during testing

• Extremely useful if said testing in production results in an unpleasant outcome

– JSON Decoder

• Parsing through unbeautified json blobs tends to get old after a while

– Browser Repeater

• Sometimes the burp rendering engine isn't enough (e.g. reflected xss that relies on a specific browser...IE9 and ASP.Net 3.5)

– Headers Analyzer

• There have been few, if any, web applications I've assessed that didn't have at least one misconfigured response header

– WSDL’er

• Uses SoapUI Core but wraps it in a very useful plugin that auto-builds the request structure for a given host/service definition. Very useful for fuzzing.
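The Headers Analyzer point above is that response headers are misconfigured in almost every assessed application. This added example (not the extension's code) shows the shape of such a check over a constructed sample response: expected hardening headers, version disclosure in `Server`, and cookie flags. The header list and sample values are assumptions.

```python
"""Added example, not from the slides or the Headers Analyzer extension: the
kind of response-header check that extension automates, run over a
constructed sample response."""

# Constructed sample response with several common header problems.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)

# Headers a hardened HTTPS response is expected to carry.
EXPECTED = ["Strict-Transport-Security", "X-Content-Type-Options",
            "X-Frame-Options", "Content-Security-Policy"]


def parse_headers(raw):
    """Split a raw response into its status line and (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def analyze(raw):
    """Return findings for missing or weak security-relevant headers."""
    _, headers = parse_headers(raw)
    present = {name.lower(): value for name, value in headers}
    findings = [f"missing {h}" for h in EXPECTED if h.lower() not in present]
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server}")
    # Each Set-Cookie is checked separately; the dict above would merge them.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```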

(21)
(22)

Burp Suite Options

• Proxy settings

– If a target requires a proxy to reach, you can define it as an upstream proxy

• Hostname Resolution

– Acts as a hosts file within burp for redirecting all requests for a given host

• SSL

– Allows granular definition for all SSL/TLS versions and cipher suites

• Client / Host SSL Certificates

– If a client and host require mutual cert-based authentication, that can be defined here

• Session Handling / Cookie Jar

(23)

Burp State

• Pro version?

– Persist the full state of the suite

– Super useful when a client inevitably asks questions like

• Did you or did you not send a request to our service asking webroot to delete itself?

• Free version?

– Logger++

(24)

Additional Resources

• Burp Suite

– Download Page: https://portswigger.net/burp/download.html

– Full Documentation: https://portswigger.net/burp/help/contents.html

– Web Application Hacker's Handbook: http://www.amazon.com/gp/product/1118026470?ie=UTF8&tag=portswinet-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1118026470

• Wordlists

– Compiled lists of payloads, passwords, usernames, etc.:

(25)

David Brown

Senior Security Engineer, Security Innovation

