BurpSuite Compendium Preview
Editor-in-Chief
Betatesters:
Joanna Kretowicz
Lee McKenzie
Editors:
CEO:
K S Abhiraj
Joanna Kretowicz
Greg McKoy
Marketing Director:
Ayo Tayo Balogun
Joanna Kretowicz
Jonus Gerrits
DTP
Marta Sienicka
Michal Jáchim
Mitch Impey
Cover Design
Hiep Nguyen Duc Wayne Kearns
Suite. We gathered all articles we had about this tool, added new ones and prepared this compendium. Tutorials, step by step guides, and more can be found in this edition. Hamed Farid will show you how to Extend Burp with Python. Junior Carreiro wrote an article to show you how you can use Burp to perform fuzz-

If you get tired of Burp, I recommend reading two amazing articles: “Demystifying the Dark Web” by Sayani Banerjee and “Browser Exploits: PasteJacking And XSSJacking” by Samrat Das. We hope that you will find many interesting articles inside the magazine and that you will have time to read them all.

Again special thanks to the Beta testers and Proofreaders who helped with this
Hakin9 Team
What is Burp Suite? by Pprasoon Nigam
Burp for fuzzing by Junior Carreiro
Brute forcing passwords using WPScan and Burp Suite by Tomasz Krupa
Tomasz Krupa: Security Hobbyist and Researcher, working over 9
Brute Forcing Passwords Using WPScan And Burp Suite, Kali Linux 2.0
“Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain.”
In this article we will be testing the web security of the popular WordPress engine by simulating a brute force attack using my two favourite Kali Linux tools: WPScan and Burp Suite.
The Tools:
1) WPScan is a WordPress vulnerability scanner, written entirely in Ruby, capable of detecting security vulnerabilities in websites hosted using WordPress; it is pre-installed in Kali Linux. It can perform:
• Username enumeration
• Version enumeration
• Vulnerability enumeration
• Theme enumeration
• Directory listing
2) Burp Suite is a Java based Web Penetration Testing framework and a tool used by information security professionals to identify vulnerabilities and verify attack vectors for web-based applications.
In its simplest form, Burp Suite can be classified as an “Interception Proxy”: internet traffic is routed through the proxy, which then acts as a sort of Man in the Middle by capturing and analysing each request and response.
Individual HTTP requests can be paused, manipulated and replayed back to the web server for targeted analysis of specific injection points, which can then be translated into automated fuzzing attacks to discover potentially unintended application behaviours, crashes and error messages.
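To make the pause, manipulate and replay cycle concrete, here is an added example (written for this editing pass, not code from the article or from Burp Suite itself) that does in miniature what the proxy does with one intercepted request: parse the raw HTTP text, let the tester change a form field, re-serialise it with a corrected Content-Length so it can be replayed, and expand a marked injection point into a batch of request variants the way Burp Intruder does. The sample request, the `§` marker convention, the payload list (input-validation boundary cases) and all function names are constructed for this demo and are not Burp's own.

```javascript
// Added example, not from the article or from Burp Suite: the parse / edit /
// re-serialise / expand cycle an interception proxy applies to one HTTP request.
// The request, marker convention and payloads below are constructed for the demo.
const CRLF = '\r\n';
const MARK = '\u00a7'; // the "§" marker used here to delimit an injection point
const POINT_RE = new RegExp(`${MARK}([^${MARK}]*)${MARK}`);

// Constructed sample request as the proxy would see it on the wire.
const SAMPLE_REQUEST = [
  'POST /comment HTTP/1.1',
  'Host: blog.example',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 21',
  '',
  'name=alice&text=hello',
].join(CRLF);

// Split raw request text into its request line, ordered headers and body.
function parseRequest(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const [requestLine, ...headerLines] = head.split(CRLF);
  const [method, target, version] = requestLine.split(' ');
  const headers = headerLines.map((h) => {
    const i = h.indexOf(':');
    return i === -1 ? [h.trim(), ''] : [h.slice(0, i).trim(), h.slice(i + 1).trim()];
  });
  return { method, target, version, headers, body };
}

// Rebuild wire format for replay; Content-Length is recomputed because the
// tester may have changed the body size.
function serializeRequest(req) {
  const headers = req.headers.filter(([name]) => name.toLowerCase() !== 'content-length');
  if (req.body.length > 0) headers.push(['Content-Length', String(Buffer.byteLength(req.body))]);
  return [
    `${req.method} ${req.target} ${req.version}`,
    ...headers.map(([name, value]) => `${name}: ${value}`),
    '',
    req.body,
  ].join(CRLF);
}

// The "manipulate" step: change one field of a form-encoded body.
function setFormField(body, name, value) {
  const params = new URLSearchParams(body);
  params.set(name, value);
  return params.toString();
}

// The "automated" step: replace the §…§ span with each payload (URL-encoded)
// and re-serialise so every variant carries a correct Content-Length.
function expandInjectionPoint(template, payloads) {
  const m = POINT_RE.exec(template);
  if (!m) throw new Error('template has no injection point marked with ' + MARK);
  return payloads.map((payload) => {
    const raw = template.slice(0, m.index) + encodeURIComponent(payload) + template.slice(m.index + m[0].length);
    return serializeRequest(parseRequest(raw));
  });
}

// Constructed payloads: boundary cases for checking the server's input validation.
const SAMPLE_PAYLOADS = ['', 'A'.repeat(64), 'A'.repeat(4096), "O'Reilly", '<b>x</b>'];
const TEMPLATE = SAMPLE_REQUEST.replace('text=hello', `text=${MARK}hello${MARK}`);

// Walk the cycle once so the script shows something when run directly.
const intercepted = parseRequest(SAMPLE_REQUEST);
const edited = serializeRequest({ ...intercepted, body: setFormField(intercepted.body, 'text', 'hello world') });
console.log(edited);
console.log(expandInjectionPoint(TEMPLATE, SAMPLE_PAYLOADS).map((r) => r.split(CRLF)[3]));
```

Every variant is rebuilt from the template rather than string-patched, which is why the stale `Content-Length: 21` in the template never reaches the wire; a proxy that forgets this step produces requests the server truncates or rejects, and the tester mistakes that for application behaviour.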
The Victim:
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL, supporting more than 60 million websites worldwide (according to Wikipedia).
As of February 2017, WordPress was used by more than 27.5% of the top 10 million websites and it is reportedly the most popular website management system for blogs on the Web.
From the architecture perspective, the WordPress engine is a front controller, routing all requests for non-static URIs to a single PHP file that parses the URI and identifies the target page.
The community of users built around the product and its user-friendly design have resulted in a huge library of plugins and themes (both free and paid), which can truly transform a static website into a dynamic and vibrant CMS.
Scenario:
Target:
1) Gather as much information as possible about the application and the infrastructure it resides on.
2) When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage.
Any information leak should be recorded and used to re-assess the overall understanding of the application and how it works.
Note: the above command might return “Stop User enumerating plugin” (as below), which is expected on the latest versions of WordPress.
wpscan --update
Browser Exploits: PasteJacking And XSSJacking
by Samrat Das

ABOUT THE AUTHOR
Samrat Das is a senior security researcher currently working for Se-
Hi Readers, in the field of penetration testing we all know attacks such as Clickjacking and Cross Site Scripting. These are among the attacks most commonly included in OWASP Top 10 test cases.
However, what about learning some client side exploits which can help us chain unexpected and not so commonly accepted attacks to perform account takeover, hijack sessions, or manipulate a user's clipboard remotely? Sounds exciting? Well, that is what XSSJacking and Pastejacking are all about; read on to know more.
Today we will look into some advanced attack vectors which have been around for some time but which not everyone is aware of.
Pastejacking. The art of changing what you copy from web pages.
What is pastejacking?
• Pastejacking is a method that malicious websites employ to take control of your computer's clipboard and change its content to something harmful without your knowledge.
• This feature can allow malicious websites to take over your computer's clipboard.
• When you copy something to your clipboard, the website can use your browser to put one or more commands there instead.
• If you paste that directly into a terminal? Result: lethal commands executed.
Attack scenario:
Here we have a sample page which shows the text “who am i?” as bait for copying. Once this text is selected and copied, it automatically gets replaced in the clipboard with echo " I @// H4k3r" .
<html>
<body bgcolor="#E6E6FA">
<center>
<h3>who am i?</h3> <!-- bait text the visitor is expected to copy -->
<br>
<script>
// Copies the given string to the clipboard through a temporary textarea.
// The source cut this function off at a page break; the remainder follows the
// usual document.execCommand("copy") pattern.
function copyTextToClipboard(text) {
  var textArea = document.createElement("textarea");
  textArea.value = text;
  document.body.appendChild(textArea);
  textArea.select();
  try {
    document.execCommand("copy");
  } catch (err) {
    console.log("Unable to copy");
  }
  document.body.removeChild(textArea);
}
</script>
</center>
</body>
</html>
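As a counterpart to the sample page above, here is an added example (not from the article) written from the defender's side: a check to run on text a web page may have put on the clipboard before it is pasted into a shell. It compares the clipboard with what the user visibly selected, and goes beyond the article's replacement trick by also flagging embedded line breaks (which make a shell execute the pasted text at once), control characters such as ANSI escapes, and zero-width or bidirectional characters that hide content. It runs under Node with no browser APIs; the function names are this example's own and every sample string is constructed, the bait text and payload being the ones quoted in the article.

```javascript
// Added example, not from the article: audit clipboard text before it reaches a
// shell. No browser APIs are used; every sample string below is constructed.

// Patterns a terminal would act on, or that hide text from the person reading it.
const LINE_BREAK = /[\r\n]/;
const CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;              // includes ESC, the start of ANSI escape sequences
const INVISIBLE_CHARS = /[\u200b-\u200f\u2028\u2029\u202a-\u202e\u2060\ufeff]/; // zero-width, bidi controls, BOM

// Whitespace-only differences (a trailing newline copied from a <pre> block,
// re-wrapped lines) are compared leniently; line breaks are reported on their own.
function normalise(text) {
  return text.replace(/\s+/g, ' ').trim();
}

// Render every character a terminal would receive, with hidden ones made visible.
function visiblePreview(text) {
  return text.replace(
    /[\x00-\x1f\x7f\u200b-\u200f\u2028\u2029\u202a-\u202e\u2060\ufeff]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'),
  );
}

// Compare what the user thinks they copied with what is actually on the clipboard
// and list every reason it should not be pasted straight into a terminal.
function auditClipboardPayload(selectedText, clipboardText) {
  const findings = [];
  if (normalise(selectedText) !== normalise(clipboardText)) {
    findings.push('clipboard content differs from the visible selection');
  }
  if (LINE_BREAK.test(clipboardText)) {
    findings.push('contains a line break: a shell would run it immediately on paste');
  }
  if (CONTROL_CHARS.test(clipboardText)) {
    findings.push('contains control characters (possible ANSI escapes hiding text)');
  }
  if (INVISIBLE_CHARS.test(clipboardText)) {
    findings.push('contains zero-width or bidirectional characters');
  }
  return { safe: findings.length === 0, findings, preview: visiblePreview(clipboardText) };
}

// Constructed cases: the article's bait and payload, plus two variants of the trick.
const CASES = [
  { selected: 'who am i?', clipboard: 'who am i?' },               // honest copy
  { selected: 'who am i?', clipboard: 'echo " I @// H4k3r"' },     // the article's replacement
  { selected: 'ls -la', clipboard: 'ls -la\n' },                   // same text, auto-executing newline
  { selected: 'ls -la', clipboard: 'ls -la\u001b[2K\r' },          // escape sequence wipes the line, CR runs it
];

function runCases() {
  return CASES.map((c) => ({ ...c, result: auditClipboardPayload(c.selected, c.clipboard) }));
}

for (const r of runCases()) {
  console.log(`${r.result.safe ? 'OK  ' : 'WARN'} ${r.result.preview} ${r.result.findings.join('; ')}`);
}
```

The `preview` string is the part worth showing to a user: a terminal with bracketed paste enabled will hold a multi-line paste for confirmation, but nothing at the terminal end reveals that the text differs from what was selected, which only the comparison with the selection can catch.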