
Web Application Security Testing Using Burp Suite

Rupesh Garg & Chandra Sekhar Gajula

1 © 2012 WIPRO LTD | WWW.WIPRO.COM | CONFIDENTIAL


Agenda

Introduction

Approach

Challenges Faced

Benefits

Conclusion



What does a Security Breach Mean?

An act from outside an organization that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called a security violation.



Three of the biggest security breaches of recent times.

1) Heartland Payment Systems - In Mar 2008 - 138 million credit cards exposed through SQL injection, used to install spyware on Heartland's data systems.
2) TJX Companies Inc. - In Dec 2006 - 94 million credit cards exposed.
3) Epsilon - In Mar 2011 - Exposed the names and e-mails of millions of customers stored for more than 108 retail stores plus several huge financial firms like Citigroup Inc. and the non-profit educational organization, College Board.



Introduction
• This document details how you can use Burp Suite to test web applications for common vulnerabilities such as cross-site scripting and SQL injection. It gives brief details about each component and its uses.
• Web Application Security Testing is an in-depth assessment of the application's web pages to identify inherent and potential vulnerabilities. It determines the confidentiality, integrity and availability of the application.
• Web security testing uses a variety of tools, both manual and automatic, to simulate attacks against and exercise our web application. We will take malicious inputs, such as cross-site scripting payloads, and use both manual and scripted methods to submit them to our web application. We will use malicious SQL inputs in the same way, and submit them also.
• Our goal is to produce repeatable, consistent tests that fit into our overall testing scheme but address the security side of web applications. When someone asks whether our application has been tested for security, we will be able to confidently say yes and point to specific test results to back up our claim.



Web Application Security Testing
• "Web Application Security Testing tells you how you can test for SQL injection or cross-site scripting, but it won't provide a comprehensive set of malicious inputs that you can use."
The figure below shows the many points within a system that might require protection.



OWASP Top 10 Web Application Security Risks (2010)

• The OWASP Top Ten provides a powerful awareness document for web application security.
• The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards



About Burp Suite:
• Burp Suite Professional is an integrated platform for security testing of web applications. It includes the entire set of Burp tools with numerous interfaces, designed to assist and accelerate the process of security testing.

Key features unique to Burp Suite include:

• Detailed analysis and rendering of requests and responses.
• One-click transfer of interesting requests between tools.
• Utilities for decoding and comparing application data.
• Support for custom client and server SSL certificates.
• Burp Scanner to automate the discovery of vulnerabilities.
• Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
• Tools can run in a single tabbed window, or be detached in individual windows.



Approach



How to configure BURP and BROWSER?
• Burp Proxy allows defining multiple listeners. Each listener opens a port on the computer and waits for connections from the browser. By default, Burp opens a single listener on port 8080 of the loopback interface. For each listener, the following properties need to be configured as applicable.

• Local listener port - This is the port on the local computer which will be opened to listen for incoming connections. The browser should be configured to use host 127.0.0.1 and port 8080 as its proxy server.

• Use of proxy server - This controls whether Burp Suite communicates directly with remote web servers, or via a downstream HTTP proxy (located at the server and port number specified). Many LAN configurations require users to access web servers via a central proxy. Burp Suite can be used in this type of set-up by configuring the address and port number of the proxy server here; the GSK Internet proxy in this case.



How to configure BURP and BROWSER? Contd..
• By doing the browser configuration below, you make your browser interact with BURP instead of with the server.

• BURP now needs to be configured so that it accepts requests from the browser and, from there on, acts as the browser towards the server.
BURP Configuration
• Click on the options tab and consider only the three sections below; leave all other sections at their default settings.
• Do www authentication (used for intranet applications)
• Upstream proxy server (used for internet applications)
• Use client SSL certificate (PKCS12)
Intranet Application Settings:
• Method 1: Check the "do www authentication" check box and add the details of the server where the application is hosted, the type of authentication (basic, NTLM or digest; this can be asked of the development team directly, or found by trial and error since there are only three options available), username, password and domain.

• Method 2: Check the "do www authentication" check box and also check the "prompt for credentials on authentication failure" check box. There is then no need to enter the above details; they can be entered while you run the application via Burp.

Internet Application Settings: In the upstream proxy server section, enter details such as destination host (not mandatory), proxy host (e.g. Wipro Proxy xxx.xx.xxx.x, Client Proxy is xxxxx.xxx.com or xxxxx.xxxx.com), proxy port (e.g. 800 for Client and Wipro), Authentication (trial and error in case there is no information on this, as there are only three options available), Username, Password, Domain and hostname (not mandatory). Once these details are filled in, click on the add button. All details are moved to the upstream proxy server table above.
Key Components of Burp Suite
• Burp Suite has 2 editions:
• BURP Suite Free Edition: Burp Proxy, Burp Spider, Burp Repeater, Burp Sequencer, Burp Decoder, Burp Comparer, Burp Intruder (time-throttled demo version)

• BURP Suite Professional: It has all components, including Burp Scanner and Burp Intruder (full edition, lightning-fast, with the ability to save and restore attacks and built-in attack payloads)

• Burp Proxy:
When Burp has been configured as the browser's proxy, it will capture and replay any and all web requests. By default, Burp will intercept the web request and wait for approval/modification before passing it on to the internet. This type of control allows a person to dynamically change variables to see what happens.



Burp Proxy- Intercept Tab
• This tab is used to display and modify individual browser requests and server responses.
• If "intercept is on" is switched off, no requests are intercepted by Burp Proxy. So the tester can turn the interceptor on only for those requests where a vulnerability is suspected, instead of intercepting each and every request.



Burp Proxy- Options Tab
• This tab contains various configuration options which control the behavior of Burp Proxy, as described below.

• Burp Proxy allows you to define multiple listeners. Each listener opens a port on your computer and waits for connections from your browser. By default, Burp opens a single listener on port 8080 of the loopback interface, but you can modify this listener and add as many others as you require.



Burp Proxy- History Tab
• This tab displays details of all requests made, and shows the target server and port number, the HTTP method, the URL, whether the request contains parameters or was manually modified, the HTTP status code of the response, the response size in bytes, the MIME type of the response, the file type of the requested resource, the title of the HTML page, whether SSL was used, the remote IP address, any cookies set by the server, and the time of the request.

Burp Proxy Uses:

• Intercept and modify all HTTP/S traffic passing in both directions.
• Send interesting items to other Burp Suite tools with a single click.
• View all traffic in the detailed proxy history, with advanced filters and search functions.



Burp Spider
• Burp Spider is a tool for mapping web applications. It uses various intelligent techniques to generate a comprehensive inventory of an application's content and functionality.

• Burp Spider maps a target application by following hyperlinks found within HTML and JavaScript, submitting forms, and using other clues such as directory listings, source code comments and the robots.txt file. Results are displayed in the target site map in both tree and table format, providing a clear and highly detailed view of the target application.

• Burp Spider enables you to obtain a detailed understanding of how a web application works, avoiding the time-consuming and unreliable task of manually following links, submitting forms and scouring HTML source code. Potentially vulnerable application functions can be quickly identified, allowing you to check for specific vulnerabilities such as SQL injection and directory traversal.
Using Burp Spider
• Using Burp Spider against an application requires two simple steps:
• With your browser configured to use Burp Proxy as its proxy server, browse to the target application. (You can turn off interception within the Proxy, to save time.)
• Go to the site map in the "target" tab, and select the host(s) and directories where the target application resides. Choose the "spider this host/branch" option from the context menu.



Burp Spider- Control Tab
• This tab is used to start and stop Burp Spider, monitor its progress, and define the spidering scope.



Burp Spider- Options Tab
• This tab contains various configuration options which control the behaviour of Burp Spider, as described below. These settings can be modified after the Spider has started running, and will be applied retrospectively to prior results. For example, if the maximum link depth is increased, then links which were previously outside the maximum depth will be queued to be requested if appropriate.

Burp Spider Uses:

• Spider deals with complex applications, with automatic handling of login credentials and session cookies, and detection of custom "not found" responses.



Burp Scanner
• Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications. It is designed to be used by penetration testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.



Burp Scanner – View the Identified Issue
• You can double-click any item in the scan queue to display the issues identified so far, and view the base request and response for that item.



Burp Scanner- Live Scanning Tab
• A further way to initiate scans is to use the "live scanning" feature. In this mode, you tell Burp what your target scope is for active and passive scanning, and it will automatically initiate active or passive scans against relevant requests as you use the application.



Burp Scanning Uses:

Active scanning: The scanner sends various crafted requests to the application, derived from a base request, and analyses the resulting responses looking for vulnerable behaviour.

The issues that Burp's active scanning is able to identify mostly fall into two categories:
• Input-based vulnerabilities targeting the client side, such as cross-site scripting, HTTP header injection, and open redirection.
• Input-based vulnerabilities targeting the server side, such as SQL injection, OS command injection, and file path traversal.



Burp Scanning Uses Contd..
• Passive Scanning: The scanner doesn't send any new requests of its own; it merely analyses the contents of existing requests and responses, and deduces vulnerabilities from those. Burp Scanner is able to identify numerous kinds of vulnerabilities using solely passive techniques, including

• Clear-text submission of passwords.
• Insecure cookie attributes, like missing HttpOnly and Secure flags.
• Liberal cookie scope.
• Cross-domain script includes and Referer leakage.
• Forms with autocomplete enabled.
• Caching of SSL-protected content.
• Directory listings.
• Submitted passwords returned in later responses.
• Insecure transmission of session tokens.
• Leakage of information like internal IP addresses, email addresses, stack traces, etc.
• Insecure ViewState configuration.
• Ambiguous, incomplete, incorrect or non-standard Content-type directives.
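As an added illustration (not part of the slides and not Burp's own code), the Python below performs a handful of the passive checks listed above over a single constructed HTTP response: cookie HttpOnly/Secure flags, liberal cookie scope, caching of TLS-protected content, password forms with autocomplete left on, and cross-domain script includes. The sample response, the header parsing and the regex-based HTML checks are assumptions made for the demo.

```python
import re

# Constructed sample response (not captured from any real application)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Domain=.example.com; Secure; HttpOnly\r\n"
    "\r\n"
    '<html><body><form action="/login" method="post">'
    '<input type="password" name="pw"></form>'
    '<script src="https://cdn.other-site.test/app.js"></script>'
    "</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into ([(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines if ":" in ln]
    return headers, body

def passive_checks(raw, over_tls=True):
    """Return (issue, detail) tuples found by inspecting one response only."""
    headers, body = parse_response(raw)
    issues = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            cookie = attrs[0].split("=", 1)[0]
            if "httponly" not in attrs:
                issues.append(("cookie without HttpOnly", cookie))
            if over_tls and "secure" not in attrs:
                issues.append(("cookie without Secure", cookie))
            # a leading-dot Domain exposes the cookie to every subdomain
            if any(a.startswith("domain=.") for a in attrs):
                issues.append(("liberal cookie scope", cookie))
        elif lname == "cache-control" and over_tls and "no-store" not in value.lower():
            issues.append(("caching of SSL-protected content", value))
    # password forms that do not switch autocomplete off
    for form in re.findall(r"<form\b[^>]*>.*?</form>", body, re.S | re.I):
        if re.search(r'type="password"', form, re.I) and 'autocomplete="off"' not in form.lower():
            issues.append(("form with autocomplete enabled", form[:40]))
    # scripts pulled in from another origin
    for src in re.findall(r'<script[^>]+src="([^"]+)"', body, re.I):
        if src.lower().startswith("http"):
            issues.append(("cross-domain script include", src))
    return issues
```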



Burp Scanning Uses Contd..
Burp Scanner- User-directed scanning
• This lets you select specific requests within any of the Burp Suite tools, and send these for active or passive scanning.



Burp Intruder
• Burp Intruder is a tool for automating customised attacks against web applications.
• Burp Intruder is not a point-and-click tool. To use it effectively you need to understand how the target application functions, and have some knowledge of the HTTP protocol.

Burp Target tab:

• This tab is used to configure the details of the target server: The "host" field is used to specify the IP address or hostname of the target server. The "port" field is used to specify the port number of the HTTP/S service. The "use SSL" box is used to specify whether Secure Sockets Layer connections should be used.



Burp Intruder - Positions tab
• The Positions tab is used to configure the template for all the HTTP requests generated in the attack.



Burp Intruder – Payloads tab
• This tab is used to configure one or more sets of payloads. If the "pitchfork" or "cluster bomb" attack types are defined (see Positions tab) then a separate payload set must be configured for each defined payload position (up to a maximum of 8). Use the "payload set" drop-down menu to select which payload set to configure.
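As an added illustration (not taken from the slides or from Burp's code), the Python below shows how the pitchfork and cluster bomb attack types combine one payload set per marked position, and enforces the eight-position limit quoted above. The § markers follow Burp's convention; the request template and the payload lists are constructed test data.

```python
import itertools
import re

MARK = "§"          # Burp marks each payload position with this character
MAX_POSITIONS = 8   # limit quoted on the Payloads tab slide

def positions(template):
    """Return (start, end) spans of the marked positions, left to right."""
    return [m.span() for m in re.finditer(f"{MARK}[^{MARK}]*{MARK}", template)]

def render(template, values):
    """Substitute one value into each marked position of the template."""
    spans = positions(template)
    if len(values) != len(spans):
        raise ValueError("one value per position is required")
    out, last = [], 0
    for (start, end), value in zip(spans, values):
        out.append(template[last:start])
        out.append(value)
        last = end
    out.append(template[last:])
    return "".join(out)

def _check(template, payload_sets):
    n = len(positions(template))
    if n != len(payload_sets):
        raise ValueError("pitchfork/cluster bomb need one payload set per position")
    if n > MAX_POSITIONS:
        raise ValueError(f"at most {MAX_POSITIONS} positions are supported")

def pitchfork(template, payload_sets):
    """Advance every set in lock-step; the run ends with the shortest set."""
    _check(template, payload_sets)
    return [render(template, combo) for combo in zip(*payload_sets)]

def cluster_bomb(template, payload_sets):
    """Try every combination of payloads across the positions."""
    _check(template, payload_sets)
    return [render(template, combo) for combo in itertools.product(*payload_sets)]

# Constructed request template and payload sets for the demo
TEMPLATE = "GET /search?q=§apple§&page=§1§ HTTP/1.1"
SETS = [["apple", "pear", "plum"], ["1", "2"]]
```

With two positions, pitchfork yields 2 requests (the shorter set has two entries) while cluster bomb yields 3 x 2 = 6, which is why the request count grows quickly with cluster bomb as positions are added.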

Burp Intruder Uses:

• Performing fuzzing of application requests to identify common vulnerabilities, such as SQL injection, cross-site scripting, and buffer overflows.
• Delivering customized brute-force attacks against authentication schemes and session handling mechanisms.



Burp Repeater
• Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analysing their responses. It is best used in conjunction with the other Burp Suite tools.



Burp Repeater Contd...
• When you send a request to Repeater from another tool, that request gets its own tab. Each tab has its own request and response windows, and its own history. The top half of the panel allows you to configure the target host and port, and the details of your request.

Burp Repeater Uses:

• Send requests from other Burp Suite tools to test manually in Burp Repeater.
• Repeatedly change and resubmit the same request, and review the response.



Burp Sequencer
• Burp Sequencer is a tool for analyzing the degree of randomness in security-critical tokens issued by an application. It is typically used to test the quality of an application's session tokens or other items, such as CSRF nonces, on whose unpredictability the application depends for its security.

Burp Sequencer Uses:

• Send requests that return a security token from other Burp Suite tools to test in Burp Sequencer.
• Reissue the same request repeatedly, to generate a large sample of tokens.
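As an added illustration (not from the slides and not Sequencer's own algorithm), the Python below estimates the entropy carried at each character position of a token sample and in total, the kind of measurement Sequencer makes over the sample it collects. Both token samples are constructed here, and the 10% threshold for calling a position "fixed" is an assumed cut-off.

```python
import hashlib
import math
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the characters observed at each position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must share one length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def analyse(tokens, alphabet_size):
    """Return (total estimated bits, indexes of positions that barely vary)."""
    per_pos = position_entropy(tokens)
    max_bits = math.log2(alphabet_size)      # ceiling for one position
    fixed = [i for i, h in enumerate(per_pos) if h < 0.1 * max_bits]
    return sum(per_pos), fixed

# Constructed samples of 256 eight-character hex tokens each.
# WEAK: a zero-padded counter; only the last two characters ever change.
WEAK = ["%08x" % (0x1000 + i) for i in range(256)]
# STRONG: a stand-in for unpredictable output (a hash of the counter is used
# only so the demo is deterministic; real tokens must come from a CSPRNG).
STRONG = [hashlib.sha256(str(i).encode()).hexdigest()[:8] for i in range(256)]

def compare_samples():
    """Summarise both samples: (weak bits, weak fixed, strong bits, strong fixed)."""
    weak_bits, weak_fixed = analyse(WEAK, 16)
    strong_bits, strong_fixed = analyse(STRONG, 16)
    return weak_bits, weak_fixed, strong_bits, strong_fixed
```

The weak sample scores about 8 bits over 8 characters with six positions flagged as fixed, whereas the strong sample approaches the 4 bits per hex character ceiling at every position; a real session token that looks like the weak case should be treated as guessable.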



Conclusion

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.



Questions?



Thank You!!

