
Burp Suite

By - Gurashish Arneja, Bailey Kumar


What is Burp Suite?

- A web application security testing toolkit built around an intercepting proxy

- Scans for, and helps you find and confirm, vulnerabilities in websites and web applications


Networking Review!

- Communication on the web is done through HTTP requests and responses, carried in packets

- Example: the browser sends a GET HTTP request, the server sends back a response

Networking Review Con't - What is a Proxy?

- These requests can be intercepted and modified before they reach the server (and the responses before they reach the browser)

- One common way to do this is with a proxy server that sits between the browser and the web server

- The proxy server can read and change every request running through it; this is how Burp works: you point your browser at Burp's proxy listener (127.0.0.1:8080 by default)


Header Injection Attacks

- The 2017 Equifax breach was made possible by an injection attack against Apache Struts 2

- The vulnerability was CVE-2017-5638: Struts evaluated OGNL expressions found in a malformed Content-Type header, so an attacker could execute code on the server just by sending a crafted header. A request like that is exactly what Burp's Proxy and Repeater let you craft and observe
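As an added example (not part of the original slides), here is the kind of check a defender would run over proxy or server logs to spot probes for the Content-Type injection described above. The request records are constructed for this example, and the OGNL-looking values are deliberate stubs rather than a working exploit chain; only the two markers an OGNL expression starts with (%{ and ${) and the shape of a legitimate media type are relied on.

```python
import re
from typing import Dict, List

# Constructed sample of requests as a proxy (or Burp's HTTP history export)
# might record them. Made-up traffic, not real Equifax data. The OGNL-looking
# values are stubs, not a working exploit.
SAMPLE_REQUESTS: List[Dict] = [
    {"method": "POST", "path": "/upload.action",
     "headers": {"Host": "example.test",
                 "Content-Type": "multipart/form-data; boundary=----abc123"}},
    {"method": "POST", "path": "/upload.action",
     "headers": {"Host": "example.test",
                 "Content-Type": "%{(#example='multipart/form-data').(#x=1)}"}},
    {"method": "GET", "path": "/index.html",
     "headers": {"Host": "example.test",
                 "Content-Type": "${#context['example']}"}},
    {"method": "POST", "path": "/api/login",
     "headers": {"Host": "example.test",
                 "Content-Type": "application/json; charset=utf-8"}},
]

# OGNL expressions begin with %{ or ${. A legitimate Content-Type value is a
# media type such as "text/html; charset=utf-8" and never contains either.
OGNL_MARKER = re.compile(r"[%$]\{")
# Loose shape check for a media type: type/subtype plus optional ;name=value parameters.
MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w-]+=[^;]*)*$")


def is_suspicious_content_type(value: str) -> bool:
    """True if a Content-Type value looks like an OGNL injection attempt
    (or is simply not a media type at all) rather than a normal media type."""
    if OGNL_MARKER.search(value):
        return True
    return MEDIA_TYPE.match(value.strip()) is None


def find_struts_injection_attempts(requests: List[Dict]) -> List[str]:
    """Return one line per request whose Content-Type header is suspicious."""
    hits = []
    for req in requests:
        ct = req["headers"].get("Content-Type", "")
        if ct and is_suspicious_content_type(ct):
            hits.append(f"{req['method']} {req['path']} Content-Type={ct!r}")
    return hits


if __name__ == "__main__":
    for hit in find_struts_injection_attempts(SAMPLE_REQUESTS):
        print("possible CVE-2017-5638 probe:", hit)
```

The media-type regex is intentionally loose; its job is only to reject values that cannot be a media type, since a server patched against CVE-2017-5638 still has no reason to receive a Content-Type that starts with an expression marker.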
Web Security

- If you build a website or web application, how do you know if it's safe?

- You can take every precaution in the development phase and still be vulnerable, which is why you test it the way an attacker would
OWASP Top Ten (2017 edition)

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
Penetration Testing

- Open Box Pen Test: the tester is given knowledge of the target up front (source code, architecture, credentials)

- Closed Box Pen Test: the tester starts with no inside knowledge, like an outside attacker

- Covert Pen Test: the organisation's own staff, including the defenders, are not told the test is happening

- Internal Pen Test: run from inside the network, modelling a malicious insider or an already-compromised host

- External Pen Test: run from outside against the internet-facing systems
Proxy Setting

- Intercepted HTTP requests can be modified, dropped, or forwarded on to the server

- Lets you send requests the server does not expect (altered parameters, headers, cookies) and see how it reacts
Repeater

Repeater lets you edit and resend a single request by hand: change or add query and body parameters and HTTP headers, then compare the responses side by side
Intruder

Replaces every highlighted position in the request with values from a payload list and sends one request per payload (or per combination of payloads)

Burp Intruder Attack Types

Sniper - one payload set, one position attacked at a time; the other positions keep their original value (e.g. brute-forcing the password while the username stays fixed)

Battering Ram - one payload set, the same payload inserted into every position at once (e.g. testing for a username that is also the password)

Pitchfork - a different payload set for each position, walked in parallel: the first username with the first password, the second with the second, and so on (e.g. credential stuffing from a list of known username/password pairs)

Cluster Bomb - a different payload set for each position, trying every combination: each username with every password. For two positions with m and n payloads that is m x n requests
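Added example, not from the original slides: the four attack types are just four ways of combining payload lists with marked positions, and writing them out makes the request counts obvious. The template, position names and default values are our own; the § markers mimic the way Burp marks payload positions.

```python
from itertools import product
from typing import Dict, List

# A request body with two payload positions marked the way Burp marks them (§...§).
# Constructed example; the position names and default values are our own.
TEMPLATE = "username=§u§&password=§p§"
POSITIONS = ["u", "p"]                     # payload positions, left to right
DEFAULTS = {"u": "alice", "p": "letmein"}  # original values kept in positions not under attack


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute one set of position values into the template."""
    out = template
    for name, value in values.items():
        out = out.replace(f"§{name}§", value)
    return out


def sniper(positions: List[str], defaults: Dict[str, str],
           payloads: List[str]) -> List[Dict[str, str]]:
    """One payload set; each position attacked in turn while the others keep
    their defaults. Request count: len(positions) * len(payloads)."""
    runs = []
    for pos in positions:
        for p in payloads:
            values = dict(defaults)
            values[pos] = p
            runs.append(values)
    return runs


def battering_ram(positions: List[str], payloads: List[str]) -> List[Dict[str, str]]:
    """One payload set; the same payload placed into every position at once.
    Request count: len(payloads)."""
    return [{pos: p for pos in positions} for p in payloads]


def pitchfork(positions: List[str], payload_sets: List[List[str]]) -> List[Dict[str, str]]:
    """One payload set per position, walked in lock-step (first with first,
    second with second, ...). Stops when the shortest set runs out."""
    return [dict(zip(positions, combo)) for combo in zip(*payload_sets)]


def cluster_bomb(positions: List[str], payload_sets: List[List[str]]) -> List[Dict[str, str]]:
    """One payload set per position, every combination (cartesian product).
    Request count: product of the set sizes."""
    return [dict(zip(positions, combo)) for combo in product(*payload_sets)]


if __name__ == "__main__":
    users = ["alice", "bob"]
    passwords = ["letmein", "Winter2024!", "password1"]
    for name, runs in [("sniper", sniper(POSITIONS, DEFAULTS, passwords)),
                       ("battering ram", battering_ram(POSITIONS, users)),
                       ("pitchfork", pitchfork(POSITIONS, [users, passwords])),
                       ("cluster bomb", cluster_bomb(POSITIONS, [users, passwords]))]:
        print(f"{name}: {len(runs)} requests")
        for values in runs:
            print("  ", render(TEMPLATE, values))
```

The request counts are the practical difference: with 1000 usernames and 1000 passwords, pitchfork sends 1000 requests and cluster bomb sends a million, so pick the type by what you actually need to prove.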
Sequencer

- Collects a sample of tokens (session IDs, CSRF tokens, password-reset tokens) and analyses how random they really are

Comparer

- Shows the differences between two requests or responses, by words or by bytes (e.g. the response to a valid login vs. an invalid one)
Spidering

- Visit each link available and index it (the Spider tool in Burp 1.x, the crawler in Burp 2.x)

Spidering Continued

- Burp Suite's spider can reach pages that are not reachable by ordinary clicking, because it parses links, forms and scripts out of every response rather than relying on the visible navigation

- That can turn up unlinked pages that expose sensitive data without any access control

- Active scanning (sending attack payloads automatically) is only available in the Pro version; the Community edition gives you the manual tools


Extender - Extensions

If you are interested in the types of extensions available for Burp Suite, this curated list collects some of the most popular ones (many are also installable from the BApp Store inside Burp):

https://github.com/snoopysecurity/awesome-burp-extensions#sql-injection
Decoder

- Takes input and transforms it between formats such as URL encoding, HTML encoding, Base64 and ASCII hex

- Smart decode guesses the format automatically and decodes it, layer by layer

- Useful for decoding values you find in requests (cookies, tokens, parameters) and for encoding your own input into the form the server expects. This is encoding, not encryption: Base64 and hex hide nothing
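Added example, not from the original slides and not Burp's code: a small "smart decode" that peels URL, hex and Base64 layers off a value until what is left looks like plain text, plus the matching encoder for building input the server expects. The detection heuristics are our own guesses at the idea, not Burp's actual implementation, and the sample values are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# Heuristics for each layer. These are our own guesses at what a "smart decode"
# does; Burp's real implementation is not public.
URL_RE = re.compile(r"%[0-9A-Fa-f]{2}")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def detect(value: str) -> Optional[str]:
    """Guess the outermost encoding of value, or None if it looks like plain text."""
    if URL_RE.search(value):
        return "url"
    if HEX_RE.match(value):
        return "hex"          # checked before base64: hex is the stricter alphabet
    if len(value) >= 8 and len(value) % 4 == 0 and B64_RE.match(value):
        return "base64"
    return None


def decode_once(value: str, layer: str) -> str:
    if layer == "url":
        return unquote(value)
    if layer == "hex":
        return bytes.fromhex(value).decode("utf-8")
    if layer == "base64":
        return base64.b64decode(value, validate=True).decode("utf-8")
    raise ValueError(f"unknown layer {layer}")


def encode_once(value: str, layer: str) -> str:
    if layer == "url":
        return quote(value, safe="")
    if layer == "hex":
        return value.encode("utf-8").hex()
    if layer == "base64":
        return base64.b64encode(value.encode("utf-8")).decode("ascii")
    raise ValueError(f"unknown layer {layer}")


def smart_decode(value: str, max_layers: int = 8) -> Tuple[str, List[str]]:
    """Peel encoding layers outermost-first until the result looks like plain text.
    Returns (plaintext, layers_removed). A guessed layer whose output is not valid
    UTF-8 is treated as a false positive and decoding stops there."""
    layers: List[str] = []
    for _ in range(max_layers):
        layer = detect(value)
        if layer is None:
            break
        try:
            decoded = decode_once(value, layer)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            break
        layers.append(layer)
        value = decoded
    return value, layers


def encode_chain(value: str, layers: List[str]) -> str:
    """Apply layers innermost-first: ["base64", "url"] base64-encodes, then URL-encodes."""
    for layer in layers:
        value = encode_once(value, layer)
    return value


if __name__ == "__main__":
    # Constructed cookie value: a query string that was base64-encoded, then URL-encoded.
    token = encode_chain("user=admin&role=1", ["base64", "url"])
    print(token, "->", smart_decode(token))
```

The false-positive case matters in practice: a plain word like "deadbeef" is valid hex, and any 8-character alphanumeric string is valid Base64, so a decoder that blindly trusts its guess will turn real text into garbage. Here the UTF-8 check after each layer catches most of those.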
Active Scan++

An extension that adds additional checks to the scanner for

- Host header attacks (e.g. password reset poisoning)

- XML input handling (XXE)

- Unexpected data transformation (e.g. a parameter value of 2+2 being returned as 4, which hints that the server evaluates input)


Password Reset Poisoning

- The application builds the password-reset link from the Host header of the incoming request; if an attacker can control that header, the victim's reset token is delivered to a link on the attacker's domain

HTTP Request Smuggling

- Arises when the front-end (proxy, load balancer) and the back-end server disagree on where one request ends and the next begins, typically because one honours Content-Length and the other Transfer-Encoding: chunked

- The leftover bytes (the "smuggled" part) pass the front-end's checks unvalidated and are treated by the back-end as the start of the next request
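Added example, not from the original slides: a simulation of the CL.TE case, where the front-end frames requests by Content-Length and the back-end by Transfer-Encoding: chunked. The same byte stream is split both ways so you can see the word SMUGGLED become the start of the next user's request on the back-end, plus the check a front-end should apply. The traffic is constructed for this example; the hostnames and paths are made up.

```python
from typing import Dict, List, Tuple


def parse_headers(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one request head off the front of raw: (request line, headers, remaining bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def split_by_content_length(stream: bytes) -> List[bytes]:
    """Front-end behaviour in a CL.TE setup: frame each request by Content-Length
    and ignore Transfer-Encoding."""
    requests = []
    while stream:
        _, headers, rest = parse_headers(stream)
        head_len = len(stream) - len(rest)
        body_len = int(headers.get(b"content-length", b"0"))
        requests.append(stream[:head_len + body_len])
        stream = rest[body_len:]
    return requests


def split_by_chunked(stream: bytes) -> List[bytes]:
    """Back-end behaviour in a CL.TE setup: if Transfer-Encoding: chunked is present,
    frame the request by the chunk stream (ending at the 0-size chunk) and ignore
    Content-Length; otherwise fall back to Content-Length."""
    requests = []
    while stream:
        _, headers, rest = parse_headers(stream)
        head_len = len(stream) - len(rest)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            pos = 0
            while True:
                size_end = rest.index(b"\r\n", pos)
                size = int(rest[pos:size_end], 16)
                pos = size_end + 2 + size + 2   # size line, chunk data, trailing CRLF
                if size == 0:
                    break
            body_len = pos
        else:
            body_len = int(headers.get(b"content-length", b"0"))
        requests.append(stream[:head_len + body_len])
        stream = rest[body_len:]
    return requests


def is_ambiguous_framing(raw: bytes) -> bool:
    """The front-end side of the fix: a request carrying both Content-Length and
    Transfer-Encoding has ambiguous framing and should be rejected (or normalised
    to a single header before forwarding), never passed through as-is."""
    _, headers, _ = parse_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers


# Constructed traffic on one persistent connection: the attacker's request followed
# by an innocent user's request. Not captured from a real system.
SMUGGLED = b"SMUGGLED"
CHUNKED_BODY = b"0\r\n\r\n" + SMUGGLED           # 13 bytes: a 0-size chunk, then the extra bytes
ATTACKER = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Length: " + str(len(CHUNKED_BODY)).encode() + b"\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n" + CHUNKED_BODY)
VICTIM = b"GET /home HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACKER + VICTIM


def request_lines(requests: List[bytes]) -> List[bytes]:
    return [r.split(b"\r\n", 1)[0] for r in requests]


def demo() -> Tuple[List[bytes], List[bytes]]:
    """Request lines as seen by the front-end and by the back-end."""
    return (request_lines(split_by_content_length(STREAM)),
            request_lines(split_by_chunked(STREAM)))


if __name__ == "__main__":
    front, back = demo()
    print("front-end saw:", front)
    print("back-end saw: ", back)
```

The front-end forwards the attacker's 13-byte body as one request and believes the connection is clean; the back-end stops reading at the 0-size chunk, so SMUGGLED is left in the buffer and is glued onto the front of the victim's GET. Anything the front-end enforces (authentication, path blocklists, WAF rules) was applied to the attacker's outer request, not to the bytes the back-end actually acts on.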
