Burp Suite Tips

This deck, "Burp Suite Pro: real-life tips & tricks", collects practical tips for using the tool. Topics include extensions that render data formats such as JSON, JavaScript beautifier extensions, managing state through automatic backups and saving/restoring, common Intruder tasks such as HTTP Basic authentication and anti-CSRF tokens, and mobile application testing tips such as redirecting traffic to Burp and installing the Burp CA certificate on Android. The deck gives an overview of useful features, techniques, and extensions for getting the most out of Burp Suite Pro.


Burp Suite Pro

Real-life tips & tricks


Nicolas Grégoire
Me & Myself
Founder & owner of Agarri
Lots of Web PenTesting
NOT affiliated with PortSwigger Ltd
Using Burp Suite for years
And other proxies before
Yes, I'm that old...
Warning
This is NOT about Web PenTesting methodologies
http://danielmiessler.com/projects/webappsec_testing_resources/

“Web Application Hacker's Handbook” 2nd Edition, Chapter 21

This is NOT “Burp 101”


http://portswigger.net/burp/help/suite_gettingstarted.html

http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

Everything was tested on Burp Pro v1.5.11


Pro vs. Free vs. Zap

To do...
Overview
Data visualization
GUI navigation
Managing state
Common tasks
Intruder payloads
Mobile applications
Extensions
Macros
Data visualization
By default
Parameters
XML
AMF
ViewState
Via extensions
JSON
http://api.twitter.com/1/statuses/user_timeline.json
json.dumps(json.loads(msg), indent=4)
http://128nops.blogspot.com/2013/02/json-decoder.html
Javascript
Both beautifier extensions use libs from jsbeautifier.org
burp-suite-beautifier-extension
Uses Rhino to call Javascript from Java
http://code.google.com/p/burp-suite-beautifier-extension/
burp_jsbeautifier
Much cleaner, uses the Python library
https://github.com/Meatballs1/burp_jsbeautifier
Protobuf
“Google Protocol Buffers”
https://code.google.com/p/protobuf/

Decodes Protobuf messages
Allows tampering if a “.proto” is provided
https://github.com/mwielgoszewski/burp-protobuf-decoder
GUI navigation
Contextual buttons

Hotkeys

Auto-scroll in Proxy / History

Custom payload lists

Personalized scans
Contextual buttons
RTFM

Restore defaults
Hotkeys
Classic:
Ctrl+X|C|V for “Cut|Copy|Paste”
Decoding:
Ctrl+(Shift)+U|H|B for “URL|HTML|Base64 (de)code”
GUI navigation:
Ctrl+Shift+T|P|S|I|R for “Switching to ...”
Personal favorite:
Ctrl+G for "Issue Repeater request"
History auto-scroll
Custom payload lists
Some payload lists are shipped with Burp
Configurable from the Intruder menu

Magic combo:
Nikto
Burp
FuzzDB
DirBuster
Personalized scans
Define your own insertion points in Intruder
Then right-click and select “Actively scan ...”
Managing state

Automatic backups

Saving & restoring state


Automatic backups
Hacking is immersive
You WILL forget to use “Save state”
Of course, Murphy's Law applies ;-)
Save & restore state
Complementary to automatic backups
Can also be used to
Export to your customers
Define your own defaults
Hotkeys / Automatic backups / Scope
Display all items in “Site map” and “Proxy history”
Custom payload lists
Extensions options - buggy
Common tasks
Switching between GET and POST

Non proxy-aware clients

Importing & exporting a URL


GET to POST
Classic question: is it also exploitable via POST?
Non proxy-aware
$ ./skipfish -o 8777 http://127.0.0.1:8777/
Moving URL in & out
Import: “Paste URL as request”
Export: “Copy URL”
Works only with basic GET requests
No body, no headers, no cookies, ...
“curlit” extension
Generates a “curl” command
https://github.com/faffi/curlit
Intruder payloads
HTTP Basic Authentication

Opaque data

Anti-CSRF tokens
Basic Auth
Algorithm
Base64(username + “:” + password)
Blogs
My Sys Admin Cookbook: Use prefix/suffix
SecurityNinja: Use prefix/suffix
SecureState: Use prefix/suffix or precompiled lists
SANS: Use prefix/suffix or precompiled lists
Smeege Sec: Use an extension or precompiled lists
Basic Auth
Use the “Custom Iterator” payload!
From the documentation:
The custom iterator defines up to 8 different "positions" which are used to generate permutations. Each position is configured with a list of items, and an optional "separator" string, which is inserted between that position and the next.
That's exactly what we want!
Only the “ePsiLoN's Information Security Blog” was right
Basic Auth
http://blog.securestate.com/burp-suite-series-efficient-use-of-payload-options-when-attacking-http-basic-authentication/

http://carnal0wnage.attackresearch.com/2009/08/using-burp-intruder-to-brute-force.html
http://www.smeegesec.com/2012/02/attacking-basic-authentication-with.html

http://sysadmincookbook.blogspot.fr/2013/01/test.html

http://www.securityninja.co.uk/hacking/burp-suite-tutorial-the-intruder-tool/

http://www.sans.org/reading_room/whitepapers/testing/fuzzing-approach-credentials-discovery-burp-intruder_33214

http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/

http://portswigger.net/burp/help/intruder_payloads_types.html#customiterator
Basic Auth
Howto
Payload type: Custom Iterator
Position #1: list of usernames + separator “:”
Position #2: list of passwords
Payload processing: Base64-encode
Payload encoding: None
Another approach
Payload type: Custom Iterator
Position #1: list of usernames
Position #2: string “:”
Position #3: list of passwords
Position #4: common suffixes
Payload processing: Base64-encode
Payload encoding: None
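Added example, not code from the deck: a small Python emulation of the two Custom Iterator setups above, with the Base64 processing step and a check of why the last step says "Payload encoding: None". The username, password and suffix lists are constructed samples.

```python
import base64
import itertools
from urllib.parse import quote

# Constructed sample lists (not from the deck).
USERNAMES = ["admin", "user33"]
PASSWORDS = ["S3CR3T", "password"]
SUFFIXES = ["", "1", "!"]

def custom_iterator(positions, separators=()):
    """Emulates Burp's Custom Iterator: every permutation of the position lists,
    with the optional separator of position i inserted between positions i and i+1."""
    seps = list(separators) + [""] * (len(positions) - len(separators))
    for combo in itertools.product(*positions):
        yield "".join(item + (seps[i] if i < len(combo) - 1 else "")
                      for i, item in enumerate(combo))

def basic_auth_payloads(positions, separators=()):
    """Payload processing step from the slides: Base64-encode each permutation."""
    return [base64.b64encode(p.encode()).decode()
            for p in custom_iterator(positions, separators)]

def decode_basic(payload: str):
    """What the server does with 'Authorization: Basic <payload>': decode, split on the first ':'."""
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password

# Howto: position 1 = usernames with separator ":", position 2 = passwords.
HOWTO = basic_auth_payloads([USERNAMES, PASSWORDS], [":"])
# Another approach: the ":" is its own one-item position, followed by common suffixes.
ANOTHER = basic_auth_payloads([USERNAMES, [":"], PASSWORDS, SUFFIXES])

def url_encoding_would_break(payload: str) -> bool:
    """Why the last step is 'Payload encoding: None': Intruder's URL-encoding would turn the
    Base64 padding '=' (and any '+' or '/') into %XX, which the server will not decode."""
    return quote(payload, safe="") != payload
```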
Opaque data
No cookie + long token + authenticated access?
Is the token
An anti-cache mechanism: OK
A session ID: not safe (logs, referrer)
Authentication data provided by the client
Checked server-side: OK
Not checked server-side: not safe
From the documentation:
It cycles through the base string one character at a time, incrementing the ASCII code of that character by one.
It looks like unverified encrypted data (XOR or ECB)

We know which part of the string impacts the UID

Let's try to modify it at the bit level
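Added example, not from the deck: the quoted documentation describes Burp's Character frobber payload type, and the slides then move to bit-level changes (the Bit flipper). The Python below re-implements both payload generators and runs them against a constructed fake server whose token is unverified XOR data (the case the slides suspect), then against the same token with an HMAC tag appended; the key, token layout and server are assumptions, not anything from the application in the slides.

```python
import base64
import binascii
import hashlib
import hmac
KEY = b"constructed-demo-key"   # constructed key of the fake server; unknown to a real tester
TAG_LEN = 8

def char_frobber(base: bytes):
    """Burp's Character frobber: one payload per position, that byte's code incremented by one."""
    for i in range(len(base)):
        yield base[:i] + bytes([(base[i] + 1) & 0xFF]) + base[i + 1:]

def bit_flipper(base: bytes):
    """Burp's Bit flipper: one payload per bit of the base string, that single bit inverted."""
    for i in range(len(base)):
        for bit in range(8):
            yield base[:i] + bytes([base[i] ^ (1 << bit)]) + base[i + 1:]

def xor_stream(data: bytes) -> bytes:
    """Toy stand-in for the unverified cipher the slides suspect (XOR with a repeating key)."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def issue_token(uid: int, with_mac: bool) -> bytes:
    """Fake server issues the token; with_mac=True appends an HMAC tag so tampering is detected."""
    body = xor_stream(f"uid={uid}".encode())
    if with_mac:
        body += hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b64encode(body)

def accepted_uid(token: bytes, with_mac: bool):
    """Fake server checks the token: returns the UID it decodes to, or None when rejected."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if with_mac:
        raw, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(KEY, raw, hashlib.sha256).digest()[:TAG_LEN]):
            return None
    plain = xor_stream(raw)
    if not plain.startswith(b"uid=") or not plain[4:].isdigit():
        return None
    return int(plain[4:])

def other_uids_reached(uid: int, with_mac: bool) -> set:
    """Sends every frobber and flipper payload and collects each other UID the server accepts."""
    base = issue_token(uid, with_mac)
    got = {accepted_uid(p, with_mac) for p in [*char_frobber(base), *bit_flipper(base)]}
    return got - {None, uid}
```

Without the tag, single-character and single-bit changes to the token are accepted as other UIDs; with the tag, every modified token is rejected.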


Anti-CSRF tokens
Recursive Grep to the rescue!
From the documentation:
This payload type lets you extract each payload from the response to the previous request in the attack. The text that was extracted from the previous response in the attack is used as the payload for the current request.
Attack type: Pitchfork
Payload #1:
Location: Parameter “token”
Type: Recursive Grep
Initial value: A valid token
Regexp: name="token" value="(.*?)"/><br/>
Payload #2:
Location: Parameter “value”
Type: Numbers from 0 to 50
Anti-CSRF tokens
Caveats
Only applies if the result page includes a valid token
You must use only one thread (the same holds for the macro-based approach)
Twice as fast as its macro-based counterpart

DEMOS?
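Added example, not from the deck: a Python simulation of the Pitchfork / Recursive Grep setup above, using the slide's regexp against a constructed form that rotates its token on every response, and showing both caveats (no token in the result page, more than one thread). The form and its token format are assumptions.

```python
import re
import secrets

# Regexp from the slides: Recursive Grep pulls the next token out of the previous response.
TOKEN_RE = re.compile(r'name="token" value="(.*?)"/><br/>')

class TokenForm:
    """Constructed stand-in for the target form: every response carries a fresh anti-CSRF
    token, and only the token issued by the immediately preceding response is accepted."""
    def __init__(self):
        self.current = secrets.token_hex(8)
        self.accepted = []

    def page(self) -> str:
        return ('<form method="POST"><input type="hidden" name="token" '
                f'value="{self.current}"/><br/><input name="value"/></form>')

    def post(self, token: str, value: int):
        ok = token == self.current
        self.current = secrets.token_hex(8)   # rotated on every request, valid or not
        if ok:
            self.accepted.append(value)
        return ok, self.page()

def recursive_grep_run(form: TokenForm, values, initial_token: str) -> list:
    """Pitchfork with one thread: payload #1 (token) is grepped from the previous response,
    payload #2 (value) walks the number list. Stops when no token is found (caveat #1)."""
    token, results = initial_token, []
    for value in values:
        ok, body = form.post(token, value)
        results.append(ok)
        match = TOKEN_RE.search(body)
        if match is None:
            break
        token = match.group(1)
    return results

def single_thread_demo(values=range(0, 51)):
    """Numbers 0 to 50 against a fresh form, starting from a valid token."""
    form = TokenForm()
    return recursive_grep_run(form, values, form.current), form.accepted

def two_threads_demo() -> list:
    """Caveat #2: two threads start from the same valid token; the first request rotates it,
    so the second request, sent with the token the first one already used, is rejected."""
    form = TokenForm()
    ok_a, _ = form.post(form.current, 1)
    ok_b, _ = form.post(form.current if False else _stale(form), 2)
    return [ok_a, ok_b]

def _stale(form: TokenForm) -> str:
    """Helper for the demo: the token a second thread would still hold, i.e. not the fresh one."""
    return "stale-" + form.current
```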
Mobile applications
Traffic redirection

Burp CA certificate

Missing developers tools


Redirect to Burp
Your target is running on a rooted Android smartphone
You want to use your usual tool and workflow

Burp listens elsewhere, on an external interface


ProxyDroid redirects to the Burp instance
App-specific or global proxying
Option “DNS Proxy” should be checked
Burp CA
Fetch your Burp CA certificate
GUI: Proxy / Options / Proxy Listeners / CA Certificate / Export in DER
Proxied browser: http://burp/cert
Rename from DER to CRT
No need for OpenSSL
Depending on the Android version:
Touch the file in any “File Explorer” application
Parameters / Security / Install from SD
First request when opening Google Play
Developers tools
Mobile browsers miss some common features
Like no built-in developer tools
I don't care, except when looking for XSS
Let's include Firebug Lite in every response
“startOpened=true” is your friend
This seems to be a good idea
But Firebug itself contains the “</head>” string
http://www.agarri.fr/docs/JavaScriptInjector.py
Also works with BeEF and autopwn during a MITM!
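Added example, not the JavaScriptInjector.py linked above: a Python version of the injection step that only touches HTML responses and inserts the snippet once, before the first </head>, next to the naive replace that also rewrites the Firebug Lite script source itself. The Firebug Lite URL and the two sample responses are constructed.

```python
import re

# Constructed snippet standing in for what the slides inject: Firebug Lite with startOpened=true.
FIREBUG_TAG = ('<script type="text/javascript" '
               'src="https://getfirebug.com/firebug-lite.js#startOpened=true"></script>')

HEAD_CLOSE = re.compile(r"</head\s*>", re.IGNORECASE)

def is_html(headers) -> bool:
    """True only for text/html responses. A .js file that merely contains the text '</head>'
    (Firebug Lite's own source does) must be left alone, or the injected HTML breaks the script."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower() == "text/html"
    return False

def inject_script(headers, body: str, snippet: str = FIREBUG_TAG):
    """Insert `snippet` once, before the first </head> of an HTML body.
    Returns (body, injected) so the caller can leave the response untouched when nothing was done."""
    if not is_html(headers) or snippet in body:
        return body, False
    match = HEAD_CLOSE.search(body)
    if match is None:
        return body, False
    return body[:match.start()] + snippet + body[match.start():], True

def naive_inject(body: str, snippet: str = FIREBUG_TAG) -> str:
    """The 'seems to be a good idea' version: rewrite every </head> in every response,
    whatever its content type."""
    return body.replace("</head>", snippet + "</head>")

# Constructed sample responses as (headers, body): an HTML page and the Firebug Lite script,
# whose JavaScript source contains the string '</head>' inside a string literal.
HTML_RESPONSE = ([("Content-Type", "text/html; charset=utf-8")],
                 "<html><head><title>t</title></head><body>hi</body></html>")
JS_RESPONSE = ([("Content-Type", "application/javascript")],
               'var markup = "<head>" + css + "</head>"; function init() {}')
```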
Extensions

As a user

As a developer
Resources
Repositories
http://www.burpextensions.com/Extensions/
https://github.com/Meatballs1/burp-extensions
Online documentation
http://portswigger.net/burp/help/extender.html
http://www.burpextensions.com/category/tutorials/
Forum
http://forum.portswigger.net/board/2/burp-extensions
Blog (+ samples)
http://blog.portswigger.net/search/label/burp%20extender
May be useful
Format specific
JSON, JS, Protobuf, AMF, Serialized Java, WSDL, WCF
External tools
Google hacks, nmap, sqlmap, w3af, curl
Misc
Custom Logger, Burp Notes, Proxy Color, Referrer Checker
My own
JavaScript Injector, HTTP Traceroute, DomXssRegexp
Detect reverse-proxies
Generate from WSDL
Take notes
As a developer
Choose your language

Quick reload

Debugging
Language
Java
Provides the best integration with Burp internals
Python
My personal choice
But Python != Jython
Ruby
Same drawbacks as Python
Python vs. Java API
Java API
    applyMarkers(
        IHttpRequestResponse httpRequestResponse,
        java.util.List<int[]> requestMarkers,
        java.util.List<int[]> responseMarkers)
Python code
    import array
    # Jython: a Java int[] is passed as array.array('i', ...), one [start, end] pair per marker
    markers = []
    for n in non_overlapping:
        markers.append(array.array('i', [offset + n[0], offset + n[1]]))
    marked_message = self._callbacks.applyMarkers(message, None, markers)
Quick reload
Use Ctrl-Click to quickly reload an extension
Debugging
Custom Logger captures everything
http://blog.portswigger.net/2012/12/sample-burp-suite-extension-custom.html
Macros
Target & Goal
Target application requires authentication
Sessions are very short-lived

You want to work “as usual”


Manual tools: Repeater, ...
Automated tools: Intruder, Scanner, ...
App details
/index.php
Display (GET) & process (POST) the login form
username=User33&password=S3CR3T

/logged.php
Display session info
Display & process the target form
Target value is between 1 and 100
Session lasts for 15 seconds
Debugging
Macros

DEMO?
Overview
Data visualization
GUI navigation
Managing state
Common tasks
Intruder payloads
Mobile applications
Extensions
Macros
That's all, folks!

Thanks for your attention


Any questions?

@Agarri_FR
nicolas.gregoire@agarri.fr
