Advanced Web Attacks and Exploitation: Figure 20: Burp Suite Repeater Previous Request and Response

The document discusses using Burp Suite tools like Repeater, Comparer, and Decoder to analyze web application responses. It provides examples of comparing two responses, highlighting differences, and decoding an encoded Basic authentication header.


Advanced Web Attacks and Exploitation

Figure 20: Burp Suite Repeater previous request and response

Figure 21: Burp Suite send second response to Comparer

We can now switch to the Comparer tab, where Burp Suite has automatically highlighted our
different responses in their respective windows. At this point, we have the option of comparing
the responses for differences in Words or Bytes. We will choose the Words option (Figure 22)
since this example does not include a binary response.

WEB-300 Copyright © 2022 Hide01.ir Free Learning. All rights reserved. 30


Figure 22: Burp Suite Comparer tab

Burp Suite displays the comparison results in a dedicated window (Figure 23), highlighting each
change with color-coding for Modified, Deleted, and Added.

Figure 23: Burp Suite Comparer tab - comparing Words

In this example, Burp Suite highlighted Modified and Deleted differences between the two
responses. We previously identified the change to the Access-Control-Allow-Origin value, but
Comparer has also highlighted that the Vary and Access-Control-Allow-Credentials headers are
present on the first response but not on the second.
While this is a very simple example, it shows how the Repeater and Comparer tools can be
extremely valuable when testing a web application.
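The Modified/Deleted/Added classification that Comparer applies is simple enough to reproduce outside Burp, which is useful when many responses have to be diffed at once. The Python below is an added example, not part of the WEB-300 material or of Burp Suite itself. The two responses are constructed to mirror the differences described above (a changed Access-Control-Allow-Origin value, and Vary plus Access-Control-Allow-Credentials present only in the first response); the header values, bodies, hostnames and function names are assumptions made for the example.

```python
"""Reproduce Burp Comparer's header and "Words" comparison for two HTTP responses.
Added example; the responses below are constructed, not captured from Concord."""
import difflib


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, headers, body).

    Header names are lower-cased so that the comparison is case-insensitive,
    which matches how HTTP treats header names.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def compare_headers(raw_a: str, raw_b: str):
    """Classify header differences the way Comparer colour-codes them:
    Modified (same name, different value), Deleted (only in the first response)
    and Added (only in the second response)."""
    _, a, _ = parse_response(raw_a)
    _, b, _ = parse_response(raw_b)
    result = {"modified": {}, "deleted": {}, "added": {}}
    for name, value in a.items():
        if name not in b:
            result["deleted"][name] = value
        elif b[name] != value:
            result["modified"][name] = (value, b[name])
    for name, value in b.items():
        if name not in a:
            result["added"][name] = value
    return result


def word_diff(text_a: str, text_b: str):
    """Word-level diff of two bodies (Comparer's "Words" mode), returning only
    the differing runs as (tag, words_from_a, words_from_b)."""
    words_a, words_b = text_a.split(), text_b.split()
    matcher = difflib.SequenceMatcher(a=words_a, b=words_b, autojunk=False)
    return [
        (tag, " ".join(words_a[i1:i2]), " ".join(words_b[j1:j2]))
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


# Constructed sample responses; header values and bodies are made up for the example.
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Vary: Origin\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "whoami: user test realm concord"
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Access-Control-Allow-Origin: https://other.example.test\r\n"
    "\r\n"
    "whoami: user test realm demo"
)


def report(raw_a: str, raw_b: str) -> str:
    """Human-readable summary of both header and body differences."""
    diff = compare_headers(raw_a, raw_b)
    _, _, body_a = parse_response(raw_a)
    _, _, body_b = parse_response(raw_b)
    lines = []
    for name, (old, new) in diff["modified"].items():
        lines.append(f"MODIFIED {name}: {old!r} -> {new!r}")
    for name, value in diff["deleted"].items():
        lines.append(f"DELETED  {name}: {value!r}")
    for name, value in diff["added"].items():
        lines.append(f"ADDED    {name}: {value!r}")
    for tag, old, new in word_diff(body_a, body_b):
        lines.append(f"BODY {tag}: {old!r} -> {new!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RESPONSE_A, RESPONSE_B))
```

Running the script lists the changed Access-Control-Allow-Origin value as MODIFIED, the two missing headers as DELETED, and the single differing body word as a replace, which is exactly the information Comparer surfaces in Figure 23. Comparing headers by name rather than as raw bytes is what keeps the output readable when only a few headers differ.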


2.1.5 Burp Suite Decoder


While inspecting modern web applications, we will often encounter encoded data in HTTP
requests and responses. Fortunately, Burp Suite has a versatile decoder tool that is easy to use in
our workflow.
As an example, let’s switch to our browser and try logging in to the Concord application with “test”
as our username and password. This returns “Invalid username and/or password”. Let’s switch
back to Burp Suite. Interestingly, our browser sent a GET request to /api/service/console/whoami.
Login requests are usually POSTs. Let’s click on the new request.
The new GET request included an Authorization header with the value “Basic dGVzdDp0ZXN0”. If
we select the text “dGVzdDp0ZXN0”, the Inspector tool will detect that it is base64-encoded and
display the decoded text on the right-hand side of the Burp Suite window.

Figure 24: Burp Suite login request

The Inspector tool is useful for quickly decoding common types of encoding within the HTTP
history tab. Burp Suite’s Decoder tool is a more powerful version of the Inspector tool. Let’s try it
out by right-clicking on the highlighted text and selecting Send to Decoder.


Figure 25: Burp Suite Send to Decoder feature

Now if we switch to the Decoder tab, we can choose the Decode as option to the right and select
Base64 for the encoding scheme (Figure 26).

Figure 26: Burp Suite decoding the selected values

As a result, a second textbox with the decoded value opens below our original data.

Figure 27: Burp Suite successfully decoded the selected values
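Decoder shows that “dGVzdDp0ZXN0” is nothing more than the base64 encoding of “test:test”: Basic authentication is an encoding, not encryption, so anyone who can read the request can read the credentials. The Python below is an added example (not from the WEB-300 material or from Burp Suite) that decodes Basic Authorization values the way Decoder does, rejects malformed input, and, for a defender reviewing proxy logs, reports which requests carried Basic credentials over cleartext HTTP while redacting the password. The log lines, hostnames and the audit_basic_auth helper are constructed for the example; only the “dGVzdDp0ZXN0” value comes from the text.

```python
"""Decode HTTP Basic Authorization values and audit constructed proxy-log lines.
Added example; only the 'dGVzdDp0ZXN0' value is taken from the WEB-300 text."""
import base64
import binascii


def decode_basic_authorization(header_value: str):
    """Decode an Authorization header value such as 'Basic dGVzdDp0ZXN0'
    into (username, password).

    Returns None when the scheme is not Basic, the payload is not valid
    base64, or the decoded text has no ':' separator. RFC 7617 forbids ':'
    in the user-id, so the split is on the first colon only and a password
    may itself contain colons.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, or bad padding
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # fall back rather than fail on odd bytes
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def audit_basic_auth(log_lines):
    """Scan constructed log lines of the form 'METHOD URL | Authorization: ...'
    and return one finding per request that carried Basic credentials.

    The password is never returned, only its length; the finding flags
    requests whose URL scheme is plain http://, where the credentials
    travelled in cleartext.
    """
    findings = []
    for line in log_lines:
        request, _, auth = line.partition(" | Authorization: ")
        if not auth:
            continue
        creds = decode_basic_authorization(auth)
        if creds is None:
            continue
        _, _, url = request.partition(" ")
        findings.append({
            "url": url,
            "user": creds[0],
            "password_len": len(creds[1]),
            "cleartext": url.lower().startswith("http://"),
        })
    return findings


# Constructed sample log lines (hostnames and the second credential are made up).
SAMPLE_LOG = [
    "GET https://concord.example.test/api/service/console/whoami | Authorization: Basic dGVzdDp0ZXN0",
    "GET http://legacy.example.test/status | Authorization: Basic YWRtaW46cGFzczp3b3Jk",
    "POST https://concord.example.test/api/v1/process | Authorization: Bearer eyJhbGciOi...",
    "GET https://concord.example.test/ | Authorization: Basic not*base64",
]


if __name__ == "__main__":
    print(decode_basic_authorization("Basic dGVzdDp0ZXN0"))
    for finding in audit_basic_auth(SAMPLE_LOG):
        flag = "CLEARTEXT" if finding["cleartext"] else "tls"
        print(f"{flag:9} {finding['user']:8} (password {finding['password_len']} chars) {finding['url']}")
```

The Bearer token and the line whose payload is not valid base64 are skipped rather than misreported, and the second constructed credential decodes to a password containing a colon, which is why the split is on the first colon only. In a real review the cleartext flag is the finding to act on: the fix is to serve such endpoints over HTTPS only, or to replace Basic with a session or token scheme.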
