Tips for an Information Security Analyst/Pentester career - Ep. 81 - Intro to Burp Suite Pro

I had talked about web recon in one of my previous posts, and I mentioned there that the best tool for the job is, hands-down, Burp Suite Pro.

Yes, Kali Linux comes with the free Burp Suite Community edition, but the Community edition doesn't really cut it, because it lacks a series of features that make your life easier as a penetration tester.

The most important features in the Pro version for pentesters are undoubtedly the scanner and content discovery tools.

Furthermore, brute force attacks launched through the Intruder functionality in the Community edition are heavily throttled, and you can't load your attack payloads from an existing list.

Burp is basically an interception proxy.

When redirecting your traffic through it, you're able to intercept the HTTP requests, manipulate them and forward them.

For more info about the correct web browser and Burp settings, I'd recommend visiting the official page.

Scoping

When starting a new Burp project, the first thing I do is to define its scope.

When Burp intercepts your Internet traffic, it records every single website you browse to, including those unrelated to the specific pentest.

So, I make sure Burp only shows me in-scope items.

To do this, you need to change two options in the software, as shown below.

The two bottom-most options (which are unchecked by default) force Burp to intercept only the traffic generated by in-scope items, ignoring all the rest.

With that being done, we can go to the Scope tab and manually add IP addresses and URLs to the scope.

When the scope is quite big, handy Burp extensions like Nmap Parser allow you to automatically add all the relevant hosts to the scope and spider them, based on an Nmap scan saved in XML format.

After adding all the in-scope items, we start browsing them and intercepting the related HTTP requests with Burp.

By right-clicking the request, we can send that item to the scanner. When we do so, the sitemap starts being populated with new items.

When viewing the sitemap, we need to exclude out-of-scope items, as shown above.

We can also run content discovery scans to find hidden content.

Automated Scanning and Manual Validation

Burp Pro includes a vulnerability scanner that runs automated tests to discover specific vulnerabilities, similar to Nessus.

Sometimes these automated findings turn out to be false positives; other times they're real findings.

The only way to tell is to replay the specific highlighted request in the web browser.

Other than using automated tools, pentesters spend a long time manually testing the web application.

I personally try to browse every individual page and, whenever I find a page that allows users to enter input (e.g. search fields, contact forms, etc.), I throw attacks like XSS, SQLi, directory traversal, command injection, RFI, LFI, etc. at it and check what I get as a result.

Sometimes I get lucky and score reflected XSS vulnerabilities, SQL injections or similar findings.

Two very important tools within Burp Suite for this purpose are Repeater and Intruder.

Repeater allows you to replay an HTTP request and manipulate it.

Intruder allows you to use the parameter(s) included in an HTTP request to launch brute force attacks.

It's very useful, for example, to brute force login credentials.

Wrap-up

Burp Suite is hands-down the best tool to pentest web applications and it's a required tool for the job.

Any respectable web app pentester lives in Burp and extensively performs manual validation activities to dig deeper.

Burp also allows you to validate issues like directory traversal, which are not always easy to confirm by simply running the attack in the web browser.

In fact, when you run such an attack from the address bar, most browsers normalize the URL and strip the "../" sequences before the request is sent.

By sending the GET request to Repeater and manipulating it there, the issue can be positively validated, because the pentester sees exactly what the web server returns.
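To make the browser-normalization point concrete, here is an added example (not code from the original post) that models the dot-segment removal a browser applies before sending a URL, and shows the server-side check that makes a traversal attempt fail regardless of what reaches the server. The web root /var/www/html is an assumption for illustration.

```python
"""Browser path normalization versus a server-side web-root containment check."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the example; no files are touched, paths are only computed.
WEB_ROOT = "/var/www/html"


def browser_normalize(path: str) -> str:
    """Model of RFC 3986 dot-segment removal, which browsers apply to the address
    bar before the request leaves the client. Any '..' that would climb above the
    root is silently dropped, so a traversal test typed into the browser never
    reaches the server in its original form."""
    out = []
    for seg in path.split("/")[1:]:  # path is expected to start with "/"
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def unsafe_resolve(raw_path: str) -> str:
    """Vulnerable pattern: the request path is glued onto the web root with no
    containment check. normpath shows where the OS would actually land."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(raw_path).lstrip("/"))


def safe_resolve(raw_path: str) -> Optional[str]:
    """Hardened pattern: decode once, resolve against the web root, then refuse
    anything whose resolved form is not the web root or a path beneath it."""
    resolved = posixpath.normpath(
        posixpath.join(WEB_ROOT, unquote(raw_path).lstrip("/"))
    )
    if resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/"):
        return resolved
    return None  # outside the web root: reject the request


if __name__ == "__main__":
    probe = "/images/../../../../etc/passwd"  # constructed sample request path
    print("browser sends :", browser_normalize(probe))
    print("unsafe server :", unsafe_resolve(probe))
    print("safe server   :", safe_resolve(probe))
```

A raw request sent from Repeater bypasses `browser_normalize`, which is why the response seen there, not the one in the browser, tells you whether `unsafe_resolve`-style code is in play.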

Of course, this is barely scratching the surface, but it should be enough to get you guys started on it.

I know a Burp Pro license can be quite expensive but it's an investment that pays off.

I also know there are free tools like ZAP, but they just don’t cut it.

If you want to be a pro, you need to use pro tools.
