<\/span><\/div>\n
![\"2013](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/2013-02-06-TOS_CHARTS.jpg\" "\\"Burp")
<\/a><\/p>\nDon\u2019t Go To Jail!<\/div>\n<\/div>\n
What we will cover:<\/span><\/strong><\/div>\n
- \n
- Outbound SOCKS Proxy Configuration<\/span><\/li>\n
- Intercept & Scope Configuration<\/li>\n
- Manual Application Walkthrough<\/li>\n
- Using The Spider & Discover<\/li>\n
- Using The Repeater Tab<\/li>\n
- Using The Intruder Tab<\/li>\n
- Text Specific Searching<\/li>\n
- Using The Automated Scanner<\/li>\n<\/ul>\n
Disclaimer: Testing web applications that you do not have written authorization to test is illegal and punishable by law.<\/em><\/strong><\/span><\/div>\n<\/h4>\n
<\/h4>\n
Burp Suite Tutorial \u2013 Configure Outbound SOCKS Proxy<\/span><\/h4>\n
Depending on the scope of your engagement, it may be necessary to tunnel your burp traffic through an outbound socks proxy. This ensures that testing traffic originates from your approved testing environment. I prefer to use a simple SSH which works nicely for this purpose. SSH out to your testing server and setup a socks proxy on your localhost via the \u2018\u2013D\u2019 option like this.<\/div>\noma, sans-serif; font-size: 13px; font-style: italic; line-height: 20px; margin: 12px 0px; padding: 0px 0px 0px 18px; vertical-align: baseline;\"><\/p>\n
ssh \u2013D 9292 \u2013l username servername<\/strong><\/span><\/div>\n<\/blockquote>\nNavigate to the Options tab located near the far right of the top menu in Burp. From the \u201cConnections\u201d sub-tab, Scroll down to the third section labeled \u201cSOCKS Proxy\u201d. Type in localhost for the host option and 9292 for the port option.<\/div>\n![\"1](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/1-socks-proxy-settings.png\" "\\"Burp")
<\/a><\/p>\nFigure #1 \u2013 SOCKS Proxy Settings<\/div>\n<\/div>\nNow burp is configured to route traffic through your outbound SSH tunnel. Configure your browser\u2019s proxy settings to use burp. Navigate to www.whatismyip.com and ensure your IP address is coming from your testing environment.<\/div>\n#ProTip<\/span> I use a separate browser for web application testing. This ensures I don\u2019t accidently pass any personal data to one of my client\u2019s sites such as the password to my gmail account for example.<\/em><\/div>\nI also prefer to use a proxy switching addon such as \u201cSwitchySharp<\/a>\u201d for Google Chrome. This allows me to easily switch back and forth between various proxy configurations that I might need during different engagements. Here is what my configuration settings look like for Burp.<\/div>\n![\"2](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/2-switchysharp-proxy-addon.png\" "\\"Burp")
<\/a><\/p>\nFigure #2 \u2013 SwitchySharp Proxy Settings<\/div>\n<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Configure Intercept Behavior<\/span><\/h4>\n
The next thing I do is configure the proxy intercept feature. Set it to only pause on requests and responses to and from the target site. Navigate to the \u201cProxy\u201d tab under the \u201cOptions\u201d sub-tab. The second and third headings display the configurable options for intercepting requests and responses. Uncheck the defaults and check \u201cURL Is in target scope\u201d. Next turn intercept off as it is not needed for the initial application walkthrough. From the \u201cIntercept\u201d sub-tab ensure that the toggle button reads \u201cIntercept is off\u201d<\/div>\n![\"3](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/3-proxy-intercept-settings.png\" "\\"Burp")
<\/a><\/p>\nFigure #3 \u2013 Proxy Intercept Settings<\/div>\n<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Application Walkthrough<\/span><\/h4>\n
For some reason, a lot of people like to skip this step. I don\u2019t recommend this. During the initial walkthrough of your target application it is important to manually click through as much of the site as possible. Try and resist the urge to start analyzing things in burp right a way. Instead, spend a good while and click on every link and view every page. Just like a normal user might do. Think about how the site works or how it\u2019s \u201csupposed\u201d to work.<\/div>\nYou should be thinking about the following questions:<\/div>\n- \n
- What types of actions can someone do, both from an authenticated and unauthenticated perspective?<\/li>\n
- Do any requests appear to be processed by a server-side job or database operation?<\/li>\n
- Is there any information being displayed that I can control<\/li>\n<\/ul>\nIf you stumble upon any input forms, be sure to do some manual test cases. Entering a single tick and hit submit on any Search form or zip code field you come across. You might be surprised at how often security vulnerabilities are discovered by curious exploration and not by automated scanning.<\/div>\n<\/div>\n
Burp Suite Tutorial \u2013 Configure Your Target Scope<\/span><\/h4>\n
Now that you have a good feel for how your target application works its time to start analyzing some GETs and Posts. However, before doing any testing with burp it\u2019s a good idea to properly define your target scope. This will ensure that you don\u2019t send any potentially malicious traffic to websites that you are not authorized to test.<\/div>\n#ProTip<\/span> I am authorized to test www.pentestgeek.com. *You* are not<\/span><\/strong>.<\/em><\/div>\nHead over to the \u201cTarget\u201d tab and then the \u201cSite map\u201d sub-tab. Select your target website from the left display pane. Right click and choose \u201cAdd to scope\u2019. Next highlight all other sites in the display pane, right click and select Remove from scope. If you\u2019ve done this correctly your scope should look something like the image below.<\/div>\n![\"4](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/4-scope_sub-tab.png\" "\\"Burp")
<\/a><\/p>\nFigure #4 \u2013 Scope Settings<\/div>\n<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Initial Pilfering<\/span><\/h4>\n
Click on the \u201cTarget\u201d tab and the \u201cSite Map\u201d sub tab. Scroll down to the appropriate site branch and expand all the arrows until you get a complete picture of your target site. This should include all of the individual pages you browsed as well as any javascript and css files. Take a moment to soak all of this in, try and spot files that you don\u2019t recognize from the manual walkthrough. You can view the response of each request in a number of different formats located on the \u201cResposne\u201d tab of the bottom right display pane. Browse through each respond searching for interesting gems. Things you might be surprised to find include:<\/div>\n- \n
- Developer comments<\/li>\n
- Email addresses<\/li>\n
- Usernames & passwords if you\u2019re lucky<\/li>\n
- Path disclosure to other files\/directories<\/li>\n
- Etc\u2026<\/li>\n<\/ul>\n<\/div>\n
Burp Suite Tutorial \u2013 Search Specific Keywords<\/span><\/h4>\n
You can also leverage burp to do some of the heavy lifting for you. Right click on a node, from the \u201cEngagement tools\u201d sub-menu select \u201cSearch\u201d. One of my favorite searches is to scan for the string \u201cset-cookie\u201d. This lets you know which pages are interesting enough to require a unique cookie. Cookies are commonly used by web application developers to differentiate between requests from multiple site users. This ensures that user \u2018A\u2019 doesn\u2019t get to view the information belonging to user \u2018B\u2019. For this reason it is a good idea to identify these pages and pay special attention to them.<\/div>\n![\"55](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/55-Search-Feature.png\" "\\"Burp")
<\/a><\/p>\nFigure #5 \u2013 Search Specific Keywords<\/div>\n<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Using Spider and Discover<\/span><\/h4>\n
After a good bit of manual poking and prodding it\u2019s usually beneficial to allow burp to spider the host. Just right click on the target\u2019s root branch in the
\n sitemap and select \u201cSpider this host\u201d.<\/div>\n![\"6](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/6-spidering-a-host.png\" "\\"Burp")
<\/a><\/p>\nFigure #6 \u2013 Spider Feature<\/div>\n<\/div>\nOnce the spider has finished, go back to your site-map and see if you picked up any new pages. If you have, take a manual look at them in your browser and also within burp to see if they produce anything interesting. Are there any new login prompts, or input boxes for example? If you\u2019re still not satisfied with all that you have found you can try Burp\u2019s discovery module. Right click on the target site\u2019s root branch and from the \u201cEngagement tools\u201d sub-menu select \u201cDiscover Content\u201d. On most sites this module can and will run for a long time so it\u2019s a good practice to keep an eye on it. Make sure that it completes or shut it off manually before it runs for too long.<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Using The Repeater<\/span><\/h4>\n
The Repeater tab is arguably one of the most useful features in Burp Suite. I use it hundreds of times on every web application that I test. It is extremely valuable and also incredibly simple to use. Just right click on any request within the \u201cTarget\u201d or \u201cProxy\u201d tab and select \u201cSend to Repeater\u201d. Next click over to the \u201cRepeater\u201d tab and hit \u201cGo\u201d. You will see something like this.<\/div>\n![\"7](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/7-repeater-screen.png\" "\\"Burp")
<\/a><\/p>\nFigure #7 \u2013 The Repeater<\/div>\n<\/div>\nHere you can manipulate any part of the HTTP request headers and see what the response looks like. I recommend spending some good time here playing with every aspect of the HTTP request. Especial any GET\/POST parameters that are besting sent along with the request.<\/div>\n<\/div>\nBurp Suite Tutorial \u2013 Using The Intruder<\/span><\/h4>\n
If you are limited on time and have too many requests and individual parameters to do a thorough manual test. The Burp Intruder is a really great and powerful way to perform automated and semi-targeted fuzzing. You can use it against one or more parameters in an HTTP request. Right click on any request just as we did before and this time select \u201cSend to Intruder\u201d. Head over to the \u201cIntruder\u201d tab and click on the \u201cPositions\u201d sub-tab. You should see something like this.<\/div>\n![\"8](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/8-Intruder-1.png\" "\\"Burp")
<\/a><\/p>\nFigure #8 \u2013 Intruder Positions<\/div>\n<\/div>\nI recommend using the \u201cClear\u201d button to remove what is selected at first. The default behavior is to test everything with an \u2018=\u2019 sign. Highlight the parameters you wan\u2019t to fuzz and click \u201cAdd\u201d. Next you need to go to the \u201cPayloads\u201d sub-tab and tell Burp which test cases to perform during the fuzzing run. A good one to start off with is \u201cFuzzing \u2013 full\u201d. this will send a number of basic test cases to every parameter that you highlighted on the \u201cPositions\u201d sub-tab.<\/div>\n
![\"9](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/9-Intruder-21.png\" "\\"Burp")
<\/a><\/p>\n![\"10](\"https:\/\/www.pentestgeek.com\/wp-content\/uploads\/2014\/07\/10-Active-Scan-Settings.png\" "\\"Burp")
<\/a><\/p>\n