Question

Burp Suite is a Java‐based web penetration testing graphical tool developed by PortSwigger Web Security. It has become an industry‐standard suite of tools used by security professionals. There are three versions: the community edition that can be downloaded freely and the professional and enterprise versions that have a trial period. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting your web applications. In its simplest form, Burp Suite can be used as a proxy server, scanner, and intruder.

While browsing a target application, penetration testers can configure their Internet browser to route traffic through the proxy server. Burp Suite then captures and analyzes each request to and from the target web application. This allows the interception, inspection, and possible modification of the raw traffic. Penetration testers can pause, manipulate, and replay individual HTTP requests to analyze potential parameters or injection points. Intruder can perform automated attacks on web applications. The tool can configure an algorithm that makes malicious HTTP requests as well as test for things like SQL injection and cross‐site scripting (CSS). Certain injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviors, crashes, and error messages. Fuzzing is a technique that allows you to test software by putting invalid or unexpected data into the computer program and monitor the behavior.

In Lab 11.2 , you will be installing Burp Suite Community Edition.

---

LAB 11.2 : INSTALLING AND CONFIGURING BURP SUITE COMMUNITY

1. To download the Burp Suite Community Edition, go to https://portswigger.net/burp/communitydownload . As you see in Figure 11.8 , there is a Windows edition as well as the plain JAR file.

   

   Figure 11.8 : PortSwigger Web Security page for downloading Burp Suite Community Edition

2. Download the executable, open your Downloads folder, double‐click the proper file, and follow the directions until you finish.
3. Navigate to the start menu, and search for Burp Suite to open the software. Load the Burp Suite defaults for your initial project and then click the Start Burp Suite button in the lower‐right corner (see Figure 11.9 ).

   

   Figure 11.9 : Creating a new project in Burp Suite

4. After you have the temporary project loaded, click the User Settings tab to adjust any display settings. For example, you can change the font size and font as well as how you want HTTP messages to display, character sets, and HTML rendering. As you can see in Figure 11.10 , these settings will select how Burp Suite handles in‐tool rendering of HTML content.

   

   Figure 11.10 : Configuring Burp Suite Community

   Next, you need to configure the proxy listener to make sure it is active and working. This will allow your browser to work with Burp Suite to serve as an HTTP proxy and have all HTTP/S traffic pass through Burp Suite. This will allow you to operate as a “man in the middle” between your browser and target web applications.

5. Under the Options subtab as seen in Figure 11.11 , in the Proxy Listener section, you should see an entry in the table with the checkbox selected in the Running column, and 127.0.0.1:8080 showing in the Interface column. Click the Intercept tab and verify that “Intercept is on.” Burp Suite now can intercept the traffic between you and your HTTP destination.

   

   Figure 11.11 : Configuring your browser to listen for traffic over the Internet

6. Open your browser and visit www.example.com . Burp Suite should show you each request you have made in the form of raw data. If you have raw data, click the Forward button to cycle through each request the browser has made for more data.

   If the listener is not running, then Burp Suite was not able to open the default proxy listener port over port 8080. You will need to edit the port number of the listener to the proper port number for your device in Burp Suite or configure the browser of your choice to interact with Burp Suite. When using Burp Suite, I use Firefox as my browser because of the extensibility and ease of configuration. Go to the Firefox menu and select Preferences and then Options. Under the General tab, open Network Settings. As you see in Figure 11.12 , you should configure the manual proxy to be 127.0.0.1 over port 80 and use this proxy for all protocols.

   

   Figure 11.12 : Mozilla Firefox settings for a Burp Suite network proxy

7. If you try to view the initial request and there's no data, check your alerts. There may be a need to configure the certificate your browser is using. Again, I prefer Mozilla Firefox, so within this browser, you can visit http://burp to download the CA certificate shown in Figure 11.13 . A CA is a certificate authority. It is a trusted entity that the Internet uses for authentication. The CA will issue the SSL certificate that web browsers are going to use to authenticate content.

   

   Figure 11.13 : http://burp

8. Once you have the certificate downloaded, you will need to bring it into the browser. In Figure 11.14 , you see the options for bringing the SSL certificate into Mozilla Firefox to be used by Burp Suite. According to Marissa “Reese” Morris, senior director of Firefox at Mozilla, “In the case of Burp Suite, the CA allows professionals to test their encrypted services for vulnerabilities.”

   

   Figure 11.14 : Loading the CA certificate into Firefox Preferences located under Privacy And Security

---

With only a little bit of effort, anyone can start using the core features of Burp Suite to test the security of his or her applications. Burp Suite is very intuitive and user‐friendly, and the best way to start learning is by doing. These next steps will get you started with running Burp Suite and using some of the basic features.

The Proxy tool is the core of the product acting as a web proxy server. A proxy server is a server that sits between a web browser and a real server. As you request a file, connection, or web page, the proxy server examines the request for many reasons, such as control, simplification, or anonymity. In Burp Suite, the purpose is to inspect and possibly modify the raw traffic as it passes in both directions.

In Lab 11.3 , you will be using core features of Burp Suite Community Edition.

---

LAB 11.3 : USING BURP SUITE TO INTERCEPT HTTP TRAFFIC

1. Navigate to www.whatismyip.com to take note of your actual IP address. Knowing your true IP address is critical for any type of technical support across a network or connecting to an external device.
2. Each HTTP request made by your browser is displayed in the Intercept tab. You can view each message, and edit it if required. You then click the Forward button to send the request on to the destination web server. In fact, you may have to hit Forward many times until the page loads to cycle through all the requests.

   In Figure 11.15 , you see the successful capture of information between the Firefox browser welcome page and Burp Suite. Click through each of the message editor tabs to see different ways to view the data. There will be the raw data, then more specifically the header content, and finally, hexadecimal.

   

   Figure 11.15 : Web traffic captured over 127.0.0.1:8080 in the header view

3. While you're still in the Proxy tab, go to the HTTP History tab. Here you will have a table of all HTTP messages that have been intercepted. If you select an item in the table, you can go between the request and response.
4. Next, click a column header in the History table to sort the data. If you click it again, it will reverse the order whether it's numerical or alphabetical. In fact, you can use the column headers to sort data in any page.
5. As you're doing your analysis of web traffic in the HTTP History page, you can click the number in the first column to add a color. You can also right‐click a row to add a comment for future reference.

---

Another key part of the user‐driven workflow is the ability to take the same information and process it in different ways. You can right‐click any entry representing traffic in the HTTP history and, if available, do a vulnerability scan of that request using the Burp Scanner. As you see in Figure 11.16 , you also have the ability to take traffic and use it over and over again, making minute modifications of the request and reissue it over and over using the Repeater. With Sequencer, you can analyze the randomness in a token that is returned in the response that you receive.

Figure 11.16 : The channels you can take in analyzing individual HTTP requests in Burp Suite

Web application vulnerabilities will offer a huge amount of risk to an organization, especially to enterprise systems. Too many of the vulnerabilities are a result of lack of data validation, and bad actors can leverage that to misuse the application. Make a checklist and check everything. Best practice says check the outgoing, internal, and mail links. Test your forms for default values, and test your cookies to make sure they are deleted properly. Test HTML and CSS so there are no syntax errors and so that other search engines can crawl your site easily. Test the content and navigation as well as the database for integrity and response time.

A web application penetration tester will tell you it will be an arduous process and you are going to run into roadblocks. Deadlines will be a huge issue since everything is needed now, if not yesterday. Plan your work, know what is expected of the process, and create the best process for your organization.