Configure Outbound SOCKS Proxy – Burp Suite
Depending on the scope of your engagement, it may be necessary to tunnel your Burp Suite traffic through an outbound SOCKS proxy. This ensures that testing traffic originates from your approved testing environment. I prefer to use a simple SSH connection, which works nicely for this purpose. SSH out to your testing server and set up a SOCKS proxy on your localhost via the ‘-D’ option, like this.
ssh -D 9292 -l username servername
Navigate to the “Options” tab located near the far right of the top menu in Burp Suite. From the “Connections” sub-tab, scroll down to the third section, labeled “SOCKS Proxy”. Check “Use SOCKS proxy”, type localhost for the host option and 9292 for the port option. If you want hostname lookups to happen on the remote end as well, also tick “Do DNS lookups over SOCKS proxy”; otherwise your DNS queries still leave from wherever you are sitting, even though the HTTP traffic goes through the tunnel.
Burp Suite is now configured to route its traffic through your outbound SSH tunnel. Configure your browser’s proxy settings to point at Burp Suite, then navigate to www.whatismyip.com and ensure the IP address shown is that of your testing environment. If it still shows your own address, Burp is not using the tunnel.
#ProTip I use a separate browser for web application testing. This ensures I don’t accidentally pass any personal data to one of my client’s sites, such as the password to my Gmail account, for example.
I also prefer to use a proxy switching add-on such as “SwitchySharp” for Google Chrome. This lets me easily switch back and forth between the various proxy configurations I might need during different engagements. Here is what my configuration settings look like for Burp Suite.
Configure Intercept Behavior – Burp Suite Tutorial
The next thing I do is configure the proxy intercept feature so that it only pauses on requests and responses to and from the target site. Navigate to the “Proxy” tab and then the “Options” sub-tab. The second and third headings display the configurable rules for intercepting requests and responses. Uncheck the Burp Suite defaults and check “URL Is in target scope”. Next, turn intercept off, as it is not needed for the initial application walkthrough: from the “Intercept” sub-tab ensure that the toggle button reads “Intercept is off”.
Application Walkthrough – Burp Suite Tutorial
For some reason a lot of people like to skip this step. I don’t recommend it. During the initial walkthrough of your target application it is important to manually click through as much of the site as possible. Resist the urge to start analyzing things in Burp Suite right away. Instead, spend a good while clicking on every link and viewing every page, just as a normal user would. Think about how the site works, or how it’s “supposed” to work.
You should be thinking about the following questions:
- What types of actions can someone do, both from an authenticated and unauthenticated perspective?
- Do any requests appear to be processed by a server-side job or database operation?
- Is there any information being displayed that I can control?
If you stumble upon any input forms, be sure to run some manual test cases. Enter a single tick (') and hit submit on any search form or zip code field you come across, and watch for error messages or any change in the response. You might be surprised at how often security vulnerabilities are discovered by curious exploration rather than by automated scanning.
Configure Your Target Scope – Burp Suite Tutorial
Now that you have a good feel for how your target application works, it’s time to start analyzing some GETs and POSTs. However, before doing any testing with Burp Suite it’s a good idea to properly define your target scope. This ensures that you don’t send any potentially malicious traffic to websites that you are not authorized to test.
#ProTip I am authorized to test www.pentestgeek.com. *You* are not.
Head over to the “Target” tab and then the “Site map” sub-tab. Select your target website from the left display pane, right click and choose “Add to scope”. Next, highlight all other sites in the display pane, right click and select “Remove from scope”. If you’ve done this correctly your Burp Suite scope tab should look something like the image below.
Initial Pilfering – Burp Suite Tutorial
While you click through the site, keep an eye on the page source and the raw responses in the Site map for things such as:
- Developer comments
- Email addresses
- Usernames & passwords, if you’re lucky
- Path disclosure to other files/directories
Search Specific Keywords – Burp Suite Tutorial
You can also leverage Burp Suite to do some of the heavy lifting for you. Right click on a node and, from the “Engagement tools” sub-menu, select “Search”. One of my favorite searches is for the string “set-cookie”. This tells you which pages are interesting enough to require a unique cookie. Cookies are commonly used by web application developers to differentiate between requests from multiple site users, ensuring that user ‘A’ doesn’t get to view information belonging to user ‘B’. For this reason it is a good idea to identify these pages and pay special attention to them. While you are there, note whether the cookies are issued with the Secure and HttpOnly flags.
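The two passes above, pilfering by hand and searching responses for a keyword such as set-cookie, can be scripted once you have responses saved to disk. The following Ruby script is an added example and is not code from this tutorial or from Burp Suite; the three HTTP responses it inspects are constructed sample data, and the regular expressions for email addresses and file paths are simple assumptions of this example, not anything Burp uses.

```ruby
# Added example: a small Ruby script that performs the "initial pilfering" and
# the "search for set-cookie" pass over saved HTTP responses, the way you would
# by hand in the Site map. Not part of the original tutorial or of Burp Suite;
# the responses below are constructed sample data, not captured traffic.

EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/
# Absolute Windows or Unix paths that a page would not normally display (assumed list)
PATH_RE  = %r{(?:[A-Za-z]:\\|/(?:var|etc|home|usr|opt)/)[\w\\/.-]+}

# Constructed sample: path => raw HTTP response (CRLF line endings)
SAMPLE_RESPONSES = {
  '/index.php' =>
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n" \
    "<html><!-- TODO: remove debug endpoint /admin/debug.php before launch -->" \
    "<body>Contact <a href='mailto:webmaster@example.com'>us</a></body></html>",
  '/login.php' =>
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n" \
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n" \
    "Set-Cookie: remember=0; path=/; HttpOnly\r\n" \
    "Content-Type: text/html\r\n\r\n<form method='post'><input name='user'></form>",
  '/about.html' =>
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n" \
    "<html><body>Built from C:\\inetpub\\wwwroot\\build\\about.html</body></html>"
}.freeze

# Split a raw response into [status line, headers (name => [values]), body].
# Header names are lower-cased and values kept as arrays because Set-Cookie repeats.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  status = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] << value.to_s.strip
  end
  [status, headers, body.to_s]
end

# Equivalent of Burp's "Search": paths whose raw response contains the keyword.
def search(responses, keyword)
  responses.select { |_path, raw| raw.downcase.include?(keyword.downcase) }.keys
end

# Pull the items worth a second look out of each response. Returns rows of
# [path, kind, value, note]; the note flags cookies lacking Secure/HttpOnly.
def pilfer(responses)
  findings = []
  responses.each do |path, raw|
    _status, headers, body = parse_response(raw)
    headers['set-cookie'].each do |cookie|
      missing = []
      missing << 'missing HttpOnly' unless cookie =~ /;\s*httponly\b/i
      missing << 'missing Secure'   unless cookie =~ /;\s*secure\b/i
      findings << [path, 'set-cookie', cookie.split(';').first, missing.join(', ')]
    end
    body.scan(/<!--(.*?)-->/m) { |c| findings << [path, 'comment', c[0].strip, ''] }
    body.scan(EMAIL_RE)        { |e| findings << [path, 'email', e, ''] }
    body.scan(PATH_RE)         { |p| findings << [path, 'path', p, ''] }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "Pages that set cookies: #{search(SAMPLE_RESPONSES, 'set-cookie').join(', ')}"
  pilfer(SAMPLE_RESPONSES).each { |row| puts row.join("\t") }
end
```

Beyond telling you which pages set cookies, the script records whether each cookie was issued with the HttpOnly and Secure flags, which is the first thing to check on a session cookie once you have found it.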
Using Spider and Discover – Burp Suite Tutorial
After a good bit of manual poking and prodding it’s usually beneficial to let Burp Suite spider the host. Just right click on the target’s root branch in the Site map and select “Spider this host”. Be aware that the spider follows every link it finds and submits forms, which includes things like logout links and delete actions, so check the Spider options before turning it loose on an authenticated session.
Once the spider has finished, go back to your Site map and see whether you picked up any new pages. If you have, take a manual look at them in your browser and in Burp Suite to see if they produce anything interesting: are there any new login prompts or input boxes, for example? If you’re still not satisfied with what you have found, try Burp Suite’s discovery module. Right click on the target site’s root branch and, from the “Engagement tools” sub-menu, select “Discover Content”. On most sites this module can and will run for a long time, so keep an eye on it. Make sure that it completes, or shut it off manually before it runs for too long.
Using The Repeater – Burp Suite Tutorial
The Repeater tab is arguably one of the most useful features in Burp Suite. I use it hundreds of times on every web application I test. It is extremely valuable and also incredibly simple to use. Just right click on any request within the “Target” or “Proxy” tab and select “Send to Repeater”. Next, click over to the “Repeater” tab and hit “Go”. You will see something like this.
Here you can use Burp Suite to manipulate any part of the HTTP request and see what the response looks like. I recommend spending some good time here playing with every aspect of the request, especially any GET/POST parameters that are being sent along with it.
Using The Intruder – Burp Suite Tutorial
If you are limited on time and have too many requests and individual parameters to test thoroughly by hand, Burp Suite Intruder is a great and powerful way to perform automated, semi-targeted fuzzing. You can use it against one or more parameters in an HTTP request. Right click on any request just as we did before and this time select “Send to Intruder”. Head over to the “Intruder” tab and click on the “Positions” sub-tab. You should see something like this.
I recommend using the “Clear” button first to remove what is selected. The default behavior is to mark every parameter value, i.e. everything following an ‘=’ sign. Highlight the parameters you want to fuzz and click “Add”. Next, go to the “Payloads” sub-tab and tell Burp Suite which test cases to perform during the fuzzing run. A good list to start with is “Fuzzing – full”. This sends a number of basic test cases to every parameter that you highlighted on the “Positions” sub-tab. Keep in mind that with the default Sniper attack type the payloads go into one position at a time, so the number of requests sent is the number of positions multiplied by the number of payloads.
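To make concrete what Intruder does with the positions you marked, here is an added Ruby example (not the tutorial's code and not Burp's implementation) that takes a request template using Burp's § position markers, inserts each payload into one position at a time as the default Sniper attack type does, URL-encodes the payload and fixes up Content-Length. The request template, the short payload list and the encoding rule are assumptions constructed for this example.

```ruby
# Added example: a minimal re-implementation of what Burp Intruder does with
# payload positions in its default "Sniper" attack type, so the mechanics are
# visible outside the GUI. Not the tutorial's code and not Burp's own. The §
# delimiter is Burp's marker convention; the template, payloads and encoding
# rule below are constructed for this example.

require 'uri'

PAYLOAD_MARK = '§'

# Constructed stand-in for a handful of entries from a "Fuzzing - full" style list
FUZZ_PAYLOADS = [
  "'", '"', "'--", "' OR '1'='1", '<script>alert(1)</script>',
  '../../etc/passwd', '%00'
].freeze

# Constructed request with two positions marked: the q and zip parameter values
TEMPLATE = "POST /search.php HTTP/1.1\r\n" \
           "Host: www.example.com\r\n" \
           "Content-Type: application/x-www-form-urlencoded\r\n" \
           "Content-Length: 17\r\n" \
           "\r\n" \
           "q=#{PAYLOAD_MARK}shoes#{PAYLOAD_MARK}&zip=#{PAYLOAD_MARK}90210#{PAYLOAD_MARK}"

# Split a template on § markers. Even indices are literal text, odd indices are
# the baseline values of the payload positions. Unpaired markers are an error.
def parse_positions(template)
  parts = template.split(PAYLOAD_MARK, -1)
  raise ArgumentError, 'unbalanced payload markers' if parts.size.even?
  parts
end

# Simplified stand-in for Intruder's URL-encoding option (assumption: encode
# everything a form body would choke on, rather than Burp's exact character set).
def encode_payload(payload)
  URI.encode_www_form_component(payload)
end

# Recompute Content-Length after the body changed, as Intruder does by default.
# Requests without a body or without the header are returned untouched.
def fix_content_length(request)
  head, body = request.split("\r\n\r\n", 2)
  return request unless body && head =~ /^Content-Length:/i
  head = head.sub(/^Content-Length:[^\r\n]*/i, "Content-Length: #{body.bytesize}")
  "#{head}\r\n\r\n#{body}"
end

# Sniper: each payload goes into one position at a time while every other
# position keeps its baseline value. Returns positions * payloads requests.
def sniper_requests(template, payloads)
  parts = parse_positions(template)
  position_indices = (1...parts.size).step(2).to_a
  position_indices.flat_map do |idx|
    payloads.map do |payload|
      built = parts.each_with_index.map { |chunk, i| i == idx ? encode_payload(payload) : chunk }.join
      { position: (idx - 1) / 2, payload: payload, request: fix_content_length(built) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  sniper_requests(TEMPLATE, FUZZ_PAYLOADS).each do |r|
    puts "position #{r[:position]} payload #{r[:payload].inspect}"
    puts r[:request], ''
  end
end
```

Two positions and seven payloads produce fourteen requests, which is why clearing the default positions first matters: every extra marked parameter multiplies the traffic you send to the client.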
Automated Scanning – Burp Suite Tutorial
The last thing I do when testing a web application is an automated scan using Burp Suite. Back on the “Site map” sub-tab, right click on the root branch of your target site and select “Passively scan this host”. This analyzes every request and response that you have generated during your Burp Suite session and produces a vulnerability advisory on the “Results” sub-tab of the “Scanner” tab. I like to do the passive scan first because it doesn’t send any traffic to the target server. Alternatively, you can configure Burp Suite to passively analyze requests and responses automatically from the “Live scanning” sub-tab. You can do the same for active scanning, but I do not recommend it, since that fires attack payloads at every in-scope request as you browse.
When doing an active scan I like to use the following settings.
How To Use Burp Suite – Validating Scanner Results
It’s always a good idea to thoroughly validate the results of any automated scanning tool, and Burp Suite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose request/response information for the specific vulnerability selected in the right-hand upper pane.
The “Advisory” tab contains information about the vulnerability, including a high-level summary, description and proposed remediation. The “Request” & “Response” tabs display exactly what Burp Suite sent to the target application in order to check for the vulnerability, as well as what the application returned. Take a look at the example below.
The request tab shows us which page generated the alert.
Just by requesting this page in a browser, or viewing the “Response” tab, we are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue validated and move on.
#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks; pentesters are hired specifically to identify and weed out these false positives.
How To Use Burp Suite – Exporting Scanner Reports
Once you have validated the scanner results you might want to generate some type of report. There are two report formats available from the “Scanner/Results” tab: HTML and XML. To generate a report, right-click on a target in the left-hand display pane and select “Report selected issues”. This presents you with the following dialog box.
Click through the wizard and select which items you want in your report and which format. The HTML report can be opened in a browser and then exported to PDF, which can be useful for communicating findings to your client. The XML report lets you parse out specific sections for more granular detail. If you generate an XML report, make sure you uncheck the “Base64-encode requests and responses” option if you want to read the full HTTP requests/responses directly in the file; if you leave it checked, whatever parses the file has to decode them first.
How To Use Burp Suite – Parsing XML Results
I’ve written a simple Ruby script to parse data out of the XML output generated by an automated scan. The script uses the Nokogiri gem and writes the results as a tab-delimited file, which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suit your specific needs.
Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place.
require 'nokogiri'

# Turn one <issue> node from the Burp XML export into an array of columns
def clean_finding(finding)
  output = []
  output << 'Web Application Findings'
  output << ''
  output << finding.css('severity').text
  output << 'Open'
  output << finding.css('host').text
  output << finding.css('path').text
  output << finding.css('issueDetail').text
  output << finding.css('name').text
  output << finding.css('issueBackground').text
  output << finding.css('remediationBackground').text
  response = finding.css('response').text
  if response.include?('Server:')
    # Pull the value of the Server header out of the raw response
    output << response.split('Server: ')[1].split("\n").first
  end
  output
end
You can see that simply calling the .css method with (‘[VALUE YOU WANT]’) and then .text lets you scoop out whichever items you want from the XML soup. Run the script with no arguments and you’ll see that it takes an XML file and spits output to the screen.
[ # ] $ ./parse-burp.rb
Parse Burp Suite XML output into Tab delimited results
Example: ./parse-burp.rb > output.csv
[ # ] $
You can redirect the results into a file.csv if you like. The CSV file can then be imported into an Excel spreadsheet, which looks like this.
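As an added example that is separate from the author's parse-burp.rb, the following Ruby script parses the same kind of XML export with only the standard library (REXML in place of Nokogiri), handles the Base64 option from the report wizard by decoding the request and response when the element carries base64="true", tolerates an issue that has no request/response, and writes a tab-delimited table. The embedded XML is a constructed sample that follows the shape of Burp's export, not real scanner output; the element names it relies on (issue, severity, host, path, name, issueDetail, requestresponse/request, requestresponse/response) are largely the same ones the author's script selects.

```ruby
# Added example: a stand-alone parser for Burp's XML scanner export using only
# the Ruby standard library. It decodes Base64-encoded request/response bodies,
# copes with an issue that has none, and emits a tab-delimited table for Excel.
# Not the tutorial's parse-burp.rb; the XML below is a constructed sample.

require 'rexml/document'

# pack('m0') is strict Base64 encoding; used here only to build the sample export
SAMPLE_REQUEST  = ["GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"].pack('m0')
SAMPLE_RESPONSE = ["HTTP/1.1 200 OK\r\nServer: Apache/2.4.7\r\nContent-Type: text/html\r\n\r\n" \
                   "<a href='mailto:webmaster@example.com'>Contact</a>"].pack('m0')

# Constructed sample in the shape of a Burp XML export; the second issue
# deliberately has no requestresponse element.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <issues burpVersion="1.6" exportTime="Sun Jan 01 00:00:00 UTC 2017">
    <issue>
      <serialNumber>1</serialNumber>
      <name>Email addresses disclosed</name>
      <host ip="203.0.113.10">https://www.example.com</host>
      <path>/contact.html</path>
      <severity>Information</severity>
      <confidence>Certain</confidence>
      <issueBackground>The response contains an email address.</issueBackground>
      <remediationBackground>Remove addresses that are not needed.</remediationBackground>
      <issueDetail>The following email address was disclosed: webmaster@example.com</issueDetail>
      <requestresponse>
        <request method="GET" base64="true">#{SAMPLE_REQUEST}</request>
        <response base64="true">#{SAMPLE_RESPONSE}</response>
      </requestresponse>
    </issue>
    <issue>
      <serialNumber>2</serialNumber>
      <name>Cookie without HttpOnly flag set</name>
      <host ip="203.0.113.10">https://www.example.com</host>
      <path>/login.php</path>
      <severity>Low</severity>
      <confidence>Firm</confidence>
      <issueBackground>The cookie can be read by client-side script.</issueBackground>
      <remediationBackground>Set the HttpOnly flag.</remediationBackground>
      <issueDetail>The cookie PHPSESSID lacks the HttpOnly flag.</issueDetail>
    </issue>
  </issues>
XML

# Text of an element, Base64-decoded when the export marked it base64="true".
# Returns '' when the element is absent (an issue with no request/response).
def element_text(element)
  return '' if element.nil?
  text = element.text.to_s
  element.attributes['base64'] == 'true' ? text.unpack1('m') : text
end

# Value of the Server header in a raw HTTP response, or '' if there is none
def server_header(raw_response)
  m = raw_response.match(/^Server:[ \t]*([^\r\n]+)/i)
  m ? m[1] : ''
end

# One hash per <issue>, with request/response already decoded
def parse_burp_xml(xml)
  doc = REXML::Document.new(xml)
  rows = []
  doc.elements.each('issues/issue') do |issue|
    field = ->(name) { element_text(issue.elements[name]) }
    response = field.call('requestresponse/response')
    rows << {
      severity: field.call('severity'), confidence: field.call('confidence'),
      host: field.call('host'), path: field.call('path'), name: field.call('name'),
      detail: field.call('issueDetail'), server: server_header(response),
      request: field.call('requestresponse/request'), response: response
    }
  end
  rows
end

COLUMNS = %i[severity confidence host path name server detail].freeze

# Tab-delimited output; embedded tabs/newlines in a field are flattened so each
# finding stays on one spreadsheet row.
def to_tsv(rows)
  lines = [COLUMNS.join("\t")]
  rows.each do |row|
    lines << COLUMNS.map { |c| row[c].to_s.gsub(/[\t\r\n]+/, ' ') }.join("\t")
  end
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_XML   # ./script.rb burp-export.xml > findings.tsv
  print to_tsv(parse_burp_xml(xml))
end
```

Run it with the path to a real export as the first argument and redirect the output to a file for Excel; with no argument it parses the embedded sample so you can see the column layout.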
How To Use Burp Suite – Saving a Burp session
In some cases it might be necessary to pause an assessment and come back later. You might also find yourself wanting to share your Burp Suite session with another consultant; two pairs of eyes are often better than one, after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This creates a flat file which you or another consultant can import into Burp Suite to see all of the captured traffic and test cases. This is an extremely useful feature. Remember that the state file contains every request and response you captured, credentials and session cookies included, so store and share it with the same care as the rest of the client’s data.
If you have tried this in the past and noticed that the resulting file was unnecessarily large (hundreds of MBs), it is possible you forgot to check the “Save in-scope items only” check-box.
If you set up your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive state file. The next page of the wizard asks which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much, if at all, but feel free to play with these options and make up your own mind.
To restore a previously saved Burp state simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the wizard. Depending on the size of the state file it may take a moment to import everything, but once finished you can continue your assessment (or someone else’s, for that matter) as if you had never paused in the first place. It’s pretty cool!
How To Use Burp Suite – Burp Extensions
Burp extensions are after-market additions, written by other pentesters, that can be easily installed and configured to add enhanced or additional features to Burp Suite. To demonstrate the process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS GitHub page. Browse to the following URL, https://github.com/AccuvantLABS/burp-shellshock, and click the “Download here!” link. Keep in mind that an extension runs with the same privileges as Burp itself and sees all of your traffic, so review the source, or at least its provenance, before loading someone else’s .jar.
Next, click on the “Extender” tab within Burp Suite and click the “Add” button at the top-left corner. When the dialog box pops up, select the Shellshock .jar file you just downloaded and click Next.
If everything went well you should see a message stating “The extension loaded successfully” with no error messages or output. The Extensions tab now shows our “Shellshock Scanner” extension as loaded, and we can see from the Details section that a new Scanner check has been added.
Author: Royce Davis