Friday, March 10, 2023

Security Testing | Security 4 No0bs - Burp Suite


Today's tool to learn: Burp Suite


So what is Burp Suite?

Burp Suite is a proxy tool that sits between your application and your computer. When configured to do so, it "reads" the interactions/requests of the application and allows you to interact with it in all kinds of ways. Interactions such as:

  • With Target you can create a site map of the entire application and its pages for future use
  • You can employ view the application requests with Proxy/HTTP History
  • Intruder lets you configure automated attacks like Brute-force login
  • The Repeaterallows you to intercept the request, modify it in some way, then send it back into the system. A really deadly tool in the hands of a skilled person

And this is just the tip of the proverbial iceberg. There are a plethora of features and functions to use. There's a Community Edition and a PRO version of Burp Suite. The Community Edition is a great introduction to learning how to proxy an application and play with the requests. The PRO version allows you to add a plethora of extensions that transform this platform into a powerful tool in your arsenal.


Why Burp Suite?

There might be many options available to use, but none can match Burp Suite's array of features. It is only limited by the mind of the user. The setup is simple and the learning curve is optimal.


How to use Burp Suite?

I won't go into the many many .. many ways to use Burp Suite, but I can offer a quick example. We'll use a simple scenario where you browse a fake website, visit the product details page, intercept the request to change the price, then send it and place the order:

  1. To begin: download Burp Suite (Community or PRO)
  2. If using Firefox, follow the directions on how to configure FoxyProxy. For chrome, no action needed.
  3. Launch Burpsuite and skip past the options configure a new project. Simply click "Start.."
  4. Once the application is launched, click Target > Open browser -> this opens a built-in Chromium instance that is pre-configured by Burp Suite to proxy the requests.
  5. Paste the following url in the address bar: https://5elementslearning.dev/demosite/index.php
  6. In Burp Suite, click Proxy > Http History. Pro-tip: right-click into the pane and click Clear History .. just to remove any noise from site navigation.
  7. Browse the site and select a product to arrive at the product details page. Note the displayed price.
  8. Add the item to the cart, then look for the request in Burp Suite
  9. Right-click on the request and click send to Repeater
  10. In the Repeater, scroll to where the price is displayed and modify it so the price is more to your liking then click the SEND button.
  11. Proceed through the checkout flow with product and it's new price. If the price reverts, change it again in the final step before submission.

Et Voila! You have just 'hacked' an e-commerce site. Congratulations!! This is one of many many ... many scenarios you can learn via the labs.

For the complete list of labs, visit: portswigger.net/web-security/all-labs

Ciao For Now!

Tune in next week, I will give a brief write-up on MITRE ATT&CK and this cool book I've been reading.

No comments:

Post a Comment