Table of Contents for
Burp Suite Cookbook

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Burp Suite Cookbook by Sunny Wear Published by Packt Publishing, 2018
  1. Burp Suite Cookbook
  2. Title Page
  3. Copyright and Credits
  4. Burp Suite Cookbook
  5. Packt Upsell
  6. Why subscribe?
  7. Packt.com
  8. Contributors
  9. About the author
  10. About the reviewer
  11. Packt is searching for authors like you
  12. Table of Contents
  13. Preface
  14. Who this book is for
  15. What this book covers
  16. To get the most out of this book
  17. Conventions used
  18. Sections
  19. Getting ready
  20. How to do it…
  21. How it works…
  22. There's more…
  23. See also
  24. Get in touch
  25. Reviews
  26. Disclaimer
  27. Targeting legal vulnerable web applications
  28. Getting Started with Burp Suite
  29. Introduction
  30. Downloading Burp (Community, Professional)
  31. Getting ready
  32. Software tool requirements
  33. How to do it...
  34. Setting up a web app pentesting lab
  35. Getting ready
  36. Software tool requirements
  37. How to do it...
  38. How it works
  39. Starting Burp at a command line or as an executable
  40. How to do it...
  41. How it works...
  42. Listening for HTTP traffic, using Burp
  43. Getting ready
  44. How to do it...
  45. How it works...
  46. Getting to Know the Burp Suite of Tools
  47. Introduction
  48. Software tool requirements
  49. Setting the Target Site Map
  50. Getting ready
  51. How to do it...
  52. How it works...
  53. Understanding the Message Editor
  54. Getting ready
  55. How to do it...
  56. Repeating with Repeater
  57. Getting ready
  58. How to do it...
  59. Decoding with Decoder
  60. Getting ready
  61. How to do it...
  62. Intruding with Intruder
  63. Getting ready
  64. How to do it...
  65. Target
  66. Positions
  67. Payloads
  68. Payload Sets
  69. Payload Options
  70. Payload Processing
  71. Payload Encoding
  72. Options
  73. Request Headers
  74. Request Engine
  75. Attack Results
  76. Grep - Match
  77. Grep - Extract
  78. Grep - Payloads
  79. Redirections
  80. Start attack button
  81. Configuring, Spidering, Scanning, and Reporting with Burp
  82. Introduction 
  83. Software tool requirements
  84. Establishing trust over HTTPS
  85. Getting ready
  86. How to do it...
  87. Setting Project options
  88. How to do it...
  89. The Connections tab
  90. The HTTP tab
  91. The SSL tab
  92. The Sessions tab
  93. The Misc tab
  94. Setting user options
  95. How to do it...
  96. The SSL tab
  97. The Display tab
  98. The Misc tab
  99. Spidering with Spider
  100. Getting ready 
  101. The Control tab
  102. The Options tab
  103. How to do it...
  104. Scanning with Scanner
  105. Getting ready 
  106. How to do it...
  107. Reporting issues
  108. Getting ready 
  109. How to do it...
  110. Assessing Authentication Schemes
  111. Introduction
  112. Software tool requirements
  113. Testing for account enumeration and guessable accounts
  114. Getting ready
  115. How to do it...
  116. Testing for weak lock-out mechanisms
  117. Getting ready
  118. How to do it...
  119. Testing for bypassing authentication schemes
  120. Getting ready
  121. How to do it...
  122. How it works
  123. Testing for browser cache weaknesses
  124. Getting ready
  125. How to do it...
  126. Testing the account provisioning process via the REST API
  127. Getting ready
  128. How to do it...
  129. Assessing Authorization Checks
  130. Introduction
  131. Software requirements
  132. Testing for directory traversal
  133. Getting ready
  134. How to do it...
  135. How it works...
  136. Testing for Local File Include (LFI)
  137. Getting ready
  138. How to do it...
  139. How it works...
  140. Testing for Remote File Inclusion (RFI)
  141. Getting ready
  142. How to do it...
  143. How it works...
  144. Testing for privilege escalation
  145. Getting ready
  146. How to do it...
  147. How it works...
  148. Testing for Insecure Direct Object Reference (IDOR)
  149. Getting ready
  150. How to do it...
  151. How it works...
  152. Assessing Session Management Mechanisms
  153. Introduction
  154. Software tool requirements
  155. Testing session token strength using Sequencer
  156. Getting ready
  157. How to do it...
  158. How it works...
  159. Testing for cookie attributes
  160. Getting ready
  161. How to do it...
  162. How it works...
  163. Testing for session fixation
  164. Getting ready
  165. How to do it...
  166. How it works...
  167. Testing for exposed session variables
  168. Getting ready
  169. How to do it...
  170. How it works...
  171. Testing for Cross-Site Request Forgery
  172. Getting ready
  173. How to do it...
  174. How it works...
  175. Assessing Business Logic
  176. Introduction
  177. Software tool requirements
  178. Testing business logic data validation
  179. Getting ready
  180. How to do it...
  181. How it works...
  182. Unrestricted file upload – bypassing weak validation
  183. Getting ready
  184. How to do it...
  185. How it works...
  186. Performing process-timing attacks
  187. Getting ready
  188. How to do it...
  189. How it works...
  190. Testing for the circumvention of work flows
  191. Getting ready
  192. How to do it...
  193. How it works...
  194. Uploading malicious files – polyglots
  195. Getting ready
  196. How to do it...
  197. How it works...
  198. There's more...
  199. Evaluating Input Validation Checks
  200. Introduction
  201. Software tool requirements
  202. Testing for reflected cross-site scripting
  203. Getting ready
  204. How to do it...
  205. How it works...
  206. Testing for stored cross-site scripting
  207. Getting ready
  208. How to do it...
  209. How it works...
  210. Testing for HTTP verb tampering
  211. Getting ready
  212. How to do it...
  213. How it works...
  214. Testing for HTTP Parameter Pollution
  215. Getting ready
  216. How to do it...
  217. How it works...
  218. Testing for SQL injection
  219. Getting ready
  220. How to do it...
  221. How it works...
  222. There's more...
  223. Testing for command injection
  224. Getting ready
  225. How to do it...
  226. How it works...
  227. Attacking the Client
  228. Introduction
  229. Software tool requirements
  230. Testing for Clickjacking
  231. Getting ready
  232. How to do it...
  233. How it works...
  234. Testing for DOM-based cross-site scripting
  235. Getting ready
  236. How to do it...
  237. How it works...
  238. Testing for JavaScript execution
  239. Getting ready
  240. How to do it...
  241. How it works...
  242. Testing for HTML injection
  243. Getting ready
  244. How to do it...
  245. How it works...
  246. Testing for client-side resource manipulation
  247. Getting ready
  248. How to do it...
  249. How it works...
  250. Working with Burp Macros and Extensions
  251. Introduction
  252. Software tool requirements
  253. Creating session-handling macros
  254. Getting ready
  255. How to do it...
  256. How it works...
  257. Getting caught in the cookie jar
  258. Getting ready
  259. How to do it...
  260. How it works...
  261. Adding great pentester plugins
  262. Getting ready
  263. How to do it...
  264. How it works...
  265. Creating new issues via the Manual-Scan Issues Extension
  266. Getting ready
  267. How to do it...
  268. How it works...
  269. See also
  270. Working with the Active Scan++ Extension
  271. Getting ready
  272. How to do it...
  273. How it works...
  274. Implementing Advanced Topic Attacks
  275. Introduction
  276. Software tool requirements
  277. Performing XXE attacks
  278. Getting ready
  279. How to do it...
  280. How it works...
  281. Working with JWT
  282. Getting ready
  283. How to do it...
  284. How it works...
  285. Using Burp Collaborator to determine SSRF
  286. Getting ready
  287. How to do it...
  288. How it works...
  289. See also
  290. Testing CORS
  291. Getting ready
  292. How to do it...
  293. How it works...
  294. See also
  295. Performing Java deserialization attacks
  296. Getting Ready
  297. How to do it...
  298. How it works...
  299. There's more...
  300. See also
  301. Other Books You May Enjoy
  302. Leave a review - let other readers know what you think

How to do it...

Ensure Burp and OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.

  1. From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
  2. Open the Firefox browser to the login screen of OWASP Mutillidae II. From the top menu, click Login.
  3. Find the request you just performed within the Proxy | HTTP history table. Look for the call to the login.php page. Highlight the message, move your cursor into the Raw tab of the Request tab, right-click, and Send to Intruder.
  4. Switch over to the Intruder | Positions tab, and clear all Burp-defined payload markers by clicking the Clear § button on the right-hand side.
  5. Highlight the value currently stored in the page parameter (login.php), and place a payload marker around it using the Add  § button on the right-hand side.
  1. Continue to the Intruder | Payloads tab.  Select the following wordlist from the wfuzz repository: Traversal.txtThe location of the wordlist from the GitHub repository follows this folder structure: wfuzz/wordlist/injections/Traversal.txt.
  1. Click the Load button within the Payload Options [Simple list] section of the Intruder | Payloads tab. A popup will display, prompting for the location of your wordlist.
  2. Browse to the location where you downloaded the wfuzz repository from GitHub. Continue to search through wfuzz folder structure until you reach the admin-panels.txt file. Select the file and click Open:

  1. Scroll to the bottom and uncheck (by default, it is checked) the option URL-encode these characters.
  2. You are now ready to begin the attack.  Click the Start attack button at the top-right-hand corner of the Intruder | Positions page.
  1. The attack results table will appear. Allow the attacks to complete. Sort on the Length column from ascending to descending order, to see which of the payloads hit a web page. Notice the payloads with larger lengths; perhaps we gained unauthorized access to the system configuration files!

  1. Select the Request #2 in the list. From the attack results table, look at the Response | Render tab and notice the page displays the host file from the system!

  1. Continue scrolling down the list of requests in the attack results table. Look at request #6, and then look at the Response | Render tab and notice the page displays the /etc/passwd file from the system!