Table of Contents for
Burp Suite Cookbook


Burp Suite Cookbook by Sunny Wear, published by Packt Publishing, 2018
  1. Burp Suite Cookbook
  2. Title Page
  3. Copyright and Credits
  4. Burp Suite Cookbook
  5. Packt Upsell
  6. Why subscribe?
  7. Packt.com
  8. Contributors
  9. About the author
  10. About the reviewer
  11. Packt is searching for authors like you
  12. Table of Contents
  13. Preface
  14. Who this book is for
  15. What this book covers
  16. To get the most out of this book
  17. Conventions used
  18. Sections
  19. Getting ready
  20. How to do it…
  21. How it works…
  22. There's more…
  23. See also
  24. Get in touch
  25. Reviews
  26. Disclaimer
  27. Targeting legal vulnerable web applications
  28. Getting Started with Burp Suite
  29. Introduction
  30. Downloading Burp (Community, Professional)
  31. Getting ready
  32. Software tool requirements
  33. How to do it...
  34. Setting up a web app pentesting lab
  35. Getting ready
  36. Software tool requirements
  37. How to do it...
  38. How it works
  39. Starting Burp at a command line or as an executable
  40. How to do it...
  41. How it works...
  42. Listening for HTTP traffic, using Burp
  43. Getting ready
  44. How to do it...
  45. How it works...
  46. Getting to Know the Burp Suite of Tools
  47. Introduction
  48. Software tool requirements
  49. Setting the Target Site Map
  50. Getting ready
  51. How to do it...
  52. How it works...
  53. Understanding the Message Editor
  54. Getting ready
  55. How to do it...
  56. Repeating with Repeater
  57. Getting ready
  58. How to do it...
  59. Decoding with Decoder
  60. Getting ready
  61. How to do it...
  62. Intruding with Intruder
  63. Getting ready
  64. How to do it...
  65. Target
  66. Positions
  67. Payloads
  68. Payload Sets
  69. Payload Options
  70. Payload Processing
  71. Payload Encoding
  72. Options
  73. Request Headers
  74. Request Engine
  75. Attack Results
  76. Grep - Match
  77. Grep - Extract
  78. Grep - Payloads
  79. Redirections
  80. Start attack button
  81. Configuring, Spidering, Scanning, and Reporting with Burp
  82. Introduction 
  83. Software tool requirements
  84. Establishing trust over HTTPS
  85. Getting ready
  86. How to do it...
  87. Setting Project options
  88. How to do it...
  89. The Connections tab
  90. The HTTP tab
  91. The SSL tab
  92. The Sessions tab
  93. The Misc tab
  94. Setting user options
  95. How to do it...
  96. The SSL tab
  97. The Display tab
  98. The Misc tab
  99. Spidering with Spider
  100. Getting ready 
  101. The Control tab
  102. The Options tab
  103. How to do it...
  104. Scanning with Scanner
  105. Getting ready 
  106. How to do it...
  107. Reporting issues
  108. Getting ready 
  109. How to do it...
  110. Assessing Authentication Schemes
  111. Introduction
  112. Software tool requirements
  113. Testing for account enumeration and guessable accounts
  114. Getting ready
  115. How to do it...
  116. Testing for weak lock-out mechanisms
  117. Getting ready
  118. How to do it...
  119. Testing for bypassing authentication schemes
  120. Getting ready
  121. How to do it...
  122. How it works
  123. Testing for browser cache weaknesses
  124. Getting ready
  125. How to do it...
  126. Testing the account provisioning process via the REST API
  127. Getting ready
  128. How to do it...
  129. Assessing Authorization Checks
  130. Introduction
  131. Software requirements
  132. Testing for directory traversal
  133. Getting ready
  134. How to do it...
  135. How it works...
  136. Testing for Local File Include (LFI)
  137. Getting ready
  138. How to do it...
  139. How it works...
  140. Testing for Remote File Inclusion (RFI)
  141. Getting ready
  142. How to do it...
  143. How it works...
  144. Testing for privilege escalation
  145. Getting ready
  146. How to do it...
  147. How it works...
  148. Testing for Insecure Direct Object Reference (IDOR)
  149. Getting ready
  150. How to do it...
  151. How it works...
  152. Assessing Session Management Mechanisms
  153. Introduction
  154. Software tool requirements
  155. Testing session token strength using Sequencer
  156. Getting ready
  157. How to do it...
  158. How it works...
  159. Testing for cookie attributes
  160. Getting ready
  161. How to do it...
  162. How it works...
  163. Testing for session fixation
  164. Getting ready
  165. How to do it...
  166. How it works...
  167. Testing for exposed session variables
  168. Getting ready
  169. How to do it...
  170. How it works...
  171. Testing for Cross-Site Request Forgery
  172. Getting ready
  173. How to do it...
  174. How it works...
  175. Assessing Business Logic
  176. Introduction
  177. Software tool requirements
  178. Testing business logic data validation
  179. Getting ready
  180. How to do it...
  181. How it works...
  182. Unrestricted file upload – bypassing weak validation
  183. Getting ready
  184. How to do it...
  185. How it works...
  186. Performing process-timing attacks
  187. Getting ready
  188. How to do it...
  189. How it works...
  190. Testing for the circumvention of work flows
  191. Getting ready
  192. How to do it...
  193. How it works...
  194. Uploading malicious files – polyglots
  195. Getting ready
  196. How to do it...
  197. How it works...
  198. There's more...
  199. Evaluating Input Validation Checks
  200. Introduction
  201. Software tool requirements
  202. Testing for reflected cross-site scripting
  203. Getting ready
  204. How to do it...
  205. How it works...
  206. Testing for stored cross-site scripting
  207. Getting ready
  208. How to do it...
  209. How it works...
  210. Testing for HTTP verb tampering
  211. Getting ready
  212. How to do it...
  213. How it works...
  214. Testing for HTTP Parameter Pollution
  215. Getting ready
  216. How to do it...
  217. How it works...
  218. Testing for SQL injection
  219. Getting ready
  220. How to do it...
  221. How it works...
  222. There's more...
  223. Testing for command injection
  224. Getting ready
  225. How to do it...
  226. How it works...
  227. Attacking the Client
  228. Introduction
  229. Software tool requirements
  230. Testing for Clickjacking
  231. Getting ready
  232. How to do it...
  233. How it works...
  234. Testing for DOM-based cross-site scripting
  235. Getting ready
  236. How to do it...
  237. How it works...
  238. Testing for JavaScript execution
  239. Getting ready
  240. How to do it...
  241. How it works...
  242. Testing for HTML injection
  243. Getting ready
  244. How to do it...
  245. How it works...
  246. Testing for client-side resource manipulation
  247. Getting ready
  248. How to do it...
  249. How it works...
  250. Working with Burp Macros and Extensions
  251. Introduction
  252. Software tool requirements
  253. Creating session-handling macros
  254. Getting ready
  255. How to do it...
  256. How it works...
  257. Getting caught in the cookie jar
  258. Getting ready
  259. How to do it...
  260. How it works...
  261. Adding great pentester plugins
  262. Getting ready
  263. How to do it...
  264. How it works...
  265. Creating new issues via the Manual-Scan Issues Extension
  266. Getting ready
  267. How to do it...
  268. How it works...
  269. See also
  270. Working with the Active Scan++ Extension
  271. Getting ready
  272. How to do it...
  273. How it works...
  274. Implementing Advanced Topic Attacks
  275. Introduction
  276. Software tool requirements
  277. Performing XXE attacks
  278. Getting ready
  279. How to do it...
  280. How it works...
  281. Working with JWT
  282. Getting ready
  283. How to do it...
  284. How it works...
  285. Using Burp Collaborator to determine SSRF
  286. Getting ready
  287. How to do it...
  288. How it works...
  289. See also
  290. Testing CORS
  291. Getting ready
  292. How to do it...
  293. How it works...
  294. See also
  295. Performing Java deserialization attacks
  296. Getting Ready
  297. How to do it...
  298. How it works...
  299. There's more...
  300. See also
  301. Other Books You May Enjoy
  302. Leave a review - let other readers know what you think

How to do it...

Ensure Burp and the OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view OWASP BWA applications.

  1. From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application.
  2. Open the Firefox browser to access the home page of OWASP Mutillidae II (URL: http://<your_VM_assigned_IP_address>/mutillidae/). Make sure you are starting a fresh session of the Mutillidae application and are not already logged into it.
  3. Switch to the Proxy | HTTP History tab and select the request showing your initial browse to the Mutillidae home page.
  4. Look for the GET request and the associated response containing the Set-Cookie: assignments. Whenever you see this assignment, you can be sure you are getting a freshly created cookie for your session. Specifically, we are interested in the PHPSESSID cookie value.
  5. Highlight the value of the PHPSESSID cookie, right-click, and select Send to Sequencer.

Sequencer is a tool within Burp designed to determine the strength, or quality of randomness, of a session token.

  6. After sending the value of the PHPSESSID parameter over to Sequencer, you will see the value loaded in the Select Live Capture Request table.
  7. Before pressing the Start live capture button, scroll down to the Token Location Within Response section. In the Cookie dropdown list, select PHPSESSID=<captured session token value>.
  8. Now that the correct cookie value is selected, we can begin the live capture process. Click the Start live capture button; Burp will send multiple requests, extracting the PHPSESSID cookie from each response. After each capture, Sequencer performs a statistical analysis of the level of randomness in each token.
  9. Allow the capture to gather and analyze at least 200 tokens, but feel free to let it run longer if you like.
  10. Once you have at least 200 samples, click the Analyze now button. Whenever you are ready to stop the capturing process, press the Stop button and confirm Yes.
  11. After the analysis is complete, the output of Sequencer provides an overall result. In this case, the quality of randomness for the PHPSESSID session token is excellent: the amount of effective entropy is estimated to be 112 bits. From a web pentester's perspective, these session tokens are very strong, so there is no vulnerability to report here. Even though no vulnerability is present, it is good practice to perform such checks on session tokens.
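As an added illustration (not part of the book's recipe, and not how Burp Sequencer itself is implemented), the following Python script performs a simplified version of the analysis Sequencer runs over a capture: it estimates the Shannon entropy of every character position across a set of tokens, sums those estimates into a rough "effective entropy" figure, and reports which positions actually vary. The two sample captures are constructed in the script (hash-derived tokens standing in for unpredictable PHPSESSID values, and a zero-padded sequential counter standing in for a weak session ID); the 64-bit pass threshold and the 200-sample minimum are assumptions of this example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of the observed distribution of one symbol sequence."""
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def position_entropies(tokens):
    """Entropy estimate for each character position across a set of captured tokens.

    Only positions present in every token are analysed, so tokens of differing
    length are effectively truncated to the shortest one.
    """
    width = min(len(t) for t in tokens)
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(width)]


def estimate_effective_entropy(tokens):
    """Crude 'effective entropy' estimate: the sum of per-position entropies.

    Summing assumes the positions are independent, so this is an upper bound.
    Burp Sequencer runs a larger battery of character- and bit-level tests;
    treat this figure as a first-order sanity check, not a replacement.
    """
    return sum(position_entropies(tokens))


def varying_positions(tokens, min_bits=0.5):
    """Character positions carrying at least ``min_bits`` of estimated entropy.

    A healthy token varies at every position; a counter- or timestamp-based
    token shows entropy only in its low-order digits.
    """
    return [i for i, h in enumerate(position_entropies(tokens)) if h >= min_bits]


def assess(tokens, minimum_bits=64, minimum_samples=200):
    """Summarise a capture the way a tester reads Sequencer's overall result.

    minimum_bits (64) and minimum_samples (200) are this example's assumptions.
    """
    if len(tokens) < minimum_samples:
        raise ValueError(f"need at least {minimum_samples} tokens, got {len(tokens)}")
    bits = estimate_effective_entropy(tokens)
    return {
        "samples": len(tokens),
        "effective_bits": round(bits, 1),
        "varying_positions": varying_positions(tokens),
        "ok": bits >= minimum_bits,
    }


# Constructed sample captures: stand-ins for the PHPSESSID values Burp would collect.

def strong_tokens(n):
    """Constructed sample: 32 hex chars taken from SHA-256 of a counter, a deterministic
    stand-in for an unpredictable token such as one produced by secrets.token_hex(16)."""
    return [hashlib.sha256(f"example-{i}".encode()).hexdigest()[:32] for i in range(n)]


def weak_tokens(n):
    """Constructed sample: a sequential counter zero-padded to 32 hex chars, the shape
    of a session ID issued from an incrementing integer."""
    return [f"{1000 + i:032x}" for i in range(n)]


if __name__ == "__main__":
    for label, sample in (("strong", strong_tokens(200)), ("weak", weak_tokens(200))):
        print(label, assess(sample))
```

Running the script shows the strong capture varying at all 32 positions with an estimate near the 128-bit maximum for a 32-character hex token, while the counter-based capture varies only in its last three positions and scores well under the threshold. The per-position view is the useful diagnostic: a low total is a finding, but the pattern of which positions are fixed tells you why (static prefix, padding, or an embedded counter), which is what you would write up alongside Sequencer's own report.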