Using Burp Suite to view and alter requests

Burp Suite, like OWASP ZAP, is more than just a simple web proxy. It is a fully featured web application testing kit: it has an intercepting proxy, a request repeater, request automation (Intruder), a string encoder and decoder, vulnerability scanners (in the Pro version), and other useful features.

In this recipe, we will do the previous exercise but this time using Burp's proxy to intercept and alter the requests.

Getting ready

Start Burp Suite and prepare the browser to use it as proxy.

How to do it...

  1. Browse to http://192.168.56.102/mutillidae/.
  2. By default, interception is enabled in Burp's proxy, so it will hold the first request instead of forwarding it. Go to Burp Suite and click on the Intercept is on button in the Proxy tab; this turns interception off and forwards the held request.
  3. The browser will continue loading the page. When it finishes, use Toggle Security to set the security level this exercise needs: 1 (Arrogant), which is the level that enforces validation only in the browser.
  4. From the menu, navigate to OWASP Top 10 | A1 – SQL Injection | SQLi – Extract Data | User Info.
  5. Enter user<> (including the angle brackets) in the Name box and secret<> in the Password box; then click on View Account Details.

    We will get an alert telling us that we entered characters that may be dangerous to the application.

  6. Now we know that these symbols are not allowed in the form, and we know the check is client-side because no request was registered in the proxy's HTTP history tab: the browser refused to send it. Let's try to bypass this protection. Enable message interception by clicking on Intercept is off in Burp Suite (the button changes to Intercept is on).
  7. The next step is to submit valid data, such as user and secret, so that the browser's check passes and the request actually leaves the browser.
  8. Burp will intercept the request. Now we change the values of username and password by adding the forbidden <> characters. If you edit them in the query string of the Raw view, URL-encode them (%3C and %3E) so the server decodes them exactly as it would decode a browser-submitted form; Burp's editor context menu can URL-encode as you type.
  9. We can send the edited request and disable the interception by clicking on Intercept is on (Burp forwards the pending request when interception is turned off), or we may want to send it and keep intercepting messages by clicking Forward. For this exercise, let's disable the interception and check the result: the application accepts the values the form refused to send.

How it works...

As seen in the previous recipe, we use a proxy to capture a request after it has passed the validation mechanisms the application established client-side, and then modify its content by adding characters that such validation does not permit. The server never sees the browser's JavaScript check; it only sees the request that arrives, so a check that exists only in the browser protects nothing.

Being able to intercept and modify requests is a highly important part of any web application penetration test, not only to bypass client-side validation, as we did in the current and past recipes, but to study what kind of information is sent and to understand the inner workings of the application. Based on that understanding, we may also need to add, remove, or replace values at our convenience.
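The same bypass, written out in code so the three viewpoints are explicit: the browser's check, the edit we made in Burp's Intercept tab (steps 7 to 9), and what the server receives. This is an added example, not code from the book or from Mutillidae. The client-side rule is a model of the level-1 form (it rejects the < and > the alert complained about); the index.php path, the page and submit-button parameter names, and the Burp listener address 127.0.0.1:8080 are assumptions.

```python
"""Model of the client-side validation bypass performed with Burp in this recipe.

Added example, not part of the original recipe. The client-side rule models
Mutillidae's level-1 ("Arrogant") form, which rejects < and >; the path,
parameter names and Burp listener address are assumptions.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import ProxyHandler, Request, build_opener

TARGET = "http://192.168.56.102/mutillidae/index.php"  # lab host from the recipe; index.php is assumed
BURP_PROXY = "http://127.0.0.1:8080"                    # Burp's default listener (assumption)
FORBIDDEN = "<>"                                         # the symbols the form rejected in step 5


def client_side_check(value: str) -> bool:
    """Model of the JavaScript check the browser runs before submitting.

    Returns True if the value would be accepted. Only the browser enforces
    this, so anything that talks to the server directly skips it.
    """
    return not any(ch in value for ch in FORBIDDEN)


def form_submit(username: str, password: str) -> Optional[str]:
    """What the browser does: refuse to send if the check fails (the alert in
    step 5), otherwise emit the request line the proxy will see.
    """
    if not (client_side_check(username) and client_side_check(password)):
        return None  # no request ever leaves the browser
    query = urlencode({
        "page": "user-info.php",                            # assumed parameter name
        "username": username,
        "password": password,
        "user-info-php-submit-button": "View Account Details",  # assumed parameter name
    })
    return f"GET {urlsplit(TARGET).path}?{query} HTTP/1.1"


def edit_intercepted_request(request_line: str, new_values: Dict[str, str]) -> str:
    """What we did by hand in Burp's Intercept tab: rewrite parameter values in
    a request the browser has already sent. parse_qsl decodes the query and
    urlencode re-encodes it, so < and > travel as %3C and %3E on the wire.
    """
    method, target, version = request_line.split(" ")
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(new_values)
    target = urlunsplit(parts._replace(query=urlencode(params)))
    return f"{method} {target} {version}"


def server_side_view(request_line: str) -> Dict[str, str]:
    """What the application receives after URL-decoding: the edited values,
    angle brackets included. Any validation that matters has to live here.
    """
    target = request_line.split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def server_side_check(params: Dict[str, str]) -> List[str]:
    """Server-side equivalent of the client rule: names of the fields that still
    carry forbidden characters. An empty list means the request would pass.
    """
    return [name for name, value in params.items() if not client_side_check(value)]


def replay_through_burp(request_line: str) -> bytes:
    """Send the edited request to the lab host via Burp, so it also appears in
    the proxy's HTTP history. Needs the lab network; not used by the checks.
    """
    edited = urlsplit(request_line.split(" ")[1])
    url = urlunsplit(urlsplit(TARGET)._replace(path=edited.path, query=edited.query))
    opener = build_opener(ProxyHandler({"http": BURP_PROXY}))
    return opener.open(Request(url), timeout=10).read()


if __name__ == "__main__":
    print(form_submit("user<>", "secret<>"))                # None: the browser blocks it (step 5)
    sent = form_submit("user", "secret")                    # valid data gets through (step 7)
    edited = edit_intercepted_request(sent, {"username": "user<>", "password": "secret<>"})
    print(edited)                                           # username=user%3C%3E&password=secret%3C%3E
    print(server_side_check(server_side_view(edited)))      # ['username', 'password']
```

Run it as-is to see the three stages offline; uncomment a call to replay_through_burp(edited) with Burp listening on 127.0.0.1:8080 and the lab VM up to watch the same request land in HTTP history. The useful observation is the last line: the server-side check is the only one that ever sees the angle brackets, which is why the recipe's bypass works and why the fix belongs on the server.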
