Search and destroy with Burp Suite

You can easily access Burp Suite from the Applications Menu. If it is not already in the Favorites panel, it can be found under the Web Applications Analysis submenu, like OWASP ZAP.

[Figure: Search and destroy with Burp Suite]

Burp Suite is a powerful framework for web application testing. A favorite of many application security testers, Burp Suite has several sections marked by tabs:

Burp Suite Tools

Tab         Purpose
Target      Sets the test subject
Scanner     Scans the domain for vulnerabilities
Proxy       Uses Burp Suite as a proxy service
Spider      Makes a site map of all files accessible within a site
Repeater    Sends individual packets in a session multiple times
Intruder    Finds and exploits unusual vulnerabilities

Burp Suite Utilities and Tool Configuration

Tab         Purpose
Comparer    Used to compare any two character strings
Sequencer   Tests for how random your session tokens are
Decoder     Replaces coded strings with plain language strings
Extender    Creates your own custom plugins for complicated or multi-step exploits
Options
Alerts

We will dig into three of the tools in this chapter:

  • Targeting
  • Setting up the proxy
  • Spidering the target site

Targeting the test subject

Click on the Target tab and then, inside that window, choose the Scope tab. You can add a range of IPs, a single IP, or a fully qualified domain name (FQDN). For this example, we have chosen an IP range.

[Figure: Targeting the test subject]

We can exclude certain IPs, and in this case we are excluding the gateway device at 10.0.0.1 and the Kali Linux platform at 10.0.0.7. Your customer may want you to exclude various machines, but to get a valid test for vulnerabilities you want to test everything. If a vulnerable machine is on the segment with your tested machines, it doesn't get any less vulnerable by being ignored.
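The include/exclude logic just described, as an added example (not Burp Suite's own code): a /24 range and the 30309.info domain are in scope, the gateway 10.0.0.1 and the Kali box 10.0.0.7 are excluded, and an exclusion always wins over an inclusion. Treating a subdomain as covered by a hostname rule is an assumption made here.

```python
"""Scope resolution in the style of the Target > Scope tab (added example)."""
import ipaddress

# Constructed scope matching the chapter's example.
INCLUDE = ["10.0.0.0/24", "30309.info"]
EXCLUDE = ["10.0.0.1", "10.0.0.7"]


def _matches(rule: str, host: str) -> bool:
    """True if host (an IP address or hostname) is covered by one rule."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    try:
        net = ipaddress.ip_network(rule, strict=False)  # "10.0.0.1" -> /32
    except ValueError:
        net = None
    if addr is not None and net is not None:
        return addr in net
    if addr is None and net is None:
        # Hostname rule: exact match, or a subdomain of the rule (assumption).
        h, r = host.lower().rstrip("."), rule.lower().rstrip(".")
        return h == r or h.endswith("." + r)
    return False  # IP rule vs hostname, or hostname rule vs IP: no match


def in_scope(host: str, include=INCLUDE, exclude=EXCLUDE) -> bool:
    """An excluded host is never in scope, even if an include rule covers it."""
    if any(_matches(r, host) for r in exclude):
        return False
    return any(_matches(r, host) for r in include)


def filter_hosts(hosts, include=INCLUDE, exclude=EXCLUDE):
    """Return only the hosts a spider or scanner is allowed to touch."""
    return [h for h in hosts if in_scope(h, include, exclude)]


if __name__ == "__main__":
    sample = ["10.0.0.1", "10.0.0.7", "10.0.0.42", "10.0.1.5",
              "30309.info", "www.30309.info", "example.org"]
    for h in sample:
        print(f"{h:16} {'in scope' if in_scope(h) else 'out of scope'}")
```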

Using Burp Suite as a Proxy

The first thing you have to do is reconnaissance and analysis of the target. To do this, we will move to the Proxy tab. The proxy function, like the proxy function of the OWASP ZAP tool, acts as a man-in-the-middle between the browser on your Kali Linux platform and the sites being tested.

Burp Suite opens a proxy listener at port 8080 of the IPv4 loopback. If this port is being used by some other application, Burp Suite will send an alert. You can set different or additional listeners with the Proxy Listener Options.

You have to configure your browser to use the Burp Suite proxy. In this case, we are using the default Iceweasel browser.

[Figure: Using Burp Suite as a Proxy]

When you put the proxy in the middle of your browsing, sites with perfectly good TLS certificates will come up with an untrusted-connection alert, because the browser now sees certificates issued by Burp's CA. It will be easier to make sense of the data if you import the Burp Suite CA certificate as trusted.

[Figure: Using Burp Suite as a Proxy]

Installing the Burp Suite security certificate

In your browser, while Burp Suite is running, enter http://burp in the address bar. This opens a local page generated by Burp where you can get a customized-for-your-installation CA Certificate.

[Figure: Installing the Burp Suite security certificate]

For the sake of neatness, save the certificate to your /root/.ssh/ folder. This will make it easier to find later. If you discover you don't have a hidden directory called .ssh, you can either create it with mkdir ~/.ssh or you can create your own Kali Linux SSH key set by typing ssh-keygen, which will create the folder to put the new keys into.

Once you have saved the new CA certificate, go to the Iceweasel Preferences | Advanced | Certificates tab. Click on View Certificates, which opens the certificate manager. Choose the Authorities tab and click the Import button.

[Figure: Installing the Burp Suite security certificate]

Navigate to your /root/.ssh folder and select the new cacert.der file.

[Figure: Installing the Burp Suite security certificate]

This opens a dialog where you could use the cert to identify websites, identify email users, or identify software developers. You could choose all three at once, but in this case we are only using it to identify websites.

[Figure: Installing the Burp Suite security certificate]

To check and see if your proxy is set up properly, try to go to an HTTP site. Then, go back to your Burp Suite Window. The Proxy Tab and the Intercept Tab within that window should both be highlighted and there should be some site information in the display. In this case, we have gone back to http://30309.info.

[Figure: Installing the Burp Suite security certificate]

At this point, we have not made any overt moves to test the site. We are about to try this. As you may have noticed, our Plug-N-Hack tool is available for Burp Suite Proxy as well. This does not seem to have full support, so we leave it for now and will address it in the next edition of this book.

Spidering a site with Burp Spider

Click on the Spider tab. Since we had a very limited internal scope, we are going to spider the http://30309.info site. To do that, we have to set a custom scope. To do this, just click on Use custom scope and add the site to the scope.

[Figure: Spidering a site with Burp Spider]

We can also exclude items from our new scope for spidering, but we will just leave the Class C network in place, even though it may not produce much useful data. To start the spider, just click the Spider is paused button. Doing so changes the button text to Spider is running.

The Spider has triggered the site's security features while running through the many pages on the site. This is good for us to know because the site defences are working as expected. The Spider automatically notes forms to be filled and asks for possible login credentials that will allow it to dig deeper in the site.

[Figure: Spidering a site with Burp Spider]

This is a good sign, but you can slow down the spider so that it doesn't trigger a security response. For instance, you can passively spider the site as you manually surf through it. Plainly, good security controls on a site make it harder both for you to investigate it and for a malicious attacker to take it over.
