Burp Suite, like OWASP ZAP, is more than just a simple web proxy. It is a fully featured web application testing kit: it has a proxy, a request repeater, request automation, a string encoder and decoder, vulnerability scanners (in the Pro version), and other useful features.
In this recipe, we will do the previous exercise but this time using Burp's proxy to intercept and alter the requests.
http://192.168.56.102/mutillidae/
user<> (including the symbols) for Username and secret<> in the Password box; after this click on View Account Details. We will get an alert telling us that we introduced some characters that may be dangerous to the application.
user and secret.

<> forbidden characters.

As seen in the previous recipe, we use a proxy to capture a request after it passes the validation mechanisms established client-side by the application and then modify its content by adding characters that are not permitted by such validation.
Being able to intercept and modify requests is a highly important aspect of any web application penetration test, not only to bypass some client-side validation—as we did in the current and past recipes—but to study what kind of information is sent and try to understand the inner workings of the application. We may also need to add, remove, or replace some values at our convenience based on that understanding.
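The lesson for whoever owns the application is that a check performed in the browser must be repeated on the server, because the proxy hands the server whatever the tester typed. The following is an added example, not code from the book or from Mutillidae: a minimal server-side validator for the form-encoded body the User Info page would receive, assuming the form fields are named `username` and `password` and that the same `<` and `>` characters flagged by the client-side check are the ones to reject.

```python
from urllib.parse import parse_qs
import re

# Characters the client-side check flags as dangerous. The server must
# apply the same rule itself, since the browser check is trivially bypassed
# by editing the request in an intercepting proxy.
FORBIDDEN = re.compile(r"[<>]")


def validate_account_request(body: str) -> dict:
    """Validate a form-encoded POST body the way the server should.

    Returns {"ok": True, "fields": {...}} for clean input, otherwise
    {"ok": False, "error": "<field>: <reason>"} for the first failing field.
    Field names 'username' and 'password' are assumptions for this example.
    """
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes %3C%3E
    fields = {}
    for name in ("username", "password"):
        values = params.get(name, [])
        if len(values) != 1:
            # Missing or duplicated parameter: reject rather than guess.
            return {"ok": False, "error": f"{name}: expected exactly one value"}
        if FORBIDDEN.search(values[0]):
            return {"ok": False, "error": f"{name}: contains forbidden characters"}
        fields[name] = values[0]
    return {"ok": True, "fields": fields}


# Constructed sample bodies: what the browser submits once its own check
# passes, and the same request after the values were edited in the proxy.
CLEAN_BODY = "username=user&password=secret"
TAMPERED_BODY = "username=user%3C%3E&password=secret%3C%3E"

if __name__ == "__main__":
    for body in (CLEAN_BODY, TAMPERED_BODY):
        print(body, "->", validate_account_request(body))
```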