Presented by Santiago
Special Note: First live meetup in over a year!
- Ubuntu 20.04 – https://ubuntu.com/download/desktop
- BurpSuite CE – https://portswigger.net/burp/communitydownload
- Docker – https://docs.docker.com/engine/install/ubuntu/
- Damn Vulnerable Web App – https://dvwa.co.uk/
Designed for web app security assessments
CE vs Professional – Professional has a couple of thing that are useful – vulnerability scanner (automatic), intruder is throttled.
Turbo Intruder is free and does just as well (have to learn how to use it)
$399/year – Pro edition
HTTP (HyperText Transfer Protocol) is built on a Client-Server architecture.
Consists of :
- Request Line
- A method (GET, POST, etc)
- Resource (/ denotes a document root for instance)
- Headers that contain:
- Requested domain
- User agent
- A lot of other possibilities
- Status codes (HTTP status codes)
- Inspect and modify content of requests before they are sent to the server
- See history
- High light requests
- send request to other tools
All traffic is sent through Burp by default when launching the built in browser
Can filter the type of content you want to see in a breakdown that’s something like WireShark – allows you to step through what’s happening in the communication session.
Use color coding to help track what’s happened since last check
- Re-Send message
- Modify and send message
- Craft new messages and send them
Great for command injection
- Encode and decode data into:
- Hash into:
- MD2, MD4, MD5
- SHA1, SHA2, SHA3
Cyberchef is much more powerful, but you have control of the data – you don’t know what they do with the data (if you’re using it through a web browser) and it’s convenient – you can send data from other BurpSuite utilities right to decoder.
Main idea is to check for hidden data.
Compare two different requests for two different responses, highlights what’s different (basically a diff).
Analyzes the entropy of data, sends multiple requests and compare the randomness of the different responses.
Good for identifying things like weak session ids.
- Send multiple modified requests
- Modifications based on rules set by the analyst
- CE doesn’t include the full version
- No Payloads (binaries)
Types of attacks:
Use for things like SQL injection.
Can analyze results programmatically – extract useful information and ignore everything else.
When doing things like SQL injection, simple lists can be used with Intruder to see what types of results happen with different values.
- Install external extensions to Burp
- Extensions add functionality
- Some of the extension are only available to Pro
- Users can develop extensions in Java and Python
ZAP – Free Vuln Scanner
Another proxy that is completely free and maintained by OWASP.
Zaproxy – Zed Attack Proxy
OWASP is a good place to get information about vulnerabilities and tools – geared toward helping write better code.
Portswigger’s Web Academy (Free)
- Theory and Exercises