BurpSuite – DC435 June ’21


Presented by Santiago

Special Note: First live meetup in over a year!

Setup

BurpSuite

Designed for web app security assessments

Default Tools:

  • Proxy
  • Repeater
  • Decoder
  • Comparer
  • Sequencer
  • Intruder
  • Extender

CE vs Professional – Professional has a couple of things that are useful: an automatic vulnerability scanner, and an Intruder that isn’t throttled (in CE it is).

Turbo Intruder is free and does just as well (you have to learn how to use it).

$399/year – Pro edition

HTTP Primer

HTTP (HyperText Transfer Protocol) is built on a Client-Server architecture.

Client Requests

Consists of:

  • Request line, made up of:
    • A method (GET, POST, etc.)
    • Resource (/ denotes the document root, for instance)
  • Headers that contain:
    • Requested domain
    • User agent
    • A lot of other possibilities

Server Response

Consists of:
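To make the request structure above concrete, here is an added example (not from the talk) that parses the raw HTTP/1.1 messages you see in Burp’s Proxy into their parts: the request line (method, resource, protocol version) or status line (version, numeric status, reason phrase), the headers, and the body. Both sample messages are constructed for this demo; the hostname and cookie value are made up.

```python
# Added example, not from the talk: a minimal parser for the raw HTTP/1.1
# messages you see in Burp's Proxy, splitting them into request line /
# status line, headers and body. Both samples below are constructed.

from typing import Dict, Tuple

SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"            # requested domain
    "User-Agent: Mozilla/5.0\r\n"       # user agent
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "user=alice&password=pw"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "<h1>Hi!</h1>"
)


def split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw message into (start line, headers, body).

    Headers end at the first blank line (CRLF CRLF); header names are
    case-insensitive, so they are lower-cased for lookup.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw: str) -> dict:
    """Request line = method, resource, protocol version."""
    start, headers, body = split_message(raw)
    method, resource, version = start.split(" ", 2)
    return {"method": method, "resource": resource, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: str) -> dict:
    """Status line = protocol version, numeric status, reason phrase."""
    start, headers, body = split_message(raw)
    version, status, reason = start.split(" ", 2)
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def content_length_ok(msg: dict) -> bool:
    """True when the declared Content-Length matches the body actually present.

    After editing a body by hand in Proxy or Repeater this is the first thing
    to re-check: a mismatch makes the server read too much or too little.
    """
    declared = msg["headers"].get("content-length")
    return declared is None or int(declared) == len(msg["body"].encode("utf-8"))


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["resource"], "->", req["headers"]["host"])
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status"], resp["reason"], resp["headers"].get("set-cookie"))
```

The `content_length_ok` check is the one worth keeping in mind when you start modifying bodies in the Proxy: the length header has to move with the body.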

Burp

Proxy

  • Inspect and modify the content of requests before they are sent to the server
  • See history
  • Highlight requests
  • Send requests to other tools

All traffic is sent through Burp by default when launching the built-in browser.

Can filter the type of content you want to see in a breakdown that’s something like Wireshark – allows you to step through what’s happening in the communication session.

Use color coding to help track what’s happened since last check

Repeater

  • Re-Send message
  • Modify and send message
  • Craft new messages and send them

Great for command injection

Decoder

  • Encode and decode data into:
    • Base64
    • URL
    • Hex
    • Binary
  • Hash into:
    • MD2, MD4, MD5
    • SHA1, SHA2, SHA3

CyberChef is much more powerful, but with Decoder you keep control of the data: if you use CyberChef through a web browser you don’t know what they do with your data. Decoder is also convenient, since you can send data from other BurpSuite utilities straight to it.

Main idea is to check for hidden data.
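As an added example (not from the talk), the following script does the “check for hidden data” loop you would otherwise click through in Decoder: it keeps peeling hex, Base64 and URL encoding off a value until readable text appears, and it produces the same digests Decoder offers. The sample value is constructed here by wrapping a small JSON string in three encoding layers; nothing in it was captured from a real application.

```python
# Added example, not from the talk: a small "peel the layers" decoder that
# does what you would otherwise do by hand in Decoder when looking for hidden
# data (decode as hex / Base64 / URL until readable text appears), plus the
# hashes Decoder offers. The sample value is constructed here, not captured.

import base64
import binascii
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: a JSON blob hidden under hex -> Base64 -> URL encoding.
SECRET = '{"role":"admin"}'
SAMPLE = quote(base64.b64encode(binascii.hexlify(SECRET.encode())).decode(), safe="")


def looks_printable(raw: bytes) -> bool:
    """Heuristic 'is this text?' check: printable ASCII plus tab/CR/LF."""
    return len(raw) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def decode_one(data: str) -> Optional[Tuple[str, str]]:
    """Try to strip exactly one encoding layer; return (layer name, result) or None.

    Hex is tried before Base64 because every hex string is also valid Base64.
    """
    if HEX_RE.match(data):
        raw = binascii.unhexlify(data)
        if looks_printable(raw):
            return "hex", raw.decode("ascii")
    if "%" in data:
        decoded = unquote(data)
        if decoded != data:
            return "url", decoded
    if B64_RE.match(data) and len(data) % 4 == 0:
        try:
            raw = base64.b64decode(data, validate=True)
        except binascii.Error:
            return None
        if looks_printable(raw):
            return "base64", raw.decode("ascii")
    return None


def peel(data: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Repeatedly decode until nothing recognisable is left; returns the layers found."""
    layers: List[Tuple[str, str]] = []
    current = data
    for _ in range(max_layers):
        step = decode_one(current)
        if step is None:
            break
        layers.append(step)
        current = step[1]
    return layers


def hashes(text: str) -> dict:
    """The hash digests Decoder can produce, keyed by algorithm name."""
    return {name: hashlib.new(name, text.encode()).hexdigest()
            for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    for layer, value in peel(SAMPLE):
        print(f"{layer:>6}: {value}")
    print(hashes(SECRET)["sha256"])
```

The printable-text check is what stops the loop from “decoding” ordinary words that happen to look like hex or Base64; a value that decodes to binary junk is treated as not encoded at all.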

Comparer

Compares two different requests or two different responses and highlights what’s different (basically a diff).

Sequencer

Analyzes the entropy of data: sends multiple requests and compares the randomness of the different responses.

Good for identifying things like weak session ids.
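Here is an added example (not from the talk) of the kind of analysis Sequencer does, boiled down to a per-character entropy estimate: for each position in the token, how many bits does that character actually vary across the sample? The two token samples are constructed (a sequential session id and a 32-hex-character random token from a seeded generator); the 64-bit threshold is an assumption for the demo, not a Burp default.

```python
# Added example, not from the talk: a per-position entropy estimate in the
# spirit of Sequencer's character-level analysis, run over two constructed
# token samples (a sequential session id and a 128-bit random hex token).

import math
import random
from collections import Counter
from typing import Dict, List, Sequence


def position_entropy(tokens: Sequence[str], index: int) -> float:
    """Shannon entropy (bits) of the character at one position across the sample."""
    counts = Counter(tok[index] for tok in tokens)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def assess(tokens: Sequence[str], min_bits: float = 64.0) -> Dict[str, object]:
    """Estimate total bits of entropy in a token by summing per-position entropy.

    Positions that never change contribute 0 bits; positions that only count up
    contribute little. Like Sequencer, this is an estimate that improves with
    sample size: a sample of n tokens can never show more than log2(n) bits
    per position, so a few dozen tokens under-estimate a good token's entropy.
    """
    length = min(len(t) for t in tokens)
    per_pos = [position_entropy(tokens, i) for i in range(length)]
    total = sum(per_pos)
    fixed = [i for i, bits in enumerate(per_pos) if bits == 0.0]
    return {
        "bits": total,
        "fixed_positions": fixed,          # characters that never vary
        "verdict": "weak" if total < min_bits else "ok",
    }


# Constructed samples: what a weak and a reasonable session id look like.
SEQUENTIAL_IDS: List[str] = [f"sess{1000 + i:04d}" for i in range(50)]

_rng = random.Random(1234)  # seeded so the demo is reproducible; NOT for real tokens
RANDOM_IDS: List[str] = ["".join(_rng.choice("0123456789abcdef") for _ in range(32))
                         for _ in range(50)]


if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_IDS), ("random hex", RANDOM_IDS)):
        result = assess(sample)
        print(f"{name:>10}: {result['bits']:.1f} bits, "
              f"{len(result['fixed_positions'])} fixed chars -> {result['verdict']}")
```

For the sequential sample only the last two characters move, so the whole id carries about 5.6 bits; the random sample comes out above 100 bits from 50 tokens. The caveat is the sample size: Sequencer asks for thousands of tokens for the same reason this estimate can only see log2(50) bits per position.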

Intruder

  • Send multiple modified requests
  • Modifications based on rules set by the analyst
  • CE doesn’t include the full version
    • Throttled
    • No Payloads (binaries)

Types of attacks:

  • Sniper
  • Battering ram
  • Pitchfork
  • Cluster-bomb

Use for things like SQL injection.

Can analyze results programmatically – extract useful information and ignore everything else.

When doing things like SQL injection, simple lists can be used with Intruder to see what types of results happen with different values.
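As an added example (not from the talk, and not Burp’s own code), the following shows how the four attack types combine payload positions with payload sets: it is pure template expansion and sends nothing. The template (two positions marked §like this§, the way Intruder marks them), the payload lists and the request line are all constructed. The request counts each mode produces (positions × payloads for sniper, payloads for battering ram, the shortest set for pitchfork, the product of all sets for cluster bomb) are also what a rate limit or WAF sees, which is useful when judging whether a throttled CE Intruder or a lockout policy is the bottleneck.

```python
# Added example, not from the talk: how Intruder's four attack types combine
# payload positions (marked §like this§) with payload sets. Pure template
# expansion, no requests are sent; template and payload lists are constructed.

from itertools import product
from typing import Iterator, List, Optional, Sequence

MARK = "§"

# Constructed template with two payload positions, as marked in Intruder.
TEMPLATE = "GET /items?id=§1§&sort=§name§"


def position_count(template: str) -> int:
    """Number of marked positions; markers must come in pairs."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return (len(parts) - 1) // 2


def fill(template: str, values: Sequence[Optional[str]]) -> str:
    """Replace the k-th marked position with values[k]; None keeps the original text."""
    parts = template.split(MARK)
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 1:                     # odd chunks are the marked positions
            chosen = values[i // 2]
            out.append(part if chosen is None else chosen)
        else:
            out.append(part)
    return "".join(out)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set, one position at a time; other positions keep their original value."""
    n = position_count(template)
    for k in range(n):
        for p in payloads:
            values: List[Optional[str]] = [None] * n
            values[k] = p
            yield fill(template, values)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set, the same payload placed into every position at once."""
    n = position_count(template)
    for p in payloads:
        yield fill(template, [p] * n)


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, walked in parallel (stops at the shortest set)."""
    for combo in zip(*payload_sets):
        yield fill(template, list(combo))


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, every combination (cartesian product)."""
    for combo in product(*payload_sets):
        yield fill(template, list(combo))


if __name__ == "__main__":
    ids, sorts = ["1", "2"], ["name", "date", "size"]
    for name, gen in (("sniper", sniper(TEMPLATE, ids)),
                      ("battering ram", battering_ram(TEMPLATE, ids)),
                      ("pitchfork", pitchfork(TEMPLATE, [ids, sorts])),
                      ("cluster bomb", cluster_bomb(TEMPLATE, [ids, sorts]))):
        reqs = list(gen)
        print(f"{name}: {len(reqs)} requests, first = {reqs[0]}")
```

Sniper and battering ram take a single payload list; pitchfork and cluster bomb take one list per position. The simple lists mentioned above for probing how an application reacts to different values map onto sniper, which is also the mode that produces the fewest requests per position.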

Extender

  • Install external extensions to Burp
  • Extensions add functionality
  • Some of the extensions are only available in Pro
  • Users can develop extensions in Java and Python

ZAP – Free Vuln Scanner

Another proxy that is completely free and maintained by OWASP.

Zaproxy – Zed Attack Proxy

OWASP is a good place to get information about vulnerabilities and tools – geared toward helping write better code.

Resources

Portswigger’s Web Academy (Free)

Hacker101 (Free)

TryHackMe (Freemium)

HackTheBox (Freemium)
