Burp Suite Definition

2/14/2022 by admin


Internet usage is growing dramatically, and as a result most companies and individuals that provide services have a website so that customers can learn about the services available to them. These sites usually have a login portal that asks customers for a username and password; if the credentials are valid, the customer is redirected to that user's home page. Some of these portals are administrative portals: a successful login grants full control over the application. From this point of view, choosing a password is a critical decision, and everyone should take care when choosing one.

Today we are going to talk about attacking these portals to gain access to the administrative panel, using a password brute-forcing technique called a dictionary attack.

A password is a secret word or string of characters used for authentication, to prove a particular user's identity or to approve access to a resource (an access code is one type of password); it should be kept secret from those not allowed access.

A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

The Wikipedia definition of a dictionary attack is:

As the definition says, a dictionary attack is simply a technique that takes a file of thousands of common, default and weak passwords, submits each of them to the login portal, and keeps going until one of them lets the attacker into the private resource (for example an administration panel).
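The defensive counterpart of what the definition describes is to refuse, at registration or password change, any password that such a wordlist would reach. The following Python snippet is an added example (not from the original post, and not DVWA or Burp code): it screens a candidate password against a small constructed list of common passwords, after undoing the cheap variations people apply to them (trailing digits or symbols, "leet" substitutions). The list, the leet map and the minimum length of 8 are assumptions for the demo; a real deployment would load a large leaked-password corpus.

```python
import re

# Constructed sample of a common-password list (added example, not from the page).
# A real deployment would load a large corpus of leaked and default passwords,
# stored lowercase, one entry per line.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "letmein", "welcome",
    "dragon", "iloveyou", "monkey", "football", "changeme",
}

# Undo the usual "leet" substitutions so that p@ssw0rd is compared as password.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Canonical form used for the dictionary comparison: lowercase, trailing
    digits/symbols removed (Welcome2022, Dragon!!), then leet characters undone."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)   # drop the "123!" style suffix
    return stripped.translate(_LEET)


def check_password(candidate: str, wordlist=COMMON_PASSWORDS, min_length: int = 8):
    """Return (accepted, reason). Rejects what a dictionary attack would reach:
    passwords that are too short, or trivial variants of a wordlist entry."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    base = normalize(candidate)
    if candidate.lower() in wordlist or base in wordlist:
        return False, f"variant of common password {base!r}"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd123!", "Welcome2022", "admin", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
```

The normalisation matters more than the list size: "P@ssw0rd123!" satisfies every classic complexity rule, yet it is the second or third thing any wordlist tries. Pair the check with an account lockout or rate limit on the login endpoint, since the wordlist check only helps for passwords chosen after it was deployed.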

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. It is Java-based, so it is cross-platform and runs on Windows, Linux and other operating systems.

According to the Burp Suite website, Burp Suite contains the following key components:

  • An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
  • An application-aware Spider, for crawling content and functionality.
  • An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
  • An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
  • A Repeater tool, for manipulating and resending individual requests.
  • A Sequencer tool, for testing the randomness of session tokens.
  • The ability to save your work and resume working later.
  • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp Intruder

You can download Burp Suite from the Burp Suite website. In this tutorial we will focus on the Burp Intruder component, which we will use as a brute-force tool.

Burp Intruder can be used as a fuzzer, as a tool for brute-force attacks, and for many other purposes.

Burp Intruder has four attack types: Sniper, Battering ram, Pitchfork and Cluster bomb. According to Burp's documentation, Sniper is the default.

Demo: Dictionary Attack Against DVWA

In this demo we will use Damn Vulnerable Web Application (DVWA) as our target. Browse to the application, click on the Brute Force tab, enter any username and password while making sure that Burp Suite is intercepting the traffic, then click Login.

After clicking Login, the request is intercepted by Burp Suite; right-click on the request and choose Send to Intruder.

Now go to the Intruder tab, where we configure the attack. Under the Target sub-tab, Burp has already set the target host and port from the intercepted request.

Now go to the Positions tab. Some parts of the request are highlighted: these are Burp's guesses at which parameters you might want to attack.

In our scenario we want to vary only the username and password values with each request. Click Clear to remove all the highlighted positions. Then highlight the username parameter value (in our case "NOTEXIST") and click Add, and do the same for the password parameter value. Note that the default attack type is Sniper; change it to Cluster bomb.

Now set the payloads for each position: go to the Payloads tab, select payload set 1, click Load and load the file containing the list of usernames. For demonstration purposes we use a small list of usernames and passwords.

Then select payload set 2, click Load and load the file containing the list of passwords.

Now go to the Options tab. This is the most important tab, because here we configure the rules that tell us which request succeeded.

Normally, when we enter wrong credentials, the application shows the error message "Username and/or password incorrect".

If we enter the right credentials, it shows the message "Welcome to the password protected area admin".

In the Options tab, go to Grep - Match, remove all existing string patterns and add the pattern "Welcome to the password protected area admin", which indicates that the credentials are valid. Finally click the Intruder menu at the top left and choose Start attack. A window pops up showing all the requests being made.

Intruder now tries every combination from the two lists. In the results you will find a column named "Welcome to the password protected area admin"; if it is checked for a request, the credentials used in that request are valid.

Now let's take a look at the response:

Another way to tell whether the credentials are valid is that a successful request has a different response length, or a different status code, than an unsuccessful one. As the previous screenshot shows, the successful response has length 4963 and the unsuccessful one 4902.
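Everything Intruder did in this demo leaves a very recognisable trace in the web server's access log: one client address, one login URL, many requests in a few seconds, almost all of them with the same response size, and one odd-sized response where a guess succeeded. The following Python detector is an added example (not from the original post, not Burp or DVWA code) that runs over a constructed set of combined-format log lines; the IP addresses, the /login path, the 60-second window and the threshold of 10 attempts are assumptions for the demo, and the sizes 4902/4963 mirror the failure/success lengths noted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- constructed sample traffic (added example, not taken from the page) ---------
LOG_FMT = ('{ip} - - [14/Feb/2022:10:00:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')

# 198.51.100.5 browses normally and fails one login; 203.0.113.7 fires 13 login
# requests in 12 seconds.  Failure pages are 4902 bytes, the single success 4963.
SAMPLE_EVENTS = (
    [("198.51.100.5", 0, "GET", "/login", 1532), ("198.51.100.5", 3, "POST", "/login", 4902)]
    + [("203.0.113.7", s, "POST", "/login", 4902) for s in range(1, 13)]
    + [("203.0.113.7", 13, "POST", "/login", 4963), ("198.51.100.5", 20, "GET", "/", 2210)]
)
SAMPLE_LOG = [LOG_FMT.format(ip=ip, sec=sec, method=m, path=p, size=size)
              for ip, sec, m, p, size in SAMPLE_EVENTS] + ["malformed line that does not parse"]

# --- parsing ----------------------------------------------------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],      # compare the path without its query string
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


# --- detection --------------------------------------------------------------------
def detect_login_bursts(lines, path="/login", methods=("POST",), window_s=60, threshold=10):
    """Flag clients that hit the login endpoint at least `threshold` times within any
    `window_s`-second window.  For each burst, report the dominant response size
    (the failure page) and any other sizes seen, which point at a guess that worked."""
    by_ip = defaultdict(list)
    for entry in (parse_line(l) for l in lines):
        if entry and entry["method"] in methods and entry["path"] == path:
            by_ip[entry["ip"]].append(entry)

    window = timedelta(seconds=window_s)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best_start, best_count, j = 0, 0, 0
        for i in range(len(events)):                  # sliding window over sorted timestamps
            while events[i]["ts"] - events[j]["ts"] > window:
                j += 1
            if i - j + 1 > best_count:
                best_start, best_count = j, i - j + 1
        if best_count < threshold:
            continue
        burst = events[best_start:best_start + best_count]
        dominant_size = Counter(e["size"] for e in burst).most_common(1)[0][0]
        findings.append({
            "ip": ip,
            "attempts": best_count,
            "first": burst[0]["ts"],
            "last": burst[-1]["ts"],
            "dominant_size": dominant_size,
            "outlier_sizes": sorted({e["size"] for e in burst if e["size"] != dominant_size}),
        })
    return findings


if __name__ == "__main__":
    for f in detect_login_bursts(SAMPLE_LOG):
        print(f"{f['ip']}: {f['attempts']} login attempts between {f['first']:%H:%M:%S} and "
              f"{f['last']:%H:%M:%S}; failure size {f['dominant_size']}, "
              f"other sizes {f['outlier_sizes']}")
```

Because the application answers both outcomes with HTTP 200, the status code alone says nothing; the size outlier is the same signal the attacker reads off the Intruder results, used in reverse. For applications whose login form submits with GET, pass `methods=("GET", "POST")`; in production the same logic belongs in a SIEM rule keyed on source address and login URL, with an alert threshold below whatever lockout policy the application enforces.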

The dictionary attack is a very common technique that attackers use to gain access to private and forbidden resources, and it becomes easier with a powerful tool such as Burp Suite.


There are various methodologies and approaches that can be used as a reference for performing an attack.

Web Application - PenTesting Methodologies

One can take the following standards into account while developing an attack model.

Among the following, OWASP is the most active and has many contributors. We will focus on the OWASP techniques, which every development team should take into consideration before designing a web application.

OWASP Top 10

The Open Web Application Security Project (OWASP) team published the top 10 vulnerabilities that have been most prevalent on the web in recent years. Below is the list of security flaws most prevalent in web-based applications.

Application - Hands On

To understand each of the techniques, let us work with a sample application. We will perform the attacks on WebGoat, a J2EE application developed deliberately with security flaws for learning purposes.

Complete details about the WebGoat project can be found at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project. To download the WebGoat application, navigate to https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0) and go to the downloads section.


To install the downloaded application, first ensure that nothing else is running on port 8080. It can then be started with a single command: java -jar WebGoat-6.0.1-war-exec.jar. For more details, see the WebGoat installation page.

After installation, the application should be reachable at http://localhost:8080/WebGoat/attack, and the page would be displayed as shown below.

We can log in with the guest or admin credentials displayed on the login page.

Web Proxy

To intercept the traffic between the client (browser) and the server (in our case the system hosting the WebGoat application), we need a web proxy. We will use Burp Proxy, which can be downloaded from https://portswigger.net/burp/download.html

The free version of Burp Suite, shown below, is sufficient.

Configuring Burp Suite

Burp Suite is a web proxy that can intercept every request and response exchanged between the browser and the web server. This lets us inspect and modify the contents before the client's request reaches the web server.

Step 1 − The application is installed on port 8080 and Burp will listen on port 8181, as shown below. Launch Burp Suite and apply the following settings so that it listens on port 8181.

Step 2 − Ensure that Burp's target scope includes port 8080, where the application is installed, so that Burp Suite intercepts its traffic. This setting is made on the Scope tab of Burp Suite, as shown below.

Step 3 − Then set your browser's proxy settings to port 8181 (the Burp Suite port). We have now configured the web proxy to intercept the traffic between the client (browser) and the server (web server), as shown below −

Step 4 − A snapshot of the configuration is shown below, with the help of a simple workflow diagram.
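To make concrete what Steps 1 to 3 set up, here is a minimal intercepting HTTP proxy in Python (an added example, not Burp's code and not part of the original tutorial). It plays the role Burp Proxy plays on port 8181: the client sends its request to the proxy instead of to the application, the proxy records and modifies the request, forwards it to the application, and relays the reply back. The stand-in application, the marker header X-Intercepted-By and the use of ephemeral ports instead of 8080/8181 are all constructed for the demo; it handles plain HTTP only, since intercepting HTTPS needs the CA-certificate setup that Burp provides.

```python
"""Minimal intercepting forward proxy (added example; plain HTTP, no TLS)."""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

MARKER_HEADER = "X-Intercepted-By"        # hypothetical header the proxy injects


class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    """Receives browser requests (absolute-URI form, as a proxy-configured browser
    sends them), logs and modifies them, forwards upstream and relays the answer."""
    intercepted = []                       # (method, url, body) of every forwarded request

    def do_GET(self):
        self.forward(None)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.forward(self.rfile.read(length))

    def forward(self, body):
        url = urlsplit(self.path)          # proxy requests carry the full URL in the request line
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "connection", "host")}
        headers["Host"] = url.netloc
        headers[MARKER_HEADER] = "example-proxy"          # the "modify before sending" step
        InterceptingProxy.intercepted.append((self.command, self.path, body))

        target = (url.path or "/") + (f"?{url.query}" if url.query else "")
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request(self.command, target, body=body, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()

        self.send_response(resp.status)    # relay status, headers and body to the client
        for k, v in resp.getheaders():
            if k.lower() not in ("content-length", "transfer-encoding", "connection",
                                 "server", "date"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        upstream.close()

    def log_message(self, *args):          # keep the demo quiet
        pass


class EchoServer(http.server.BaseHTTPRequestHandler):
    """Stand-in for the web application: reports whether the proxy's header arrived."""

    def do_GET(self):
        body = ("marker=" + self.headers.get(MARKER_HEADER, "absent")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start(handler):
    """Serve `handler` on an ephemeral loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Start application and proxy, send one request through the proxy exactly as a
    browser with proxy settings would, and return the application's reply body."""
    app, proxy = start(EchoServer), start(InterceptingProxy)
    app_port, proxy_port = app.server_address[1], proxy.server_address[1]
    client = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    client.request("GET", f"http://127.0.0.1:{app_port}/login")   # absolute URI = proxy request
    reply = client.getresponse().read().decode()
    client.close()
    for srv in (proxy, app):
        srv.shutdown()
        srv.server_close()
    return reply


if __name__ == "__main__":
    print(run_demo())                      # marker=example-proxy
```

The `intercepted` list is the equivalent of Burp's HTTP history; the header injection stands in for editing a request in the Intercept tab before pressing Forward. Step 3 is what turns the browser into a client of this proxy: without the browser setting, nothing ever reaches port 8181 and the proxy simply sees no traffic.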
