Burp Suite Owasp Top 10

2/14/2022 by admin

Welcome back to the OWASP Top 10 training series. Today, you are going to learn how to install OWASP WebGoat and OWASP WebWolf, first from the Java jar files and then with Docker. We are slowly but surely building out our OWASP Top 10 lab so that we can start practicing how to exploit the OWASP Top 10 vulnerabilities. If you haven’t been following along from the beginning, it’s not too late: follow the instructions in the OWASP ZAP or Burp Suite set-up blog posts. Or, if you prefer videos, I created the OWASP Top 10 video training series just for you, and I will be adding more episodes to it as we progress through this training.

What is OWASP WebGoat, and why use it for this OWASP Top 10 training?

OWASP WebGoat is a deliberately insecure Java web application built for learning and practicing common web application vulnerabilities in a safe environment. It is well maintained and its lessons cover most of the OWASP Top 10 categories.

OWASP WebGoat comes with a companion web application called OWASP WebWolf, which lets you host malicious files and receive emails and HTTP requests from the target. It is really handy for exercises that need an attacker-controlled server, such as out-of-band attacks.

Both OWASP WebGoat and WebWolf are released as jar files, Docker images and, of course, source code, which makes them very convenient for our OWASP Top 10 training. In fact, this is a great opportunity to learn how Docker can be used to set up a lab and learn web application hacking.

Disclaimer: this is a deliberately vulnerable web application. I strongly discourage running it on your host machine. For this reason, I am going to start from a fresh Debian 9 VM on VirtualBox; I explain how to set one up in my video on YouTube. For now, I’ll assume that you already have a Debian 9 VM running on your favorite virtualization software (I am using VirtualBox). Keep that VM on a host-only or NAT network, so that the vulnerable services you are about to expose are reachable from your host but not from the rest of your LAN.

How to install OWASP WebGoat and WebWolf using the JAR

Feel free to skip this part if you’d like to use Docker in your OWASP Top 10 training. I’ve included it here so that you know how to install Java on your machine. Knowing how to install packages is a good skill to have in your learning journey: it allows you to discover and experiment with new tools, especially with the increasing number of open-source tools published every day.

Installing Java


Once you’ve connected to your Debian 9 guest machine, run the following commands. Again, make sure to watch the video if you are blocked.

OWASP WebGoat download and run

Note that you have to set the server.address option to 0.0.0.0. By default, WebGoat binds to localhost only, so without this option the application would only answer requests made from inside the VM and you could not reach it from your host through the VM’s IP address.

OWASP WebWolf download and run
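The post’s own command listings are not reproduced on this page, so here is an added example, written for this edit and not the post’s or the WebGoat project’s code, that covers the whole JAR route in one script: install OpenJDK on the Debian guest, check the Java major version, then launch WebGoat and WebWolf from their jars with server.address set to 0.0.0.0. The jar file names, the use of Debian’s default OpenJDK package and the log file names are assumptions; check the release notes of the WebGoat version you download for the Java version it actually requires.

```shell
#!/bin/sh
# Added example (not the original post's commands): install OpenJDK on the Debian
# guest, verify the Java major version, then start WebGoat and WebWolf from their
# jars bound to all interfaces so the host can reach them through the VM IP.
# Assumptions (not from the page): the jar names below match the release you
# downloaded and the distro's default OpenJDK is new enough for that release.
set -eu

WEBGOAT_JAR="${WEBGOAT_JAR:-webgoat-server-8.2.2.jar}"   # assumed file name
WEBWOLF_JAR="${WEBWOLF_JAR:-webwolf-8.2.2.jar}"          # assumed file name
BIND_ADDR="${BIND_ADDR:-0.0.0.0}"   # WebGoat binds to localhost unless told otherwise

# Parse the major version out of the first line of `java -version` output.
# Handles both the legacy "1.8.0_312" and the modern "11.0.14" / "17.0.2" schemes.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 | cut -d- -f1 ;;
    esac
}

# Build the launch command for a Spring Boot jar (WebGoat and WebWolf both are);
# --server.address and --server.port are standard Spring Boot options.
spring_boot_cmd() {
    # $1 jar, $2 bind address, $3 port
    printf 'java -jar %s --server.address=%s --server.port=%s\n' "$1" "$2" "$3"
}

# Describe how far a bind address exposes the (deliberately vulnerable) apps.
bind_scope() {
    case "$1" in
        127.0.0.1|localhost) echo "local" ;;
        0.0.0.0|::)          echo "all-interfaces" ;;
        *)                   echo "single-interface" ;;
    esac
}

install_java() {
    sudo apt-get update
    sudo apt-get install -y default-jdk-headless
    have=$(java_major_version "$(java -version 2>&1 | head -n 1)")
    echo "Installed Java major version: $have"
}

run_apps() {
    # nohup + log files so both keep running after you close the SSH session.
    nohup $(spring_boot_cmd "$WEBGOAT_JAR" "$BIND_ADDR" 8080) > webgoat.log 2>&1 &
    nohup $(spring_boot_cmd "$WEBWOLF_JAR" "$BIND_ADDR" 9090) > webwolf.log 2>&1 &
    echo "WebGoat on 8080 and WebWolf on 9090, bound to $BIND_ADDR ($(bind_scope "$BIND_ADDR"))"
}

case "${1:-}" in
    install) install_java ;;
    run)     run_apps ;;
esac
```

Run it as `sh webgoat-jar.sh install` and then `sh webgoat-jar.sh run`; start-up messages land in webgoat.log and webwolf.log. Binding to 0.0.0.0 makes both services reachable from every network the VM is attached to, which is why the VM belongs on a host-only or NAT network.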

How to install OWASP WebGoat in Docker

Docker has many advantages over using plain Java, and I can’t recommend it enough, not only in this OWASP Top 10 training series but in your overall hacking journey. You don’t need to install and configure any dependencies, WebGoat and WebWolf both run from a single command, and the same workflow will let you set up other applications easily in the future.

Install Docker

The Docker documentation offers a convenience install script, but I wouldn’t recommend it. You need to develop the habit of understanding what a script does before running it on your own machines. Most of the following steps are taken from the official Docker documentation for Debian.

You should have a response similar to this one

Download and run OWASP WebGoat for Docker

Run WebGoat and WebWolf all in one go. Notice that you have to set the timezone environment variable TZ to the zone of your host machine; the JWT challenges rely on timestamps and do not work properly when the container’s clock is in a different zone. Here is a list of timezones that you can choose from according to your host machine location.
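The command listings for this section are not on the page either, so here is an added example, written for this edit and not the post’s or the Docker or WebGoat projects’ own code, that covers the Docker route end to end: install Docker CE on the Debian guest following the steps from Docker’s Debian documentation (repository key, apt source, packages, hello-world check), refuse to add the repository if the key fingerprint is not the one Docker documents, and then run WebGoat and WebWolf from one container with TZ set and both ports published. The image name webgoat/goatandwolf (the combined image the WebGoat project published for the 8.x releases; pin a tag in practice) and the Europe/Paris default are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's commands): install Docker CE on the Debian
# guest from Docker's apt repository, verifying the repository signing key's
# fingerprint before trusting it, then run WebGoat and WebWolf from one container.
# Assumptions (not from the page): the image name and the default timezone.
set -eu

IMAGE="${IMAGE:-webgoat/goatandwolf}"      # assumed image name; pin a tag in practice
TZ_VALUE="${TZ_VALUE:-Europe/Paris}"       # assumed; use the zone of your host machine
# Fingerprint that Docker's documentation lists for its apt repository signing key.
DOCKER_KEY_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Return 0 if the expected fingerprint appears in gpg output ($1), ignoring the
# spacing gpg inserts between groups of four hex digits.
key_fingerprint_ok() {
    printf '%s\n' "$1" | tr -d ' ' | grep -q "$DOCKER_KEY_FPR"
}

# Is $1 a zone name the container's Java runtime can resolve? Checked against the
# host's tzdata, which uses the same Area/City names; rejects path tricks.
tz_is_valid() {
    case "$1" in
        ""|*..*|/*) return 1 ;;
    esac
    [ -f "/usr/share/zoneinfo/$1" ]
}

# Build the docker run command. Publishing on all interfaces is what lets the host
# reach http://<vm-ip>:8080/WebGoat and http://<vm-ip>:9090/WebWolf.
webgoat_docker_cmd() {
    # $1 image, $2 timezone
    printf 'docker run -d --name webgoat -p 8080:8080 -p 9090:9090 -e TZ=%s %s\n' "$2" "$1"
}

install_docker() {
    sudo apt-get update
    sudo apt-get install -y ca-certificates curl gnupg lsb-release
    sudo mkdir -p /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/debian/gpg \
        | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    sudo chmod a+r /etc/apt/keyrings/docker.gpg
    # Refuse to add the repository if the key is not the one Docker documents.
    key_fingerprint_ok "$(gpg --no-default-keyring --keyring /etc/apt/keyrings/docker.gpg --fingerprint)" \
        || { echo "unexpected Docker repository key fingerprint" >&2; exit 1; }
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
        | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    sudo apt-get install -y docker-ce docker-ce-cli containerd.io
    sudo docker run --rm hello-world   # prints "Hello from Docker!" when the install works
}

run_webgoat() {
    tz_is_valid "$TZ_VALUE" || { echo "unknown timezone: $TZ_VALUE" >&2; exit 1; }
    sudo $(webgoat_docker_cmd "$IMAGE" "$TZ_VALUE")
}

case "${1:-}" in
    install) install_docker ;;
    run)     run_webgoat ;;
esac
```

Run `sh webgoat-docker.sh install` once, then `TZ_VALUE=Your/Zone sh webgoat-docker.sh run`. The fingerprint check is the point of not using the convenience script: you are adding a third-party apt source that can push root-level packages to the VM, so the key that signs it should be the one you expect.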

Testing our OWASP WebGoat setup

Now that OWASP WebGoat and WebWolf are running, let’s test if they work with OWASP ZAP or Burp Suite as intended.

  1. Launch OWASP ZAP or Burp Suite.
  2. Choose your proxy from the FoxyProxy add-on. If you haven’t followed from the beginning, here is the link for installing and configuring FoxyProxy.
  3. Go to http://your-machine-ip:8080/WebGoat, where your-machine-ip is the IP address of the Debian 9 VM.
  4. If everything went well, you should see a login screen like the following screenshot.

Testing our OWASP WebWolf setup

  1. Launch OWASP ZAP or Burp Suite.
  2. Choose your proxy from the FoxyProxy add-on. If you haven’t followed from the beginning, here is the link for installing and configuring FoxyProxy.
  3. Go to http://your-machine-ip:9090/WebWolf, where your-machine-ip is the IP address of the Debian 9 VM.
  4. If everything went well, you should see a login screen.
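As an added example that is not part of the original post, the same two checks can be scripted from the command line, which is handy when you want to confirm quickly that both applications answer and that the traffic shows up in the proxy history without touching the browser. The VM address and the proxy listener below are assumptions: Burp Suite’s default listener is 127.0.0.1:8080 and ZAP’s default is the same port.

```shell
#!/bin/sh
# Added example (not from the original post): request /WebGoat and /WebWolf through
# the intercepting proxy and report whether each application is up.
# Assumptions (not from the page): the VM IP and the proxy listener address.
set -eu

VM_IP="${VM_IP:-192.168.56.10}"            # assumed VirtualBox host-only address of the VM
PROXY="${PROXY:-http://127.0.0.1:8080}"    # Burp's default listener; ZAP's default is the same port

# Interpret the status code of a request to /WebGoat or /WebWolf. Both apps answer
# an unauthenticated request with a redirect to their login page, so 302 is the
# expected healthy answer and 200 means you already have a session.
classify_status() {
    case "$1" in
        200|302) echo "up" ;;
        000)     echo "unreachable" ;;     # curl could not connect (to the proxy or the VM)
        *)       echo "unexpected:$1" ;;
    esac
}

# Fetch $1 through the proxy and print only the HTTP status code (000 on failure).
status_via_proxy() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --proxy "$PROXY" --max-time 10 "$1" 2>/dev/null || true)
    printf '%s\n' "${code:-000}"
}

smoke_test() {
    for url in "http://$VM_IP:8080/WebGoat" "http://$VM_IP:9090/WebWolf"; do
        code=$(status_via_proxy "$url")
        echo "$url -> $code ($(classify_status "$code"))"
    done
}

case "${1:-}" in
    run) smoke_test ;;
esac
```

Run `VM_IP=<your vm ip> sh smoke.sh run` with Burp Suite or ZAP listening. An "unreachable" result with the proxy stopped and an "up" result with it running is also a quick way to confirm that your traffic really goes through the proxy and not directly to the VM.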

Congratulations! You’ve made another step towards practicing OWASP Top 10 vulnerabilities! In the next episode of this OWASP Top 10 training series, we will set up and configure OWASP Juice Shop.

If you enjoyed this tutorial, consider subscribing to the newsletter below to be notified when there is news on thehackerish.com. Until then, stay curious, crave learning, be ethical and share with the world!

If you enjoy learning on YouTube, I prepared the OWASP Top 10 training video series just for you. Here is the OWASP WebGoat setup video.

Burp Suite and OWASP ZAP are very widely used tools for hacking and pentesting: both can scan, find bugs in and exploit a target web application, thanks to the many features they ship with. HUNT Suite adds extra features and extensions to both of these tools.

What is HUNT Suite?

  • HUNT Suite is a collection of Burp Suite Pro/Free and OWASP ZAP extensions.
  • Identifies common parameters vulnerable to certain vulnerability classes (Burp Suite Pro and OWASP ZAP).
  • Organize testing methodologies (Burp Suite Pro and Free).

HUNT Parameter Scanner – Vulnerability Classes


  • SQL Injection
  • Local/Remote File Inclusion & Path Traversal
  • Server Side Request Forgery & Open Redirect
  • OS Command Injection
  • Insecure Direct Object Reference
  • Server Side Template Injection
  • Logic & Debug Parameters
  • Cross Site Scripting
  • External Entity Injection
  • Malicious File Upload

TODO

  • Change regex for parameter names to include user_id instead of just id
  • Search in scanner window
  • Highlight param in scanner window
  • Implement script name checking, REST URL support, JSON & XML post-body params.
  • Support normal convention of Request tab: Raw, Params, Headers, Hex sub-tabs inside scanner
  • Add more methodology JSON files:
    • Web Application Hacker’s Handbook
    • PCI
    • HIPAA
    • CREST
    • OWASP Top Ten
    • OWASP Application Security Verification Standard
    • Penetration Testing Execution Standard
    • Burp Suite Methodology
  • Add more text for advisory in scanner window
  • Add more descriptions and resources in methodology window
  • Add functionality to send request/response to other Burp tabs like Repeater

Installing HUNT Suite for Burp Suite Pro/Free

Getting Started

1. Download the latest standalone Jython jar.

2. Navigate to Extender -> Options.

  • Locate the section called Python Environment.
  • Add the location of the Jython jar by clicking Select file….

3. Navigate to Extender -> Extensions.

  • Click Add.
  • Locate Extension Details.
    • Select “Python” as the Extension Type.
    • Click “Select file…” to select the location of where the extension is located in your filesystem.
    • Do this for both the HUNT Parameter Scanner and HUNT Testing Methodology

4. The HUNT Parameter Scanner will begin to run across traffic that flows through the proxy.

Setting Scope

Setting your testing scope is an important step, because the passive scanner is incredibly noisy. Instead of polluting the Scanner window, the HUNT Parameter Scanner creates its own window with its own findings.

1. Navigate to Target -> Scope.

  • Click the “Use advanced scope control” checkbox.
  • Click add to include to your scope.

2. Navigate to Scanner -> Live scanning.

  • Under the “Live Passive Scanning” section, click “Use suite scope [defined in the target tab]”.

HUNT Suite for Burp Suite Pro/Free

HUNT Parameter Scanner (hunt_scanner.py)

This extension does not test these parameters, but rather alerts on them so that a bug hunter can test them manually. For each class of vulnerability, Bugcrowd has identified common parameters or functions associated with that vulnerability class. We also provide curated resources in the issue description to do thorough manual testing of these vulnerability classes.
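To make the "alert, don’t test" idea concrete, here is an added example, written for this edit and not HUNT’s own code, that does the core of what the Parameter Scanner does in plain shell and awk: it pulls the query-string parameter names out of request URLs and prints every name that appears in a per-class list, without sending a single test payload. The name lists are an illustrative subset chosen for this example (HUNT’s own lists live in its JSON data files), the class labels are made up here, and the request URLs at the bottom are constructed sample traffic. It also matches on the last underscore-separated word of a name, so user_id is flagged like id, which is the point of the first TODO item above.

```shell
#!/bin/sh
# Added example (not part of HUNT): flag query-string parameter names commonly tied
# to a vulnerability class, HUNT-style, without testing them. The rule lists below
# are an illustrative subset chosen for this example, not HUNT's own data files.
set -eu

# One rule per line: class:names (lower-case, space-separated).
hunt_rules() {
    cat <<'EOF'
sqli:id select report search category file class news item menu ref title view topic thread type date form join main nav region
lfi_traversal:file document folder root path pg style pdf template php_path doc
ssrf_redirect:dest redirect uri continue url window next data reference site html val validate domain callback return page feed host port to out dir
cmdi:daemon upload dir execute download log ip cli cmd
idor:id user account number order no doc key email group profile edit report
ssti:template preview view activity name content redirect
debug:access admin dbg debug edit grant test alter clone create delete disable enable exec execute load make modify rename reset shell toggle adm root cfg config
xss:q s search lang keyword query page keywords year view email type name p month url terms key
EOF
}

# Read one request URL per line on stdin; print "class<TAB>param<TAB>url" for every
# parameter whose name, or its last _-separated word (user_id -> id), is in a list.
hunt_flag_params() {
    awk -F'?' -v rules="$(hunt_rules)" '
        BEGIN {
            nc = split(rules, lines, "\n")
            for (c = 1; c <= nc; c++) {
                split(lines[c], f, ":")
                classes[c] = f[1]
                n = split(f[2], names, " ")
                for (i = 1; i <= n; i++) rule[f[1], names[i]] = 1
            }
        }
        NF < 2 { next }                       # no query string: nothing to flag
        {
            m = split($2, pairs, "&")
            for (i = 1; i <= m; i++) {
                split(pairs[i], kv, "=")
                name = tolower(kv[1])
                sub(/\[.*$/, "", name)        # ids[] -> ids
                last = name
                sub(/^.*_/, "", last)         # user_id -> id, so both spellings match
                for (c = 1; c <= nc; c++)
                    if ((classes[c], name) in rule || (classes[c], last) in rule)
                        printf "%s\t%s\t%s\n", classes[c], kv[1], $0
            }
        }'
}

# Constructed sample traffic for this example (not real proxy history).
sample_requests() {
    cat <<'EOF'
http://target.example/news.php?id=12&lang=en
http://target.example/download?file=report.pdf
http://target.example/account?user_id=1001
http://target.example/api/fetch?url=http://internal/
http://target.example/about
EOF
}

# Number of findings for the constructed sample, as a sanity check for the rules.
sample_finding_count() {
    sample_requests | hunt_flag_params | wc -l | tr -d ' '
}

case "${1:-}" in
    run) sample_requests | hunt_flag_params ;;
esac
```

Run `sh hunt-lite.sh run` to see the flagged parameters, or feed it real URLs (for example, a Burp proxy history exported to one URL per line). As in HUNT, a hit is an invitation to test the parameter by hand with the methodology for that class, not a finding by itself: id lands in both the SQL injection and IDOR lists, and file in both the SQL injection and file-inclusion lists, so expect the same parameter to be flagged several times.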

HUNT Testing Methodology (hunt_methodology.py)

This extension allows testers to send requests and responses to a Burp Suite tab called “HUNT Methodology”. This tab contains a tree on the left side that is a visual representation of your testing methodology. By sending request/responses here testers can organize or attest to having done manual testing in that section of the application or having completed a certain methodology step.

Important Notes

HUNT Parameter Scanner leverages the passive scanning API within Burp. Here are the conditions under which passive scan checks are run:

  • First request of an active scan
  • Proxy requests
  • Any time “Do a passive scan” is selected from the context menu

Passive scans are not run on the following:

  • On every active scan response
  • On Repeater responses
  • On Intruder responses
  • On Sequencer responses
  • On Spider responses

HUNT Scanner for OWASP ZAP (Alpha – Contributed by Ricardo Lobo @_sbzo)

  • Find the “Manage Addons” icon, ensure you have Python Scripting installed.
  • Ensure “show All Tabs” icon is clicked
  • Click the Tools menu, navigate to the Options section. Select Passive Scanner and check the box Scan messages only in scope and then OK
  • Click into the Scripts tab (next to the Sites tab)
  • Click the load script icon and load each python script into ZAP. They should appear under passive rules
  • Right click on each script under passive rules and enable them and save them
  • Browse sites and receive alerts!

Authors

  • JP Villanueva
  • Jason Haddix

Contributors


  • Ryan Black
  • Fatih Egbatan
  • Vishal Shah