Burp Proxy: the tool that keeps on giving
As any web application tester knows, the most essential tool to have in your testing toolbox is a good intercepting proxy. This allows the tester to capture and edit requests being sent from the browser to server. I haven'ver compared all the proxies out there, but the truth is I've never felt the need to look any further than Burp Proxy. I LOVE Burp, and I keep falling deeper in love with it all the time. I've restrained from listing all the reasons why, as if you use Burp every day like I do, you'll be aware of its brilliance. Instead, I thought I'd share some of the potentially lesser-known features, or ones that are just a bit fiddly to configure, so that it saves you time when you come to do it.
Brute-forcing Basic Authentication
1. Trap the request containing the 'Authorization: ' header, and send to Intruder e.g:
GET /readme.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept-Encoding: gzip, deflate
Authorization: Basic YWJjOjEyMw==
2. Configure the payload position to encapsulate the Authorization header value e.g.:
Authorization: Basic § YWJjOjEyMw==§
3. Select the Payloads tab, and in Payload Options load your dictionary file:imageIMAGE
Payload Processing -> choose Add
Choose 'Add Prefix' from dropdown
Payload Processing again -> choose Add
Choose Encode, Base64-encode
4. Intruder -> Start attack
Putting Burp into invisible mode to test thick clients
1. Set the target hostname (i.e. the server that the thick client is communicating with) to resolve to your localhost in your hosts file e.g:
So that all traffic being sent from thick client to targethostname gets directed to your proxy instead.
2. Set Burp to listen on the target port that your thick client would normally connect to e.g. port 80 if its http://targethostname
2.1 So Navigate to Proxy -> Options and choose to Add a new proxy listener
2.2 Set the following:
3. You need Burp to forward all traffic on to targethostname. So :
Click on the Request Handling tab next and input the following:
i.e. Redirect to host: targethostname's IP
Redirect to port: 80 (i.e. the target server's port)
Select 'support invisible proxying'.
** note: make sure other programs e.g. IIS, Skype and Spotify aren't listening on port 80 **
Have Burp intercepting, trap and change, send to repeater just as you'd normally do.
I recently had a request containing a username parameter and another parameter which was a corresponding hash of the username (e.g. MD5 of Helen). As the server responded differently to valid usernames, and therefore allowed verification of valid usernames, I wanted to iterate through a long list of usernames to discover which were valid. It wasn't enough to just send the request to intruder and fire a load of username guesses - as each corresponding hash had to be sent too. This is where pitchforking came in handy…
1/ Send request to intruder and choose Attack Type: Pitchfork
2/ For Payload Set 1 choose:
And load your list of usernames.
3/ For Payload Set 2 choose:
And load your list of usernames.
But this time add a payload processing rule:
Add -> Hash.
Intruder -> Start attack.
In the 'Target' tab, right click and select 'spider this host'. Afterwards, right click and select 'Engagement Tools' -> Find comments, as shown below:
See if there is anything juicy in there.