Join Malcolm Shore for an in-depth discussion in this video Testing websites with Burp Suite, part of Penetration Testing Essential Training.
- [Instructor] While there are many tools for web testing, Burp Suite is the tool of choice for most pen testers and is the tool used for the pen testing series of courses. The Burp Suite Free Edition comes as one of the tools prebuilt into Kali in the Applications, Web Applications Analysis menu, and it appears on the Favorites toolbar. Let's start it up. The Free Edition only allows temporary projects and a license is required if we want to store projects on disk, which is usually required when doing a full customer website test.
However, the temporary project will be fine for our testing. Burp Suite creates a new project and opens the main screen. The Burp Suite menu is at the top left and offers five main menu items: Burp, Intruder, Repeater, Window, and Help. Below the menu are the Burp Activity tabs. These allow the various types of Burp activity to be run. Let's initially select Scanner. Here we get a description of the Burp Suite.
The first tab is Target, which has two of its own tabs called Site and Scope. The Site tab shows the construction of the website and the Scope is used to set the target or targets for testing. The second tab is Proxy. When I select that, we can see Intercept is on. This will intercept anything coming through Burp Suite and stop it for us to inspect. I'll turn this off for the moment and let traffic flow through. I'll go to the Options tab on the lower tab line and we can see that we have a listener on port 8080.
The first thing I'll use Burp Suite for is to spider through a site to expose all its webpages. I'll go to the Spider tab and start the spider by clicking the Spider is paused button. We can now see that it's running. Let's go to the Target tab and select Scope, and I'll add and then enter the host or IP range as my Metasploitable server, 10.0.2.8.
I've opened Firefox and I'll reset it to do proxy operation with Burp Suite. I'll select the Options button at the top right, Preferences, Advanced, Network, Settings, and I'll select Manual Proxy Configuration and make sure it's set to 8080. I'll now navigate to 10.0.2.8. When I look at the Target tab in Site Map, I can see that Burp Suite has spidered its way through the Metasploitable web server, as well as all referenced sites.
As a pen tester, I can now look at the structure of the site and start to build a testing strategy based on what I find. At this point, I can also click on a webpage. I'll expand 10.0.2.8, expand dvwa, and select login.php. We can now see the webpage. McAfee provides a set of websites to use for testing. I've downloaded the Hacme Casino shown here and installed it on my Windows system on 10.0.2.7; I can access it using port 3000.
Okay, we're at the casino. I'll log in now using test credentials of John Doe, johndoe. I can see in the Target and Site Map tab that the traffic to and from the casino is being captured. The top of the left-hand list is 10.0.2.7, the casino site. If I right-click this, I have an option to spider the site. Spider now pops up a window asking for credentials to be entered.
To enable authenticated access, I'll enter johndoe in both fields and submit the form. A second form pops up; this is the registration form. I'll enter the details for a second user; I'll set it as johndoe2. If I click on the arrow to the left of the site URL in the Site Map panel, I can see the structure of the site. I can expand the lower level structures until I get to a page with no sub-pages.
In the right-hand panel, I can click on an HTTP message and the request and response packets are shown in the bottom panel; by default these are shown in Raw form. I can use the tabs to see them in hexadecimal. Over at the right in the Response tab, there's a webpage rendered. Let's use Burp Suite to intercept and modify an HTTP transaction. Firstly, I'll log in as bobby_blackjack with a password of 21 to check his account.
We can see Bobby has 9,000 chips. Okay, I'll now press options on Bobby's page. This will allow me to transfer some of Bobby's chips to another player. I'll go back to Burp Suite and select Proxy and set Intercept on. This will allow me to inspect and, if I want, make changes to web requests and responses. Back at the casino, I'll transfer 10 chips to Andy Aces.
I'll enter 10 and then press Transfer Chips. Back in Burp Suite, we have a message held waiting for us to inspect. We can see the 10 chip transfer in the request message. I'll just edit the 10 to a hundred and then press Forward, and I'll let all the other transactions go through. Back in the casino, we can see that a hundred chips have been moved from Bobby's account; he's now got 8,900 remaining.
Using Burp Suite, we've been able to intercept and modify the request message to transfer more chips than were originally requested.
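The intercept-and-edit step above works because the server only ever sees the bytes of the request, not what the form displayed. The following Python script is an added example, not code from the course or from Hacme Casino: it parses a request in the form Burp shows it in the Proxy tab, reproduces the edit of the transfer field (recomputing Content-Length, which Burp does for you automatically), and then shows the server-side checks that a transfer handler needs so that nothing it relies on comes from the client. The request path, the field names `transfer` and `login`, and the per-transfer limit are assumptions; the sample request is constructed.

```python
"""Added example: parse an intercepted HTTP form request, edit a field as one
would in Burp's Proxy > Intercept, and validate the transfer server-side."""
from urllib.parse import parse_qs, urlencode

# Constructed sample of a chip-transfer request as it would appear in Burp's
# intercept panel. Path, host and field names are assumptions, not taken from
# the Hacme Casino application.
INTERCEPTED_REQUEST = (
    "POST /account/transfer_chips HTTP/1.1\r\n"
    "Host: 10.0.2.7:3000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "transfer=10&login=andy_aces"
)

MAX_PER_TRANSFER = 500  # assumed business rule enforced on the server


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A mismatched Content-Length is the classic sign of a hand-edited body.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body.encode()):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "version": version,
            "headers": headers, "form": form}


def rewrite_form_field(raw: str, field: str, new_value: str) -> str:
    """Change one form field and fix up Content-Length, as the Burp editor does."""
    head, _, body = raw.partition("\r\n\r\n")
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    form[field] = new_value
    new_body = urlencode(form)
    lines = [ln for ln in head.split("\r\n")
             if not ln.lower().startswith("content-length:")]
    lines.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + new_body


def authorize_transfer(req: dict, session_user: str, balances: dict) -> int:
    """Server-side handler: the source account comes from the authenticated
    session, never from the request, and every client-supplied value is
    re-validated here. Returns the number of chips moved."""
    form = req["form"]
    raw_amount = form.get("transfer", "")
    if not raw_amount.isdigit():           # rejects "", "-5", "10.5", "1e3"
        raise ValueError("amount must be a positive integer")
    amount = int(raw_amount)
    if amount == 0 or amount > MAX_PER_TRANSFER:
        raise ValueError("amount out of range")
    recipient = form.get("login", "")
    if recipient not in balances or recipient == session_user:
        raise ValueError("unknown recipient")
    if balances[session_user] < amount:
        raise ValueError("insufficient chips")
    balances[session_user] -= amount
    balances[recipient] += amount
    return amount


if __name__ == "__main__":
    # Constructed balances matching the figures seen in the video.
    balances = {"bobby_blackjack": 9000, "andy_aces": 0}
    tampered = rewrite_form_field(INTERCEPTED_REQUEST, "transfer", "100")
    moved = authorize_transfer(parse_request(tampered), "bobby_blackjack", balances)
    print(f"moved {moved}, bobby now has {balances['bobby_blackjack']}")
```

The edited request in the video is still accepted by the casino because 100 is within Bobby's balance; the point of `authorize_transfer` is that the checks that make such a transfer acceptable (positive integer, per-transaction limit, sufficient balance, sender taken from the session) live on the server, so an edit in the proxy can never move more than the rules allow or debit an account other than the logged-in one.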
Cybersecurity expert Malcolm Shore reviews popular pen testing tools, as well as the Bash and Python scripting skills required to be able to acquire, modify, and re-use exploit code. He also provides a refresher on Kali Linux and introduces techniques for testing web services. At the end of this course, you'll be prepared to take more advanced training, and to pursue the popular Offensive Security Certified Professional (OSCP) certification.
- Pen testing overview
- Pen testing tools
- Bash scripting
- Python scripting
- Kali and Metasploit
- Web testing
- Finding exploit code