Book Image

Hands-On Application Penetration Testing with Burp Suite

By : Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar
Book Image

Hands-On Application Penetration Testing with Burp Suite

By: Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar

Overview of this book

Burp suite is a set of graphic tools focused towards penetration testing of web applications. Burp suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The book starts by setting up the environment to begin an application penetration test. You will be able to configure the client and apply target whitelisting. You will also learn to setup and configure Android and IOS devices to work with Burp Suite. The book will explain how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. Once detection is completed and the vulnerability is confirmed, you will be able to exploit a detected vulnerability using Burp Suite. The book will also covers advanced concepts like writing extensions and macros for Burp suite. Finally, you will discover various steps that are taken to identify the target, discover weaknesses in the authentication mechanism, and finally break the authentication implementation to gain access to the administrative console of the application. By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.
Table of Contents (19 chapters)
Title Page
Copyright and Credits
Contributors
About Packt
Preface
12
Exploiting and Exfiltrating Data from a Large Shipping Corporation
Index

Quick settings before beginning


This section highlights five quick settings that can be enabled/set/configured before beginning a test to become productive immediately:

  • Enable server response interception: By default, Burp is not configured to intercept server responses. This can, however, be enabled using the Intercept Server Responsesoptions underProxy | Options. Enable interception of responses whenRequest|Was modifiedand whenRequest|Was intercepted.
  • Enable the Unhide hidden form fields and select the Prominently highlight unhidden fields option: This can be found under the Proxy | Options | Response Modification panel. This is very useful when browsing an application that stores or uses hidden HTML form fields to make application decisions.

The hidden field is visible on the page and highlighted very conspicuously, allowing you to edit the contents directly in the page if required.

  • Enable the Don't send items to Proxy history or other Burp tools, if out of scope option: This option can be found under Proxy | Options | Miscellaneous. When enabled, this option prevents Burp from sending out-of-scope requests and responses to the Proxy | History and other Burp tools, such as Scanner and Target. These requests and responses are sent and received, but not logged in any of Burp's feature sets.
  • Set a keyboard shortcut to issue a Repeater request: This is a very useful setting that can be enabled to avoid clicking the Go button using the mouse when working with the Repeater module of Burp. Burp already allows items to be sent to Repeater via the Proxy | History tab using Ctrl + R. Switching to the Repeater window can be achieved with Ctrl + Shift + R. Adding a shortcut to sending a request using Repeater completes the chain of keystrokes required to pick an item from Proxy | History, and sending it forward.
  • Schedule a Save state operation: Burp has a task scheduler that can be invoked for certain tasks, such as resuming and pausing scans and spidering. You can reach the task scheduler from Project Options | Misc | Scheduled Tasks.
  • One of the key operations that the task scheduler supports is the auto save state. Select Save state and click Next:
    1. Select a file that will contain the save state and, if required, select the In-scope items only checkbox, as shown in the following screenshot:
    1. Select when to start the task and the interval. During a busy engagement, saving every 30 minutes is a good interval to begin with:
    1. Click finish to activate the Scheduled Task, as shown in the following screenshot: