Sign In Start Free Trial
Account

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Hands-On Application Penetration Testing with Burp Suite
  • Table Of Contents Toc
Hands-On Application Penetration Testing with Burp Suite

Hands-On Application Penetration Testing with Burp Suite

By : Carlos A. Lozano , Dhruv Shah, Riyaz Ahemed Walikar
2 (2)
close
close
Hands-On Application Penetration Testing with Burp Suite

Hands-On Application Penetration Testing with Burp Suite

2 (2)
By: Carlos A. Lozano , Dhruv Shah, Riyaz Ahemed Walikar

Overview of this book

Burp suite is a set of graphic tools focused towards penetration testing of web applications. Burp suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The book starts by setting up the environment to begin an application penetration test. You will be able to configure the client and apply target whitelisting. You will also learn to setup and configure Android and IOS devices to work with Burp Suite. The book will explain how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. Once detection is completed and the vulnerability is confirmed, you will be able to exploit a detected vulnerability using Burp Suite. The book will also covers advanced concepts like writing extensions and macros for Burp suite. Finally, you will discover various steps that are taken to identify the target, discover weaknesses in the authentication mechanism, and finally break the authentication implementation to gain access to the administrative console of the application. By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.
Table of Contents (14 chapters)
close
close
12
Exploiting and Exfiltrating Data from a Large Shipping Corporation

Detecting XML-related issues, such as XXE


The XML issues need that the request accepts XML, so we need this information in the header's content-type, as follows:

text/xmlapplication/xml

We can configure a filter in Burp Suite to detect requests that have this information in the headers. To configure the filter, go to the Target tool, and then click on the Filter bar. Once there, select the XML file format, and if you want, write the content-type string that we know all requests need to have, as shown in the following screenshot:

After filtering the request that could be vulnerable, add common testing strings as a payload list in the Intruder tools, as with the past vulnerabilities, and launch them to all the potential requests. For example, one of the most common strings to detect XXE is the following:

<!ENTITY % three SYSTEM "file:///etc/passwd">

When the file appears in the response, it means that you have detected a vulnerability. I recommend the use of the next cheat sheet created by...

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Hands-On Application Penetration Testing with Burp Suite
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected

Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon