Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Hands-On Application Penetration Testing with Burp Suite
  • Table Of Contents Toc
Hands-On Application Penetration Testing with Burp Suite

Hands-On Application Penetration Testing with Burp Suite

By : Carlos A. Lozano , Dhruv Shah, Ahemed Walikar
2 (2)
Buy this Book
close
close
Hands-On Application Penetration Testing with Burp Suite

Hands-On Application Penetration Testing with Burp Suite

2 (2)
By: Carlos A. Lozano , Dhruv Shah, Ahemed Walikar
Buy this Book

Overview of this book

Burp suite is a set of graphic tools focused towards penetration testing of web applications. Burp suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The book starts by setting up the environment to begin an application penetration test. You will be able to configure the client and apply target whitelisting. You will also learn to setup and configure Android and IOS devices to work with Burp Suite. The book will explain how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. Once detection is completed and the vulnerability is confirmed, you will be able to exploit a detected vulnerability using Burp Suite. The book will also covers advanced concepts like writing extensions and macros for Burp suite. Finally, you will discover various steps that are taken to identify the target, discover weaknesses in the authentication mechanism, and finally break the authentication implementation to gain access to the administrative console of the application. By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.
Table of Contents (14 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Get in touch
Lock Free Chapter
1
Configuring Burp Suite
Icon
Configuring Burp Suite
Icon
Getting to know Burp Suite
Icon
Setting up proxy listeners
Icon
Managing multiple proxy listeners
Icon
Working with non-proxy-aware clients
Icon
Creating target scopes in Burp Suite
Icon
Working with target exclusions
Icon
Quick settings before beginning
Icon
Summary
2
Configuring the Client and Setting Up Mobile Devices
Icon
Configuring the Client and Setting Up Mobile Devices
Icon
Setting up Firefox to work with Burp Suite (HTTP and HTTPS)
Icon
Setting up Chrome to work with Burp Suite (HTTP and HTTPS)
Icon
Setting up Internet Explorer to work with Burp Suite (HTTP and HTTPS)
Icon
Additional browser add-ons that can be used to manage proxy settings
Icon
Setting system-wide proxy for non-proxy-aware clients
Icon
Setting up Android to work with Burp Suite
Icon
Setting up iOS to work with Burp Suite
Icon
Summary
3
Executing an Application Penetration Test
Icon
Executing an Application Penetration Test
Icon
Differences between a bug bounty and a client-initiated pentest
Icon
Initiating a penetration test
Icon
Why Burp Suite? Let's cover some groundwork!
Icon
Why Burp Suite Scanner?
Icon
Summary
4
Exploring the Stages of an Application Penetration Test
Icon
Exploring the Stages of an Application Penetration Test
Icon
Stages of an application pentest
Icon
Getting to know Burp Suite better
Icon
Summary
5
Preparing for an Application Penetration Test
Icon
Preparing for an Application Penetration Test
Icon
Setup of vulnerable web applications
Icon
Reconnaissance and file discovery
Icon
Testing for authentication via Burp
Icon
Summary
6
Identifying Vulnerabilities Using Burp Suite
Icon
Identifying Vulnerabilities Using Burp Suite
Icon
Detecting SQL injection flaws
Icon
Detecting OS command injection
Icon
Detecting XSS vulnerabilities
Icon
Detecting XML-related issues, such as XXE
Icon
Detecting SSTI
Icon
Detecting SSRF
Icon
Summary
7
Detecting Vulnerabilities Using Burp Suite
Icon
Detecting Vulnerabilities Using Burp Suite
Icon
Detecting CSRF
Icon
Detecting Insecure Direct Object References
Icon
Detecting security misconfigurations
Icon
Detecting insecure deserialization
Icon
Detecting OAuth-related issues
Icon
Detecting broken authentication
Icon
Summary
8
Exploiting Vulnerabilities Using Burp Suite - Part 1
Icon
Exploiting Vulnerabilities Using Burp Suite - Part 1
Icon
Data exfiltration via a blind Boolean-based SQL injection
Icon
Executing OS commands using an SQL injection
Icon
Executing an out-of-band command injection
Icon
Stealing session credentials using XSS
Icon
Taking control of the user's browser using XSS
Icon
Extracting server files using XXE vulnerabilities
Icon
Performing out-of-data extraction using XXE and Burp Suite collaborator
Icon
Exploiting SSTI vulnerabilities to execute server commands
Icon
Summary
9
Exploiting Vulnerabilities Using Burp Suite - Part 2
chevron up
Icon
Exploiting Vulnerabilities Using Burp Suite - Part 2
Icon
Using SSRF/XSPA to perform internal port scans
Icon
Using SSRF/XSPA to extract data from internal machines
Icon
Extracting data using Insecure Direct Object Reference (IDOR) flaws
Icon
Exploiting security misconfigurations
Icon
Using insecure deserialization to execute OS commands
Icon
Exploiting crypto vulnerabilities
Icon
Brute forcing HTTP basic authentication
Icon
Brute forcing forms
Icon
Bypassing file upload restrictions
Icon
Summary
10
Writing Burp Suite Extensions
Icon
Writing Burp Suite Extensions
Icon
Setting up the development environment
Icon
Writing a Burp Suite extension
Icon
Executing the extension
Icon
Summary
11
Breaking the Authentication for a Large Online Retailer
Icon
Breaking the Authentication for a Large Online Retailer
Icon
Remembering about authentication
Icon
Large online retailers
Icon
Performing information gathering
Icon
Summary
12
Exploiting and Exfiltrating Data from a Large Shipping Corporation
Icon
Exploiting and Exfiltrating Data from a Large Shipping Corporation
Icon
Discovering Blind SQL injection
Icon
Summary
13
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think

Exploiting crypto vulnerabilities

More than exploiting vulnerabilities related to cryptography, Burp Suite allows users to perform analysis to detect weak algorithms.

To perform this analysis, we need to create a capture. This capture is just a navigation where we log in and log out from an application in order to create sessions, tokens, and IDs. The idea is to create the biggest capture that we can in order to have a sample.

 

 

After creating the capture, use the normal history in Burp Suite, go to the Sequencer tool, and click on Analyze now, as demonstrated in the following screenshot:

Here, you can see the final analysis, as follows:

The Final Analysis

Now, you can determine whether the algorithm used is weak or not based on the entropy, the charset, and the probability.

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Hands-On Application Penetration Testing with Burp Suite
End of Section 9
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon