Hands-On Application Penetration Testing with Burp Suite

By: Carlos A. Lozano, Dhruv Shah, Riyaz Ahemed Walikar

Overview of this book

Burp Suite is a set of graphical tools focused on penetration testing of web applications. Burp Suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks. The book starts by setting up the environment to begin an application penetration test. You will be able to configure the client and apply target whitelisting. You will also learn to set up and configure Android and iOS devices to work with Burp Suite. The book will explain how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. Once detection is completed and the vulnerability is confirmed, you will be able to exploit a detected vulnerability using Burp Suite. The book will also cover advanced concepts like writing extensions and macros for Burp Suite. Finally, you will discover the various steps that are taken to identify the target, discover weaknesses in the authentication mechanism, and finally break the authentication implementation to gain access to the administrative console of the application. By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.
Table of Contents (19 chapters)

Title Page
Copyright and Credits
Contributors
About Packt
Preface
Chapter 12: Exploiting and Exfiltrating Data from a Large Shipping Corporation
Index

Preface

Burp Suite is a set of graphical tools focused on the penetration testing of web applications. Burp Suite is widely used for web penetration testing by many security professionals for performing different web-level security tasks.

The book will start with an introduction to web penetration testing and Burp Suite. Immediately afterward, we'll dive deep into the core concepts of web application security and how to use its tools, including the Spider module, the Intruder module, and more. We will also cover some advanced concepts, such as writing extensions and macros for Burp Suite.

This will act as a comprehensive guide toward performing end-to-end penetration testing with Burp Suite.

Who this book is for

If you are interested in learning how to test web applications and the web part of mobile applications using Burp, then this is the book for you. It is specifically designed to meet your needs if you have basic experience of using Burp, and are now aiming to become a professional Burp user.

What this book covers

Chapter 1, Configuring Burp Suite, takes us through preparing the system that will be used to attack the end application, before starting the actual application penetration test. This involves configuring Burp Suite to become the interception proxy for various clients and traffic sources.

Chapter 2, Configuring the Client and Setting Up Mobile Devices, looks at the three most popular user agents (Firefox, Chrome, and Internet Explorer) and configures them to work in tandem with the Burp Suite configuration that we created, so that we can intercept HTTP and HTTPS traffic. We will also set the system proxy in the Windows, Linux, and macOS operating systems for non-proxy-aware clients. Before beginning an application penetration test, we must be aware of the scope and target that we intend to attack. To ensure that our attack traffic is sent to the right target, and to prevent unnecessary clutter and noise during the testing, we can configure Burp Suite to work with specific scopes.

Chapter 3, Executing an Application Penetration Test, uses an example web application to look at how many security professionals jump to attacking the application without context, without understanding the application, and without scoping the target properly. We will look at the common areas that get overlooked due to this non-standard approach to penetration testing, and build the background for a staged approach to application penetration testing.

Chapter 4, Exploring the Stages of an Application Penetration Test, outlines the stages that are involved in the application penetration test and provides a wide overview of Burp Suite tools. Based on that knowledge, we are going to enumerate and gather information about our target.

Chapter 5, Preparing for an Application Penetration Test, details the key stages of an application penetration test performed to successfully meet the desired objectives of an engagement. Each of these stages produces data that can be used to progress to the next stage, until the desired set objective is met. The various stages of an application penetration test, namely reconnaissance, scanning, exploitation, and reporting, are covered in this chapter.

Chapter 6, Identifying Vulnerabilities Using Burp Suite, explains how various features of Burp Suite can be used to detect various vulnerabilities as part of an application penetration test. We will cover the detection of vulnerabilities such as SQL injection, OS command injection, Cross-Site Scripting (XSS), XML-related issues, XML External Entity (XXE) processing, Server-Side Template Injection (SSTI), and Server-Side Request Forgery/Cross-Site Port Attacks (SSRF/XSPA).

Chapter 7, Detecting Vulnerabilities Using Burp Suite, details how various features of Burp Suite can be used to detect additional vulnerabilities as part of an application penetration test. We will cover the detection of vulnerabilities, including Cross-Site Request Forgery (CSRF), insecure direct object references, issues arising out of security misconfiguration, weaknesses with deserialization, authentication issues surrounding OAuth (aside from generic authentication issues), issues regarding poor authorization implementations, and the detection of padding oracle attacks.

Chapter 8, Exploiting Vulnerabilities Using Burp Suite – Part 1, explains how, once detection is completed and the vulnerability is confirmed, it is time to exploit the vulnerability. The goal of the exploitation phase is to either gain access to data the application uses/protects, to gain access to the underlying operating system, to gain access to the accounts of other users, or any combination of these. In this chapter, we shall see how Burp Suite's various features can be used to exploit a detected vulnerability to fulfill the objective of the penetration test, or simply to generate a proof of concept to be used in the reporting phase.

Chapter 9, Exploiting Vulnerabilities Using Burp Suite – Part 2, covers the exploitation of even more vulnerabilities using Burp Suite once the initial detection is completed.

Chapter 10, Writing Burp Suite Extensions, shows you how Burp Suite's functionality can be extended using custom extensions that can be written in a variety of languages and added to Burp Suite using its Extender module. Burp Suite extensions can be used to process and modify HTTP requests and responses, customize the placement of attack insertion points within scanned requests, implement custom session handling, and retrieve and analyze headers, parameters, cookies, and other objects.

Chapter 11, Breaking the Authentication for a Large Online Retailer, walks you through a real-world case study of how a large online retailer was compromised by breaking its authentication implementation. This chapter outlines the various steps that were taken to identify the target, discover weaknesses in the authentication mechanism using Burp Suite, and finally attack and break the authentication implementation to gain access to the administrative console of the application.

Chapter 12, Exploiting and Exfiltrating Data from a Large Shipping Corporation, is a real-world case study of how a large shipping corporation was compromised and its data exfiltrated. This chapter walks the reader through the various steps that were taken to identify the target, discover weaknesses in the search functionality using Burp Suite, and finally attack and exploit the discovered blind SQL injection to exfiltrate data.

To get the most out of this book

To work through the samples and examples in this book, you'll require the following:

  • Burp Suite Professional
  • A PC

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The secret variable is the data assigned by the user during his registration."

A block of code is set as follows:

GET /?url=http://localhost/server-status HTTP/1.1
Host: example.com

Any command-line input or output is written as follows:

$ mkdir css
$ cd css

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on New scan."

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.