Penetration Testing has been an Important field in Information Security . Over time it has evolved and expanded from just standalone computers to networks and now to Web Applications .Web Applications are an important part of an organisations Infrastructure as well as seen as E-commerce websites by the commons . In this artical , we will be talking about a very important and widely used web application penetration testing tool , The BurpSuite .
Penetration testing [also referred to as pen testing] is a methodology for testing a computer system, network or Web application to find vulnerabilities[the loopholes] that an attacker could exploit.The objective of a penetration test is to find the security loopholes and the vulnerabilities . Penetration testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone.
Web Application Penetration Testing
Burp Suite is lots of web application tools bundled into one and the best of available tools for web application testing.This wide variety of features in one tool (that has a user friendly interface)helps to perform various penetration testing tasks within one tool Window .
- The Burp comes with the following features :
- Intercepting a Request
- Modifying Request on the fly
- Scanning a web application for vulnerabilities
- Brute forcing login forms
- Perform a check for the randomness of session tokens and what not . You think of a strategy of web application pentest
In this post we will discuss the features of Burp and how they will be helpful during a web application penetration test .
1) Proxy –Proxy is the most useful feature of the Burpsuite and must be understood before proceeding to any other feature . Burp Suite comes with an inbuilt proxy, which is configured and run on port 8080 by default(however we can always change the port number as per the requirements of the penetration test). Using this proxy, we can intercept and modify the traffic as it flows from the client system to the web application. To use this proxy, all we need to do is to configure our browser for using this proxy. The proxy feature allows us to intercept and modify the HTTP requests and responses shared between the Burp Client and the Server. Not only you can change the port of the proxy , but also set up a new proxy altogether .
2) Spider – The spider feature of Burp Suite is used to crawl web applications and look for new links, content, etc. It automatically submits login forms (through user defined input) in case it finds any, and looks for new content from the responses. This information can then be sent to the Burp Scanner to perform a detailed scan on all the links and content provided by the spider.Burp Spider is used for mapping web application. It will automatically crawl the web application looking for links and will submit any login forms it finds and hence provide a detailed analysis of the whole application. These links can then be passed over to Burp Scanner to perform a detailed scan using the information provided by the scanner.
3) Scanner – It is used to scan web applications for vulnerabilities. The type of scanning can be passive, active or user-directed. Some false positives might occur during the tests. It is important to remember that no automated scanner is 100 percent accurate in its results. Unfortunately Burp Scanner is not available with the free edition that is included in Backtrack 5.Burp Scanner is one of the most powerful web application scanners. Though, like any other web application scanner, it is not perfect and some false positives may occur. Burp Scanner is not available with the free edition. You can find more information about Burp Scanner
4) Intruder – This feature can be used for various purposes like exploiting vulnerabilities, fuzzing web applications, carrying out brute force attacks etc.Burp Intruder can be used for exploiting vulnerabilities, fuzzing, carrying out brute force attacks and many other purposes. In this case we will be using the Intruder feature in Burp Suite to carry out a brute force attack against DVWA. Browse over to DVWA and click on Brute Force. Enter any username/password, make sure Intercept is on in Burp Suite, and click on Login.The request will be intercepted by Burp Suite, right click on it and click on send to intruder.
5) Repeater – This feature is used to modify and send the same request a number of times and analyze the responses in all those different cases.With Burp Repeater, we can manually modify a request, and resend it to analyze the response. We need to send a request to Burp Repeater for this. The request can be sent to it from various places like Intruder, proxy, etc.
6) Sequencer – This feature is mainly used to check the randomness of session tokens provided by the web application. It performs various advanced tests to figure this out.Burp Suite Sequencer is used to figure out the randomness of the session tokens generated by a web application. This is because session tokens are usually used to authenticate a user, and hence should not be compromised. It is important for a web application to have a high degree of randomness for session tokens, so that brute force attacks are not successful against it. We need to send a request which returns a session token to the sequencer, the Sequencer then repeatedly sends the request, thus obtaining a high number of session IDs. It then passes these session IDs through various statistical tests to determine the randomness.
7) Decoder – Decoder feature is utilized to decode data to get back the original form, or to encode and encrypt the data.Burp Suite Decoder can be used to decode encoded data and get it back into its canonical form. It can also be used to encode and encrypt data to get the encoded and encrypted forms. We can manually paste data into the decoder or send an encoded request to it. In this case I will be sending an HTML Basic authentication request that contains the username and password in base64 encoded form to the decoder. Right click on the request and click on Send to Decoder
8) Comparer – Comparer feature of the Burp Suite is used to perform a comparison between any two requests, responses or any other form of data. This feature could be useful when comparing the responses with different inputs.