Sunday, May 24, 2020

Burp Suite Complete Guide (Part 2- Proxy Module)

We are done configuring Burp Suite with the Firefox browser; now it is time to use it.

Burp Suite has a number of built-in modules, each of which acts as a separate tool in its own right, so we will look at each of them separately with practical examples, detailed but useful descriptions, and the settings and options they offer.

When a browser request is intercepted, the Proxy module pops up automatically; that is the module we will cover in this post.

Burp Suite Proxy Module Tutorial


We are going to use DVWA to generate some requests, and we will find out how to analyze those requests and filter out the important things we need, along with some settings and configuration of the Proxy module.

Now let's head over to it directly.

So we will understand Proxy module requests through the CSRF (Cross-Site Request Forgery) vulnerability, which is directly associated with crafting requests to obtain victim credentials.


Burp Suite Intercept Tab


Before changing the password in DVWA, make sure to switch the proxy on in FoxyProxy and keep Intercept on.

DVWA

After hitting the Change button you will see Burp Suite pop up automatically: the request that was about to be sent to the DVWA application has been intercepted.

Burp suite intercepted request

It looks like this: a classic GET request sent to the web application. It reveals many things about how the web application interacts with the browser, such as the User-Agent, Cookie, Encoding and Referer headers, which are the things we can use or craft to build our forged requests.

Head over to the CSRF tutorial to know more about crafting requests.

Burp Suite Forward Tab


After analyzing or crafting a request we can forward it to the web application using the Forward button (the web application hangs until the request is forwarded, and then responds according to the request once Forward is pressed).

Burp Suite Drop Tab


Sometimes you only need to analyze a request and not send it to the web application (pentesting a web app with a limited number of requests). For example, it comes in very handy when you have only 3 attempts to send to a web application that will block further requests after wrong entries.
After pressing Drop this page will show up:

Intercept drop request


This says the request was dropped by the user; after pressing Back you will return to the page from which the request was sent.

Burp Suite Action Tab


Another very important tab in Burp Suite, which allows it to interact with other modules such as Intruder, Repeater, Comparer, and Decoder.


Change Request Method - with the interaction tools this gives one-click functionality to change the request method. It changes a GET request into a POST request in one click, saving a lot of time and hassle.

Change Body Encoding - works well when you need to change the body encoding of a request; just click on Change Body Encoding and Burp does it for you.

Copy URL - many of you are wondering how to get the URL of a request after modifying and crafting it. Click on Copy URL and it will copy it for you.

Copy as curl command - many times a request needs to be run with curl. Click on Copy as curl command and it is ready to paste into the terminal as a curl command, which will execute the request directly from curl. (Sometimes important.)

The Action tab also gives Copy to file and Paste from file features, which are very handy. Save item can save requests so we can use them next time without intercepting again.

Don't intercept this request - if you do not want to intercept requests for some host, IP, file extension, or directory, click on Don't intercept this request and select which of them you want excluded. If you are getting uninteresting requests or unwanted things, use these filter rules.

Do intercept response - allows us to intercept the response to the request currently displayed, so the intercepted response can be used for pen-testing.

URL encoding while typing - can automatically URL-encode the request while you are editing it.



Proxy Module Intercept requests

  • Raw Requests -

These are the requests you get when Burp Suite pops up and shows the browser request being sent to the application. You can also modify the request in this tab. This is the basic way Burp Suite shows you requests: nothing fancy, but useful and easy to understand.


  • Param Requests -

Also called parameterised requests; here the parameters in a request are easy to see and clearly separated, and you can edit them in place.


Burp suite request parameters

This is the request of this page.

DVWA Burp suite request parameters


Here we can clearly see the Username and Password parameters, where we can edit the inputs or send them to other modules to work with.
We can also see a cookie parameter, which is also very useful in terms of hacking, such as session hijacking.



  • Headers (Request Headers)

If you are having trouble distinguishing the various headers in a raw request, jump to the Headers tab and you will see all the headers and their values laid out in a clear tabular manner.

header requests burp suite

As you can see in the picture, you get a clear idea of the Host, User-Agent, Referer, cookies, and lots of other things, all well described.


  • Hex Requests -

In this tab the whole request is shown as hex. Hex is not something you read every day, but it comes up in places like MAC addresses, HTML and CSS colour codes, assembly code and memory dumps.


Burp suite requests in HEX

As you can see it's difficult to read and a bit of a headache; we leave it to the systems and machines to understand.
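To make the Params, Headers and Hex views concrete, here is an added example (not code from the original post or from Burp Suite) that takes a constructed DVWA-style change-password GET request and produces the same views in Python: the header table, the parameter list with its type column (URL, cookie, body) and a hex dump with offsets and printable ASCII like the Hex tab. The request text, the session ID and the password values are constructed for the example.

```python
"""Added example (not from the original post): rebuild Burp's Params, Headers and Hex
views from a constructed raw request so the tabs are easier to understand."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a DVWA-style "change password" GET, similar to what Burp intercepts.
# The session ID and password values are made up for this example.
RAW_REQUEST = (
    "GET /dvwa/vulnerabilities/csrf/?password_new=secret1&password_conf=secret1&Change=Change HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://127.0.0.1/dvwa/vulnerabilities/csrf/\r\n"
    "Cookie: security=low; PHPSESSID=constructedsessionid\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def split_request(raw):
    """Split a raw HTTP/1.x request into (request line, headers dict, body).

    The Headers tab shows one row per header; a dict is enough here because the
    constructed request has no repeated header names.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def params_view(raw):
    """Burp's Params tab: every parameter as (type, name, value)."""
    request_line, headers, body = split_request(raw)
    method, target, _version = request_line.split(" ", 2)
    params = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.append(("URL", name, value))
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            params.append(("cookie", name, value))
    if method == "POST":  # form bodies only carry parameters on POST
        for name, value in parse_qsl(body, keep_blank_values=True):
            params.append(("body", name, value))
    return params


def hex_view(raw, width=16):
    """Burp's Hex tab: offset, hex bytes and printable ASCII, 16 bytes per row."""
    data = raw.encode("latin-1")
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return rows


if __name__ == "__main__":
    _, hdrs, _ = split_request(RAW_REQUEST)
    for name, value in hdrs.items():          # Headers tab
        print(f"{name}: {value}")
    for kind, name, value in params_view(RAW_REQUEST):  # Params tab
        print(f"[{kind}] {name} = {value}")
    print("\n".join(hex_view(RAW_REQUEST)[:3]))        # first rows of the Hex tab
```

Because the sample is a GET, the password values show up as URL parameters; the same code lists them as body parameters for a POST, which is exactly the difference you see in Burp when you use Change Request Method.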


  • HTTP History Tab (Proxy)

This is the place where all of our previously intercepted requests are stored, and we can access them again from here.


Burp suite proxy HTTP history

A big advantage of this HTTP history is that it gives pretty good information about each request: the host, whether it was a GET or POST request, the URL, the parameters, and so on.
We can also add filters to find the request we want.

WebSocket history gives us slightly different information, such as direction, TLS, and the listener port.


Burp Suite Proxy Options

 

Proxy Listeners


Proxy listeners create a local HTTP proxy server that the browser and other HTTP clients connect to. Once configured, it listens for and intercepts all the requests traveling from the browser to the web, and the responses on their way back.
By default this proxy listener is set to 127.0.0.1:8080, and the browser also needs to be configured to use this proxy.

All browsers can be listened to and intercepted using this one proxy. Only if we want to test an unusual application, or need to work with a non-browser-based application, do we add different proxy listeners as required.


Intercept client response




This setting controls which requests and responses come into the Intercept tab, and we can apply several rules to filter them.



Proxy intercept Client request burp suite

Several rules are available and can be activated or deactivated using the checkboxes; these rules can also be added, removed, or modified for our own use.


We can filter requests and responses by many parameters such as URL, IP address, MIME type, port number, HTML and CSS types, various parameters, cookies, HTTP methods, status codes, length and so on. These rules can also be adjusted to work only within the target scope.
You can use boolean logic such as AND and OR, which is processed in order, to combine rules.
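Here is an added example (not part of the original post, and not Burp's own code) that models the Intercept Client Requests rule table in Python: rules are evaluated top to bottom, each enabled rule's And/Or operator combines it with the running result, and the first enabled rule's operator is ignored. The rule table, the request dictionary shape and the host and extension values are constructed for the example. Running it shows why rule order matters: an image request is skipped, but the same URL sent with POST is still intercepted because of the later Or rule.

```python
"""Added example (not from the original post): a small model of the Intercept Client
Requests rule table, evaluated top to bottom with And/Or as the text describes."""
import re
from urllib.parse import urlsplit

# Constructed rule table: (enabled, operator, match type, relationship, condition).
# The operator of the first enabled rule is ignored; later rules combine with the running result.
RULES = [
    (True, "Or",  "file_extension", "does_not_match", r"^(gif|jpg|png|css|js|ico)$"),
    (True, "And", "domain_name",    "matches",        r"^127\.0\.0\.1$"),
    (True, "Or",  "http_method",    "matches",        r"^POST$"),
]


def extract_field(request, match_type):
    """Pull out the part of a request that a rule's match type looks at.

    request is a constructed dict: {"method": str, "url": absolute URL, "headers": dict, "body": str}.
    """
    parts = urlsplit(request["url"])
    if match_type == "domain_name":
        return parts.hostname or ""
    if match_type == "http_method":
        return request["method"]
    if match_type == "url":
        return request["url"]
    if match_type == "file_extension":
        last = parts.path.rsplit("/", 1)[-1]      # last path segment, e.g. "logo.png"
        return last.rsplit(".", 1)[1] if "." in last else ""
    raise ValueError(f"unsupported match type: {match_type}")


def rule_hits(rule, request):
    """True when the rule's relationship holds for this request."""
    _enabled, _operator, match_type, relationship, condition = rule
    found = re.search(condition, extract_field(request, match_type)) is not None
    return found if relationship == "matches" else not found


def should_intercept(request, rules=RULES):
    """Evaluate the enabled rules in order; an empty table means everything is intercepted."""
    result = None
    for rule in rules:
        enabled, operator = rule[0], rule[1]
        if not enabled:
            continue
        hit = rule_hits(rule, request)
        if result is None:            # first enabled rule seeds the result
            result = hit
        elif operator == "And":
            result = result and hit
        else:
            result = result or hit
    return True if result is None else result


def make_request(method, url, cookie=""):
    """Constructed request factory used by the demo below."""
    return {"method": method, "url": url, "headers": {"Cookie": cookie}, "body": ""}


if __name__ == "__main__":
    samples = [
        ("GET", "http://127.0.0.1/dvwa/vulnerabilities/csrf/"),
        ("GET", "http://127.0.0.1/dvwa/images/logo.png"),
        ("POST", "http://127.0.0.1/dvwa/images/logo.png"),
        ("GET", "http://example.com/index.html"),
    ]
    for method, url in samples:
        verdict = "intercept" if should_intercept(make_request(method, url)) else "pass through"
        print(f"{method} {url} -> {verdict}")
```

Reading the table the way the code does is the quickest way to debug a rule set that intercepts too much or too little: each row either narrows (And) or widens (Or) what the rows above it decided.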

Proxy intercept Client response burp suite


Automatically fix missing or superfluous new lines at end of request - if an edited request doesn't have a blank line following the headers, Burp will add it. If an edited request containing URL-encoded parameters has any newline characters at the end of the body, Burp will remove them.
This option is useful while editing a large number of requests in Intercept, and avoids issuing invalid requests to the server.

Automatically update Content-Length - this option updates the Content-Length header when the message has been modified by the user.
Useful when the HTTP body has been edited.

Intercepting WebSocket messages


These checkboxes control which WebSocket messages are held for viewing and editing in the Intercept tab.

You can configure whether outgoing messages (client to server) or incoming messages (server to client) are intercepted.


Burp Suite Response modification


Response Modification -


You can use these options to automatically modify or rewrite the HTML in application responses.

Client-side controls can be removed using the following options:


  • Unhide hidden form fields (for easy identification there is a sub-option that prominently highlights the unhidden fields on screen)
  • Enable disabled form fields
  • Remove input field length limits
  • Remove JavaScript form validation
These options are useful when testing client-side logic.

  • Remove all JavaScript
  • Remove <object> tags

These options can be used to deliver sslstrip-like attacks to a victim user whose traffic is unwittingly passing through Burp Suite. Use them together with the option to force TLS in outgoing requests to effectively strip TLS from the user's connection.


  • Convert HTTPS links to HTTP
  • Remove the secure flag from cookies

Match and Replace


Another very important option of Burp Suite, which allows us to change or replace parts of every HTTP request and response passing through the proxy. Match and replace rules are executed in turn, and each applicable replacement is made.

Burp Suite Match and replace

Rules can be defined separately for the first line, headers or body of requests and responses. Each rule is specified with either a literal match string or a regex pattern, and the string to replace it with.

Many default rules are available to assist with common tasks;
they are disabled by default.

If you are having problems with regex, here is a cheat sheet to make your day easier.


Regex cheat sheet

Match and replace can be very useful when fuzz testing user agents and other parameters.
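The following added example (not from the original post or from Burp Suite itself) implements Burp-style match-and-replace rules on a raw request in Python, then applies the two Intercept housekeeping options described earlier (the blank line after the headers and the Content-Length update) so the rewritten request is still valid. The rule table, the edited request and the session value are constructed; as in Burp, a header rule with an empty replacement removes the whole header, which is used here to drop Accept-Encoding.

```python
"""Added example (not from the original post): Burp-style match-and-replace rules on a raw
request, followed by the new-line and Content-Length fixes Burp's Intercept options offer."""
import re

# Constructed rule table in the shape of Burp's: (type, match, replace, is_regex).
# An empty replacement for a header rule removes the header line entirely.
RULES = [
    ("request_header", r"^User-Agent: .*$", "User-Agent: constructed-test-agent/1.0", True),
    ("request_header", r"^Accept-Encoding: .*$", "", True),   # stops the server compressing responses
    ("request_body", "password_new=secret1", "password_new=newpass123", False),
]

# Constructed edited request: stale Content-Length and a stray newline typed after the body.
EDITED_REQUEST = (
    "POST /dvwa/vulnerabilities/csrf/ HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 12\r\n"
    "Cookie: security=low; PHPSESSID=constructedsessionid\r\n"
    "\r\n"
    "password_new=secret1&password_conf=secret1&Change=Change\r\n"
)


def split_request(raw):
    """Return (request line, list of header lines, body) from raw HTTP/1.x text."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.rstrip("\r\n").split("\r\n")
    return lines[0], lines[1:], body


def apply_rules(raw, rules):
    """Apply each rule in turn to the part of the request its type selects."""
    first, headers, body = split_request(raw)
    for rtype, match, repl, is_regex in rules:
        pattern = re.compile(match if is_regex else re.escape(match))
        repl_fn = repl if is_regex else (lambda m, r=repl: r)   # literal rules never expand \1
        if rtype == "request_first_line":
            first = pattern.sub(repl_fn, first)
        elif rtype == "request_header":
            headers = [h for h in (pattern.sub(repl_fn, h) for h in headers) if h]
        elif rtype == "request_body":
            body = pattern.sub(repl_fn, body)
    return "\r\n".join([first, *headers]) + "\r\n\r\n" + body


def normalize(raw):
    """Model Burp's 'fix missing or superfluous new lines' and 'update Content-Length' options."""
    first, headers, body = split_request(raw)
    is_form = any(h.lower().startswith("content-type:") and "x-www-form-urlencoded" in h.lower()
                  for h in headers)
    if is_form:
        body = body.rstrip("\r\n")   # a newline after a URL-encoded body would corrupt the last value
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    if body or first.split(" ", 1)[0] in ("POST", "PUT", "PATCH"):
        headers.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join([first, *headers]) + "\r\n\r\n" + body


def rewrite(raw, rules=RULES):
    """Match-and-replace followed by the housekeeping fixes, as the proxy would do on forward."""
    return normalize(apply_rules(raw, rules))


if __name__ == "__main__":
    print(rewrite(EDITED_REQUEST).replace("\r\n", "\n"))
```

The order matters: the body rule changes the length of the body, so Content-Length must be recomputed after all replacements, which is why Burp's option is applied when the request is forwarded rather than as you type.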


TLS pass through



This setting is useful when an application uses a mix of HTTP and HTTPS connections, or when a TLS connection is problematic. Burp will then pass the TLS connection through directly, and the requests and responses from that connection are made available to intercept.

If the checkbox "Automatically add entries on client TLS negotiation failure" is enabled, Burp will add the relevant server to the TLS pass-through list when the client fails TLS negotiation (for example because it does not recognise the Burp CA certificate).

Miscellaneous


These settings control certain behaviours of the Proxy module;
let's see them one by one.



  • Use HTTP/1.0 in requests to server

This option forces HTTP version 1.0 in requests to the server; by default Burp Suite passes the request through with its original HTTP version.
Useful when a legacy server strictly requires HTTP version 1.0 to function correctly.
Leave it unchecked otherwise.


  • Use HTTP/1.0 in responses to client

Current browsers support both versions of HTTP, i.e. 1.0 and 1.1. Version 1.0 has reduced functionality compared to 1.1, but it can be useful when control of browser behavior is needed, such as when dealing with HTTP pipelining.
Keep it unchecked except in such cases.

  • Set response header Connection: close

This option can be useful when you need to prevent HTTP pipelining in some situations.
Keep it unchecked otherwise.

  • Set "Connection: close" on incoming requests

This option may also help to prevent HTTP pipelining in some cases.

  • Strip Proxy-* headers in incoming requests

Browsers sometimes send headers that are intended only for the proxy server. Some attacks, such as buffer overflows, can cause a site to include sensitive data or requests to the browser within these headers, so Burp Proxy strips them.
Keep this option checked so Burp does not forward these headers unmodified.

  • Remove unsupported encodings from Accept-Encoding headers in incoming requests

The browser advertises various types of encoding for compression of content etc. Some of these encodings cause problems when Burp processes the resulting messages, so by default Burp removes the unsupported ones to reduce the chance they are used and to get clear, readable traffic.
If you are working with a server that supports only an encoding Burp does not, uncheck this option.

  • Strip Sec-WebSocket-Extensions headers in incoming requests

Browsers offer various extensions to WebSocket connections, for compression of content etc.
Some of these extensions can cause problems when Burp processes the messages, so by default Burp removes this header to reduce the chance of those extensions being used.
If your testing requires certain extensions, uncheck this option.

  • Unpack GZIP / deflate in requests

Some applications compress the message body in requests. This option automatically unpacks compressed bodies and makes them editable, but sometimes an application can break if it sees that the compression has been removed by Burp.
Check it only when the application seems to accept it.

  • Unpack GZIP / deflate in responses

Most websites use GZIP to compress the content of responses. This option unpacks compressed response bodies for you.
You can also prevent servers from compressing responses by removing the Accept-Encoding header from requests using the match and replace feature.

  • Disable web interface at http://burp

Use this option when your listener accepts connections on an unprotected interface, to prevent others from gaining access to Burp's in-browser interface.

  • Suppress Burp error messages in the browser

When an error occurs in Burp, Burp sends an error message to the browser. Sometimes we need to run Burp Suite in stealth mode, for example in a man-in-the-middle setup where a victim could notice our presence from these errors, so we suppress these messages to disguise Burp's involvement.

  • Don't send items to Proxy history or live tasks

When you only want to do a specific task like authenticating to an upstream server or performing a match and replace operation, you may not want to incur the memory and storage overhead of logging every request. This option prevents Burp Suite from logging any requests to the Proxy history or sending them to live tasks such as live auditing and passive crawling.

  • Don't send items to Proxy history or live tasks if out of scope

This option is useful to avoid accumulating project data for out-of-scope items. It prevents Burp Suite from logging any out-of-scope request to the Proxy history or sending it to live tasks such as passive crawling and live auditing.
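As an added example (not from the original post, and not how Burp implements it), the following Python function models several of the Miscellaneous options on a request arriving from the browser: stripping Proxy-* and Sec-WebSocket-Extensions headers, removing unsupported encodings from Accept-Encoding, setting Connection: close, unpacking a gzip-compressed request body (and recomputing Content-Length), and optionally downgrading the request line to HTTP/1.0. The option names, the supported-encoding set and the sample request are constructed for the example.

```python
"""Added example (not from the original post): the Miscellaneous proxy options modelled as
one function that cleans up a request on its way from the browser to the server."""
import gzip

# Constructed option set mirroring the checkboxes described above.
OPTIONS = {
    "use_http10_to_server": False,
    "set_connection_close": True,
    "strip_proxy_headers": True,
    "remove_unsupported_encodings": True,
    "strip_websocket_extensions": True,
    "unpack_gzip_requests": True,
}
# Assumption for the example: the encodings this model is able to handle.
SUPPORTED_ENCODINGS = {"gzip", "deflate", "identity"}

# Constructed browser request: proxy-only headers, an unsupported "br" encoding,
# a WebSocket extension offer and a gzip-compressed form body.
BODY = b"password_new=secret1&password_conf=secret1&Change=Change"
GZIPPED = gzip.compress(BODY)
BROWSER_REQUEST = b"\r\n".join([
    b"POST /dvwa/vulnerabilities/csrf/ HTTP/1.1",
    b"Host: 127.0.0.1",
    b"Proxy-Connection: keep-alive",
    b"Connection: keep-alive",
    b"Accept-Encoding: gzip, deflate, br",
    b"Sec-WebSocket-Extensions: permessage-deflate",
    b"Content-Encoding: gzip",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: " + str(len(GZIPPED)).encode(),
    b"",
    GZIPPED,
])


def parse(raw: bytes):
    """Return (request line, list of header lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body


def sanitize(raw: bytes, options=OPTIONS) -> bytes:
    """Apply the enabled Miscellaneous options to a request from the browser."""
    first, headers, body = parse(raw)
    out = []
    content_encoding = None
    for h in headers:
        name, _, value = h.partition(":")
        lname, value = name.strip().lower(), value.strip()
        if options["strip_proxy_headers"] and lname.startswith("proxy-"):
            continue   # meant for the proxy, never for the origin server
        if options["strip_websocket_extensions"] and lname == "sec-websocket-extensions":
            continue
        if options["set_connection_close"] and lname == "connection":
            continue   # re-added as "close" below
        if options["remove_unsupported_encodings"] and lname == "accept-encoding":
            kept = [e.strip() for e in value.split(",")
                    if e.strip().split(";")[0] in SUPPORTED_ENCODINGS]
            if not kept:
                continue
            value = ", ".join(kept)
        if lname == "content-encoding":
            content_encoding = value.lower()
        if lname == "content-length":
            continue   # recomputed after any unpacking
        out.append(f"{name.strip()}: {value}")
    if options["unpack_gzip_requests"] and content_encoding == "gzip":
        body = gzip.decompress(body)
        out = [h for h in out if not h.lower().startswith("content-encoding:")]
    if options["set_connection_close"]:
        out.append("Connection: close")
    if body:
        out.append(f"Content-Length: {len(body)}")
    if options["use_http10_to_server"]:
        first = first.rsplit(" ", 1)[0] + " HTTP/1.0"
    return ("\r\n".join([first, *out]) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    print(sanitize(BROWSER_REQUEST).decode("latin-1").replace("\r\n", "\n"))
```

Seeing the options as one pass over the headers also explains the caveat in the text about unpacking request bodies: once the body is decompressed, Content-Encoding has to go and Content-Length has to change, so a server that insists on the compressed form will notice.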





