Saturday, June 13, 2020

Burp Suite Complete Tutorial (Part 3: Target Tab)

Burp Suite Target tab

Burp Suite's Target tab gives us all the vital information about our target's functionality and content. The site map shows the target's content neatly and makes it easy to access, and applying a scope to the target keeps that view focused.

The Target tab is all about discovering the target application's content and functionality with the site map; with the scope, we can focus only on the things we want to test.

Now we will look at the sub-tabs of the Target tab:

  • Site Map
  • Scope
  • Issue Definitions


Burp Suite Target Site Map 

In Burp Suite's site map we can see the target application thoroughly, and with it we can find many juicy things about the target (parameters, status code, length, MIME type, etc.).

 Discovering Target Manually

  • First, set up the Burp proxy with your browser.
  • After intercepting the first request, turn off Intercept but keep the proxy running.
  • Now go to the browser and manually browse every page, fill in all forms, and log in where required (basically, explore the application).
  • After manually mapping the application in the browser, you will see the content and functionality you browsed showing up in Burp Suite's Target site map.


After completing this step you will see new pages and content filling up the Burp Suite site map, with lots of information such as host, URL, status code, length, and MIME type. When you look in the Request and Response sub-tabs, you can see a whole lot more information about that web page, such as the raw request, parameters, headers, and hex.

Pro Tip - Always pay attention to parameters, because they sometimes come with very confidential admin login pages or web pages that are restricted to other users. (Those can be great finds.)

 

Burp Suite Site Map Display Filters


Many times a website has a very large amount of content (I have found more than lakhs of pages in some), so it can be very time-consuming to evaluate the pages one by one. If we find tons of content on a site, we filter the site map down to the things we want.

Click on the filter and it looks like this.


  • Filter by request type -
This filter narrows the requests shown using options such as show only in-scope items, show only requested items, show only parameterized requests, and hide not-found items.
If you are working on a website that gives you a fixed scope to work with, check the in-scope box to stop wasting your time on other stuff around it.
Burp Suite sometimes crawls more of the website than you requested, so checking "show only requested items" can help you here. Also, I told you above that parameterized requests can sometimes be great finds, so check "show only parameterized requests" if you want to find them.
Keep "hide not-found items" checked as long as you don't want to fill up your site map with garbage pages.


  • Filter by MIME Type

    MIME - (Multipurpose Internet Mail Extensions)
    This filter can be very useful when you need to find content of one of the ready-made types Burp Suite lists, such as HTML or images.

Along with those, we have script, XML, other text, Flash, and other binary types.
This filter can be used as required for the types shown in the list, but we can also do a broader search, which we will see under Filter by Extensions.

  • Filter by Status Code

    Status codes are HTTP response codes that help us understand the web page's response. There are lots of codes, but here I will show you some important ones.

    1. 200 - OK. Simply means the web page is up and responds the way it should.
    2. 301 - Moved Permanently. The web page is redirected permanently to another URL.
    3. 404 - Not Found. No web page was found at that URL.
    4. 500 - Internal Server Error. The server encountered a condition that is preventing it from fulfilling the request.
    There are lots of them; you can check them here.
  • Also, always check Hide empty folders. You surely don't want to waste your time there.
     
  • Filter by Extensions -

    A very important filter for sorting the site map by the extensions we specifically want to test.
    Unlike MIME type, here we can specify which extensions we want to search for, which gives us very good information about the target.
    HTML, PHP, JS, ASPX and CSS are common extensions.
    Check out for more

    Pro Tip - While exploiting file upload vulnerabilities, it's sometimes difficult to find where the file is saved on the server, so using these extensions to filter can save lots of time.

    Also, we have two checkboxes here, Show only and Hide.
    Use them accordingly.

     
  • Filtering by comments or annotations can also be useful if you need to find them among thousands of web pages. (Obviously, you need to comment and annotate first.)


Target tab Testing Workflow

The Target tab and the tools in it help us sort our attack scope and other important in-scope items, and they also work as a bridge between the other Burp Suite tools and functionality.
We are going to see all the important functions used for penetration testing and bug bounty.


  • Add to or remove from Scope.

The scope is a specific website, part of a web server, or something else that the client wants you to test, and only that. Anything else is out of scope, which means we are not authorized to test that part.

After discovering what you want to test, right-click on it (this opens the context menu) and you will see that the second option is Add to scope.

Similarly, if you want to remove an item from scope (if you added it), right-click and hit Remove from scope.


  • Send to ___ Functionality.

Another very important function of the Burp Suite site map, which helps us interact with and send requests to Burp Suite's different powerful tools, such as Intruder and Repeater.

Say that, using the site map, you found some parameters which can be fuzzed using a dictionary; you can then send that request directly to the Burp Suite Intruder tool using this context menu.
You can also send it to Burp Suite Repeater to test it manually.

Similarly, you can test a request or response using Comparer and Sequencer.

  • Show Response in Browser

After right-clicking on a request and clicking Show response in browser, Burp gives you a URL to copy and paste into your browser.
But the catch here is that, instead of interacting with the web server, the browser interacts with the Burp proxy, which gives us the rendered response just like the original web server would. All additional requests are handled by the browser itself.
This feature works better than Burp Suite's built-in HTML renderer, and the browser also makes the additional requests for CSS, images, etc.

  • Request in Browser

You can use this to open requests in your browser, which must already be configured to use the Burp proxy.
There are two options here.

  • In original session - the request is issued with the exact cookie header that appeared in the original request sent by Burp.
  • In current browser session - the request is issued with the cookie header supplied by your browser.
This feature is widely used when testing for access control vulnerabilities.
For example, you are logged in as an ordinary user on the web server, but you can reissue a request with the cookies of a different user context, such as an administrator. This is very easy to do with this feature, so you don't have to modify and process cookies over and over using the proxy.

  • Compare Site Maps

You can use the Compare site maps function to find the differences between two site maps.

This powerful feature of Burp Suite can be used for many different purposes. It works best for access control vulnerabilities.
You can simply compare two site maps with all the information in them, like requests, responses, and headers. This gives us a wide overview for finding the differences that could be exploitable.
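The comparison described above can be reduced to a small script for reporting purposes. This is an added example, not Burp Suite's own logic or output: the two site maps are constructed sample data, and the `/admin` prefix, the 5% length tolerance and the verdict names are assumptions. It reduces each response to status code and length, whereas Burp compares full requests and responses.

```python
# Added illustration: all data below is constructed, not exported from Burp.
# Each site map maps (method, path) -> (HTTP status, response length).
ADMIN_MAP = {
    ("GET", "/dashboard"): (200, 5120),
    ("GET", "/admin/users"): (200, 8342),
    ("POST", "/admin/users/delete"): (200, 211),
    ("GET", "/admin/audit-log"): (200, 15020),
    ("GET", "/admin/settings"): (200, 4410),
}
# The same requests re-issued with an ordinary user's cookies.
USER_MAP = {
    ("GET", "/dashboard"): (200, 5120),
    ("GET", "/admin/users"): (200, 8342),         # identical to the admin response
    ("POST", "/admin/users/delete"): (403, 98),   # correctly refused
    ("GET", "/admin/audit-log"): (302, 0),        # redirected away
    ("GET", "/admin/settings"): (200, 612),       # 200, but a much shorter body
}

def classify(high, low, tolerance=0.05):
    """Compare one request's (status, length) across the two sessions."""
    if low is None:
        return "not-requested"
    (h_status, h_len), (l_status, l_len) = high, low
    if l_status != h_status:
        return "enforced"
    if abs(l_len - h_len) <= tolerance * max(h_len, 1):
        return "same-response"        # access control likely missing: report it
    return "check-manually"           # same status, different body

def compare_site_maps(high_map, low_map, restricted_prefix="/admin"):
    """Return {(method, path): verdict} for paths under the restricted prefix."""
    return {
        key: classify(entry, low_map.get(key))
        for key, entry in sorted(high_map.items())
        if key[1].startswith(restricted_prefix)
    }

if __name__ == "__main__":
    for (method, path), verdict in compare_site_maps(ADMIN_MAP, USER_MAP).items():
        print(f"{method:5} {path:22} {verdict}")
```

A `same-response` verdict is the entry to raise with the application owner, since the ordinary user received what the administrator did.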

  • Annotations in Site Map

In the site map, you can annotate URLs using highlights and comments. Use this when you find something interesting to use later, or to sort URLs for different types of testing.

You can highlight a URL in two ways.
  • Simply use the host column, which is the rightmost column, and pick one of the various colours from its dropdown menu.
  • Right-click on the URL, select Highlight, and choose the colour you want.
You can add a comment in two ways as well.
  • Double-click on the empty space in the comment column and type whatever you want to comment.
  • Right-click on the URL you want to comment on and hit Add comment.
You can filter by your annotations in the display filter, the topic we covered above.

  • Burp Suite Target Scope

Burp Suite's target scope is exactly those hosts and URLs you want to work with as a target. You can say the scope is the items that you are currently interested in and willing to attack.

Adding a scope configuration can affect other functionality of Burp, like:
  • setting up display filters and the site map using the scope.
  • setting the proxy to intercept only in-scope responses.
  • configuring Burp Suite's Repeater and Intruder for in-scope URLs only.
You can also use advanced scope control, as below.


Here you can specify the protocol, port, IP ranges, and files as well.

You can include a host or URL in scope, or use Exclude from scope to exclude something within it.
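To see how include and exclude rules built from protocol, host or IP range, port and file combine, here is a small model of the matching. This is an added example, not Burp Suite's code or configuration schema: the rule format, host names and addresses are constructed assumptions, and exclusions are assumed to take precedence over inclusions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rules in a hypothetical format modelled on the fields named above
# (protocol, host or IP range, port, file). Not Burp's own configuration schema.
INCLUDE = [
    {"protocol": "https", "host": r"^shop\.example\.test$", "port": r"^443$", "file": r"^/"},
    {"protocol": "any", "host": "10.20.0.0/24", "port": r"^(80|8080)$", "file": r"^/api/"},
]
EXCLUDE = [
    {"protocol": "any", "host": r"^shop\.example\.test$", "port": r".*", "file": r"^/logout"},
]
DEFAULT_PORTS = {"http": 80, "https": 443}

def host_matches(spec, host):
    """spec is either a CIDR range or a regular expression for the host name."""
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:                       # not a CIDR range: treat as a regex
        return re.search(spec, host, re.IGNORECASE) is not None
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:                       # host is a name, not an IP literal
        return False

def rule_matches(rule, url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    port = str(parts.port or DEFAULT_PORTS[scheme])
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return (rule["protocol"] in ("any", scheme)
            and host_matches(rule["host"], parts.hostname)
            and re.search(rule["port"], port) is not None
            and re.search(rule["file"], path) is not None)

def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Exclusions win: a URL matching any exclude rule is out of scope."""
    if any(rule_matches(rule, url) for rule in exclude):
        return False
    return any(rule_matches(rule, url) for rule in include)

if __name__ == "__main__":
    for url in ("https://shop.example.test/cart?id=3", "https://shop.example.test/logout",
                "https://shop.example.test.other.test/", "http://10.20.0.7:8080/api/v1/items"):
        print(f"{'IN ' if in_scope(url) else 'OUT'}  {url}")
```

The third URL is out of scope only because the host pattern is anchored with `^` and `$`; an unanchored pattern would also match look-alike hosts that the client never authorized.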

  •  Issue Definition

Issue definitions are a list of all the issues that can be detected by Burp Suite. You can call these issues bugs, vulnerabilities and exploits.

These definitions can be used to gain more information about a topic, and they also give some links to help in further exploiting those vulnerabilities.
Each one gives a description, remediation, and reference resources for the issue.
They are also helpful for understanding the severity of an issue.
