TryHackMe: Burp Suite: The Basics

Ayan Mukherjee
7 min read · Oct 30, 2023


This room on TryHackMe (https://tryhackme.com/room/burpsuitebasics) covers the basics of Burp Suite, the web application security testing framework. It focuses on the following key aspects:

  1. A thorough introduction to Burp Suite.
  2. A comprehensive overview of the various tools available within the framework.
  3. Detailed guidance on the process of installing Burp Suite on your system.
  4. Navigating and configuring Burp Suite.

Question 1> No Answer needed

What is Burp Suite

Burp Suite is a Java-based framework designed to serve as a comprehensive solution for conducting web application penetration testing. It has become the industry standard tool for hands-on security assessments of web and mobile applications, including those that rely on application programming interfaces (APIs).

Burp Suite captures, and lets you manipulate, all the HTTP/HTTPS traffic between a browser and a web server. This fundamental capability forms the backbone of the framework. Once a request is intercepted, it can be routed to the various components within Burp Suite, which we will explore in the upcoming sections. The ability to intercept, view, and modify web requests before they reach the target server, or even to manipulate responses before they are received by our browser, makes Burp Suite an invaluable tool for manual web application testing.

Editions of Burp Suite: Community Edition (free), Professional (paid, for manual pen testing with added automation such as the scanner) and Enterprise (continuous, automated scanning).

Features of Burp Suite

Some of the features available in the Community edition are:

  • Proxy: The Burp Proxy is the most renowned aspect of Burp Suite. It enables interception and modification of requests and responses while interacting with web applications.
  • Repeater: Another well-known feature. Repeater allows for capturing, modifying, and resending the same request multiple times. This functionality is particularly useful when crafting payloads through trial and error (e.g., in SQLi — Structured Query Language Injection) or testing the functionality of an endpoint for vulnerabilities.
  • Intruder: Despite rate limitations in Burp Suite Community, Intruder allows for spraying endpoints with requests. It is commonly utilized for brute-force attacks or fuzzing endpoints.
  • Decoder: Decoder offers a valuable service for data transformation. It can decode captured information or encode payloads before sending them to the target. While alternative services exist for this purpose, leveraging Decoder within Burp Suite can be highly efficient.
  • Comparer: As the name suggests, Comparer enables the comparison of two pieces of data at either the word or byte level. While not exclusive to Burp Suite, the ability to send potentially large data segments directly to a comparison tool with a single keyboard shortcut significantly accelerates the process.
  • Sequencer: Sequencer is typically employed when assessing the randomness of tokens, such as session cookie values or other supposedly randomly generated data. If the algorithm used for generating these values lacks secure randomness, it can expose avenues for devastating attacks.

Beyond the built-in features, Burp Suite's Java codebase lets you write extensions that add functionality to the framework. Extensions can be written in Java, Python (via Jython, a Python implementation that runs on the JVM) or Ruby (via JRuby, the equivalent for Ruby). The Extender module loads extensions into the framework quickly and easily, and the BApp Store, Burp's marketplace, lets you download third-party extensions.
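To make the Sequencer bullet above concrete, here is an added example (not code from the room or from Burp Suite) that does, crudely, what Sequencer does: it takes a sample of fixed-length tokens and estimates how much entropy they carry. It sums the Shannon entropy of each character position, which is an upper bound on the real entropy because it ignores correlations between positions; Sequencer runs a much larger battery of statistical tests. Both token generators below are constructed for the example: the weak one mimics a session ID built from a database row counter, the strong one uses the OS CSPRNG.

```python
import math
import secrets
from collections import Counter
from typing import Dict, List


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy, in bits, of the character observed at each position.

    All tokens must have the same length, as session IDs normally do.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must be fixed-length")
    n = len(tokens)
    entropies = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def estimated_entropy_bits(tokens: List[str]) -> float:
    """Sum of the per-position entropies.

    This is an upper bound on the real entropy: a counter token's low digits are
    not independent of its high digits, and correlations are ignored here.
    """
    return sum(position_entropy(tokens))


def assess(tokens: List[str], min_bits: float = 64.0) -> Dict[str, object]:
    """Summarise a sample roughly the way you would read a Sequencer result."""
    per_pos = position_entropy(tokens)
    total = sum(per_pos)
    return {
        "samples": len(tokens),
        "length": len(tokens[0]),
        "fixed_positions": sum(1 for h in per_pos if h == 0.0),  # never change
        "estimated_bits": round(total, 2),
        "acceptable": total >= min_bits,
    }


def weak_tokens(n: int) -> List[str]:
    """Constructed weak generator: a row counter rendered as a 32-character hex
    'session id'. Only the last few characters ever change."""
    return [f"{1000 + i:032x}" for i in range(n)]


def strong_tokens(n: int) -> List[str]:
    """Constructed strong generator: 128 bits from the OS CSPRNG as 32 hex chars."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("weak", weak_tokens(256)), ("strong", strong_tokens(256))):
        print(label, assess(sample))
```

With 256 samples the weak generator shows 29 fixed positions and roughly 8 bits of entropy in total, while the CSPRNG tokens come out near the full 128 bits. A real test needs a few thousand tokens captured live (Sequencer defaults to that order of magnitude), because small samples under-estimate entropy for strong generators and cannot detect time-based or seeded PRNG patterns at all.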

Installation

Please refer to the room for the download links and installation steps.

No Answers required

The Dashboard

When the dashboard opens, it is split into four quadrants, named as follows:

  1. Tasks: The Tasks menu allows you to define background tasks that Burp Suite will perform while you use the application. In Burp Suite Community, the default “Live Passive Crawl” task, which automatically logs the pages visited, is sufficient for our purposes in this module. Burp Suite Professional offers additional features like on-demand scans.
  2. Event log: The Event log provides information about the actions performed by Burp Suite, such as starting the proxy, as well as details about connections made through Burp.
  3. Issue Activity: This section is specific to Burp Suite Professional. It displays the vulnerabilities identified by the automated scanner, ranked by severity and filterable based on the certainty of the vulnerability.
  4. Advisory: The Advisory section provides more detailed information about the identified vulnerabilities, including references and suggested remediations. This information can be exported into a report. In Burp Suite Community, this section may not show any vulnerabilities.

Navigation

Navigation in Burp Suite is organised around three things:

1> Module Sections: The top row of the menu bar displays the available modules in Burp Suite. You can click on each module to switch between them. For example, the Burp Proxy module is selected in the image below.

2> Sub Tabs: If a selected module has multiple sub-tabs, they can be accessed through the second menu bar that appears directly below the main menu bar.

3> Detaching Tabs: If you prefer a custom layout with separate windows, you can detach tabs: open the Window menu in the application menu bar and choose the Detach option for the tab you want.

Burp Suite also has keyboard shortcuts. By default, Ctrl+Shift+P, Ctrl+Shift+R and Ctrl+Shift+I switch to Proxy, Repeater and Intruder, and Ctrl+R or Ctrl+I sends the selected request to Repeater or Intruder; they can be changed in the settings.

Options

This section covers the settings in Burp Suite. There are two types: user settings (global, applying to every project) and project-specific settings.

In the settings window, you can:

1> search for a specific setting,

2> use the pre-defined filters (User or Project),

3> browse settings by category.

(We highly recommend trying to find the answers to these questions on your own first to gain hands-on experience.)

Introduction to Burp Proxy

The Burp Proxy is a fundamental and crucial tool within Burp Suite. It enables the capture of requests and responses between the user and the target web server. This intercepted traffic can be manipulated, sent to other tools for further processing, or explicitly allowed to continue to its destination.

Key points to understand: intercepting requests, taking control, capture and logging, WebSocket support, logs and history.

No Answer is required for this section

Connecting through the Proxy (FoxyProxy)

The room gives an elaborate, step-by-step guide to setting up FoxyProxy so that the browser sends its traffic through Burp's proxy listener (127.0.0.1 port 8080 by default). Please follow it.

No Answer is required for this section

Site Map and Issue Definitions

The Target tab in Burp Suite offers a wide range of actions that can be used for reconnaissance before the actual attack.

Site map: Helps draw a full picture of the application. It can be used to identify hidden web pages, the APIs the page talks to, and so on.

Issue definitions: An extensive list of web vulnerabilities with descriptions and references.

Scope settings: Let us control which targets Burp Suite treats as in scope.

Take the challenge; it's easy and good for learning.

Burp Suite Browser

Burp Suite has a built-in Chromium-based browser that is already configured to proxy through Burp and to trust its CA certificate, so no FoxyProxy or certificate setup is needed. You can open it from Proxy -> Intercept -> Open Browser.

No Answer required for this section.

Scoping and Targeting

By setting a scope for the project, we define what gets proxied and logged in Burp Suite, restricting it to the specific web application(s) we want to test. The easiest way to do this is to switch to the Target tab, right-click our target in the list on the left, and select Add To Scope. Burp then asks whether we want to stop logging anything that is not in scope, and in most cases we want to say yes. Note that Intercept will still pause out-of-scope requests unless the "And URL Is in target scope" rule is enabled under the Proxy settings for intercepting client requests.
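The following is an added example, not code from the room or from Burp Suite, that models how Burp decides whether a URL is in scope: a URL is in scope when it matches at least one include rule and no exclude rule, and in Burp's advanced scope control the host and file fields of a rule are regular expressions. The sample proxy history is constructed for the example and the host names in it are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    """One 'advanced' scope rule: every field that is set must match.

    host and file are regular expressions, as in Burp's advanced scope control.
    """
    protocol: Optional[str] = None   # "http" or "https"; None means any
    host: Optional[str] = None       # regex over the host, e.g. r"^(www\.)?example\.com$"
    port: Optional[int] = None       # explicit port; None means any
    file: Optional[str] = None       # regex over the path, e.g. r"^/api/"

    def matches(self, url: str) -> bool:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if self.protocol is not None and u.scheme != self.protocol:
            return False
        if self.host is not None and not re.search(self.host, u.hostname or ""):
            return False
        if self.port is not None and port != self.port:
            return False
        if self.file is not None and not re.search(self.file, u.path or "/"):
            return False
        return True


class TargetScope:
    """Burp semantics: in scope iff some include rule matches and no exclude rule does."""

    def __init__(self, include: Sequence[ScopeRule], exclude: Sequence[ScopeRule] = ()):
        self.include = list(include)
        self.exclude = list(exclude)

    def in_scope(self, url: str) -> bool:
        return any(r.matches(url) for r in self.include) and not any(
            r.matches(url) for r in self.exclude
        )

    def filter_history(self, urls: Sequence[str]) -> List[str]:
        """What 'stop logging out-of-scope items' leaves in the proxy history."""
        return [u for u in urls if self.in_scope(u)]


# Constructed sample of what a proxy history looks like before scoping.
SAMPLE_HISTORY = [
    "https://example.com/contact",
    "https://example.com/static/app.js",
    "https://example.com/logout",
    "https://evil.example.com/",
    "https://example.com.attacker.test/",
    "https://cdn.example.net/jquery.js",
    "http://www.example.com/",
]

# Anchored host regex: subdomains and look-alike hosts stay out of scope;
# the exclude rule keeps us from logging ourselves out while crawling.
CONTACT_APP = TargetScope(
    include=[ScopeRule(host=r"^(www\.)?example\.com$")],
    exclude=[ScopeRule(file=r"^/logout")],
)

if __name__ == "__main__":
    for url in CONTACT_APP.filter_history(SAMPLE_HISTORY):
        print(url)
```

The anchors in the host regex matter: an unanchored `example\.com` also matches `example.com.attacker.test`, which is how a sloppy scope definition ends up sending test traffic to someone else's server.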

No Answer required for this section

Proxying HTTPS

When you configure a proxy, the browser may complain about the certificate: Burp terminates each HTTPS connection and re-signs the site's certificate with its own CA, which the browser does not trust by default. The problem is most prominent in Firefox, which keeps its own certificate store instead of using the operating system's. This section shows how to download Burp's CA certificate (from http://burp/cert while the browser is proxied through Burp) and import it into Firefox as a trusted authority.

Please go through this section if you use Firefox.

No Answer required for this section

Example Attack

This section gives an example of an XSS attack performed against the web page's contact form. The form's email field is filtered by client-side JavaScript, so the payload is delivered by tampering with the request in Burp: the request is captured after the browser has validated the field and the email value is edited in Intercept, which bypasses the client-side filter entirely. The lesson is that client-side validation is a usability feature, not a security control; the server has to validate on its own.

Please try it in burp suite to have a better understanding.
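Here is an added example, not code from the room or from Burp Suite, covering both sides of that attack. The first function does what you do by hand in Proxy > Intercept: it takes a raw captured request, swaps the email parameter for the payload, and recomputes Content-Length (Burp does that silently when "update Content-Length" is on; forgetting it when editing elsewhere is a classic source of confusing server errors). The remaining functions show the server side: a handler that trusts the browser and reflects the value, next to one that re-validates and HTML-encodes. The captured request, the host name and the field names are constructed for the example.

```python
import re
from html import escape
from typing import Dict
from urllib.parse import parse_qsl, urlencode

# Constructed sample request: what the browser sends after its own JavaScript
# validation accepted the email field. The host name is hypothetical.
ORIGINAL_REQUEST = (
    b"POST /contact HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"name=ayan&email=ayan%40example.com&message=hello+there"
)


def set_form_param(raw: bytes, name: str, value: str) -> bytes:
    """Edit one urlencoded form field in a raw request and fix Content-Length.

    This is the Intercept step: the browser already ran its checks, and nothing
    stops us from changing the body after the fact.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP request")
    request_line, *headers = head.split(b"\r\n")
    params = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    if any(k == name for k, _ in params):
        params = [(k, value if k == name else v) for k, v in params]
    else:
        params.append((name, value))
    new_body = urlencode(params).encode("ascii")  # re-encodes the payload safely
    new_headers = [
        b"Content-Length: %d" % len(new_body)
        if h.lower().startswith(b"content-length:") else h
        for h in headers
    ]
    return b"\r\n".join([request_line, *new_headers]) + b"\r\n\r\n" + new_body


def parse_form(raw: bytes) -> Dict[str, str]:
    """What the server sees: the decoded body, with no knowledge of whatever
    client-side checks ran in the browser."""
    body = raw.partition(b"\r\n\r\n")[2]
    return dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))


def render_vulnerable(form: Dict[str, str]) -> str:
    """Trusts the browser's validation and reflects the field verbatim: XSS."""
    return "<p>Thanks, we will reply to %s</p>" % form.get("email", "")


# Deliberately simple server-side format check; good enough to reject markup.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_hardened(form: Dict[str, str]) -> str:
    """Re-validates on the server and HTML-encodes on output."""
    email = form.get("email", "")
    if not EMAIL_RE.fullmatch(email):
        return "<p>Invalid email address</p>"
    return "<p>Thanks, we will reply to %s</p>" % escape(email, quote=True)


if __name__ == "__main__":
    tampered = set_form_param(ORIGINAL_REQUEST, "email", "<script>alert(1)</script>")
    print(tampered.decode("ascii"))
    print(render_vulnerable(parse_form(tampered)))
    print(render_hardened(parse_form(tampered)))
```

Output encoding matters even when validation passes: the hardened handler escapes the value as well as checking its format, so a later loosening of the regex does not silently reopen the injection.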

No Answer required for this section

