Description: A lot of services are provided through the Web. Pentesters are spending a lot of time testing Web applications, Web Services, REST and JSON interfaces, mobile applications and thick clients. For all these assessments, an interactive HTTP proxy is mandatory to intercept, analyze, modify and replay the traffic. Burp Pro is the "de facto" tool for this kind of job. This presentation conveys many years of experience in using this tool and will try to address real-life situations. Topics covered: recent features like Burp Extender, testing of mobile applications, automatic scanning despite CSRF tokens (using "Recursive Grep" or Macros) and session logout, interactive parsing and manipulation of items, useful tricks like shortcuts and backups, efficient brute-forcing of BasicAuth forms, ...
Summary :
There's no specific research in this talk, outside of the coding of custom scripts and extensions. However, here's a more detailed but non-definitive list of items which could be covered, based on the private Burp Pro training I offer:
Intro :
- Why Burp Pro? (Burp Pro vs Burp Free vs Zap)
- Not covered in this talk: web testing methodologies
Mobile applications :
- Deploying the installation-specific CA certificate
- Redirecting to Burp via ProxyDroid
- Using Burp to launch FireBug on iPhone/iPad
Useful tricks :
- Productivity
  * Hotkeys: Ctrl+T for "Proxy intercept", Ctrl+G for "Go", Ctrl+Shift+? for switching between tabs
  * Automatic backups: the JVM always crashes just before you think of backing up your work ;-)
  * Switching from GET to POST
- Data visualization
  * Builtin views: Parameters, XML and AMF
  * JSON via the JSONDecoder.py extension
- Manipulation
  * Altering opaque data at the byte or bit level
  * Using the Active Scanner with personalized insertion points
Advanced uses :
- Brute-forcing BasicAuth: the blogosphere is wrong, there's a builtin and efficient way to do that
- "Recursive Grep"
  * Extracting content via SQL injection
  * Fighting CSRF tokens
- Session macros: automatic scanning even with anti-CSRF tokens and automatic logout
- Non-proxy-aware clients: some tools like skipfish or some thick clients do not support an external proxy; a few Listener tricks allow bypassing this limitation
Burp Extender :
- "JSON beautifier": view an item body as JSON
- "JS Injector": inject JavaScript in a page going through the Proxy
- "Custom logger": useful for logging the requests sent by Spider
- "Python interactive shell": can be used, among others, to comment and highlight items matching given keywords
- "HTTP Traceroute": detect reverse-proxies via Max-Forwards
- "Gason": sqlmap wrapper
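To show what writing such a Burp Extender extension involves, here is an added example (not code from the talk, nor from Burp itself) using the legacy Java Extender API: it registers a read-only "JSON" tab that shows an item body re-indented, which is the same idea as the "JSON beautifier" above. The indent() and pad() helpers and the extension name are the example's own.

```java
package burp;

// Hypothetical example extension (not Burp's own code): adds a read-only "JSON" tab to every
// message editor, showing the request or response body re-indented for reading.
public class BurpExtender implements IBurpExtender, IMessageEditorTabFactory {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb; helpers = cb.getHelpers();
        cb.setExtensionName("JSON beautifier (example)");
        cb.registerMessageEditorTabFactory(this);   // the tab then appears in Proxy, Repeater, ...
    }

    public IMessageEditorTab createNewInstance(IMessageEditorController c, boolean editable) {
        return new IMessageEditorTab() {            // one instance (and text editor) per message editor
            private final ITextEditor editor = callbacks.createTextEditor();
            private byte[] current;
            public String getTabCaption() { return "JSON"; }
            public java.awt.Component getUiComponent() { return editor.getComponent(); }
            public boolean isModified() { return false; }          // view only, never edited
            public byte[] getSelectedData() { return editor.getSelectedText(); }
            public byte[] getMessage() { return current; }
            public boolean isEnabled(byte[] m, boolean isRequest) { // only for object/array bodies
                String b = m == null ? "" : body(m, isRequest).trim();
                return b.startsWith("{") || b.startsWith("[");
            }
            public void setMessage(byte[] m, boolean isRequest) {
                current = m;
                if (m != null) editor.setText(helpers.stringToBytes(indent(body(m, isRequest))));
            }
        };
    }

    // Burp's helpers locate the body offset behind the headers of a request or response
    private String body(byte[] m, boolean isRequest) {
        int off = isRequest ? helpers.analyzeRequest(m).getBodyOffset() : helpers.analyzeResponse(m).getBodyOffset();
        return helpers.bytesToString(m).substring(off);
    }

    // Re-indents JSON text. String literals (with backslash escapes) are copied verbatim so that
    // braces, commas and colons inside them are left alone. No validation is attempted.
    static String indent(String json) {
        StringBuilder out = new StringBuilder(); int depth = 0; boolean inStr = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inStr) {
                out.append(c);
                if (c == '\\' && i + 1 < json.length()) out.append(json.charAt(++i));
                else if (c == '"') inStr = false;
            } else if (c == '{' || c == '[') out.append(c).append('\n').append(pad(++depth));
            else if (c == '}' || c == ']') out.append('\n').append(pad(--depth)).append(c);
            else if (c == ',') out.append(c).append('\n').append(pad(depth));
            else if (c == ':') out.append(": ");
            else if (!Character.isWhitespace(c)) { out.append(c); inStr = (c == '"'); }
        }
        return out.toString();
    }

    private static String pad(int depth) { return new String(new char[Math.max(depth, 0) * 2]).replace('\0', ' '); }
}
```

Compile it against Burp's burp/*.java interface sources into a jar and load it from the Extender tab; because the tab reports isModified() as false, Burp never sends the re-indented text back, so the original item is untouched.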
Demonstrations :
- Recursive grep (SQL injection, linked list, CSRF token)
- Sessions and Macros (application logging users out every 30 secs)
- Probably many more!
For more information please visit: http://www.hackinparis.com/