Burp Suite is an integrated platform for attacking web applications. It contains the entire Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility. BurpSuite is OWASP Project tool.
Burp Suite allows you to combine manual and automated techniques to enumerate, analyses, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
Proxy: Burp Proxy is an interactive HTTP/HTTPS proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.
Spider: Burp Spider is a tool for mapping web applications. It uses various intelligent techniques to generate a comprehensive inventory of an application’s content and functionality.
Intruder: Burp Intruder is a tool for automating customized attacks against web applications.
Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses. It is best used in conjunction with the other Burp Suite tools.
Sequencer: Burp Sequencer is a tool for analysing the degree of randomness in an application’s session tokens or other items on whose unpredictability the application depends for its security.
Decoder: Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data. In the context of attacking a web application, this requirement will typically arise when you want to quickly identify the differences between two application responses (for example, between two responses received in the course of a Burp Intruder attack, or between responses to a failed login using valid and invalid usernames), or between two application requests (for example, to identify the different request parameters that give rise to different behavior).
Procedure to run the BurpSuit_v1.3 proxy tool using SITE
http://testfire.net/bank/login.aspx
CASE: 1-TASK
STEP 1:
The Burp Suite will now begin logging the requests and responses that pass through the proxy. We have browsed to the logon page of www.testfire.net/bank/login.aspx application and the Burp Suite proxy has captured the request and response: as shown in screen shot-1
STEP 2:
Select the POST or GET type of method and right click on send to Intruder then go to payloads ->add type of possible attack vector syntax for SQL injection(1’ or ‘1’=’1), XSS(<script>alert(‘XSS’)</script> and code injection(cd-) etc as shown in the screen shot-2 .And the result view shows the possibility are displayed as shown in screen shot-3 .
No comments:
Post a Comment