The challenge for Day Three is to use a security tool – for example ZAP or BurpSuite.
For this challenge I’ll be looking into BurpSuite, a security testing tool for web applications.
I’d heard of BurpSuite, but never knew what it was really about or how to drive the thing. So I went to the knower of all things – Wikipedia – which listed the tools available in Burp:
- HTTP Proxy – It operates as a web proxy server, and sits as a man-in-the-middle between the browser and destination web servers. This allows the interception, inspection and modification of the raw traffic passing in both directions.
- Scanner – A web application security scanner, used for performing automated vulnerability scans of web applications.
- Intruder – This tool can perform automated attacks on web applications. The tool offers a configurable algorithm that can generate malicious HTTP requests. The Intruder tool can test and detect SQL Injection, Cross-Site Scripting, parameter manipulation and vulnerabilities susceptible to brute-force attacks.
- Spider – A tool for automatically crawling web applications. It can be used in conjunction with manual mapping techniques to speed up the process of mapping an application’s content and functionality.
- Repeater – A simple tool that can be used to manually test an application. It can be used to modify requests to the server, resend them, and observe the results.
- Decoder – A tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
- Comparer – A tool for performing a comparison (a visual “diff”) between any two items of data.
- Extender – Allows the security tester to load Burp extensions, to extend Burp’s functionality using the security tester’s own or third-party code (BApp Store).
- Sequencer – A tool for analyzing the quality of randomness in a sample of data items. It can be used to test an application’s session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.
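To make the Sequencer idea concrete, here is a small added example (my own, not Burp’s code) that does a simplified version of what Sequencer does: it takes a sample of tokens and estimates, position by position, how evenly the characters are spread. The two token samples are constructed for the example, not taken from a real application.

```python
# Added illustration of the idea behind Burp's Sequencer: estimate how
# unpredictable a sample of tokens is by measuring, position by position,
# how evenly the characters are spread. This is a simplified per-character
# Shannon-entropy estimate, not Burp's actual battery of statistical tests.
import math
import random
from collections import Counter


def position_entropies(tokens):
    """Shannon entropy (bits) of the character at each position across the sample."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    entropies = []
    total = len(tokens)
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        h = -sum((c / total) * math.log2(c / total) for c in counts.values())
        entropies.append(h)
    return entropies


def analyse(tokens):
    """Summarise a token sample: estimated bits of entropy, fixed positions, duplicates."""
    ent = position_entropies(tokens)
    return {
        "estimated_bits": sum(ent),
        "fixed_positions": [i for i, h in enumerate(ent) if h == 0.0],
        "duplicates": len(tokens) - len(set(tokens)),
    }


# Constructed samples (not real application tokens):
# a weak scheme, a fixed prefix plus an incrementing counter, ...
WEAK_TOKENS = [f"sess{10000000 + i:08d}" for i in range(256)]
# ... and a stronger one: 12 hex characters from a seeded PRNG so the
# example is reproducible (a real application should use the `secrets` module).
_rng = random.Random(1234)
STRONG_TOKENS = ["".join(_rng.choice("0123456789abcdef") for _ in range(12))
                 for _ in range(256)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        result = analyse(sample)
        print(f"{name}: ~{result['estimated_bits']:.1f} bits, "
              f"fixed positions {result['fixed_positions']}, "
              f"{result['duplicates']} duplicates")
```

The weak sample scores only a handful of bits, with its first nine positions never changing, while the hex sample comes out close to the four bits per character you would expect from a good generator.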
Free tutorials are great, free high quality tutorials that would usually cost a monthly subscription are even better!
If you are a member of the Auckland City Library, Wellington City Library or Christchurch City Library you can get free access to Lynda.com and their full catalogue of courses, for example this one on Testing Websites Using BurpSuite.
The example in the Lynda video demonstrated how the user could intercept an HTTP request, change the values and send the modified request on to the application.
The application can be used to run a vulnerability scan, which would be very useful for high-level security tests, and the Spider function allows you to drill down to specific parts of the app. I need to spend more time playing with it, but at first glance it looks very cool.
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!