Hands-On Application Penetration Testing with Burp Suite
eBook - ePub

Hands-On Application Penetration Testing with Burp Suite

Use Burp Suite and its features to inspect, detect, and exploit security vulnerabilities in your web applications

  1. 366 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Test, fuzz, and break web applications and services using Burp Suite's powerful capabilities

Key Features

  • Master the skills to perform various types of security tests on your web applications
  • Get hands-on experience working with components like scanner, proxy, intruder and much more
  • Discover the best way to penetrate and test web applications

Book Description

Burp Suite is a set of graphical tools focused on penetration testing of web applications. It is widely used by security professionals for performing a range of web-level security tasks.

The book starts by setting up the environment to begin an application penetration test. You will learn to configure the client and apply target whitelisting, and to set up and configure Android and iOS devices to work with Burp Suite. The book then explains how the various features of Burp Suite can be used to detect vulnerabilities as part of an application penetration test. Once detection is complete and a vulnerability is confirmed, you will be able to exploit it using Burp Suite. The book also covers advanced concepts such as writing extensions and macros for Burp Suite. Finally, you will walk through the steps taken to identify a target, discover weaknesses in its authentication mechanism, and break the authentication implementation to gain access to the application's administrative console.

By the end of this book, you will be able to effectively perform end-to-end penetration testing with Burp Suite.

What you will learn

  • Set up Burp Suite and its configurations for an application penetration test
  • Proxy application traffic from browsers and mobile devices to the server
  • Discover and identify application security issues in various scenarios
  • Exploit discovered vulnerabilities to execute commands
  • Exploit discovered vulnerabilities to gain access to data in various datastores
  • Write your own Burp Suite plugin and explore the Infiltrator module
  • Write macros to automate tasks in Burp Suite

Who this book is for

If you are interested in learning how to test web applications and the web part of mobile applications using Burp, then this is the book for you. It is specifically designed to meet your needs if you have basic experience in using Burp and are now aiming to become a professional Burp user.


Information

Year: 2019
Print ISBN: 9781788994064
eBook ISBN: 9781788995283

Exploiting Vulnerabilities Using Burp Suite - Part 1

Burp Suite is an excellent tool for detecting vulnerabilities. As we have seen in the previous chapters, it has a large variety of tools and options, and of course extensions, that help us be more accurate and efficient while looking for bugs in an application. However, Burp Suite also has options that help us exploit vulnerabilities, generate proof of the exploitation, and reproduce the exploitation whenever this is needed.
In this chapter, we will look at how to exploit different kinds of vulnerabilities using Burp Suite's options and, in some cases, its tools and extensions. We will be covering the following topics in this chapter:
  • Data exfiltration via a blind Boolean-based SQL injection
  • Executing operating system (OS) commands using an SQL injection
  • Executing out-of-band command injection
  • Stealing session credentials using cross-site scripting (XSS)
  • Taking control of the user's browser using XSS
  • Extracting server files using XML external entity (XXE) vulnerabilities
  • Performing out-of-band data extraction using XXE and Burp Suite Collaborator
  • Exploiting Server-Side Template Injection (SSTI) vulnerabilities to execute server commands

Data exfiltration via a blind Boolean-based SQL injection

An SQL injection is a vulnerability based on an input validation error, which allows a malicious user to insert unexpected SQL statements into an application in order to perform different actions on it, for example, extracting information, deleting data, or modifying the original statements.
There are three types of SQL injection, as follows:
  • In-band SQL injection: This type of SQL injection can be analyzed using the same channel that was used to send the statement. That is, the response generated by the database management system (DBMS) is received in the same application being analyzed.
  • Inferential: This type of SQL injection differs from the previous one in that it is not possible to see the errors or the results in the application's response. We need to infer what is happening in the application's backend, or use external channels to get the information. Inferential SQL injections are further divided into two types:
    • Boolean-based blind SQL injection: In this type of SQL injection, the statements are focused on changing a Boolean value inside the application in order to get different responses. Even though the SQL injection result is not shown directly, the HTTP response content can change, allowing the result to be inferred.
    • Time-based blind SQL injection: This inferential SQL injection depends on the time the database server takes to generate a response. From the time variations, it is possible to infer whether the SQL injection is successful or not. To do so, the malicious user inserts functions provided by the DBMS to determine what is happening in the backend.
  • Out-of-band SQL injection: In this type of SQL injection, it is not possible to use the same channel to see the error response or to infer the result directly. So, we need to use an external channel to know whether the SQL injection is successful or not, for example, using a second data store to receive the results, or DNS resolution to infer the time elapsed in a request, which is not visible in the application.
We will see how it is possible to use Burp Suite to exploit a Boolean-based SQL injection vulnerability.

The vulnerability

Analyze the following snippet of PHP code:
    <?php
    ini_set('display_errors', 0);                // errors are never shown to the user
    $connection = $GLOBALS['connection'];        // database connection created elsewhere
    $id = ($_POST['id']);                        // taken from the form without any validation
    $query_statement = "SELECT * from polls where id = " . $id;  // $id is concatenated into the SQL
    $result = $connection->query($query_statement);
    if ($result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            echo "<p class=''>Thank you for your response!</p>";
        }
    }
This code uses the $id variable, which is a number, to pass information to a query that is executed directly on the database in a SELECT statement. The $id variable is used in the WHERE expression to look for the exact value passed by the user, and only the information filtered by that number is displayed.
The most important thing about the $id variable is that it is not validated in any way; it is passed directly from the form into the statement. So, a malicious user can insert arbitrary input into the $id variable.
However, when a malicious user inserts an unexpected value into the $id variable, no error is shown to the user. Why? Because the display_errors option is set to 0.

The exploitation

Imagine this database table has just 10 records. If a user passes the number 1 as the value of the $id variable, the application returns the first record; when the user enters the number 10, the application returns the last record. However, when the user enters the value 11, the application has no record to show, but it does not display any error explaining that there is nothing more to show. The output is simply empty.
As the application does not validate the value entered into the $id variable, a user can enter any kind of input, for example the string '1 or 1=1--, which is commonly used to detect SQL injection flaws. However, as we said, the application will not show an error.
Setting aside the fact that the application does not show errors, why is it possible to enter a string such as '1 or 1=1--? We will see in the following flow:
  1. When the user enters the '1 or 1=1-- string, it is converted to a true value, which the application interprets as the number 1, so the application returns the first record.
  2. What happens if we pass a value outside the range 1 to 10? If we pass the number 11 to the $id variable, the WHERE condition will try to look for the eleventh record, but as it does not exist, the $query_statement variable will not hold any record. When the following if statement in the PHP code checks the record stored in the $query_statement variable, the application will fail.
  3. We know that when the application receives a number between 1 and 10, the application works; we also know that we can pass an arbitrary statement as long as its result is a number between 1 and 10. With this in mind, passing the value 11-1 is valid.
  4. The result of 11-1 is 10; therefore, when the WHERE condition checks the $id value, it will be 10, so the application will show the last record. This is the key to exploiting this vulnerability!
Now, use a more complex statement, as follows:
11-(select case when '0'='0' then 1 else 0 end) 
This statement produces a final value of 10 for $id; now consider the following statement:
11- (select case when 'a'=(substring((select 'abcd'),1,1)) then 1 else 0 end) 
The preceding statement produces t...
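As an added illustration (not code from the book), the following Python simulation reproduces the oracle described above against an in-memory SQLite table of 10 constructed rows: one lookup builds the query by string concatenation exactly like the PHP snippet, and a second, input-validated and parameterized version shows how the flaw is closed. It assumes SQLite, which spells the substring function substr.

```python
import sqlite3

# Constructed stand-in for the book's "polls" table: 10 rows with ids 1..10,
# so id 11 does not exist (the condition the chapter's oracle relies on).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT)")
    conn.executemany("INSERT INTO polls VALUES (?, ?)",
                     [(i, f"poll {i}") for i in range(1, 11)])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """Mirrors the PHP snippet: the raw form value is concatenated into the SQL.

    Returns True when at least one row matches, i.e. when the page would
    render 'Thank you for your response!'. That single bit is the oracle.
    """
    query = "SELECT * FROM polls WHERE id = " + user_id
    return len(conn.execute(query).fetchall()) > 0

def hardened_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """Fix: accept only a plain integer and bind it as a query parameter.

    Arithmetic or subqueries in the value are rejected before reaching SQL,
    and a bound parameter can never change the statement's structure.
    """
    if not user_id.isdigit():
        return False
    rows = conn.execute("SELECT * FROM polls WHERE id = ?", (int(user_id),))
    return len(rows.fetchall()) > 0

if __name__ == "__main__":
    db = make_db()
    # 11-1 evaluates to 10 inside the query, so the last row is returned.
    print(vulnerable_lookup(db, "11-1"))                                        # True
    # The CASE expression yields 1 when its condition holds, 0 otherwise.
    print(vulnerable_lookup(db, "11-(select case when '0'='0' then 1 else 0 end)"))  # True
    # 'b' is not the first character of 'abcd', so the id becomes 11: no row.
    print(vulnerable_lookup(
        db, "11-(select case when 'b'=(substr((select 'abcd'),1,1)) then 1 else 0 end)"))  # False
    # The hardened version refuses the expression outright.
    print(hardened_lookup(db, "11-1"))                                          # False
```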

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Contributors
  4. About Packt
  5. Preface
  6. Configuring Burp Suite
  7. Configuring the Client and Setting Up Mobile Devices
  8. Executing an Application Penetration Test
  9. Exploring the Stages of an Application Penetration Test
  10. Preparing for an Application Penetration Test
  11. Identifying Vulnerabilities Using Burp Suite
  12. Detecting Vulnerabilities Using Burp Suite
  13. Exploiting Vulnerabilities Using Burp Suite - Part 1
  14. Exploiting Vulnerabilities Using Burp Suite - Part 2
  15. Writing Burp Suite Extensions
  16. Breaking the Authentication for a Large Online Retailer
  17. Exploiting and Exfiltrating Data from a Large Shipping Corporation
  18. Other Books You May Enjoy

Hands-On Application Penetration Testing with Burp Suite by Carlos A. Lozano, Dhruv Shah, and Riyaz Ahemed Walikar is available in PDF and/or ePUB format, catalogued under Computer Science & Computer Networks.