Full training is available for free at:
http://hackademy.aetherlab.net
In this lecture we are going to try the Intruder module, the semi-automated testing tool of the Burp Suite. We are going to brute-force the "Forgot Password" feature of WebGoat. The Comparer will also be used in this attack to make your testing more efficient.
Website: http://aetherlab.net
Blog: / gergely.revay
Trainings:
Web Hacking: Become a Web Pentester - https://hackademy.aetherlab.net/p/web...
Learn Burp Suite, the Nr. 1 Web Hacking Tool - https://hackademy.aetherlab.net/p/bur...
Reverse Engineering with Radare2 - https://hackademy.aetherlab.net/p/rad...
Video Transcript:
So finally we have got to the most interesting tool of the Burp Suite. Actually, in this section I will talk about two modules, the Intruder and the Comparer. The Comparer is a really simple tool, but you often use the two together, so that is why I chose this place to introduce the Comparer and not a separate section or something.
But first, we are going to start with the Intruder. The Intruder is basically the automated fuzzer, where you set the values with which you want to test or fuzz various inputs. So, we are going to work with our vulnerability in WebGoat, and that is Authentication Flaws, Forgot Password. You know, lots of applications have this feature: if you forgot your password, you can request a new password. There are different methods to solve this problem. Either you put in your e-mail address and then you get a password reset link through that e-mail, or you get a new password in the e-mail, or there is some security question that you can answer and then you are allowed to change your password, et cetera.
So, in WebGoat there is also this feature. Here there is a possibility to give your username. Actually, it is written in the description that your username is WebGoat, but let me just check what happens if I put in a nonexistent username. Yeah, you get an error message. When I put in the correct username, which is WebGoat, and I submit it, there is the Choose the Security Question method. So you have to put in your favorite color. Let's try green. No, it's not green. But what is happening here is that you have a finite number of possibilities, because there is a finite number of well-known colors. So what we want to do somehow is to have a list of colors, test all of these colors with the request, and try to find out somehow from the response which one is correct. You could use the Repeater here and test every single color by yourself, which would actually still work with the Repeater because there are not so many colors usually. But if the scenario is more complicated, like the set of possible answers is tens or hundreds or thousands, then you wouldn't be able to test that with the Repeater manually. So in this case you can use the Intruder.
So what we are going to do is we are going to put here, yeah, I am just going to try it again, black. And it's wrong again. Now let's go back to Burp and go to the Proxy, and we will look for that request. Yeah, it's there. You see here that the color was black and there is also another parameter called SUBMIT, which is not that interesting. So we want to test this request, so we right-click and Send to Intruder. Now your request appears in the Intruder. Just a quick hint: you can give names to your tabs, so I can name this "password forget". It's pretty cool. I use it a lot in the Repeater because I test, like, user creation or user approval or login, and then I can name all these tabs. And if I come back, I will see them all: this is the request to create the user, this is the request to log in, et cetera. So if you come back later, it's easier. So here in the Intruder, what you have is the attack Target, which is already filled in if you send the request from some other module. And then you come to the Positions. As you can see, here is your request, and Burp has already marked the possible positions. You can test anything here, but Burp tries to find all the parameters of the request. If you don't like it, then you can just say Clear. And if there are some attacks against the Host header, then you can just say Add, or you can say Auto again and then it will be marked as it was.
Now, there is another setting called Attack type. Since I keep forgetting what these attack types are, I always have to Google it, so I will show it to you as well: "burp intruder attack type sniper". As you can see, there is quite a lot of documentation here, but we can just go to the PortSwigger website and check the definitions there.
So Sniper is the most basic one. What happens there is you select one payload list, and if you have different positions, that is what you test. So for instance, here we have five positions to test. We will select it. If you come here to the payload, there is
-Cut due to length limit-
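The attack walked through in the lecture, as an added example that is not part of the video or its transcript and not Burp's or WebGoat's own code: a small Python stand-in for what Intruder's Sniper attack type and the Comparer do. It takes a request with Burp-style § position markers, fuzzes one position at a time with a single payload list (Sniper semantics: positions × payloads requests, every other position keeping its original value), sorts the responses by length the way you would in Intruder's results table, and word-diffs the odd one out against a baseline the way Comparer does. The `color` and `SUBMIT` parameter names are taken from the transcript; the request path, the mock target and its secret answer "orange" are constructed so the example runs offline against a function instead of a live WebGoat.

```python
"""Sniper-style payload positioning plus a Comparer-style diff, in plain Python.

Example code added to this page; not Burp's or WebGoat's implementation.
The target is a CONSTRUCTED mock of a forgot-password security question,
not a real WebGoat instance.
"""
from __future__ import annotations

import difflib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterator
from urllib.parse import parse_qsl

MARK = "\u00a7"  # Burp Intruder marks a payload position as §original value§


def parse_template(template: str) -> tuple[list[str], list[str]]:
    """Split a §-marked request into literal chunks and the marked original
    values; chunks always has one more element than values."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced position markers in template")
    return parts[0::2], parts[1::2]


def render(chunks: list[str], values: list[str]) -> str:
    """Re-assemble a request from literal chunks and one value per position."""
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out += [value, chunk]
    return "".join(out)


@dataclass(frozen=True)
class Attempt:
    position: int   # index of the fuzzed position (0 = first § pair)
    payload: str
    request: str


def sniper(template: str, payloads: list[str]) -> Iterator[Attempt]:
    """Sniper: one payload set, one position fuzzed at a time; the other
    positions keep their original value. Yields positions x payloads requests."""
    chunks, originals = parse_template(template)
    for pos in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[pos] = payload
            yield Attempt(pos, payload, render(chunks, values))


def make_mock_target(secret_color: str) -> Callable[[str], str]:
    """CONSTRUCTED stand-in for the forgot-password step: a right answer to
    the security question yields a visibly different page than a wrong one."""
    def target(request: str) -> str:
        body = request.split("\n\n", 1)[1] if "\n\n" in request else ""
        params = dict(parse_qsl(body, keep_blank_values=True))
        if params.get("color", "").strip().lower() == secret_color:
            return "HTTP/1.1 200 OK\n\n<p>Correct! Your password is: ********</p>"
        return "HTTP/1.1 200 OK\n\n<p>Sorry, that answer is not correct. Try again.</p>"
    return target


@dataclass(frozen=True)
class Result:
    attempt: Attempt
    status: int
    length: int   # full response length, the column you sort on in Intruder
    body: str


def run_attack(template: str, payloads: list[str],
               target: Callable[[str], str]) -> list[Result]:
    """Send every Sniper request to the target and record status/length/body."""
    results = []
    for attempt in sniper(template, payloads):
        raw = target(attempt.request)
        head, _, body = raw.partition("\n\n")
        results.append(Result(attempt, int(head.split()[1]), len(raw), body))
    return results


def outliers(results: list[Result]) -> list[Result]:
    """Rows whose response length differs from the most common one, i.e. the
    responses that do not look like the bulk of 'wrong answer' pages."""
    common_len = Counter(r.length for r in results).most_common(1)[0][0]
    return [r for r in results if r.length != common_len]


def word_diff(baseline: str, other: str) -> list[str]:
    """Comparer-style word diff: '-word' removed from baseline, '+word' added."""
    a, b = baseline.split(), other.split()
    out: list[str] = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("delete", "replace"):
            out += ["-" + w for w in a[i1:i2]]
        if tag in ("insert", "replace"):
            out += ["+" + w for w in b[j1:j2]]
    return out


# Request path and Host are assumptions; parameter names follow the transcript.
TEMPLATE = ("POST /WebGoat/attack HTTP/1.1\nHost: localhost:8080\n"
            "Content-Type: application/x-www-form-urlencoded\n\n"
            f"color={MARK}black{MARK}&SUBMIT={MARK}Submit{MARK}")
COLORS = ["red", "green", "blue", "black", "white", "yellow", "orange", "purple"]


def main() -> None:
    results = run_attack(TEMPLATE, COLORS, make_mock_target("orange"))
    for r in sorted(results, key=lambda r: r.length):
        print(f"pos={r.attempt.position} payload={r.attempt.payload:<8} "
              f"status={r.status} length={r.length}")
    for odd in outliers(results):
        print("outlier:", odd.attempt.payload, word_diff(results[0].body, odd.body))


if __name__ == "__main__":
    main()
```

Two things worth noticing when you run it: every payload placed in the SUBMIT position produces the same response, which is the transcript's point that that parameter "is not that interesting", and the single row with a different length is the one to send to Comparer. A real target may vary length for other reasons (timestamps, session tokens, anti-CSRF nonces), so in practice you diff a few "wrong" responses against each other first to learn the noise before trusting length alone.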