Learn Burp Suite, the Nr. 1 Web Hacking Tool - 06 - Sequencer and Scanner

Published: 19 February 2016
on the channel: ÆTHER SECURITY LAB

Full training is available for free at:
https://hackademy.aetherlab.net/p/bur...

Website: http://aetherlab.net
Blog:   / gergely.revay  
Trainings:
Web Hacking: Become a Web Pentester - https://hackademy.aetherlab.net/p/web...
Reverse Engineering with Radare2 - https://hackademy.aetherlab.net/p/rad...

Video Transcript:
So in this video, I will talk about two tools. One is the Sequencer and the other one will be the Scanner. Let’s start with the Sequencer. The Sequencer is essentially a tool to do mathematical analysis of entropy. What you wanna find out here is how random something is. By something, I mean usually cookies or session tokens or anything that you usually use in your application as a random string. What the Sequencer can do for you is to send requests automatically to collect these tokens and then run a bunch of mathematical analysis on them to find out how good the entropy was to generate these random values. And by that, show you how random they really are. These tests could be good to you when you have like a suspicion that the cookies that you are receiving are not really random. So, they do change. They look random, but you have a feeling that they probably aren’t and you want to test them because if they aren’t random, then you might find a way to forge [sp] an estimate and generate session cookies for yourself and that’s also if you can do that.
So let’s quickly see how this really works. So this is the main Sequencer page, and what you wanna do is find a request which you can test here and with that you can collect these tokens that you wanna test. So we’re gonna go back to the WebGoat. So I’m gonna restart the browser to have a clean environment and reload this page. And now let’s see here in Burp what happened exactly. So you can see when we sent the first request, we don’t have any cookies. And in response, we don’t get anything. But in the second request, this is the authorization so we add the authorization code or the username password. And then in the response, we get a set cookie parameter, set cookie header. And what we wanna use Sequencer for is to figure out whether this value here is random or not. And for that we have to send this request as many times as we can to have a list of these session cookies to be able to run the Sequencer on them. So we say Send to Sequencer and then we have this one request here in the Sequencer. So the value which you wanna test is going to be in the response. You have various options for how you want to choose what part of the response you wanna test. So you can choose here that it’s gonna be a cookie so Burp is looking for this cookie set header and allows you to choose one of these cookies. Since we have only one cookie, we can only choose the JSESSIONID there. Also, you can use form fields, but that’s also not that interesting now. That could be interesting for you if there are cross-site request forgery protections but usually a good way to protect against cross-site scripting forgery is to put a random cross-site scripting token in every form as a hidden parameter or hidden input. And here with the form field, you could choose that input and test whether these cross-site request forgery tokens are always new and always random.
Because if they’re not random, then you could be able to generate and then like fake this or bypass this cross-site request forgery protection.
In the custom location, I show you it’s actually a pretty cool tool. You have the response here. And you can either put here like regular expressions or things like that, but what I really like is you can come here and select what you want. And as you can see, Burp automatically generated these expressions for you to mark for you which part you want to look at. This is really useful when the token is something which you cannot really define well, so like not a cookie or not an input field. It’s just like one part of the webpage, the response which you get. And with this tool, you can very well define what you wanna look for and it’s pretty easy, so you don’t have to really write a real regular expression by yourself. But we can just use here the cookie now. There are some speed options here which I’m not gonna change now. I’m just gonna say Start live capture. And then as you can see, here are the requests sent and the tokens collected. You can use this auto analysis which will do this mathematical analysis after like every 100 tokens. I usually wait for like 1,000 tokens at least. Sometimes the application’s really slow and then it’s not possible, but the more tokens you have, the better it is because then the analysis will be more accurate. As you can see, it’s starting to slow down so actually I will stop it and do an Analyze Now. I’m not gonna explain everything to you on this page because usually what I’m looking at is this line here, which is the overall quality of randomness.
-Cut due to length limit-
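The kind of analysis the Sequencer runs on a captured sample of session cookies can be approximated offline. The following Python example is added here and is not part of the video or of Burp: it applies two checks of the same family, per-position character entropy and correlation between consecutively issued tokens, to a constructed sample of 1,000 tokens from a counter-based generator and from the OS CSPRNG. It assumes the tokens were captured as equal-length strings in the order the application issued them.

```python
import math
import secrets
from collections import Counter


def position_entropies(tokens):
    """Shannon entropy (bits) of the character seen at each position across the sample.
    A position that always holds the same character contributes 0 bits."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def estimated_entropy_bits(tokens):
    """Upper-bound estimate of the whole token's entropy: the sum of per-position
    entropies. Positions are treated as independent, so this alone cannot detect a
    generator whose characters vary but depend on each other (see mean_shared_prefix)."""
    return sum(position_entropies(tokens))


def fixed_positions(tokens):
    """Indices whose character never changes across the sample (0 bits each)."""
    return [i for i, e in enumerate(position_entropies(tokens)) if e == 0.0]


def mean_shared_prefix(tokens):
    """Average number of leading characters a token shares with the one issued just
    before it. A counter-like generator scores close to the full width; a random
    generator over 16 symbols scores about 1/15 on average."""
    def common(a, b):
        k = 0
        while k < min(len(a), len(b)) and a[k] == b[k]:
            k += 1
        return k
    pairs = list(zip(tokens, tokens[1:]))
    return sum(common(a, b) for a, b in pairs) / len(pairs)


def weak_tokens(n, start=1000):
    """Constructed sample: an incrementing counter rendered as 32 hex characters. It
    changes on every request and looks random to the eye, but carries only ~10 bits."""
    return [f"{start + i:032x}" for i in range(n)]


def strong_tokens(n):
    """Constructed sample: 128-bit tokens from the OS CSPRNG, for comparison."""
    return [secrets.token_hex(16) for _ in range(n)]
```

Both checks are run over the same sample, so a generator that passes the entropy estimate but fails the shared-prefix check is flagged as sequential rather than random.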