Burp Suite Tutorial – Web Application Penetration Testing (Part 2)


2014/11/14

Author: Royce Davis


In the last article we introduced some of the useful features that Burpsuite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will explore some additional functionality, including validating scanner results, exporting scanner reports, parsing XML results, saving a Burp session and Burp extensions. Let's get right to it!

Burp Suite Tutorial – Validating Scanner Results

It's always a good idea to thoroughly validate the results of any automated scanning tool. Burpsuite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.

The “Advisory” tab contains information about the vulnerability including a high-level detail, description and proposed recommendation. The “Request” & “Response” tabs will display exactly what Burpsuite sent to the target application in order to check for the vulnerability as well as what was returned by the application. Take a look at the example below.


Figure #1 – Validating Scanner Results

The request tab shows us which page generated the alert.

Just by requesting this page in a browser, or viewing the “Response” tab, we are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue to be validated and move on.


Figure #2 – Validating Scanner Results

#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks. Pentesters are hired specifically to identify and remove these false positives.

Burp Suite Tutorial – Exporting Scanner Reports

Once you have validated the scanner results you might want to generate some type of report. There are two report options available from the “Scanner/Results” tab: HTML and XML. To generate a report, right-click on a target in the left-hand display pane and select “Report selected issues”. This will present you with the following dialog box.


Figure #3 – Exporting Scanner Reports

Click through the wizard and select which items you want in your report and which format. The HTML report can be opened in a browser and then exported to PDF, which can be useful to help communicate findings to your client. The XML report allows you to parse out specific sections of a report for more granular detail. If you generate an XML report, make sure you uncheck the Base64 encoding option so that the full HTTP Requests/Responses appear in clear text.

Burp Suite Tutorial – Parsing XML Results

I’ve written a simple Ruby script to parse out data from the XML output generated by an automated scan. The script utilizes the Nokogiri gem and outputs the results as a tab-delimited CSV file, which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suit your specific needs.

Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place.

```ruby
require 'nokogiri'

# Turn one <issue> node from Burp's XML report into a row of columns for the CSV.
def clean_finding(finding)
  output = []
  output << 'Web Application Findings'
  output << ''
  output << finding.css('severity').text
  output << 'Open'
  output << finding.css('host').text
  output << finding.css('path').text
  output << finding.css('issueDetail').text
  output << finding.css('name').text
  output << finding.css('issueBackground').text
  output << finding.css('remediationBackground').text
  # Pull the Server header out of the raw response (only visible when the Base64
  # option was unchecked at export time). Matching with a regex avoids a nil crash
  # when the header is written as "Server:" with no trailing space.
  response = finding.css('response').text
  server = response[/^Server:[ \t]*([^\r\n]*)/i, 1]
  output << server.strip if server
  output
end
```

You can see that simply calling the .css method, passing the name of the node you want as the parameter and then calling .text on the result, lets you scoop out whatever specific items you would like from the XML soup. Run the script with no arguments and you’ll see it takes an XML file and spits output to the screen.

```text
[ # ] $ ./parse-burp.rb
Parse Burpsuite XML output into Tab delimited results
Example: ./parse-brup.rb > output.csv
[ # ] $
```

You can redirect the results into a .csv file if you like. The CSV file can then be imported into an Excel spreadsheet, which looks like this.
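As an added example (not the author's parse-burp.rb, and using Ruby's stdlib REXML instead of Nokogiri so it runs without extra gems), the following parses a constructed Burp XML report into the same tab-delimited columns, decodes responses that were exported with the Base64 option still checked, and adds the validation check from above: does the evidence the scanner cites actually appear in the captured response? The sample report, host and server values are constructed, not from a real scan.

```ruby
require 'rexml/document'

# Constructed sample of a Burp Scanner XML report (not from a real scan); the response is base64="true" as Burp exports it.
SAMPLE_XML = <<~XML
  <issues burpVersion="1.6">
    <issue>
      <name>Email addresses disclosed</name>
      <host ip="203.0.113.10">http://example.test</host>
      <path>/contact</path>
      <severity>Information</severity>
      <issueBackground>Email addresses found in responses.</issueBackground>
      <remediationBackground>Remove addresses that need not be public.</remediationBackground>
      <issueDetail>The following email address was disclosed: admin@example.test</issueDetail>
      <requestresponse>
        <response base64="true">#{["HTTP/1.1 200 OK\r\nServer: nginx/1.4.6\r\n\r\n<p>admin@example.test</p>"].pack('m0')}</response>
      </requestresponse>
    </issue>
  </issues>
XML

# Text of a child element (XPath relative to the issue), decoded when marked base64="true".
def element_text(issue, xpath)
  el = issue.elements[xpath]
  text = el ? el.text.to_s : ''
  el && el.attributes['base64'] == 'true' ? text.unpack1('m') : text
end

# Author's column order; a regex finds the Server header so a missing one does not raise on nil.
def clean_finding(issue)
  response = element_text(issue, 'requestresponse/response')
  row = ['Web Application Findings', '', element_text(issue, 'severity'), 'Open'] +
        %w[host path issueDetail name issueBackground remediationBackground].map { |x| element_text(issue, x) }
  server = response[/^Server:[ \t]*([^\r\n]*)/i, 1]
  row << server.strip if server
  row
end

# Validation check: does every address the scanner cites in issueDetail appear in the response?
def evidence_present?(issue)
  response = element_text(issue, 'requestresponse/response')
  element_text(issue, 'issueDetail').scan(/[\w.+-]+@[\w-]+\.[\w.-]+/).all? { |e| response.include?(e) }
end

# One tab-delimited line per issue; tabs and newlines inside a cell are collapsed to a space.
def parse_burp_xml(xml)
  REXML::XPath.match(REXML::Document.new(xml), '//issue').map do |issue|
    clean_finding(issue).map { |c| c.gsub(/[\t\r\n]+/, ' ') }.join("\t")
  end
end
```

Calling `puts parse_burp_xml(SAMPLE_XML)` prints one line ready for redirection into a .csv file; `evidence_present?` on an issue returns false when the cited address is not in the response, which is exactly the kind of false positive the validation step is meant to catch.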


Figure #4 – Parsing XML Results

Burp Suite Tutorial – Saving a Burp session

In some cases it might be necessary to pause an assessment and come back later. You also might find yourself wanting to share your Burpsuite session with another consultant. Two sets of eyes are often better than one, after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This will create a flat file which you or another consultant can import into Burpsuite to see all of the captured traffic and test cases. This is an extremely useful feature.

If you have tried to do this in the past and noticed that the resulting file was unnecessarily large (hundreds of MBs), it is possible you forgot to check the “Save in-scope items only” check-box.


Figure #5 – Saving a Burp session

If you set up your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive state file. The next page of the wizard asks you which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much, if at all, but feel free to play with these options and make up your own mind.

Figure #6 – Saving a Burp session

To restore a previously saved Burp state simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the wizard. Depending on the size of the state file it may take a moment to import everything, but once finished you can continue your assessment, or someone else’s for that matter, as if you had never paused in the first place. It's pretty cool!

Burp Suite Tutorial – Burp Extensions

Burp extensions are after-market additions written by other pentesters that can be easily installed and configured to add enhanced or additional features to Burpsuite. To demonstrate this process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS Github page. Browse to the following URL https://github.com/AccuvantLABS/burp-shellshock and click the “Download here!” link.


Figure #7 – Click the Download here! link

Next click on the “Extender” tab within Burpsuite and click the “Add” button at the top-left corner. When the dialog box pops up, select the Shellshock .jar file you just downloaded and click Next.


Figure #8 – Select the .jar file

If everything went well you should see a message stating “The extension loaded successfully” with no error messages or output. The Extensions tab now shows our “Shellshock Scanner” extension is loaded. We can see from the Details section that a new Scanner check has been added.


Figure #9 – Burp Extension loaded successfully

Burp Suite Tutorial – End of Part 2

I hope this tutorial was useful to you. After reading both articles in this series you should be familiar with many of the critical features offered within Burpsuite. Please take advantage of the comment section below to provide feedback/questions or check us out on the Pentestgeek Forums. Thanks for reading!

Source: https://www.pentestgeek.com/2014/11/14/burp-suite-tutorial-web-application-penetration-testing-part-2/
