To complete the recipes in this chapter, you will need the following:

• Burp Proxy Community or Professional (https://portswigger.net/burp/)
• The Firefox browser configured to allow Burp to proxy traffic (https://www.mozilla.org/en-US/firefox/new/)

Now that we have traffic flowing between your browser, Burp, and the OWASP Broken Web Applications (BWA) virtual machine (VM), we can begin setting the scope of our test. For this recipe, we will use the OWASP Mutillidae II link (http://<Your_VM_Assigned_IP_Address>/mutillidae/) available in the OWASP BWA VM as our target application.

Looking more closely at the Target tab, you will notice there are two subtabs available: Site map and Scope. From the initial proxy setup between your browser, Burp, and the web server, you should now have some URLs, folders, and files shown in the Target | Site map tabs. You may find the amount of information overwhelming, but setting the scope for our project will help to focus our attention better.

Getting ready

Using the Target | Site map and Target | Scope tabs, we will assign the URL for Mutillidae (http://<Your_VM_Assigned_IP_Address>/mutillidae/) as the scope.

How to do it...

Execute the following...

On almost every tool and tab within Burp Suite that displays an HTTP message, you will see an editor identifying the request and response. This is commonly referred to as the message editor. The message editor allows viewing and editing HTTP requests and responses with specialties.

Within the message editor are multiple subtabs. The subtabs for a request message, at a minimum, include the following:

• Pretty
• Raw
• Hex

The subtabs for a response message include the following:

• Pretty: The Pretty subtab gives you the same information as Raw but in a more readable format. Please note the Pretty subtab may be disabled. This is due to the supported formats. For the Pretty subtab to be enabled, the message must be in one of the following formats:
  • JSON
  • XML (including image/SVG + XML content)
  • HTML
  • CSS
  • JavaScript
• Raw: The Raw subtab gives you the message in its raw HTTP form.
• Hex: The Hex subtab, which presents the message in...

Repeater allows for slight changes or tweaks to a request, and it is displayed in the left-hand window. The Send button allows a request to be reissued, and the response is displayed in the right-hand window.

Details related to your HTTP request include standard message editor details such as Pretty, Raw, and Hex as subtabs along with the Inspector side tab.

Details related to the HTTP response include standard message editor details including Pretty, Raw, and Hex as subtabs along with the Inspector side tab and, sometimes, Render.

At the bottom of each panel is a search box, allowing the tester to quickly find a value present in a message:

Figure 2.10 – Search box at the bottom of the request in Repeater

There are additional search box settings available when the gear icon is clicked, including Case sensitive, Regex, and Auto-scroll to match when text changes. When searching for text, if case sensitivity is necessary...

Burp Decoder is a tool that allows the tester to convert raw data into encoded data or to take encoded data and convert it back to plain text. Decoder supports several formats, including URL encoding, HTML encoding, Base64 encoding, binary code, hashed data, and others. Decoder also includes a built-in hex editor.

Getting ready

As a web penetration test progresses, a tester might happen upon an encoded value. Burp eases the decoding process by allowing the tester to send the encoded value to Decoder and try the various decoding functions available.

How to do it...

Let’s try to decode the value of the PHPSESSID session token found in the OWASP Mutillidae II application. When a user initially browses to the URL (http://<Your_VM_Assigned_IP_Address>/mutillidae/), that user will be assigned a PHPSESSID cookie. The PHPSESSID value appears to be encrypted and then wrapped in Base64 encoding. Using Decoder, we can unwrap the value:

1. Browse...

Burp Intruder allows a tester to brute-force or fuzz specific portions of an HTTP message, using customized payloads.

To properly set up customized attacks in Intruder, a tester will need to use the settings available in the four subtabs of Intruder:

Figure 2.17 – Intruder and subtabs available

Getting ready

A tester may wish to fuzz or brute-force parameter values within a message. Burp Intruder eases this process by providing various intruder attack styles, payloads, and options.

How to do it...

1. Browse to the login screen of Mutillidae and attempt to log in to the application. For example, type a username of admin and an invalid password of adminpass.
2. Find the login attempt in the Proxy | HTTP history tab. Your request number (that is, the # sign on the left-hand side) will be different from the one shown next. Select the message that captured your attempt to log in.
3. As the login attempt message...