Burp Suite: Advanced Techniques Guide

The document discusses various tools and techniques for using Burp Suite, an intercepting proxy for testing web applications. It covers plugins like Autochrome, Request Highlighter, hotkeys, the Repeater, Intruder, Flow, Collaborator, Hackvertor, Param Miner, and Autorize. It also provides tips on learning more about Burp Suite and references related resources.


Burp suite - ninja tricks!

@webhak
Thomas Gøytil
Head of security @ Klaveness Digital
Developer reformed to security professional
Hacker, bug bounty hunter, speaker, etc.
Love everything security: hardware, software, radio-hacking, lockpicking etc.
Outline
Burp intro
Autochrome
Request highlighter
Hotkeys and repeater
General tips
Flow
Intruder
Meth0dman
Turbo intruder
Macro
Burp collaborator
Hackvertor
Param miner
Autorize
Where to learn more?
References
Burp suite
Intercepting proxy created by Portswigger
Standard for testing web applications
Free, Professional and Enterprise version
OWASP Zed Attack Proxy (ZAP) is an open source alternative
Demo - Burp proxy with scope
Autochrome
Downloads Chromium and adds different profiles
Profiles do not share cookies - one profile per user
Default proxy localhost:8080
Disable checking of certificates
Sweet colored profiles!
Adds separate user agent for each profile
Autochrome - Installation
git clone [Link]
cd autochrome
ruby [Link]
WARNING:
User-agent string may mess up some web applications
Localhost is not proxied - use an alias in the /etc/hosts file
Demo: Plugin - Request highlighter
Hotkeys
(Good) developers usually use hotkeys in their IDE - you should start doing it in Burp
Ctrl+Shift+P - Proxy
Ctrl+Shift+R - Repeater
Ctrl+Shift+I - Intruder
Ctrl+R - Send this request to repeater
Ctrl+I - Send this request to intruder
Ctrl+- - Previous tab
Custom: Ctrl++ - Next tab
Custom: Ctrl+G - Repeater send request
Demo: Repeater with hotkeys and auto-scroll to match when text changes
General tips
Learn how to save sessions in Burp
For intruder stuff - use SecList
Some buttons are hard to find - know where the buttons are ;)
Learn the advanced features - they save you a lot of time
Proxy
Use your cloud box as a SOCKS proxy
ssh -D 9995 user@cloud-box
Point Burp at it under User options --> Connections
Debugging burp - Flow plugin
Intruder basics
Demo - basic numbers
Demo - scan defined insertion point
Demo - scan EVERY char
Intruder plugins - Meth0dman
For every endpoint on this site: do one request for each HTTP method!
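The Meth0dman idea, one request per HTTP method per endpoint, as an added Python example that is not part of the slides or of the plugin: it builds the method matrix against a constructed stand-in for a target and flags every method that was accepted (2xx) but is missing from the documented allow-list. FAKE_APP, fake_send and DOCUMENTED are constructed for the example; in a real audit the requests go through Burp and the interpretation step is the same.

```python
# Constructed stand-in for a target application: the status each (method, path)
# would return. A real audit sends these through Burp; the logic below is the same.
FAKE_APP = {
    ("GET", "/api/orders"): 200,
    ("POST", "/api/orders"): 201,
    ("DELETE", "/api/orders"): 204,   # works, but is not a documented operation
    ("GET", "/api/health"): 200,
    ("TRACE", "/api/health"): 200,    # TRACE left enabled on this route
}
KNOWN_PATHS = {path for _, path in FAKE_APP}
METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")


def fake_send(method, path):
    """Return the constructed app's status code: 405 for an unhandled method on a
    known path, 404 for an unknown path."""
    if (method, path) in FAKE_APP:
        return FAKE_APP[(method, path)]
    return 405 if path in KNOWN_PATHS else 404


def method_matrix(paths, send, methods=METHODS):
    """One request per (path, method), the way Meth0dman drives Intruder;
    returns {path: {method: status}}."""
    return {path: {method: send(method, path) for method in methods} for path in paths}


def unexpected_methods(matrix, allowed):
    """Methods that were accepted (2xx) but are not in the documented allow-list
    for that path; these are the rows worth following up with the developers."""
    findings = []
    for path, results in matrix.items():
        for method, status in results.items():
            if 200 <= status < 300 and method not in allowed.get(path, ()):
                findings.append((path, method, status))
    return findings


# What the API documentation says each route supports (constructed).
DOCUMENTED = {"/api/orders": {"GET", "POST"}, "/api/health": {"GET"}}

if __name__ == "__main__":
    matrix = method_matrix(sorted(KNOWN_PATHS), fake_send)
    for path, results in matrix.items():
        print(path, {m: s for m, s in results.items() if s != 405})
    for finding in unexpected_methods(matrix, DOCUMENTED):
        print("unexpected:", finding)
```

Reading the matrix is the useful part: a 405 is the expected answer for a method the route does not implement, a 2xx on a method nobody documented (a DELETE that works, TRACE still enabled) is the finding.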
Turbo intruder - Going beyond intruder
Fast - custom HTTP stack
Scalable - flat memory usage and headless support
Flexible - Scripts are written in Python. Custom handling of malformed requests
Convenient - Filtering non-relevant results
On the other hand it's undeniably harder to use, and the network stack isn't as reliable and battle-tested as core Burp's.
[Link]
Standard wordlist
# regular wordlist
# (these snippets live inside queueRequests(target, wordlists); engine is the
# RequestEngine the script creates there)
for line in open('/home/user/wordlist/a_wordlist.txt'):
    engine.queue(target.req, line.rstrip())
Observed words
# list of all words observed in traffic
for word in wordlists.observedWords:
    engine.queue(target.req, word)
Infinite brute-force
# infinitely-running bruteforce (a, b ... aaa, aab etc)
seed = 0
while True:
    batch = []
    seed = wordlists.bruteforce.generate(seed, 5000, batch)
    for word in batch:
        engine.queue(target.req, word)
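What the infinite brute-force loop above is actually feeding the engine, and how result filtering cuts the noise the "Convenient" bullet refers to, as an added stand-alone Python example (not code from the slides or from Turbo Intruder). `generate` is a plain-Python stand-in for `wordlists.bruteforce.generate` with the same call shape; the exact word order is an assumption based on the slide comment "a, b ... aaa, aab". BASELINE and SAMPLE_RESULTS are constructed response records.

```python
import string

ALPHABET = string.ascii_lowercase


def index_to_word(n):
    """Map a 0-based counter to a bijective base-26 word:
    0 -> 'a', 25 -> 'z', 26 -> 'aa', 27 -> 'ab', 702 -> 'aaa'.
    This is the 'a, b ... aaa, aab' order the slide's comment describes."""
    word = []
    n += 1
    while n > 0:
        n, rem = divmod(n - 1, len(ALPHABET))
        word.append(ALPHABET[rem])
    return "".join(reversed(word))


def generate(seed, count, batch):
    """Stand-in for wordlists.bruteforce.generate (assumed behaviour, not the
    plugin's code): append `count` words starting at `seed` to `batch` and
    return the next seed, which is why the slide's loop passes the returned
    value back in on every iteration."""
    for n in range(seed, seed + count):
        batch.append(index_to_word(n))
    return seed + count


def is_interesting(response, baseline):
    """A result is worth showing only if status or body length differ from
    the baseline; everything that looks like the baseline is noise."""
    return (response["status"], response["length"]) != (
        baseline["status"], baseline["length"])


def filter_results(responses, baseline):
    return [r for r in responses if is_interesting(r, baseline)]


# Constructed sample results: one word produced a response unlike the baseline.
BASELINE = {"word": "", "status": 404, "length": 1532}
SAMPLE_RESULTS = [
    {"word": "a", "status": 404, "length": 1532},
    {"word": "b", "status": 404, "length": 1532},
    {"word": "docs", "status": 302, "length": 0},
    {"word": "c", "status": 404, "length": 1532},
]

if __name__ == "__main__":
    batch = []
    seed = generate(0, 30, batch)
    print(seed, batch[:3], batch[25:])   # 30 ['a', 'b', 'c'] ['z', 'aa', 'ab', 'ac', 'ad']
    for hit in filter_results(SAMPLE_RESULTS, BASELINE):
        print(hit)
```

In a real Turbo Intruder script the filtering decision is made in `handleResponse(req, interesting)`, where `interesting` is the engine's own verdict on the response and `table.add(req)` keeps the row; the example only makes the status/length comparison behind that verdict visible.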
Turbo intruder - resources
[Link]
embracing-the-billion-request-attack
Turbo Intruder: Abusing HTTP Misfeatures to
Accelerate Attacks
Cracking recaptcha turbo intruder style
Macro basics and debugging
Burp collaborator
Collaborator XXE demo
XXE exfil of /app/[Link] with Burp collaborator
Private collaborator
Set up your own collaborator to not share data with Portswigger
Collaborator everywhere
X-Forwarded-For
X-Wap-Profile
X-Real-Ip
Forwarded
etc....
[Link]
Collaborator everywhere
Tuning where collaborator is inserted
[Link]
extensions-for-tailored-pentesting
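The headers Collaborator Everywhere seeds are the ones a backend is most tempted to resolve or fetch, so the defender's counterpart is to validate them before anything downstream acts on them. The following is an added Python example, not code from the slides or from the extension: it checks the headers listed on the slide for values that are not what the header is meant to carry (IP literals in X-Forwarded-For and X-Real-Ip, RFC 7239 nodes and an allow-listed host in Forwarded) and rejects X-Wap-Profile outright. CLEAN, SUSPICIOUS and the `oob-a1b2c3.example.net` hostname are constructed.

```python
import ipaddress

# Headers from the Collaborator Everywhere slide, grouped by what a backend
# should legitimately find in them.
IP_LIST_HEADERS = ("x-forwarded-for", "x-real-ip")   # comma-separated IP literals
URL_HEADERS = ("x-wap-profile",)                      # a URL the server is invited to fetch


def is_ip_literal(node):
    """True for an IPv4/IPv6 literal, optionally with a port ('203.0.113.9:4711',
    '[2001:db8::1]:4711'); False for anything a resolver could be handed."""
    node = node.strip().strip('"')
    if node.startswith("[") and "]" in node:
        node = node[1:node.index("]")]
    elif node.count(":") == 1:
        node = node.split(":", 1)[0]
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def forwarded_node_ok(node):
    """RFC 7239 allows 'unknown' and obfuscated '_token' identifiers as well as IPs."""
    node = node.strip().strip('"')
    return node == "unknown" or node.startswith("_") or is_ip_literal(node)


def check_forwarding_headers(headers, allowed_hosts):
    """Return (header, offending value) pairs. allowed_hosts is the set of
    hostnames this service is really served under; any other Forwarded host=
    value is rejected instead of being trusted for redirects or links."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in IP_LIST_HEADERS:
            findings += [(name, n.strip()) for n in value.split(",") if not is_ip_literal(n)]
        elif lname in URL_HEADERS:
            # A backend has no business fetching a client-supplied URL; drop the header.
            findings.append((name, value.strip()))
        elif lname == "forwarded":
            for element in value.split(","):
                for pair in element.split(";"):
                    if "=" not in pair:
                        continue
                    key, val = (s.strip() for s in pair.split("=", 1))
                    key, val = key.lower(), val.strip('"')
                    bad = (
                        (key in ("for", "by") and not forwarded_node_ok(val))
                        or (key == "host" and val.lower() not in allowed_hosts)
                        or (key == "proto" and val.lower() not in ("http", "https"))
                    )
                    if bad:
                        findings.append((name, pair.strip()))
    return findings


# Constructed requests: one clean, one carrying an out-of-band callback host.
CLEAN = {
    "X-Forwarded-For": "203.0.113.9, 198.51.100.2",
    "Forwarded": 'for=192.0.2.60;proto=https;host=shop.example.com, for="[2001:db8::1]:4711"',
}
SUSPICIOUS = {
    "X-Forwarded-For": "203.0.113.9, oob-a1b2c3.example.net",
    "X-Real-Ip": "oob-a1b2c3.example.net",
    "Forwarded": "for=_hidden;host=oob-a1b2c3.example.net",
    "X-Wap-Profile": "http://oob-a1b2c3.example.net/profile.xml",
}

if __name__ == "__main__":
    print(check_forwarding_headers(CLEAN, {"shop.example.com"}))   # []
    for finding in check_forwarding_headers(SUSPICIOUS, {"shop.example.com"}):
        print(finding)
```

A hostname where an IP literal belongs is the tell: a server that resolves it produces exactly the DNS interaction the extension is listening for, which is also what a logging rule on these headers should alert on.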
Hackvertor
Awesome plugin....
... you just need to learn how to use it ;)
Tags support parameters
This plugin supports python code!
Demo: URL-encoding with Hackvertor in the reflected-XSS demo
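Why the plugin is worth learning is the nesting: an inner tag's output becomes the outer tag's input, so encodings compose without copy-pasting between tools. The block below is an added Python example, not Hackvertor's code, that implements that evaluation rule for a handful of tags. The `<@name(args)>...<@/name>` syntax is an assumption modelled on the plugin's tag style, and the tag set (base64, hex, urlencode, html_entities, upper, repeat) is chosen for the example.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote

# An innermost tag: '<@name>' or '<@name(args)>', a body containing no further
# opening tag, and the matching '<@/name>'. The exact Hackvertor syntax is an
# assumption; the nesting rule (inner tags first) is the point being shown.
TAG_RE = re.compile(r"<@(\w+)(?:\(([^)]*)\))?>((?:(?!<@\w).)*?)<@/\1>", re.DOTALL)

TRANSFORMS = {
    "base64": lambda body, args: base64.b64encode(body.encode()).decode(),
    "hex": lambda body, args: binascii.hexlify(body.encode()).decode(),
    "urlencode": lambda body, args: quote(body, safe=""),
    "html_entities": lambda body, args: html.escape(body, quote=True),
    "upper": lambda body, args: body.upper(),
    "repeat": lambda body, args: body * int(args[0]),   # a parameterised tag
}


def parse_args(raw):
    """'3' -> ['3'];  "'a', 'b'" -> ['a', 'b'];  None -> []."""
    if not raw:
        return []
    return [a.strip().strip("'\"") for a in raw.split(",")]


def convert(text):
    """Rewrite tags innermost-first until none are left, so
    <@urlencode><@base64>x<@/base64><@/urlencode> base64-encodes x and then
    URL-encodes the result. Text without tags is returned unchanged."""
    while True:
        match = TAG_RE.search(text)
        if match is None:
            return text
        name, raw_args, body = match.groups()
        if name not in TRANSFORMS:
            raise ValueError("unknown tag <@%s>" % name)
        replacement = TRANSFORMS[name](body, parse_args(raw_args))
        text = text[:match.start()] + replacement + text[match.end():]


if __name__ == "__main__":
    print(convert("q=<@urlencode><@base64>a b&c<@/base64><@/urlencode>"))   # q=YSBiJmM%3D
    print(convert("<@repeat(3)>ab<@/repeat>"))                              # ababab
```

Because the regex only ever matches a tag whose body holds no further opening tag, the loop is guaranteed to process the deepest tag first, which is the behaviour to expect from the plugin when chaining encoders.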
Param miner!
Guess GET parameters
Guess JSON body
Guess POST body
Guess headers
Guess cookies
$randomplz
Auto mine
Param miner - Guess GET param
Autorize
Where to learn more
Mastering Burp Suite Pro: 100% Hands-On - Nicolas Gregoire (HiTB Amsterdam)
Advanced Burp suite (Bugcrowd university)
Portswigger - Burp testing methodologies
References
Autochrome
SecList
Cracking the lens
Adapting Burp extensions
HTTP Desync - request smuggling reborn
Turbo intruder - embracing the billion request attack
Turbo intruder examples
Cracking recaptcha turbo intruder style
Practical web cache poisoning
Autorize
