Can you use all of these Burp Suite penetration-testing features?

The previous chapter, "This penetration-testing powerhouse, Burp Suite: a user guide for novices", introduced Burp Suite installation and the Target, Proxy and Spider modules. This chapter introduces the remaining Burp Suite modules and how to use them.

1. Scanning function

The Scanner module automatically detects vulnerabilities and is divided into active scanning and passive scanning. Burp Suite can scan a single URL or an entire site.

If you only need to scan a single web page, right-click the intercepted request in Proxy > Intercept and choose "Do an active scan", as shown in the following figure:

If you need to scan the entire site, first crawl it with Spider, then select the target in the Target > Site map, right-click it and choose "Actively scan this host", as shown below:

After clicking, the active scanning wizard pops up, where you can remove pages that do not need to be scanned to speed up the scan. The wizard offers the following filtering rules:

  • Remove duplicate items: drop requests that duplicate another item

  • Remove items already scanned: drop items that have already been scanned

  • Remove out-of-scope items: drop items outside the defined target scope

  • Remove items with no parameters: drop requests that carry no parameters

  • Remove items with media responses: drop items whose responses are media content

  • Remove items with the following extensions: drop items with the listed file extensions

The details are shown in the figure below:

Clicking Next displays the pages that will be scanned:

Click OK and the active scan starts. If the scanner encounters a login form during the scan, Burp Suite prompts you to enter login credentials; you can supply them or skip it.

The Scanner module has five tabs: Issue activity, Scan queue, Live scanning, Issue definitions and Options.

Issue activity: displays the vulnerabilities found by the scan.

Scan queue: lists scan tasks; you can see each task's status, the number of issues found, and other details.

Live scanning: shows the current scanning mode and scope.

Issue definitions: describes each issue or vulnerability type the scanner can report.

Options: Scanner settings, in five sections:

Attack insertion points: which parts of a request are scanned; URL, cookie and other parameters can be selected.

Active scanning engine: thread count, timeouts and the maximum number of request connections for active scanning.

Active scanning optimization: the trade-off between active scanning speed and accuracy.

Scan issues: which issue types are scanned and at what intensity.

Static code analysis: the scan type for static analysis of executable code.

2. Intruder function

The Intruder module sends attack payloads against the target based on the possible vulnerabilities that were detected. It works by taking the parameters or variables present in the request and substituting values from local dictionaries (payload lists) into them.

Intruder obtains different responses by modifying request parameters in the intercepted request. Each request carries one or more payloads, placed at the configured positions, and the responses are analyzed to extract the information of interest. Intruder can be used for identifier enumeration, fuzz testing, SQL injection testing, directory traversal and so on.

Next, we use Intruder to brute-force the DVWA login page on the OWASP practice VM, with a wordlist generated by Burp Suite itself. This demonstration is for experimentation only; please do not use it for other illegal operations. The procedure is as follows:

Step 1: Send the intercepted DVWA login request to Intruder, as shown in the figure below:

Step 2: Choose the Attack type. There are four attack types:

Sniper: tries the payloads against each position one at a time

Battering ram: places the same payload into every position at the same time

Pitchfork: uses a separate dictionary for each position, stepping through them in parallel

Cluster bomb: uses a separate dictionary for each position and tries every combination

Here we choose Cluster bomb, as shown in the figure below:

Step 3: Clear the existing payload positions and set the variables again. First click Clear to remove the existing positions, then mark the variables to attack with the Add button, as shown in the following figure:

Step 4: Set up the dictionary. The Payloads settings page has four areas:

Payload Sets: two options.

  • Payload set: selects which payload position is being configured

  • Payload type: common types include Simple list (a plain list), Numbers (a numeric range), Dates (a list of dates) and Runtime file (payloads read from a file at run time).

Payload Options: defaults to Simple list; the fields shown here depend on the selected Payload type.

Payload Processing: processing applied to every string in the dictionary, such as MD5 hashing, substring extraction, adding a prefix or suffix, and so on.

Payload Encoding: URL-encodes selected characters in the payloads.

Here we choose 2 for Payload set and Brute force for Payload type, with the Payload Options configured as shown in the figure below:

Step 5: Set up the Options tab. Here you can configure the request threads, the format of the result set, and so on. In this experiment we keep the default Options, as shown in the following figure:

Step 6: After the configuration is complete, click Start attack to launch the attack; the process is shown in the following figure:

Given enough time for Intruder to run, you will eventually obtain the username and password for the DVWA login.
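
The four attack types chosen in step 2 differ only in how payloads are combined across positions. The following added example (not from the original post or from Burp Suite's own code) models that combination logic for a request with two constructed placeholder positions, and also counts the requests each type generates, which is the volume of login attempts a defender would expect to see in server logs.

```python
from itertools import product

# Constructed sample: a login request with two payload positions, as in the
# DVWA example (step 2). The base values are placeholders, not real credentials.
POSITIONS = ("username", "password")
BASE = ("<user>", "<pass>")

def sniper(base, payload_set):
    """Sniper: one payload set, one position at a time; other positions keep their base value."""
    for i in range(len(base)):
        for p in payload_set:
            vals = list(base)
            vals[i] = p
            yield tuple(vals)

def battering_ram(base, payload_set):
    """Battering ram: the same payload is placed into every position at once."""
    for p in payload_set:
        yield tuple(p for _ in base)

def pitchfork(payload_sets):
    """Pitchfork: one set per position, walked in parallel; stops at the shortest set."""
    yield from zip(*payload_sets)

def cluster_bomb(payload_sets):
    """Cluster bomb: one set per position, every combination (Cartesian product)."""
    yield from product(*payload_sets)

def request_count(attack, n_positions, set_sizes):
    """Number of requests each attack type generates for the given position and set sizes."""
    if attack == "sniper":
        return n_positions * set_sizes[0]
    if attack == "battering ram":
        return set_sizes[0]
    if attack == "pitchfork":
        return min(set_sizes)
    if attack == "cluster bomb":
        total = 1
        for size in set_sizes:
            total *= size
        return total
    raise ValueError(f"unknown attack type: {attack}")

if __name__ == "__main__":
    users = ["admin", "guest"]                 # constructed dictionary for position 1
    passwords = ["1234", "letmein", "qwerty"]  # constructed dictionary for position 2
    for req in cluster_bomb([users, passwords]):
        print(dict(zip(POSITIONS, req)))
    print(request_count("cluster bomb", 2, [len(users), len(passwords)]))  # 6
```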

3. Replay function

The Repeater module replays requests so that you can debug the request and response by modifying parameters. Repeater is an HTTP request editor: you can change the HTTP request freely for testing. Here we again modify the HTTP request for logging in to DVWA in Repeater and view the modified response, as shown in the following figure:

We modify the username and password. After the modification, click Go to send the request to the target machine, then check the response content, as shown in the following figure:

4. Sequencer function

The Sequencer module analyzes the randomness of a sample of data items. It can be used to test whether an application's session tokens, password-reset tokens and similar values are predictable. Analyzing samples in Sequencer helps reduce the risk of these critical values being forged. We again use the DVWA login page for testing, as shown in the figure below:

Click Start live capture to begin the analysis; the analysis process is shown in the figure below:
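
The kind of check Sequencer performs can be approximated offline. The following added example (not from the original post or from Burp Suite) computes the per-character-position entropy of a token sample and tests for a simple counter pattern; the two samples are constructed in the code, not captured from DVWA.

```python
import math
import random
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the character at each position across the sample."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def weak_positions(tokens, threshold=1.0):
    """Positions whose entropy is below `threshold` bits (fixed or nearly fixed characters)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold]

def looks_sequential(tokens):
    """True if the tokens parse as hex and every consecutive pair differs by one small constant step."""
    try:
        nums = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= 16

# Constructed samples (not captured from any application): a counter-based
# "session id" and a seeded pseudo-random one. Both are 8 hex characters, 64 tokens each.
SEQUENTIAL = [f"{0x5A3F00 + i:08x}" for i in range(64)]
_rng = random.Random(1234)
RANDOM_LIKE = ["".join(_rng.choice("0123456789abcdef") for _ in range(8)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("random-like", RANDOM_LIKE)):
        print(name, [round(h, 2) for h in position_entropy(sample)],
              "weak positions:", weak_positions(sample),
              "sequential:", looks_sequential(sample))
```

The counter-based sample has six fixed positions and a step of 1 between tokens, which is exactly the kind of predictability Sequencer's live capture is meant to reveal.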

5. Extender function

The Extender module is a very powerful feature of Burp Suite and the biggest difference between it and other web security assessment tools. Through the Extender module you can load self-developed or third-party extensions to add your own functionality to Burp Suite. Using the API that Burp Suite provides, extensions can be written in three languages: Java, Python and Ruby. We install the CO2 plugin from the BApp Store, which can be combined with SQLmap to carry out SQL injection testing. We will demonstrate this case later in the hands-on part.

6. Decoding function

The Decoder module converts data between URL encoding, HTML encoding, Base64, ASCII, hexadecimal, hashes and so on, and supports chaining multiple encoding and decoding operations, as shown below:

7. Comparer function

The Comparer module visually compares two different requests or responses, to distinguish the effect of different parameters on the result. We compare two request packets for the same DVWA main page to demonstrate the Comparer function. First send the request packets to the Comparer module, as shown in the following figure:

Then, in the Comparer module, compare them by Words or by Bytes, as shown in the figure below:

8. Options function

Divided into Project options and User options, these are mainly global settings for the software. They can be set according to your needs; in general the defaults are fine. This concludes the introduction to all Burp Suite modules. In the next chapter, we will use Burp Suite to perform SQL injection testing.

Origin blog.csdn.net/qq_43422918/article/details/115325852