
Master Burp Suite Like A Pro In Just 1 Hour

Intro

00:00:00

Modern tutorials often resemble documentation, focusing on commands and buttons without explaining their purpose. This guide takes a different approach by walking through a typical web app penetration test using Burp Suite, demonstrating where each option fits in the process. Beginners will gain foundational knowledge of pen testing and how to use Burp effectively, while experienced users can learn alternative techniques.

Setup

00:00:57

To begin testing, OWASP Juice Shop is recommended as a safe, intentionally vulnerable practice target. It can be run locally with Docker or used through its hosted Heroku instance for convenience. Once it is running, open Burp Community, go to the Proxy tab, make sure Intercept is off, and launch Burp's pre-configured Chromium browser to open your local Juice Shop instance.

Reconnaissance Steps

00:01:57

The initial step in web application testing involves reconnaissance, which is divided into two phases. The first phase focuses on understanding the application's purpose and functionality. The second phase, known as application mapping, entails exploring its structure to identify potential vulnerabilities or areas of interest.

Application Mapping

00:02:16

The application mapping process is illustrated on a simple e-commerce platform with features like product browsing, reviews, and account creation. Watching the traffic in Burp while using the browser makes it easy to track each HTTP request and response. For example, clicking on a product reveals REST API calls specific to that item's reviews, and caching behaviour shows up as 304 Not Modified responses. Unauthenticated users can interact with functionality such as submitting customer feedback through a form protected by a CAPTCHA. The weakness here is that the CAPTCHA endpoint returns the answer in its own response data, which allows feedback submissions to be automated without any human solving the challenge.

Parameter Tampering

00:05:42

The reconnaissance phase involves testing the ability to replay and automate requests, such as forging author comments or ratings. By sending repeated requests through a repeater tool, it was possible to bypass CAPTCHA protections and create multiple feedback entries with manipulated data like high ratings or altered authorship. This demonstrates insufficient anti-automation measures in place for preventing unauthorized actions.

Finding Secrets

00:09:44

Sensitive User Information Exposure

The application reveals sensitive user information in its responses, including usernames, email addresses, password hashes (using insecure MD5), roles, and tokens. This data is returned for every image uploaded to the photo wall and allows user enumeration by exposing the IDs of other users who have interacted with the platform. Such exposure poses a significant security risk, as it enables unauthorized access or exploitation of personal details.

Potential Vulnerabilities in the Feedback API

The feedback section displays submissions along with associated metadata like ratings and comments; some are anonymized while others reveal identifiable details such as user IDs. The system reflects submitted input without proper filtering, which could allow cross-site scripting attacks through malicious payloads injected into fields like comments or identifiers. Additionally, an FTP server linked from the terms of service hints at further exploration opportunities for potential vulnerabilities within stored files.

Registration/Login Flow

00:14:01

Mapping the User Registration Process

The user registration process involves multiple API requests, starting with fetching the security questions via a GET request. Users provide an email, password, and an answer to one of these questions during account creation. The system stores the security answer as a SHA-256 hash and assigns a unique user ID along with default attributes like role and profile image. Highlighting specific actions in tools like Burp Suite helps track related requests for better organization during penetration testing.

Efficient Note-Taking During Penetration Testing

Using highlights in Burp Suite simplifies tracking findings or areas requiring follow-up, but it is not ideal for long-term note storage due to project file size limitations. External templates or notepads are recommended for detailed documentation, as they allow easier access and sharing among team members without navigating large datasets within the tool itself.

Analyzing JWT Tokens

00:20:03

JWTs, issued at login, are base64url-encoded rather than encrypted, so their contents can be decoded by anyone who holds the token. In this case the token carries the user's email and password hash (MD5), which should never be exposed in a token. It also includes the last login IP address, profile image link, multi-factor authentication secret, account status and creation timestamps. More concerning, it has no expiration time, so it stays valid indefinitely, which is a significant security risk.

Special Message

00:23:16

After logging into a new user account, the process of adding an item to a basket is explored. The workflow begins with sending a GET request for an empty basket and proceeds with a POST request that adds apple juice (product ID 1) to this specific user's basket (basket ID 6). A successful response confirms the addition through product-to-basket mapping, providing details about both entities. Finally, another GET request verifies that the updated basket now contains apple juice under its respective IDs.

Exploiting IDOR

00:25:25

When encountering a numerical identifier at the end of an API endpoint, consider testing for Insecure Direct Object References (IDOR) by altering the number. For instance, changing 'basket ID 6' to '5' or '4' may reveal unauthorized access to other users’ data. This method can expose sensitive information like different basket contents associated with various user IDs.
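The root cause of an IDOR like this is a handler that looks up the object by the id in the URL and never checks who owns it. The following added example (my code, not Juice Shop's; the in-memory basket table, the `UserId` field and the requester object are constructed) shows the vulnerable lookup beside the ownership check that fixes it, then walks ids 1 to 10 the way an Intruder run would so the difference is visible.

```javascript
// Added example (not Juice Shop's code): the authorization check an endpoint
// like GET /rest/basket/:id needs. The caller's identity comes from the
// session or token, never from the URL. Constructed in-memory data.
const BASKETS = new Map([
  [4, { id: 4, UserId: 2, products: ["Banana Juice"] }],
  [5, { id: 5, UserId: 3, products: ["Lemon Juice"] }],
  [6, { id: 6, UserId: 21, products: ["Apple Juice"] }],
]);

// Vulnerable: any authenticated caller can read any basket by changing the id.
function getBasketVulnerable(requester, basketId) {
  const basket = BASKETS.get(Number(basketId));
  return basket ? { status: 200, body: basket } : { status: 404, body: null };
}

// Hardened: the basket must belong to the requester. "Missing" and "not yours"
// both return 404 so the response does not confirm that another user's id exists.
function getBasketSecure(requester, basketId) {
  const basket = BASKETS.get(Number(basketId));
  if (!basket || basket.UserId !== requester.id) return { status: 404, body: null };
  return { status: 200, body: basket };
}

// Replays the Intruder sweep from the video against a handler and returns the
// ids that answered 200 for the given caller.
function enumerate(handler, requester, from = 1, to = 10) {
  const hits = [];
  for (let id = from; id <= to; id++) {
    if (handler(requester, id).status === 200) hits.push(id);
  }
  return hits;
}
```

The same pattern applies to the product-to-basket mapping rows created by the POST request in the previous section: each write should check that the target basket belongs to the caller, not just that it exists.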

Burp Intruder Workflow

00:26:21

Burp Intruder automates repetitive tasks such as testing many inputs against one request. Start by clearing any pre-selected payload positions, mark the value to vary (here the basket ID at the end of the URL, e.g. the trailing 4), and choose Sniper mode for single-position manipulation. Configure a Numbers payload to cover a range, such as basket IDs 1 to 10 in steps of one. Disable options you don't need before starting the attack; this keeps the requests under precise control even though the Community edition sends them sequentially and more slowly.

Advanced Intruder Settings

00:28:06

Efficient User ID Extraction with Burp Intruder

Using the advanced settings in Burp Intruder, the user IDs associated with specific baskets can be extracted efficiently. With the Grep - Extract feature, either define a custom expression or simply highlight the desired data point, such as the user ID, in an example response, and Intruder adds it as a column in the results. This reveals which basket belongs to which user without manually inspecting individual responses.

Extracting Product Details via Automated Enumeration

Burp Intruder also allows automated extraction of product details such as name, description, and price by setting up a payload that covers a range of product IDs. Grep - Extract entries configured from an example response capture these attributes systematically across all products. This technique is invaluable for spotting gaps or patterns in the data while streamlining repetitive tasks.
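Seen from the other side, a Sniper run over basket or product IDs leaves a distinctive footprint in the web server's access log: one client walking a numeric path segment in a short burst. The following added example (my code, not the video's or Juice Shop's; the log lines, IPs and thresholds are constructed) parses combined-format log lines, groups requests by client and path template, and flags a client that touches many distinct ids within a time window.

```javascript
// Added example (not from the video): detect one client enumerating a numeric
// resource id, the footprint an Intruder Sniper run over /rest/basket/1..10
// leaves in an access log. Log lines below are constructed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /rest/basket/1 HTTP/1.1" 200 312',
  '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /rest/basket/2 HTTP/1.1" 200 298',
  '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /rest/basket/3 HTTP/1.1" 200 301',
  '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /rest/basket/4 HTTP/1.1" 200 305',
  '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /rest/basket/5 HTTP/1.1" 200 299',
  '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /rest/basket/6 HTTP/1.1" 200 330',
  '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /rest/basket/7 HTTP/1.1" 200 297',
  '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /rest/basket/8 HTTP/1.1" 200 310',
  '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /rest/basket/9 HTTP/1.1" 200 302',
  '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /rest/basket/10 HTTP/1.1" 200 311',
  '198.51.100.4 - - [10/Jan/2024:10:00:05 +0000] "GET /rest/basket/6 HTTP/1.1" 200 330',
  '198.51.100.4 - - [10/Jan/2024:10:00:09 +0000] "GET /rest/products/1 HTTP/1.1" 200 512',
  'garbage line that does not parse',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Jan/2024:10:00:01 +0000" -> epoch seconds (UTC)
function parseApacheTs(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === "+" ? 1 : -1);
  return local - offset;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status] = m;
  return { ip, ts: parseApacheTs(ts), method, path, status: Number(status) };
}

// Group by (client, method, path with the trailing number replaced by :id) and
// alert when one group touches >= minDistinct distinct ids within windowSeconds.
function detectIdEnumeration(lines, { minDistinct = 5, windowSeconds = 60 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.ts === null) continue;
    const m = /^(.*\/)(\d+)$/.exec(r.path);
    if (!m) continue;
    const template = `${m[1]}:id`;
    const key = `${r.ip} ${r.method} ${template}`;
    if (!groups.has(key)) groups.set(key, { ip: r.ip, method: r.method, template, events: [] });
    groups.get(key).events.push({ t: r.ts, id: Number(m[2]) });
  }
  const alerts = [];
  for (const g of groups.values()) {
    const ev = g.events.sort((a, b) => a.t - b.t);
    let best = 0; // most distinct ids seen in any window
    for (let lo = 0; lo < ev.length; lo++) {
      const ids = new Set();
      for (let hi = lo; hi < ev.length && ev[hi].t - ev[lo].t <= windowSeconds; hi++) ids.add(ev[hi].id);
      best = Math.max(best, ids.size);
    }
    if (best >= minDistinct) alerts.push({ ip: g.ip, method: g.method, template: g.template, distinctIds: best });
  }
  return alerts;
}
```

Tune `minDistinct` and `windowSeconds` to the application: a shop page that legitimately fetches ten product ids in one page load needs a higher threshold for `/rest/products/:id` than for `/rest/basket/:id`, where a single user normally ever touches one id.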

Finding Logic Flaws

00:33:03

Logic flaws occur when developers assume users will strictly follow a predefined workflow, such as step-by-step processes presented through the user interface. By skipping or altering steps—like jumping from adding an item to checkout without intermediate actions—it’s possible to identify vulnerabilities. A typical purchase process involves adding items to a basket, modifying quantities via specific requests, entering address details for delivery options, providing payment information like credit cards, and finally approving the order summary. Each of these steps generates distinct API calls that can be analyzed for potential manipulation opportunities.

Exploiting Logic Flaws

00:37:30

By manipulating the quantity parameter in a shopping basket, it's possible to exploit logic flaws. While increasing quantities works as expected, inputting a negative number like -50 results in an unexpected behavior: instead of owing money for items, the system credits back funds. This creates a scenario where users can proceed through checkout and pay using their wallet balance without actually spending real money.

Success & Homework for you

00:39:31

A logic flaw in an application allows users to manipulate the system into paying them instead of charging. By submitting an order with negative credits, the final price becomes negative, resulting in financial gain rather than expense. Users are encouraged to explore and experiment further with this vulnerability.
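The negative-quantity flaw from the previous two sections is a missing input check on the server, not a pricing bug. The following added example (my code, not Juice Shop's; the price table, the per-order cap and the wallet object are constructed assumptions) shows the trusting total calculation beside a validated one, and a checkout step that refuses to let an order total ever credit the wallet.

```javascript
// Added example (not Juice Shop's code): the server-side checks that close the
// negative-quantity logic flaw. The vulnerable total trusts the client's number;
// the hardened path validates quantities and refuses non-positive totals.
const PRICES = { 1: 1.99, 2: 2.99 }; // constructed: product id -> unit price
const MAX_PER_ORDER = 100;             // assumed per-order cap

// Vulnerable: quantity -50 yields a negative total, i.e. a credit to the user.
function basketTotalVulnerable(items) {
  return items.reduce((sum, it) => sum + PRICES[it.productId] * it.quantity, 0);
}

// Returns an error string, or null when the quantity is acceptable.
function validateQuantity(q) {
  if (typeof q !== "number" || !Number.isInteger(q)) return "quantity must be an integer";
  if (q < 1) return "quantity must be at least 1";
  if (q > MAX_PER_ORDER) return "quantity exceeds per-order limit";
  return null;
}

// Hardened: same arithmetic, but only after every line item has been validated.
function basketTotalSecure(items) {
  for (const it of items) {
    if (!(it.productId in PRICES)) throw new Error(`unknown product ${it.productId}`);
    const err = validateQuantity(it.quantity);
    if (err) throw new Error(`product ${it.productId}: ${err}`);
  }
  return basketTotalVulnerable(items);
}

// Checkout: an order may only ever debit the wallet. Even if a negative total
// slipped through the total function, this second check stops the payout.
function checkout(wallet, items, totalFn = basketTotalSecure) {
  const total = Number(totalFn(items).toFixed(2));
  if (total <= 0) throw new Error("order total must be positive");
  if (wallet.balance < total) throw new Error("insufficient funds");
  return { balance: Number((wallet.balance - total).toFixed(2)), charged: total };
}
```

Validating the quantity on the request that changes it is the real fix; the check in `checkout` is defence in depth, so that a future code path that forgets to validate still cannot turn a purchase into a refund.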

Putting it all together (Another logic flaw)

00:40:23

Identifying Hidden Products Using Burp Tools

To uncover a hidden product, the Christmas special, which is not listed among the products or their descriptions, Burp's Intruder and Repeater are used. Requesting products by numerical payloads from 1 to 50 and searching the responses for names or descriptions containing 'Christmas' turned up nothing. The next step was to add every possible product ID to the basket via an Intruder attack, which revealed that one unlisted item named "Christmas surprise" was added successfully.

Isolating the Desired Product by Basket Manipulation

After identifying the hidden product (product ID 10), the other items added during the sweep had to be removed from the basket while keeping only this one. Because each basket item has its own mapping ID distinct from the product ID, the irrelevant entries were deleted with a second Intruder run over the relevant range of mapping IDs.

Finalizing the Purchase Through Intercept Mode Adjustments

With everything except the target item, 'Christmas Surprise', cleared from the basket, Burp's intercept mode was used to adjust the final add-to-basket request by hand so that the item was included correctly before completing checkout.

Stealing Christmas

00:49:26

The process of ordering a Christmas surprise involves opening the basket, adding an address for one-day delivery, and using the wallet for payment. After confirming details on the confirmation page, placing the order completes it successfully.

How you know you're done

00:49:52

During the application mapping phase, it's essential to organize findings effectively. In the proxy history tab of Burp Suite, highlighted items help track identified issues and endpoints for follow-up. A color-coding system can be used: red for confirmed issues or problematic endpoints, yellow for associated concerns, blue as a reminder to revisit later points of interest, and gray as visual cues marking accessed endpoints during scripting activities. Additionally, labeled tabs with stars indicate significant findings when using tools like Repeater.

Wrap up

00:50:50

Burp Suite can initially feel overwhelming for beginners, but it is a powerful tool for uncovering web vulnerabilities when paired with the right methodology. This guide provides hands-on insights into using Burp Suite effectively to enhance your pen testing skills. Beginners are encouraged to share their learning needs in the comments, while experts can contribute additional tips for newcomers.