The Power of Burp Suite

Dear readers,

Welcome in the first edition of 2020! We wanted to start this year with a kick and focus on a well known (and highly popular!) tool - Burp Suite. Whether you are a beginner or an advanced user, the articles inside have various entry level requirements, so you will definitely find something for yourself. We didn’t focus only on the community edition of Burp, there are also tutorials that present the Pro edition, or contain a comparison between two.

What’s inside? You will find an article about different attack scenarios with Burp Suite plugins, among them SQLiPy Sqlmap Integration, CO2, XSS Validator, and others. We will take a closer look at the Spider feature, which is now available only in Pro edition. If you are just starting your journey with Burp, we have a few articles that will present the most effective ways to setup and configure your lab. Each piece in this edition will show you different attacks, tricks, and tips which you can use for your Bug Bounty hunting or during your penetration testing.

What’s more, there is an amazing write-up about performing a phishing attack on Facebook and Google with Social Engineer Toolkit! You will see a little-known method to steal credentials! We also have something on the role of Threat Intelligence in Security Operation Centers. The author of the article, focused on the MITRE ATT&CK framework and how it is used and utilized by SOCs to understand sophisticated attacks through event correlations.

We hope that you will enjoy this edition, that the articles will help you with understanding Burp. Feel free to leave us a comment or send us a message! As always, special thanks to all the contributors, reviewers, and proofreaders involved in the process of creating of this issue.

Enjoy the reading,

Hakin9 Editorial Team

TABLE OF CONTENTS

A Jump-Start Guide on a Burp Suite Tool

V. Elamaran, M. Sundar Prakash Balaji

Burp Suite is a potent penetration testing tool. The PortSwigger security team developed this tool using Java. Web platforms can be scrutinized more effectively by using this tool. The prime functions of this tool are proxy and vulnerability scanning on the web.

The power of parameters, headers and cookies enumeration

Foued Dridi

Parameters enumeration is a pentest technique that may be fruitful. It has different approaches. One of the approach of this technique, consists of using the same parameter in a previous HTTP request in other requests. The second approach is to add a parameter, independently of the previous HTTP requests, and forward the request using Burp proxy. For example, when trying to access the application we are pentesting, we intercept the first HTTP request with Burp proxy, add the parameter "debug" with the value "true" and forward the request. This article will dive into this topic and present both perspective.

Threat Intelligence Role in SOC

Chirath DeAlwis

Use of threat intelligence in the SOC can vary according to the type of intelligence and the organizational environment. MITRE ATT&CK, that builds on the Cyber Kill Chain, is one such intelligence source that can be utilized by SOC to understand sophisticated attacks through event correlations.

Cybersecurity 101: Burp Suite Pro Basics

Dr. Anthony Caldwell

From reconnaissance to active attacks, BurpSuite has a proven track record as a powerful ally in the testing of applications. It has been the default intercept tool used in countless online tutorial videos and demonstrations in companies, and with good reason, “40,000 users in over 130 countries” (Portswigger, 2019). This article isn’t really for the more seasoned pen tester, this is for those who are attempting to demystify what all the fuss is about proxy tools and on the basic setups that the pen tester probably uses day to day. While every tester has their own favourites they use to carry out a pen test, this article will show you that with the basics in hand, your work can progress to the next level. 

Burp Suite Security Testing: Intruder Attack

Jan Kopia

In this article, the use of Burp Suite for security testing is presented as a known tool for penetration testing, ethical hacking and generic bug bounty-efforts to identify flaws in web applications. Using an example attack on a web application, the Intruder module of Burp Suite is used to hack into it. A special focus is put on the differences between the Burp Suite community edition and the commercial versions of this tool. 

Spider using Burp Suite 2.x Free Edition

Mukul Kantiwal

Burp Suite has always been a great friend in Web Application Security. Recently, they updated from version 1.7 to version 2.x where they introduced many features but removed one of the all time favourites, the “Spider” feature, from the Free Edition/Community edition. Now, this feature is available only with the Professional edition, which is a paid version. In order to spider with Burp Free Edition, you need to know what a proxy is and how it works. In this tutorial, we will make use of Mozilla Firefox, Burp Suite and Zap. By the end of this tutorial, readers will be able to spider the web application and get the results on Burp Suite, which is currently missing in the new Burp Suite version 2.x.

 Phishing attack on Facebook and Google with SET and Ngrok

Oussama AZRARA

One of the most common vectors in this kind of cyber-attack is targeting Facebook and Google accounts by sending a suspicious message or link that asks for personal information (such as an email, a phone number or a password). Attackers tend to create fake websites that are virtually identical to the legitimate ones. Once you enter your credentials on them, they will collect and take advantage of them. In this article, we will see a little-known method to steal credentials on Facebook and Google based on a famous hacking tool called SET (Social Engineering Toolkit) combined with the multiplatform tunneling Ngrok. 

Configure and setup your Burp Suite

Danny J. Rogers, CISSP

As security has evolved over the years, security teams have learned how to harden the outside of the network with the use of firewalls and Intrusion Prevention Systems (IPS). Some organizations have implemented Web Application Firewalls (WAF) and possibly Database Application Monitoring (DAM). These are good to have, and I would recommend them but a WAF is only a band aid for bad code. The best security practice is to move security closer to the developers, known as shifting left in security and this means security professionals need to learn how to test web applications both from Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Burp Suite is used for DAST testing. “DAST doesn’t require source code or binaries. It analyzes by executing the application.”

Attack Scenarios with Burp plugins

Hamdi Sevben

This capability of Burp allows the tester to use different extensions written by independent people that serve as an add-on to the Burp features. Burp Suite supports external components to be integrated into the tools suite to enhance its capabilities. These external components are called BApps. These work just like browser extensions. These can be viewed, modified, installed, or uninstalled in the Extender window. Some of them are supported on the community version, but some require the paid professional version. Even so, the Burp community offers many wonderful extensions. In this article we will take a look at various plugins and present the attack scenarios while using them.

Web attacks part 1: Discovering new recipes for advanced attacks

Joas Antonio, João Paulo de Andrade, Felipe Gomes, Thiago Vieira

In this article, our goal is not to present a recipe to make these attacks, but take you on a journey that will make you think outside the box. If you are reading this magazine, you have probably been faced with or encountered concepts and practice of some attacks, right? But do you know how to go further? First of all, we will strengthen some concepts. Even if they are concepts that a quick Google search can help, we aim to write for both Seniors and for the Script Kiddies.