Web application security testing would be extremely difficult without web proxies. They let penetration testers inspect, analyse and manipulate HTTP requests and responses, which is how a tester learns what an application is made of and where it is weak. Two of the most popular tools in this category are Burp Suite and OWASP ZAP, and this guide takes you from zero to hero on both. Are these the only tools? No: Caido is a newer proxy on the market, and by the end we will look at where each of them fits. Before we get to the good stuff, let’s go over what a web proxy is and why it is useful.
Understanding Web Proxies
A web proxy sits between your browser and the web server: the browser sends its requests to the proxy, the proxy forwards them to the server, and the server’s responses (HTML, JSON, redirects) come back through the proxy to the browser. Because every request and response passes through it, the proxy can show and change all of them, which is exactly what security testing needs. It lets a tester:
- Intercept HTTP requests and responses and modify them before they are forwarded.
- Inject payloads to test for vulnerabilities.
- Automate attack patterns such as brute force or fuzzing.
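To make the three bullets above concrete, here is a minimal intercepting proxy in Python. It is an added example, not code from the original post or from Burp: every request from the browser passes through `rewrite_request()`, where it can be inspected, edited (a payload injected) and logged, and the loop is trivially scriptable. The marker header `X-Intercepted` and the `role=user` to `role=admin` cookie rewrite are assumptions made up for illustration.

```python
"""Minimal intercepting HTTP proxy: browser -> this script -> origin server.

Added example, not code from the original post or from Burp. Plain HTTP only:
HTTPS would need a CONNECT handler plus a generated CA certificate, which is
exactly what Burp installs into the browser.
"""
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Headers that belong to one hop and must not be copied to the next one.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "content-length"}


def rewrite_request(method, path, headers, body):
    """Interception rule applied to every request before it is forwarded.

    Returns the (possibly modified) request. Here it adds an assumed marker
    header and flips a 'role=user' cookie to 'role=admin', the kind of
    privilege test you would otherwise do by hand in the Intercept tab.
    """
    headers = dict(headers)
    headers["X-Intercepted"] = "1"                     # assumed marker header
    cookie = headers.get("Cookie")
    if cookie:
        parts = [c.strip() for c in cookie.split(";")]
        parts = ["role=admin" if c == "role=user" else c for c in parts]
        headers["Cookie"] = "; ".join(parts)
    return method, path, headers, body


class InterceptingProxy(BaseHTTPRequestHandler):
    """Forward proxy: relays each request to the origin and the reply back."""

    def _relay(self):
        # A browser talking to a proxy sends the absolute URL in the request line.
        url = urlsplit(self.path)
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP}
        if body:
            headers["Content-Length"] = str(len(body))
        path = (url.path or "/") + (f"?{url.query}" if url.query else "")

        method, path, headers, body = rewrite_request(self.command, path, headers, body)
        print(f"[history] {method} {url.netloc}{path}")   # what HTTP history records

        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=10)
        conn.request(method, path, body=body or None, headers=headers)
        resp = conn.getresponse()
        data = resp.read()          # http.client undoes chunked encoding for us
        conn.close()

        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _relay


def serve(host="127.0.0.1", port=8080):
    """Listen on the same address Burp's default proxy listener uses."""
    HTTPServer((host, port), InterceptingProxy).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it, point a browser’s HTTP proxy setting at 127.0.0.1:8080, and every plain-HTTP page load is printed like an HTTP history entry and rewritten on the way out. Burp does the same job with a TLS-capable listener, a proper history UI and an editor instead of a hard-coded rule.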
Here is the workflow of Burp Suite, the tool bug bounty hunters and pentesters reach for most to analyse and exploit vulnerabilities in a web app.
It starts with the user/tester, who interacts with the target application through a web browser. Burp Proxy sits between that browser and the target web server and intercepts every HTTP request going out and every response coming back; it is what makes the traffic visible and editable. From the Proxy, captured traffic flows into the other Burp modules:
1. Scanner: Automatically scans the proxied traffic for common vulnerabilities (SQL injection, cross-site scripting (XSS), insecure configuration, and so on) and reports each issue together with the request/response evidence and remediation advice.
2. Intruder: Runs automated payload-based attacks such as brute force, parameter fuzzing and injection testing to find exploitable flaws.
3. Repeater: Lets you hand-craft and replay individual HTTP requests to dig into a specific vulnerability or test edge cases.
Finally, the requests crafted or modified by these tools are sent to the target web server, and the responses come back to the tools for the next round of testing. In this iterative loop the tester identifies, analyses and exploits weaknesses interactively while keeping full control over the traffic. Burp Suite’s modular design is what makes this work: each tool feeds the others, so a tester can cover the whole application from one place.
Mastering Burp Suite
I suppose the title above could be misleading: the point of this blog is not to master Burp Suite, but to get familiar with its interface and become comfortable using the tool. That said, Burp Suite is one of the most feature-rich and popular web proxies for web application security testing, which is why it serves as the benchmark here. The tool is organised into tabs, each with a specific purpose.
1. Proxy and HTTP Request Handling
Setting Up
Use Burp’s built-in browser to avoid configuring an external browser to use the proxy.
You can configure your existing browser to point at Burp’s proxy listener (127.0.0.1:8080 by default) and install Burp’s CA certificate so that HTTPS can be intercepted, but it is time-consuming and a bit of a hassle; if you still want to do it, refer to the following YouTube video.
- To improve readability, go to User Options > Display and increase the font size. This is extremely helpful when taking screenshots and comes in really handy when delivering a pentest report. I have set the font to the following settings, but you can set it to your heart’s desire.
Effective Interception
Toggle interception: Decide whether to leave Intercept on or off. If forwarding every request by hand becomes tedious and a burden, turn Intercept off and rely on the HTTP history under the “Proxy” tab to inspect past HTTP requests.
Use the “HTTP history” to analyse requests without the interruption of constant interception.
In my case I find it pretty easy to rely on the HTTP history tab rather than leaving Intercept on and manually forwarding the traffic for every button or tab I click. You might prefer the opposite, so it is better to use Burp Suite for a few days or weeks and find your personal preference.
Fun challenge to practice
Do try “Intro to Burp” from picoCTF and see if you can bypass the OTP.
Challenge URL - https://play.picoctf.org/practice/challenge/419?category=1&page=1
2. Intruder
The Intruder tab is Burp’s brute-forcing and fuzzing powerhouse.
Use Cases: Discover directories from a wordlist, check for weak passwords, fuzz form fields for vulnerabilities.
Configuration: Choose the attack type: Sniper, Cluster Bomb, Pitchfork or Battering Ram.
Payloads: Use Burp’s built-in wordlists or import custom ones.
Speed Tip: Intruder in the Community edition is rate-limited, so large runs are slow. Feel free to use Caido or FFUF, which are great tools for heavy fuzzing.
Configuration: Choosing the Right Attack Type in Burp Suite Intruder
On the Intruder tab of Burp Suite it is important to choose the correct attack type to get the most out of your brute-forcing and fuzzing. Burp Suite offers four distinct attack types, each suited to specific scenarios:
1. Sniper
- Description: Uses a single payload set and works through the positions one at a time: each payload is placed into the first position while the other positions keep their original values, then into the second position, and so on. Total requests = number of positions × number of payloads.
- Best Use Cases:
- Testing a number of parameters individually for common vulnerabilities (SQL injection, XSS, etc.).
- Fuzzing a single parameter with a generic payload list when you do not yet know what input it expects.
- Enumerating the valid values of a single variable.
- Example: Sending a list of payloads to a “username” field to discover valid usernames.
2. Battering Ram
- Description: Uses a single payload set and inserts the same payload into every position simultaneously. Total requests = number of payloads.
- Best Use Cases:
- Multiple fields that must carry the same value for the request to be valid.
- Checking whether fields interact when they receive identical input.
- Example: Testing a login form for accounts whose username and password are the same value (admin/admin, test/test).
3. Pitchfork
- Description: Uses one payload set per position and walks through them in parallel: request n takes the n-th payload from every set. The attack stops when the smallest set is exhausted, so total requests = size of the smallest payload set.
- Best Use Cases:
- Field combinations that only make sense together, where the inputs are paired by design.
- Interdependent parameters that cannot be modelled separately.
- Example: Brute-forcing a login with a list of known username:password pairs, one pair per request.
4. Cluster Bomb
- Description: Uses one payload set per position and tries every combination across the positions. Total requests = product of the set sizes, which grows very quickly.
- Best Use Cases:
- Exhaustively testing all permutations of several inputs.
- High-complexity scenarios such as multi-field form validation.
- Example: Combining every candidate value for the three fields of a web form to look for a hidden valid combination.
Selecting an Attack Type Tips
- If you need to test a single field (a precise, targeted attack), use Sniper.
- If the same payload needs to go into several related fields at once, use Battering Ram.
- If your inputs are already paired across fields and you want no redundant combinations, use Pitchfork.
- If thoroughness matters more than speed, use Cluster Bomb to test every permutation.
Pick the attack type that fits the scenario and Intruder will do the job with the fewest wasted requests.
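The four attack types are easiest to understand as four ways of generating requests from the same template. The following added example (not Burp’s code) models each one: a request fragment marks its payload positions with § markers exactly as Intruder does, each function yields the requests that attack type would send, and `request_count()` gives the number of requests before you click Start. The login body and the two wordlists are constructed for the demonstration.

```python
"""Intruder's four attack types as payload-position generators.

Added example, not Burp's own code. The template syntax (§value§ around each
position) mirrors Intruder's; the sample template and wordlists are constructed.
"""
import itertools
import re

POSITION = re.compile("§([^§]*)§")


def split_template(template):
    """'u=§admin§&p=§admin§' -> (['u=', '&p=', ''], ['admin', 'admin'])."""
    parts = POSITION.split(template)   # literal, value, literal, value, ..., literal
    return parts[0::2], parts[1::2]


def build(literals, values):
    """Re-assemble a request from the literal chunks and one value per position."""
    out = [literals[0]]
    for value, literal in zip(values, literals[1:]):
        out.extend((value, literal))
    return "".join(out)


def sniper(template, payloads):
    """One payload set, one position at a time; the other positions keep their
    original value.  Requests = positions x payloads."""
    literals, originals = split_template(template)
    for i in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[i] = payload
            yield build(literals, values)


def battering_ram(template, payloads):
    """One payload set, the same payload in every position.  Requests = payloads."""
    literals, originals = split_template(template)
    for payload in payloads:
        yield build(literals, [payload] * len(originals))


def pitchfork(template, payload_sets):
    """One set per position, walked in parallel; stops when the smallest set
    runs out.  Requests = size of the smallest set."""
    literals, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("pitchfork needs exactly one payload set per position")
    for combo in zip(*payload_sets):
        yield build(literals, list(combo))


def cluster_bomb(template, payload_sets):
    """One set per position, every combination.  Requests = product of set sizes."""
    literals, originals = split_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    for combo in itertools.product(*payload_sets):
        yield build(literals, list(combo))


def request_count(attack, template, payloads):
    """How many requests an attack will send; worth knowing before clicking Start."""
    return sum(1 for _ in attack(template, payloads))


# Constructed sample: a login body with two positions and two small wordlists.
LOGIN = "username=§admin§&password=§admin§"
USERS = ["admin", "root", "alice"]
PASSWORDS = ["admin", "password", "letmein", "123456"]

if __name__ == "__main__":
    for name, attack, payloads in [("sniper", sniper, USERS),
                                   ("battering ram", battering_ram, USERS),
                                   ("pitchfork", pitchfork, [USERS, PASSWORDS]),
                                   ("cluster bomb", cluster_bomb, [USERS, PASSWORDS])]:
        print(f"{name:13s} {request_count(attack, LOGIN, payloads):3d} requests")
        for req in attack(LOGIN, payloads):
            print("   ", req)
```

With three users and four passwords the counts come out as 6 (Sniper: 2 positions × 3), 3 (Battering Ram), 3 (Pitchfork, the smaller set) and 12 (Cluster Bomb, 3 × 4). Those numbers are the reason to think before choosing Cluster Bomb on a rate-limited Community edition: two 1,000-entry lists mean a million requests.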
Another thing to practise Intruder on is the picoCTF lab “Cookies”, in which we have to fuzz a cookie value; check it out yourself and see if you get the flag.
Fun challenge for practice
Challenge URL - https://play.picoctf.org/practice/challenge/173?category=1&page=1
Rough walkthrough
- Send the HTTP request you need to fuzz to the Intruder tab by pressing Ctrl+I.
- Wrap the cookie’s numeric value in § markers (the section sign) so that Intruder knows which part of the request to fuzz.
- Leave the payload options at their defaults and provide a wordlist; in our case it is a simple list of numbers from 0 to 25. Start the attack and sort the results by response length: one value comes back with a shorter response than all the others, and that turns out to be the right value, which gives us the flag.
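The same walkthrough as a script, as an added example that is not part of the original post or the challenge: it performs the Sniper-style cookie fuzz (values 0 to 25) and then does the triage step by itself, flagging whichever value produces a response unlike the rest rather than relying on you to eyeball the length column. The target URL and the cookie name are assumptions; `sender` can be swapped for a fake, which is how the logic is exercised offline below.

```python
"""Cookie-value fuzz with response-length triage (added example, not the
challenge's own code).  Target URL and cookie name are assumed."""
import http.client
from collections import Counter
from urllib.parse import urlsplit

TARGET = "http://127.0.0.1:8000/check"   # assumed target
COOKIE = "name"                          # assumed cookie name


def send(url, cookie_value, cookie_name=COOKIE):
    """Send one GET with the cookie set; return (status, body bytes)."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("GET", path, headers={"Cookie": f"{cookie_name}={cookie_value}"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def fuzz_cookie(values, sender=send, url=TARGET):
    """Sniper over one position: try every value, record (status, length)."""
    results = {}
    for value in values:
        status, body = sender(url, str(value))
        results[value] = (status, len(body))
    return results


def outliers(results):
    """Values whose (status, length) differs from the most common pair.

    This is the Intruder trick of sorting by length and looking for the odd
    one out, made explicit: the modal response is the 'wrong cookie' page,
    anything else deserves a look.
    """
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return [value for value, result in results.items() if result != baseline]


if __name__ == "__main__":
    res = fuzz_cookie(range(0, 26))
    for value, (status, length) in sorted(res.items(), key=lambda kv: kv[1][1]):
        print(f"{COOKIE}={value:<3} status={status} length={length}")
    print("candidates:", outliers(res))
```

Sorting by length reproduces what you see in Intruder’s results table; `outliers()` is the extra step that scales when the wordlist is too long to scan by eye, and it works just as well when the interesting response is longer, or a different status code, rather than shorter.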
3. Repeater
Lastly we have Repeater, which lets you edit a request and resend it with one click. The Proxy’s HTTP history and Intercept tabs only display and record HTTP requests; to change one and see how the server responds, select it and press Ctrl+R to send that exact HTTP request to Repeater, where you can modify it as often as you like.
Use Cases: Probe input boundaries, confirm findings from Scanner or Intruder, and refine payloads by hand.
Workflow: Forward items from Proxy or HTTP history to Repeater for further testing.
4. Additional Tabs
The other tabs Burp comes with are not used as often as Proxy, Intruder or Repeater, but they are worth knowing.
Scanner (Pro Version): Automated detection of vulnerabilities in the target application.
Comparer: Diffs two requests or responses (by words or by bytes), handy for spotting the subtle difference between, say, a valid and an invalid login response.
Decoder: Encodes and decodes data in formats such as URL, HTML, Base64 and hex, and computes hashes, so you can make obfuscated values readable or build encoded payloads.
Some basic tweaks to make in Burp Suite:
- Enable dark mode for prolonged use: User Options > Display > Themes.
- Learn the keyboard shortcuts from articles, books, blogs and other sources; they get the work done noticeably faster.
Useful extensions include Retire.js and Active Scan++.
Some of the extensions that I personally use are:
- Retire.js
- HackBar - https://github.com/d3vilbug/HackBar/releases/tag/1.0
- Autorize
Exploring OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is similar to Burp Suite but completely free, as a project of the OWASP initiative. It has much the same feature set as Burp, but many experienced testers find its interface and user experience less intuitive, and most people are simply more comfortable with Burp Suite’s UI/UX. In my own use, OWASP ZAP comes in for the following reasons or situations:
1. Spidering: Crawls the application and lists its directories and files in an easy-to-read site tree with a small memory footprint. Use it early in an engagement to build a map of the target’s content.
2. Vulnerability Scanning: ZAP’s active scanner is free, whereas automated scanning of a web application in Burp Suite requires the Pro edition.
Workflow Tips
When to Use ZAP
Steps to perform these actions (shown in the image below):
Right-Click on the Target:
- In the left-hand “Sites” tree choose your target and right-click it to open the context menu.
Select “Attack” from the Context Menu:
- Click “Attack” to open the sub-menu of available attack modes.
Choose “Active Scan”:
- Select Active Scan to test the target for known security flaws by sending malicious payloads.
Choose “AJAX Spider”:
- If the application renders content with JavaScript, select AJAX Spider to map hidden or dynamic content.
Choose “Spider”:
- For a traditional crawl that discovers every linked URL, select Spider to map the application’s structure.
Attack Options:
- Active Scan: Automatically probes for vulnerabilities by sending crafted requests and inspecting the responses, looking for issues such as SQL injection, XSS and CSRF. It is intrusive: it can modify data or disrupt the application, so run it only against systems you are authorised to test, and never against production unless that is explicitly allowed.
- Forced Browse Site: Brute-forces common directory and file names to find hidden or unlinked resources.
- Forced Browse Directory (and Children): A more targeted variant of Forced Browse that starts at a specific directory and recurses into its contents.
- AJAX Spider: Explores dynamic content that a traditional crawl cannot reach, e.g. elements driven by JavaScript.
- Spider: A classic web crawler that discovers the URLs and links in the target application. It is usually the first step, mapping the web app’s structure before anything else.
Importance of These Features:
These tools play a critical role in the web application security testing process:
- Active Scan finds vulnerabilities and shows where an attacker could leverage weaknesses in your application.
- Spider and AJAX Spider map the entire attack surface so that no entry point is missed.
- Forced Browse expands the scope of the assessment by finding hidden or unintended resources.
Together they let penetration testers automate repetitive tasks such as crawling, scanning and brute forcing, and plan vulnerability analysis and attacks more thoroughly. Which tools you use depends on the application’s complexity, the type of vulnerabilities being assessed and the risk that can be tolerated during testing.
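The right-click sequence above (Spider, then Active Scan, then read the alerts) can be scripted against a running ZAP instance through its JSON API, which is how you get the “automate the repetitive tasks” benefit in practice. The following is an added example and not ZAP’s own client code: the endpoint paths follow ZAP’s JSON API layout (`/JSON/<component>/<action|view>/<name>/`), while the ZAP address, the API key and the target are assumptions, and the target must be one you are authorised to scan. The `call` and `sleep` parameters exist so the control flow can be exercised offline with fakes.

```python
"""Spider -> Active Scan -> alerts, driven through ZAP's JSON API.

Added example, not ZAP's own client code.  ZAP address, API key and target
are assumptions; check the endpoint parameters against your ZAP version's
API reference (served by ZAP itself under /UI/).
"""
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP = "http://127.0.0.1:8080"      # assumed: ZAP's default API/proxy address
API_KEY = "changeme"               # assumed: set under Options > API in ZAP
TARGET = "http://127.0.0.1:3000"   # assumed: a lab app you are allowed to scan


def api(component, kind, name, **params):
    """GET /JSON/<component>/<kind>/<name>/?apikey=...&param=... and parse the JSON."""
    params["apikey"] = API_KEY
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/?{urlencode(params)}"
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(status_view, scan_id, interval=2.0, sleep=time.sleep):
    """Poll a */view/status/ endpoint until it reports 100 percent."""
    while int(status_view(scan_id)["status"]) < 100:
        sleep(interval)


def summarize(alerts):
    """Group distinct alert names by risk, highest first, for triage."""
    grouped = {}
    for risk in ("High", "Medium", "Low", "Informational"):
        names = sorted({a["alert"] for a in alerts if a["risk"] == risk})
        if names:
            grouped[risk] = names
    return grouped


def spider_then_scan(target=TARGET, call=api, sleep=time.sleep):
    """The GUI sequence Spider -> Active Scan -> Alerts, as one function."""
    spider_id = call("spider", "action", "scan", url=target, recurse="true")["scan"]
    wait_for(lambda i: call("spider", "view", "status", scanId=i), spider_id, sleep=sleep)

    scan_id = call("ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for(lambda i: call("ascan", "view", "status", scanId=i), scan_id, sleep=sleep)

    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize(alerts)


if __name__ == "__main__":
    for risk, names in spider_then_scan().items():
        print(risk)
        for name in names:
            print("  -", name)
```

The same caveat as for the GUI applies: the active scan step sends attack payloads, so point `TARGET` only at something you are allowed to attack. The spider runs first on purpose, since the active scanner only tests URLs ZAP already knows about.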
Beyond Burp Suite and ZAP: Tools for Fuzzing
For specific tasks like fuzzing, consider dedicated tools such as FFUF or Caido.
Why Not Burp for Fuzzing?
Long fuzzing runs are slow in the Burp Suite Community edition because its Intruder is deliberately rate-limited. Tools built for the job, such as FFUF (for example `ffuf -u https://target/FUZZ -w wordlist.txt`), are much faster under these conditions.
Conclusion
With Burp Suite’s core tools (Proxy, Intruder and Repeater) combined with OWASP ZAP’s spidering and free vulnerability scanning, you are equipped to handle nearly every web application security scenario. For fuzzing, it is always advisable to reach for FFUF; for a newer proxy that covers the same ground from a different angle, Caido is worth trying.
Begin practising today and you will be working through web proxies without any difficulty in the near future!