TryHackMe: Burp Suite — Summary (Part 1)

Abel Lim
4 min read · Jun 17, 2023


From TryHackMe — Burp Suite room

~~Part of TryHackMe Jr Penetration Tester Learning Path~~
Follow to join me in this journey!
Why TryHackMe?
Part 2: TryHackMe: Burp Suite — Summary (Part 2)
More about me.

Introduction

There are 7 functions discussed in this Burp Suite room:
1) Proxy
2) Repeater
3) Intruder
4) Decoder
5) Comparer
6) Sequencer
7) Extender

Proxy, Repeater and Intruder will be summarized in Part 1.
The remaining 4 functions will be summarized in Part 2.

Burp Suite: Proxy

From TryHackMe — Proxy

Proxy allows us to:

  • Intercept a request made to the web server.
  • Capture requests and responses between ourselves and our target.
  • Manipulate or send requests to other tools before being allowed to the actual destination.
  • Choose to forward or drop the request (typically after editing it).

To capture a request, you will need to:

  1. Configure a proxy server. In this room, FoxyProxy was used. If you are using your own browser, you may refer to this website for more information on how to set it up: https://infatica.io/blog/configure-foxyproxy/.
  2. Make sure ‘Intercept is on’ is enabled. If it is disabled, the request will pass through the proxy without being stopped.

Proxy can also be used for:

  • Scoping and targeting, which was demonstrated in this room.
  • Testing Cross-Site Scripting (XSS), which was demonstrated in this room.

Burp Suite: Repeater

After capturing a request in the proxy, we can simply press Ctrl + R to send it to the Repeater.

Screenshot taken from TryHackMe Burp Suite room

Repeater allows us to:

  • Craft and/or relay intercepted requests to a target.
  • Edit and resend a single captured request as many times as needed.
  • Use a clean GUI to write the payload and to view the response that comes back through the proxy.

Repeater is useful for:

  • Input-validation vulnerabilities such as:
    → SQL Injection (SQLi), which was demonstrated in this room.
    → Cross-Site Scripting (XSS).

More information from Port Swigger regarding Burp Suite on XSS:
https://portswigger.net/support/using-burp-to-find-cross-site-scripting-issues

Burp Suite: Intruder

Intruder is Burp Suite’s in-built fuzzing tool. Usually, a request will be captured in Proxy before being passed to Intruder using the shortcut Ctrl + I.

Intruder allows us to:

  • Use a captured request as a template to send many more requests with slightly altered values.
    → For example, capture a login request, then use a wordlist to brute-force the username and password fields.
    → This functionality is similar to command-line tools (Wfuzz or Ffuf).

There are 4 different attack types:

  1. Sniper: Uses one payload set, tried on EACH position in turn ==> Number of requests is the number of words in the payload set multiplied by the number of defined positions.
  2. Battering ram: Uses one payload set, inserted into EVERY position simultaneously ==> Number of requests is simply the number of words in the payload set.
  3. Pitchfork: Uses one payload set per position. For example, with 2 defined positions, 2 payload sets are used. The first request puts the FIRST entry of payload set one and of payload set two into position one and position two respectively; the second request uses the SECOND entry of each set, and so on.
  4. Cluster bomb: Uses one payload set per position and tests all possible combinations of their entries.
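To make the four attack types concrete, here is an added example (my own code, not from the TryHackMe room or from PortSwigger) that enumerates the requests each mode would generate. It mimics Intruder's convention of wrapping each payload position in § markers, so the text between the markers is the position's original value. The template string and the payload lists are constructed sample data; the ordering of cluster-bomb combinations follows Python's itertools.product (last position varies fastest), which is an assumption and may not match Burp's own ordering. Knowing the request count per mode is also useful on the defending side, since it tells you how quickly a wordlist of a given size turns into login attempts against a single endpoint.

```python
"""Enumerate the requests Burp Intruder's four attack types would send.

Added example, not code from the TryHackMe room or from PortSwigger.
A request template marks each payload position with § markers, e.g.
"user=§alice§&pass=§hunter§"; the text inside the markers is the
position's original value. Payload sets are plain lists standing in
for Intruder's wordlists.
"""
from itertools import product
from typing import List, Sequence, Tuple

MARK = "\u00a7"  # the § character Burp uses to delimit payload positions


def parse_template(template: str) -> Tuple[List[str], List[str]]:
    """Split a §-marked template into literal chunks and original position values.

    Returns (chunks, originals) with len(chunks) == len(originals) + 1, so a
    request is rebuilt as chunk0 + value0 + chunk1 + value1 + ... + chunkN.
    """
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts[0::2], parts[1::2]


def render(chunks: Sequence[str], values: Sequence[str]) -> str:
    """Interleave literal chunks with the chosen value for each position."""
    out = [chunks[0]]
    for value, chunk in zip(values, chunks[1:]):
        out.append(value)
        out.append(chunk)
    return "".join(out)


def sniper(template: str, payload_set: Sequence[str]) -> List[str]:
    """One payload set, tried in each position in turn; other positions keep
    their original value. Request count = len(payload_set) * positions."""
    chunks, originals = parse_template(template)
    requests = []
    for idx in range(len(originals)):
        for payload in payload_set:
            values = list(originals)
            values[idx] = payload
            requests.append(render(chunks, values))
    return requests


def battering_ram(template: str, payload_set: Sequence[str]) -> List[str]:
    """One payload set, the same word placed in every position at once.
    Request count = len(payload_set)."""
    chunks, originals = parse_template(template)
    return [render(chunks, [p] * len(originals)) for p in payload_set]


def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> List[str]:
    """One payload set per position, walked in lockstep: request i uses entry i
    of every set. Stops at the shortest set, as zip() does."""
    chunks, originals = parse_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("pitchfork needs exactly one payload set per position")
    return [render(chunks, list(combo)) for combo in zip(*payload_sets)]


def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> List[str]:
    """One payload set per position, every combination tried.
    Request count = product of the set sizes. Ordering here is
    itertools.product order (assumption: Burp's own order may differ)."""
    chunks, originals = parse_template(template)
    if len(payload_sets) != len(originals):
        raise ValueError("cluster bomb needs exactly one payload set per position")
    return [render(chunks, list(combo)) for combo in product(*payload_sets)]


# Constructed sample data: a login form body with two marked positions.
SAMPLE_TEMPLATE = "user=" + MARK + "alice" + MARK + "&pass=" + MARK + "hunter" + MARK
SAMPLE_WORDS = ["w1", "w2"]
SAMPLE_USERS = ["u1", "u2"]
SAMPLE_PASSWORDS = ["p1", "p2", "p3"]

if __name__ == "__main__":
    for name, reqs in [
        ("sniper", sniper(SAMPLE_TEMPLATE, SAMPLE_WORDS)),
        ("battering ram", battering_ram(SAMPLE_TEMPLATE, SAMPLE_WORDS)),
        ("pitchfork", pitchfork(SAMPLE_TEMPLATE, [SAMPLE_USERS, SAMPLE_PASSWORDS])),
        ("cluster bomb", cluster_bomb(SAMPLE_TEMPLATE, [SAMPLE_USERS, SAMPLE_PASSWORDS])),
    ]:
        print(f"{name}: {len(reqs)} requests")
        for r in reqs:
            print("   ", r)
```

Running the script prints 4 requests for sniper (2 words × 2 positions), 2 for battering ram, 2 for pitchfork (the shortest set has 2 entries) and 6 for cluster bomb (2 × 3), which matches the counting rules in the list above.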

Do not worry!
There are some graphical illustrations in the Intruder room, which will help you to understand these types of attacks better. If you have an account, I encourage you to check the room out: https://tryhackme.com/room/burpsuiteintruder.

There are 2 Intruder sub-tabs that you must know:

  1. Positions: To configure the location in the request where we wish to insert our payloads.
  2. Payloads: To select values to insert into each of the positions defined in the ‘Positions’ tab.
    → May choose to insert items from a simple wordlist as payload.
    → Insertion depends on the chosen attack type in the ‘Positions’ tab.
    → Payload types vary from a simple wordlist to regexes.

Intruder is useful for:

  • Automating customized attacks against web applications.
    → Fuzzing on URL, which was demonstrated in this room.
    → CSRF Token Bypass, which was demonstrated in this room.

Conclusion

In my own opinion, if you are planning to become a Penetration Tester, you must learn how to use Burp Suite and become familiar with it, especially the three functions that were mentioned above. Spend some time exploring Burp Suite in your own lab environment. Trust me, it will be worth it.

If you have any questions, feedback or tips, let me know in the comment section!


Abel Lim

Just a guy sharing his new journey in Cybersecurity