TryHackMe: Burp Suite
Burp Suite Installation
- First, visit this link: https://portswigger.net/burp/communitydownload → Download the appropriate version of your OS → Install Java here: https://www.java.com/en/download/ as Burp Suite requires Java JRE to run.
- For BurpSuite to be able to read and intercept HTTPS data, we’ll have to install CA certificate → Go to http://localhost:8080 → Click on ‘CA Certificate’ in the top right to download and save the CA certificate → Go to your browser settings → Search for ‘Certificates’ → Click on ‘View Certificates’ → In the Authorities tab, click on ‘Import’ → Navigate to where you saved the CA certificate and click OK.
- Open Firefox and install FoxyProxy browser extension so that we can easily route traffic through it. Click on FoxyProxy → Click on ‘Options’ → Click ‘Add’ in the top left → Enter the following details: Title = “Burp” || Proxy Type = “HTTP” || Proxy IP Address = “127.0.0.1” || Port = “8080”.
Here’s a quick overview of each section covered:
Proxy — Allows us to tunnel traffic through Burp Suite for further analysis.
Under Proxy section, there are few tabs available:
- HTTP History: Burp Suite saves the history of requests sent through the proxy along with their varying details.
- Options: Here we can apply further fine-grained rules to define which requests we would like to intercept. This allows us to effectively leave intercept on permanently but at the same time it won’t disturb sites outside of our scope especially if we need to Google something in the same browser.
Target — Allows us to set the scope for our project and create a site map of the application that we are testing.
To add target to our scope → Navigate to “Target” tab → Find the url → Right click and select “Add to scope”.
To build site map → Turn on your browser’s proxy → Make sure to turn off the interception on Burp → Browse through the website → Sitemap will be created in Burp under Target || Site Map.
Repeater — Allows us to ‘repeat’ requests that have previously been made with or without modification.
In this TryHackMe exercise, we are asked to submit a zero star review for customers feedback and we can easily do that using repeater in Burp Suite:
- Go to “Customers Feedback” page → Fill up the form → Click “Submit”. (If you can’t see what the CAPTCHA question is, turn off your browser proxy and turn it on after.)
- Search for POST request for /api/feedbacks/ under “Proxy” section | “HTTP History” tab → Right click and select “Send to Repeater”.
- Under “Repeater” section → Search for “Rating” field → Change the value to 0.
Intruder —Allows us to perform attacks like SQL injection, credential stuffing and more.
Under Intruder, there are different attack types that we can use but the most popular attack type is Sniper, where it cycles one set of payloads (one wordlist) through our selected field.
- Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?
2. How about the attack type which allows us to use one payload set in every single position we’ve selected simultaneously?
3. Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?
4. Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?
In this TryHackMe exercise, we are using Intruder’s Sniper attack to see which SQLi injection payload could help us bypass the login authentication:
- Select the “Positions” tab → Click on “Clear” → Select the field that we want to brute force on, in this case email field → Click on “Add”.
- Select the “Payloads” tab → Go to “Payload Options” subsection → Click on “Load” to load this fuzzdb SQLi platform detection list.
- Under the same “Payloads” tab → Go to “Payload Encoding” section → Uncheck the tickbox as we don’t want any encoding to happen.
- Click “Start Attack”.