Practical Web Application Penetration Testing Series - Chapter 3a
Burpsuite Scanner Tutorial
We are gonna divide this chapter into 3 sections:
- A brief intro of burp scanner,configuration and installing add-ons and plugins to it and engaging it with explorer
- Keep going on pentesting http://testphp.acunetix.com/ with burp scanner in Kali
- Tutorial about using WAF Bypass plugins in Burpsuite for real world penetration testing. (Gray hat hackers)
1- Let's start Burpsuite in Kali Linux by going to the application menu in the top left of the screen.
When you run it, click "next" and then start burpsuite. You should see the main screen of burp suite.
My burp suite version is 1.7.03 and may look different from yours since I installed many plugins before, but I will explain everything that is needed here.
The first tab we want to configure is the proxy tab. Click on "proxy tab" and then click on "options":
Note: Burpsuite is one of those web scanners that can be used in 2 ways. One is as a separate, independent web scanner like acunetix or netsparker and the other is what makes it the best one for advanced penetration testers. It is the capability of using it as a web proxy tool. This means Burpsuite sits between the requests and responses made from browsers like chrome, Firefox, and the destination web server (taking the role of Man In The Middle). So, we can intercept every single request in detail and this is the power of Burpsuite.
Back to our config, this is the place where we set and prepare Burpsuite to act as a proxy. In proxy listener make sure that interface is set to 127.0.0.1:8080 and is checked. In Intercept client requests, make sure that Intercept requests based on the following rules is checked:
Scroll the mouse down and make sure that Intercept server responses is there and that the Intercept responses based on the following rules is checked.
There are many other settings in this tab, but we are not going to the details of them as they are out of our discussion. However, you can read the manual of Burpsuite (which I recommend).
Now go to spider tab, in the main tabs of burp suite, and the control sub tab in spider scope, check the "use suite scope[defined in target lab]"
Back to main tabs, go to the scanner tab, then options and scroll down to see Active Scanning Optimization. Click on the drop down menu in front of the Scan accuracy and select "Minimize false positive."
This option will make our vulnerability detection more accurate by retesting found issues more.
Now, go to the Extender tab, then click on "BApp store" sub tab .
In the list you can see many plugins available for Burpsuite. We will need to install a few of them. First click on "Bypass WAF" and in at the bottom of the right section click "install". Then we install a CO2 plugin. Now it is time to configure our bypass waf plugin. Go to the "Project Option" tab and click on "sessions":
Click "add", then in the Rule Description, provide a name like Bypass WAF:
Next, click "Add "in the Rule Action section, then select "Invoke a burp extension"
In the new window, select Bypass WAF and then select "ok".
Now click on the new rule you created. Then, select the Scope tab from top of the window.
In the Tools Scope section, check all the options. Under Url Scope, check "Use suite scope [Defined in target tab]"
Next, press "ok". Now we have installed the waf bypass plugin correctly.
We don’t need to configure the co2 plugin yet since we are going to configure and work with it later in the exploitation phase.
Now we want to engage our Burpsuite to Firefox. Open Firefox or IceWeasel in Kali and install "Proxy Selector addon" on it. This is optional and anyone can use any proxy switcher addon for Firefox (this is for fast switching our browser proxy) or manually configure the browser proxy. Either way, I use proxy selector.
Now click on the proxy selector and choose "Manage proxies"
Now click on "add", then configure it like the picture below and click "OK ":
That's all for now. If we set the proxy selector to Burpsuite and visit a website, it will catch the request and waits for our orders.
For testing, I send a request to http://testphp.acunetix.com/ and you can see my burp has the request:
We will start scanning this site with burpsuite in the next section.