BurpSuite Intro

What is BurpSuite?

Burp Suite is a tool used as a proxy that intercepts and modifies traffic between the browser and a web application. It can also perform scanning, crawl websites, and has other tools built in, such as Intruder and Repeater.

ZAP is another proxy with similar features, and it is open source. A newer proxy I also tried out is Caido.

I'll demonstrate how to use Burp Suite's Intruder and Repeater features with examples from picoCTF and PortSwigger Academy.

Using Repeater

Using the built-in Burp browser I navigated to the challenge site. It presented a registration page, which I filled in and submitted. All the requests were captured by Burp.

After registration an MFA prompt appeared; I entered a random value of 0000 and submitted.

Access Denied: my one-time password wasn't valid, so I can't reach the /dashboard endpoint.

All the web traffic has been proxied through Burp, so we can view the history of our messages. Let's replay the last POST message to the /dashboard endpoint in Repeater. The only parameter in the request is the otp with our POSTed value of 0000. What happens if we alter this?

Original POST Request in Burp

Resubmitting without the parameter bypasses the MFA, and we have accessed the /dashboard endpoint, revealing the flag.
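The bypass above works because the server only validates the OTP when the client bothers to send it. The following is an added example (not code from the original post or the challenge) that mimics that flawed check next to a hardened version: the session store, user names and the expected OTP value are constructed for illustration.

```python
import hmac


def make_session():
    """Constructed session state: the password step has passed, MFA has not.
    (Sample data, not taken from the original challenge.)"""
    return {"user": "alice", "mfa_verified": False, "expected_otp": "482913"}


def dashboard_vulnerable(session, params):
    """Flawed logic: the OTP is compared only when the 'otp' parameter is
    present, so a request that omits it falls straight through to the
    protected content."""
    if "otp" in params:
        if params["otp"] != session["expected_otp"]:
            return 403, "Access Denied"
    return 200, "dashboard contents"


def dashboard_hardened(session, params):
    """Fixed logic: MFA state lives server-side in the session. Until it is
    verified, a missing OTP is treated exactly like a wrong one, and the
    comparison is constant-time."""
    if not session["mfa_verified"]:
        otp = params.get("otp")
        if otp is None or not hmac.compare_digest(otp, session["expected_otp"]):
            return 403, "Access Denied"
        session["mfa_verified"] = True
    return 200, "dashboard contents"


if __name__ == "__main__":
    # The request sequence from the write-up: wrong OTP, then no OTP at all.
    for handler in (dashboard_vulnerable, dashboard_hardened):
        s = make_session()
        print(handler.__name__, "otp=0000 ->", handler(s, {"otp": "0000"})[0])
        print(handler.__name__, "no otp   ->", handler(s, {})[0])
```

The important design point is that the server decides whether MFA has been completed from state it owns (the session), never from whether a parameter happened to arrive in the request.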

Using Intruder

I'll use a PortSwigger authentication brute-force lab to demonstrate Intruder. We are provided credentials for the account wiener with password wiener. The goal is to log in as the administrator Carlos.

Let's log in as wiener to understand how the login process works and to have some messages to work with in Burp. I can see we POST a username and password to the /login endpoint. I thought this could be brute-forced simply, but after two failed login attempts you must wait one minute.

Log in under our account wiener
After 3 attempts you must wait one minute.

However, logging in as wiener resets the failed-attempt counter. I created the payloads in Intruder to bypass this protection. Using the Pitchfork attack type lets us use two different sets of payloads, one for the username and one for the password.

Positions for each payload are highlighted in green
Username Payload List
Password Payload List

Now we can start the Intruder attack and wait for the results. The 132nd message, with a password of summer, got a 302 Found response. This is our password.

302 Response when username is carlos and password is summer
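The lab is solvable because the lockout counter is keyed to the client and cleared by any successful login, so interleaving a valid wiener login keeps the counter from ever reaching the limit. The following is an added example (not code from the original post or the lab) that simulates that weak counter beside a hardened one; the credential store, the lockout thresholds and the attempt sequence are constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds for the simulation; they are not the lab's real values.
ACCOUNT_LOCK_THRESHOLD = 3
IP_LOCK_THRESHOLD = 10

# Constructed credential store (values taken from the write-up's narrative).
USERS = {"wiener": "wiener", "carlos": "summer"}


class VulnerableLogin:
    """One failure counter per source IP, reset by ANY successful login from
    that IP. A valid login to an unrelated account clears the counter."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, ip, username, password):
        if self.failures[ip] >= ACCOUNT_LOCK_THRESHOLD:
            return "locked"
        if USERS.get(username) == password:
            self.failures[ip] = 0  # the flaw: wiener's success unlocks carlos
            return "ok"
        self.failures[ip] += 1
        return "fail"


class HardenedLogin:
    """Failures are counted per target account AND per source IP. A success
    clears only the counter of the account that succeeded; the IP counter is
    never cleared by a login, only by expiry (omitted here for brevity)."""

    def __init__(self):
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)

    def login(self, ip, username, password):
        if (self.account_failures[username] >= ACCOUNT_LOCK_THRESHOLD
                or self.ip_failures[ip] >= IP_LOCK_THRESHOLD):
            return "locked"
        if USERS.get(username) == password:
            self.account_failures[username] = 0
            return "ok"
        self.account_failures[username] += 1
        self.ip_failures[ip] += 1
        return "fail"


# Constructed attempt pattern mirroring the Pitchfork idea: guesses against
# carlos with a real wiener login interleaved, all from one address.
ATTEMPTS = [
    ("carlos", "guess1"), ("carlos", "guess2"), ("wiener", "wiener"),
    ("carlos", "guess3"), ("carlos", "guess4"), ("wiener", "wiener"),
    ("carlos", "summer"),
]


def run_pattern(service, attempts=ATTEMPTS, ip="203.0.113.5"):
    """Feed the attempt sequence to a login implementation and collect results."""
    return [service.login(ip, user, pw) for user, pw in attempts]


if __name__ == "__main__":
    print("vulnerable:", run_pattern(VulnerableLogin()))
    print("hardened:  ", run_pattern(HardenedLogin()))
```

Against the weak implementation the sequence ends in "ok" because each wiener login wipes the counter; against the hardened one the carlos account is locked after the third failure and stays locked even though wiener keeps logging in. Per-account lockout on its own can be turned into a denial of service against legitimate users, so in practice it is combined with a short, expiring lock and rate limiting rather than an indefinite block.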

All that's left to do is log in as Carlos:

Success!

I really recommend PortSwigger Academy Labs, as they provide a great foundation to learn about different classes of web application vulnerabilities and how they can be exploited using Burp (or any similar tool you prefer).
