How To Use Burp Suite – Web Penetration Testing (Part 2)

Author: Royce Davis Posted In Web Applications On: 2014/11/14 Comments: 4

In our last Burp Suite Tutorial we introduced some of the useful features that Burp Suite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will continue to explore how to use Burp Suite, including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Let's get right to it!

How To Use Burp Suite – Validating Scanner Results

It's always a good idea to thoroughly validate the results of any automated scanning tool. Burp Suite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.

The “Advisory” tab contains information about the vulnerability, including high-level detail, a description and a proposed recommendation. The “Request” & “Response” tabs display exactly what Burp Suite sent to the target application in order to check for the vulnerability, as well as what was returned by the application. Take a look at the example below.


Figure #1 – Validating Scanner Results

The request tab shows us which page generated the alert.

https://www.pentestgeek.com/wp-content/cache/minify/000000/NYtBDoAgDMA-JFsML5oEYShDYSbwez3goUl7qMV0P76OxU4xmUMl9ZBZlhVdpVHEtCFK3UQO8fxQXzE13Enc2EqfK_wNLKxwkTte.js

Just by requesting this page in a browser, or viewing the “Response” tab, we are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue to be validated and move on.


Figure #2 – Validating Scanner Results

#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks. Pentesters are hired specifically to identify and remove these false positives.

How To Use Burp Suite – Exporting Scanner Reports

Once you have validated the scanner results you might want to generate some type of report. There are two report options available from the “Scanner/Results” tab: HTML and XML. To generate a report, right-click on a target in the left-hand display pane and select “Report selected issues”. This will present you with the following dialog box.


Figure #3 – Exporting Scanner Reports

Click through the Wizard and select which items you want in your report and which format. The HTML report can be opened up in a browser and then exported to a PDF format which can be useful to help communicate findings to your client. The XML report allows you to parse out specific sections of a report for more granular detail. If you generate an XML report, make sure you uncheck the Base64 encoder option to see full HTTP Request/Responses.

How To Use Burp Suite – Parsing XML Results

I’ve written a simple Ruby script to parse out data from the XML output generated by an automated scan. The script uses the Nokogiri gem and writes the results into a column-delimited CSV file which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suit your specific needs.

Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place.

# Build one row of the report from a single <issue> node of the Burp XML output.
def clean_finding(finding)
  output = []
  output << 'Web Application Findings'
  output << ''
  output << finding.css('severity').text
  output << 'Open'
  output << finding.css('host').text
  output << finding.css('path').text
  output << finding.css('issueDetail').text
  output << finding.css('name').text
  output << finding.css('issueBackground').text
  output << finding.css('remediationBackground').text
  # Pull the Server header out of the raw HTTP response, if the target sent one.
  response = finding.css('response').text
  if response.include?('Server:')
    output << response.split('Server: ')[1].split("\n")[0]
  end
  output
end

You can see that simply calling the .css method with (‘[VALUE YOU WANT]’) as the parameter, followed by .text, will allow you to scoop out whatever specific items you would like from the XML soup. Run the script with no arguments and you’ll see it takes an XML file and spits output to the screen.
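The same extraction written against a constructed Burp-style XML document, as an added example that is not the parse-burp.rb script from the Git repository: it uses REXML from the Ruby standard library instead of Nokogiri, decodes a response left base64-encoded by the “Base64 encoder” option, and tolerates a response with no Server header (where split('Server: ')[1] would blow up). The sample XML, hostnames and paths are all made up for the example.

```ruby
require 'rexml/document'
require 'base64'

# Added example, not the article's parse-burp.rb: REXML (Ruby stdlib) stands in for Nokogiri.
COLUMNS = %w[host path issueDetail name issueBackground remediationBackground].freeze

# Text of a child element, joining plain text and CDATA nodes ('' if the element is absent).
def child_text(el, xpath)
  el.elements[xpath]&.texts&.map(&:value)&.join.to_s
end

# Burp emits <response base64="true"> when the Base64 encoder option is left on; decode it.
def response_body(issue)
  node = issue.elements['requestresponse/response']
  return '' unless node
  raw = node.texts.map(&:value).join
  node.attributes['base64'] == 'true' ? Base64.decode64(raw) : raw
end

# Server header from the response head only; nil when absent (the body is never searched).
def server_header(response)
  head = response.split(/\r?\n\r?\n/, 2).first.to_s
  line = head.lines.find { |l| l.match?(/\AServer:/i) }
  line && line.sub(/\AServer:\s*/i, '').strip
end

# One row per <issue>, in clean_finding's column order; line breaks inside a field become spaces.
def parse_burp_xml(xml)
  REXML::XPath.match(REXML::Document.new(xml), '/issues/issue').map do |issue|
    ['Web Application Findings', '', child_text(issue, 'severity'), 'Open',
     *COLUMNS.map { |c| child_text(issue, c) },
     server_header(response_body(issue)).to_s].map { |v| v.gsub(/\s*[\r\n]+\s*/, ' ') }
  end
end

# Constructed sample: a plain response carrying a Server header, and a base64 one without any.
def sample_xml
  plain = "HTTP/1.1 200 OK\r\nServer: nginx/1.4.6\r\n\r\n// test@example.test"
  b64 = Base64.strict_encode64("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
  <<~XML
    <issues>
      <issue><name>Email addresses disclosed</name><severity>Information</severity><host>https://www.example.test</host><path>/app.js</path>
        <issueDetail>The address test@example.test
          was disclosed.</issueDetail>
        <requestresponse><response base64="false"><![CDATA[#{plain}]]></response></requestresponse></issue>
      <issue><name>Cross-site scripting (reflected)</name><severity>High</severity><host>https://www.example.test</host><path>/search</path>
        <requestresponse><response base64="true">#{b64}</response></requestresponse></issue>
    </issues>
  XML
end
```

Join each row with "\t" (or a comma) to get the same spreadsheet-ready output the original script prints.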

[ # ] $ ./parse-burp.rb
Parse Burp Suite XML output into Tab delimited results
Example: ./parse-brup.rb > output.csv

[ # ] $

You can redirect the results into a file.csv if you like. The CSV file can then be imported into an Excel spreadsheet, which looks like this.


Figure #4 – Parsing XML Results

How To Use Burp Suite – Saving a Burp session

In some cases it might be necessary to pause an assessment and come back later. You also might find yourself wanting to share your Burp Suite session with another consultant. Two eyes are often better than one, after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This will create a flat file which you or another consultant can import into Burp Suite to see all of the captured traffic and test cases. This is an extremely useful feature.

If you have tried to do this in the past and noticed the size of the resulting file to be unnecessarily large (hundreds of MBs), it is possible you forgot to check the “Save in-scope items only” check-box.


Figure #5 – Saving a Burp session

If you set up your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive state file. The next page of the Wizard asks you which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much, if at all, but feel free to play with these options and make up your own mind.


Figure #6 – Saving a Burp session

To restore a previously saved Burp state simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the Wizard. Depending on the size of the state file it may take a moment to import everything, but once finished you can continue your assessment, or someone else’s for that matter, as if you had never paused in the first place. It's pretty cool!

How To Use Burp Suite – Burp Extensions

Burp extensions are after-market additions written by other pentesters that can be easily installed and configured to add enhanced or additional features to Burp Suite. To demonstrate this process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS GitHub page. Browse to the following URL https://github.com/AccuvantLABS/burp-shellshock and click the “Download here!” link.


Figure #7 – Click the Download here! link

Next click on the “Extender” tab within Burp Suite and click the “Add” button at the top-left corner. When the dialog box pops up, select the Shellshock .jar file you just downloaded and click Next.


Figure #8 – Select the .jar file

If everything went well you should see a message stating “The extension loaded successfully” with no error messages or output. Now the Extensions tab shows our “Shellshock Scanner” extension is loaded. We can see from the Details section that a new Scanner check has been added.


Figure #9 – Burp Extension loaded successfully

How To Use Burp Suite – End Of Part 2

I hope this tutorial was useful to you. After reading both articles in this series you should be familiar with many of the critical features offered within the Burp Suite. Please take advantage of the comment section below to provide feedback/questions. Thanks for reading!

4 Comments
  • the article was great and it helped me a lot

  • Great article, Royce!

  • waiting for part 3 =)

  • Too Too good…

    I actually added some of these steps to my guide at work. Good stuff….

    Now what about part three? proxy Nikto, W3AF, etc… through burp to collect all the traffic in Burp?

    Maybe also discussing the steps taken to restore states and why one is better than the other?

    Many! Many! Thanks Royce!

    If I get any of that done before you I’ll be happy to share!

    Cheers!
    @w0rm53r
