How To Use Burp Suite – Web Penetration Testing (Part 2)
In our last Burp Suite Tutorial we introduced some of the useful features that Burp Suite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will continue to explore how to use Burp Suite, including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Let's get right to it!
How To Use Burp Suite – Validating Scanner Results
It's always a good idea to thoroughly validate the results of any automated scanning tool. Burp Suite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.
The “Advisory” tab contains information about the vulnerability including a high-level detail, description and proposed recommendation. The “Request” & “Response” tabs will display exactly what Burp Suite sent to the target application in order to check for the vulnerability as well as what was returned by the application. Take a look at the example below.
The request tab shows us which page generated the alert.
Just by requesting this page in a browser, or viewing the “Response” tab, we are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue to be validated and move on.
#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks. Pentesters are hired specifically to identify and remove these false positives.
How To Use Burp Suite – Exporting Scanner Reports
Once you have validated the scanner results you might want to generate some type of report. There are two report options available from the “Scanner/Results” tab, HTML and XML. To generate a report, right-click on a target from the left-hand display pane and select “Report selected issues”. This will present you with the following dialog box.
Click through the Wizard and select which items you want in your report and which format. The HTML report can be opened up in a browser and then exported to a PDF format which can be useful to help communicate findings to your client. The XML report allows you to parse out specific sections of a report for more granular detail. If you generate an XML report, make sure you uncheck the Base64 encoder option to see full HTTP Request/Responses.
How To Use Burp Suite – Parsing XML Results
I’ve written a simple Ruby script to parse out data from the XML output generated from an automated Scan. The script utilizes the Nokogiri gem and outputs the results into a column-delimited CSV file which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suit your specific needs.
Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place.
  require 'nokogiri'

  # Builds one output row (an Array of Strings) from a single <issue> node
  # of the Burp Scanner XML report.
  def clean_finding(finding)
    output = []
    output << 'Web Application Findings'
    output << ''
    output << finding.css('severity').text
    output << 'Open'
    output << finding.css('host').text
    output << finding.css('path').text
    output << finding.css('issueDetail').text
    output << finding.css('name').text
    output << finding.css('issueBackground').text
    output << finding.css('remediationBackground').text
    # Pull the value of the Server header out of the raw HTTP response, if present
    response = finding.css('response').text
    if response.include?('Server:')
      output << response.split('Server: ')[1].split("\n")[0].strip
    end
    output
  end
You can see that simply calling the .css method and passing (‘[VALUE YOU WANT]’).text as a parameter will allow you to scoop out whatever specific items you would like from the XML soup. Run the script with no arguments and you’ll see it takes an XML file and spits output to the screen.
[ # ] $ ./parse-burp.rb
Parse Burp Suite XML output into Tab delimited results
Example: ./parse-brup.rb > output.csv
[ # ] $
You can redirect the results into a file.csv if you like. The CSV file can then be imported into an Excel spreadsheet, which looks like this.
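As an added example (not the parse-burp.rb script from the Git repository), the same row layout built with Ruby's standard-library REXML in place of Nokogiri, so it runs without any gems, plus the caveat mentioned above: if the Base64 option was left checked when exporting, the <response> bodies arrive encoded and must be decoded before the Server header can be found. The sample XML, hostname and IP address are constructed.

```ruby
# Added example, not the page's parse-burp.rb: Burp Scanner XML to tab-delimited
# rows with stdlib REXML (Nokogiri swapped out), decoding Base64 responses.
require 'rexml/document'
# Value of the Server header in a raw HTTP response, or '' when absent.
def server_header(response)
  m = response.match(/^Server:[ \t]*(.*?)\r?$/i)
  m ? m[1].strip : ''
end
# Burp flags CDATA request/response bodies with base64="true" when the report
# wizard's Base64 option was left enabled; decode those before searching them.
def response_text(issue)
  node = issue.elements['requestresponse/response']
  return '' unless node
  node.attributes['base64'] == 'true' ? node.text.to_s.unpack1('m') : node.text.to_s
end
# Text of a child element, '' if the issue has no such element.
def field(issue, name)
  el = issue.elements[name]
  el ? el.text.to_s.strip : ''
end
# Same column layout as the page's clean_finding.
def clean_finding(issue)
  ['Web Application Findings', '', field(issue, 'severity'), 'Open',
   field(issue, 'host'), field(issue, 'path'), field(issue, 'issueDetail'),
   field(issue, 'name'), field(issue, 'issueBackground'),
   field(issue, 'remediationBackground'), server_header(response_text(issue))]
end
def parse_burp_xml(xml)
  REXML::Document.new(xml).elements.to_a('issues/issue').map { |i| clean_finding(i) }
end
# One line per issue; tabs/newlines inside a cell are collapsed so columns stay aligned.
def to_tsv(xml)
  parse_burp_xml(xml).map { |r| r.map { |v| v.gsub(/[\t\r\n]+/, ' ') }.join("\t") }.join("\n")
end
# Constructed sample shaped like a one-issue Burp export; hostname and IP are documentation values.
RAW_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7\r\nContent-Type: text/html\r\n\r\n<p>admin@example.com</p>"
SAMPLE_XML = <<~XML
  <issues burpVersion="1.6">
    <issue>
      <name>Email addresses disclosed</name>
      <host ip="192.0.2.10">http://www.example.com</host>
      <path>/contact</path>
      <severity>Information</severity>
      <issueDetail>The following email address was disclosed: admin@example.com</issueDetail>
      <requestresponse>
        <response base64="true"><![CDATA[#{[RAW_RESPONSE].pack('m0')}]]></response>
      </requestresponse>
    </issue>
  </issues>
XML
```

Calling to_tsv(File.read('burp.xml')) on a real export gives the same tab-delimited lines the page's script writes to output.csv; issues missing a background element simply get an empty cell.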
How To Use Burp Suite – Saving a Burp session
In some cases it might be necessary to pause an assessment and come back later. You also might find yourself wanting to share your Burp Suite session with another consultant. Two eyes are often better than one, after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This will create a flat file which you or another consultant can import into Burp Suite and see all of the captured traffic and test cases. This is an extremely useful feature.
If you have tried to do this in the past and noticed the size of the resulting file to be unnecessarily large (hundreds of MBs), it is possible you forgot to check the “Save in-scope items only” check-box.
If you set up your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive state file. The next page of the Wizard asks you which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much, if at all, but feel free to play with these options and make up your own mind.
To restore a previously saved Burp state simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the Wizard. Depending on the size of the state file it may take a moment to import everything, but once finished you can continue your assessment, or someone else’s for that matter, as if you had never paused in the first place. It's pretty cool!
How To Use Burp Suite – Burp Extensions
Burp extensions are after-market additions written by other pentesters that can be easily installed and configured to add enhanced or additional features to Burp Suite. To demonstrate this process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS Github page. Browse to the following URL https://github.com/AccuvantLABS/burp-shellshock and click the “Download here!” link.
Next click on the “Extender” tab within Burp Suite and click the “Add” button at the top-left corner. When the dialog box pops up select the Shellshock .jar file you just downloaded and click Next.
If everything went well you should see a message stating “The extension loaded successfully” with no error messages or output. Now the Extensions tab shows our “Shellshock Scanner” extension is loaded. We can see from the Details section that a new Scanner check has been added.
How To Use Burp Suite – End of Part 2
I hope this tutorial was useful to you. After reading both articles in this series you should be familiar with many of the critical features offered within the Burp Suite. Please take advantage of the comment section below to provide feedback/questions. Thanks for reading!