This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Showing posts with label Burp. Show all posts
Showing posts with label Burp. Show all posts

Airachnid Burp Extension - A Burp Extension to test applications for vulnerability to the Web Cache Deception attack

May 21, 2017  , , , , , , , , , ,  


A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
Once the extension has been loaded, it can be accessed in the Target - Sitemap tab and right click on the resource that should be tested. A context sensitive menu item called "Airachnid Web Cache Test" will be shown and can be used to conduct testing. If the resource is vulnerable, an Issue is created detailing the vulnerability.
The context sensitive menu item is also available for requests in the Proxy - Http History tab.

Installation
  • Download the Airachnid.jar file.
  • In Burp Suite open Extender tab. In Extensions tab, click Add button.
  • Choose downloaded jar file -> Next.
  • Check installation for no error messages.

Vulnerability
In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).
The Web Cache Deception attack could be devastating in consequences, but is very simple to execute:
  1. Attacker coerces victim to open a link on the valid application server containing the payload.
  2. Attacker opens newly cached page on the server using the same link, to see the exact same page as the victim.
** Of course, this attack only makes sense when the vulnerable resource available to the attacker returns sensitive data.
The attack depends on a very specific set of circumstances to make the application vulnerable: 1. The application only reads the first part of the URL to determine the resource to return.
If the victim requests:
https://www.example.com/my_profile
The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for
https://www.example.com/my_profile_test
It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like
https://www.example.com/my_profile/test
2. The application stack caches resources according to their file extensions, rather than by cache header values. If the application stack has been configured to cache image files. It will cache all resources with .jpg .png or .gif extensions. That means that e.g. the image at
https://www.example.com/images/dog.jpg
Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).

Attack
These preconditions can be exploited for the Web Cache Deception attack in the following manner:

Step 1: An attacker entices the victim to open a maliciously crafted link:
  https://www.example.com/my_profile/test.jpg
  • The application ignores the 'test.jpg' part of the URL, the victim profile page is loaded.
  • The caching mechanism identifies the resource as an image, caching it.  

Step 2: The attacker sends a GET request for the cached page:
https://www.example.com/my_profile/test.jpg
  • The cached resource, which is in fact the victim profile page is returned to the attacker (and to anyone else requesting it).

Read More

BurpSentintel - GUI Burp Plugin to ease discovering of security holes in web applications

September 09, 2014  , , , , , , , ,  


A plugin for Burp Intercepting Proxy, to aid and ease the identification of vulnerabilities in web applications.

Searching for vulnerabilities in web applications can be a tedious task. Most of the time consists of inserting magic chars into parameters, and looking for suspicious output. Sentinel tries to automate parts of this laborous task. It's purpose is not to automatically scan for vulnerabilities (even if it can do it in certain cases), as there are better tools out there to do that (BURP scanner for example). So it's the only tool which sits in between manual hacking with BURP repeater, and automated scanning with BURP scanner.

To use it, just send a suspicious HTTP request from BURP proxy to Sentinel. Then the user is able to select certain attack patterns for selected parameters (say, XSS attacks for parameter "id"). Sentinel will issue several requests, with the attack patterns inserted. It will also help find suspicious behaviour and pattern in the accompaining HTTP responses (for example, identify decoded HTML magic chars).

Features

Big Features:
UI Features:

Read More

Burp Suite Professional v1.6 - The leading toolkit for web application security testing

April 15, 2014  , , , , , , , ,  


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Changelog v1.6

Burp Suite Free Edition contains significant new features added since v1.5, including:
  • Support for WebSockets messages.
  • Support for PKCS#11 client SSL certificates contained in smart cards and physical tokens.
  • A new Extender tool, allowing dynamic loading and unloading of multiple extensions.
  • A new powerful extensibility API, enabling extensions to customize Burp’s behavior in much more powerful ways.
  • Support for extensions written in Python and Ruby.
  • A new BApp Store feature, allowing quick and easy installation of extensions written by other Burp users.
  • An option to resolve DNS queries over a configured SOCKS proxy, allowing access to TOR hidden services.
  • Generation of CSRF PoC attacks using a new cross-domain XHR technique.
  • New options for SSL configuration, to help work around common problems.
  • Optional unpacking of compressed request bodies in the Proxy.
  • Support for .NET DeflateStream compression.
  • New and improved types of Intruder payloads.
  • New Proxy interception rules.
  • New Proxy match/replace rules.
  • Improved layout options in the Repeater UI.
  • An SSL pass-through feature, to prevent Burp from breaking the SSL tunnel for specified domains.
  • Support for the Firefox Plug-n-hack extension.
  • An option to copy a selected request as a curl command.

Burp Suite Professional contains a number of bugfixes and tweaks, added since the last beta version, including:
  • An occasional bug causing misplaced highlights on payloads in Scanner issues has been fixed.
  • A bug in which restoring default settings for the Extender tool didn’t unload any currently running extensions has been fixed.
  • A display bug affecting the rendering of binary content (such as images) in the raw view of the HTTP message editor has been fixed.
  • A bug which prevented the automatic backup on exit feature from functioning in headless mode has been fixed.
  • In previous versions, Burp stored its preferences in separate locations for each major version. This caused persisted settings to be lost on upgrading to a new major version. This behavior has been modified, and from v1.6 onwards major versions will store their preferences in the same location. As a workaround to preserve settings from earlier releases, Pro users can launch the earlier release, save a state file containing their preferences, then launch the new release and load the state file.

Read More

[Burp Co2] A collection of enhancements for Portswigger's popuplar Burp Suite web penetration testing tool

February 26, 2014  , , , , ,  


Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.

See the Co2Modules wiki page for descriptions of each of the modules in Co2. 


Read More

[The Burp SessionAuth] Extension for Detection of Possible Privilege escalation vulnerabilities

August 13, 2013  , , , , ,  

Normally a web application should identify a logged in user by data which is stored on the server side in some kind of session storage. However, in web application audits someone can often observe that internal user identifiers are transmitted in HTTP requests as parameters or cookies. Applications which trust identity information provided by the client can be vulnerable to privilege escalation attacks. Finding all occurrences of identity data transmissions can be quite straining, especially if this information is sent in different parameters, among other information or only in particular requests.

The motivation behind the Burp SessionAuth extension was to support the web application auditor in finding such cases of privilege escalation vulnerabilities. The idea is, that the auditor provides some information, internal identifiers and strings which identify different users (e.g. his/her real name) or content. The extension performs the following tasks:

  • Monitoring of all requests for occurrences of the given identifiers. Such requests are typical candidates for privilege escalation vulnerabilities. Even if a web application doesn’t seems to be vulnerable in one part, it can still be vulnerable in other ones.
  • Preparing an Intruder configuration on request of the user and implementation of a Intruder payload generator which delivers the user identifiers.
  • Actively scan a suspicious request and try to determine vulnerabilities automatically by some heuristics.

Please be aware that this piece of software is still very experimental!

Read More

[Burp Suite] Free Edition v1.5

November 03, 2012  , , , , , , ,  

Burp Suite helps you secure your web applications by finding the vulnerabilities they contain.  Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.
Burp+Suite+Free+Edition+v1.5+released
Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
User Interface:
  • Burp's UI has been completely overhauled, to improve looks and usability:
  • Fonts are now available throughout the UI, with corresponding resizing of all UI elements (tables, dialogs, buttons, etc.).
  • There are configurable hotkeys for all common functions.
  • Intruder and Repeater now have smart tabs, which you can drag to reorder, and click to create, close or rename.
  • Tables are natively sortable everywhere, except where the row ordering is part of the options you are configuring.
  • Text fields now have context-aware auto-complete memory.
Burp now implements sslstrip-style functionality, allowing you to use non-SSL-capable tools against HTTPS applications, or to perform active MITM attacks against users who begin browsing using HTTP.

Read More
Subscribe to: Posts (Atom)