Security
Reader small image

You're reading from  Burp Suite Cookbook - Second Edition

Product typeBook
Published inOct 2023
PublisherPackt
ISBN-139781835081075
Edition2nd Edition
Tools
Burp Suite
Concepts
Penetration Testing
Right arrow
Author (1)
Dr. Sunny Wear
Dr. Sunny Wear
author image
Dr. Sunny Wear

Dr. Sunny Wear is a web security architect and penetration tester. She provides secure coding classes, creates software, and performs penetration testing on web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture, and security experience and holds a Doctor of Science in Cybersecurity. She is a content creator on Pluralsight, with three courses on Burp Suite. She is a published author, a developer of mobile apps such as Burp Tool Buddy, and a content creator on courses related to web security and penetration testing. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
Read more about Dr. Sunny Wear

Right arrow

Assessing Business Logic

This chapter covers the basics of business logic testing, including an explanation of some of the more common tests performed in this area. Web penetration testing involves key assessments of business logic to determine how well the design of an application performs integrity checks, especially within sequential application function steps, and we will be learning how to use Burp Suite to perform such tests.

In this chapter, we will cover the following recipes:

  • Testing business logic data validation
  • Unrestricted file upload—bypassing weak validation
  • Performing process-timing attacks
  • Testing for the circumvention of workflows
  • Uploading malicious files—polyglots

Technical requirements

To complete the recipes in this chapter, you will need the following:

  • OWASP Broken Web Applications (BWA)
  • OWASP Mutillidae link
  • OWASP WebGoat link
  • OWASP Damn Vulnerable Web Application (DVWA) link
  • Burp Proxy Community or Professional (https://portswigger.net/burp/)
  • Firefox browser using FoxyProxy add-on or Burp Suite browser

Testing business logic data validation

Business logic data validation errors occur due to a lack of server-side checks, especially in a sequence of events such as shopping cart checkouts. If design flaws such as thread issues are present, those flaws may allow an attacker to modify or change their shopping cart contents or prices prior to purchasing them, to lower the price paid.

Getting ready

Using the OWASP WebGoat application and Burp, we will exploit a business logic design flaw to purchase many large ticket items for a very cheap price.

How to do it...

  1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat application from the initial landing page of the VM. The landing page will be configured to an IP address specific to your machine:
Figure 7.1 – VM landing page

Figure 7.1 – VM landing page

  1. After you’ve clicked the OWASP WebGoat link, you will be prompted for some login credentials. Use these credentials—username: guest; password...

Unrestricted file upload – bypassing weak validation

Many applications allow for files to be uploaded for various reasons. Business logic on the server side must include checking for acceptable files; this is known as whitelisting. If such checks are weak or only address one aspect of file attributes (for example, file extensions only), attackers can exploit these weaknesses and upload unexpected file types that may be executable on the server.

Getting ready

Using the DVWA application and Burp, we will exploit a business logic design flaw in the file upload page.

How to do it...

  1. Ensure the owaspbwa VM is running. Select DVWA from the initial landing page of the VM. The landing page will be configured to an IP address specific to your machine.
  2. On the login page, use these credentials—username: user; password: user.
  3. Select the DVWA Security option from the menu on the left. Change the default setting of low to medium and then click Submit:
...

Performing process-timing attacks

By monitoring the time an application takes to complete a task, it is possible for attackers to gather or infer information about how an application is coded. For example, a login process using a valid username receives a response quicker than the same login process given an invalid username. This delay in response time leaks information related to system processes. An attacker could use a response time to perform account enumeration and determine valid usernames based on the timing of the response.

Getting ready

For this recipe, you will need the common_pass.txt wordlist from wfuzz, available here:

https://github.com/xmendez/wfuzz

Here’s the path to this:

wordlist | others | common_pass.txt

Using OWASP Mutillidae II, we will determine whether the application provides information leakage based on the response time from forced logins.

Ensure Burp Suite is running, and also ensure that the owaspbwa VM is running and that Burp...

Testing for the circumvention of workflows

Shopping cart to payment gateway interactions must be tested by web application penetration testers to ensure the workflow cannot be performed out of sequence. A payment should never be made unless verification of the cart contents is checked on the server side first. In the event this check is missing, an attacker can change the price, quantity, or both, prior to the actual purchase.

Getting ready

Using the OWASP WebGoat application and Burp, we will exploit a business logic design flaw in which there is no server-side validation prior to a purchase.

How to do it...

  1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat application from the initial landing page of the VM. The landing page will be configured to an IP address specific to your machine.
  2. After you’ve clicked the OWASP WebGoat link, you will be prompted for login credentials. Use these credentials—username: guest; password: guest.
  3. After...

Uploading malicious files – polyglots

Polyglot is a term defined as something that uses several languages. If we carry this concept into hacking, it means the creation of an attack vector by using different languages as execution points. For example, attackers can construct valid images and embed JavaScript. The placement of the JavaScript payload is usually in the comments section of an image. Once the image is loaded in a browser, the XSS content may execute, depending upon the strictness of the content type declared by the web server and the interpretation of the content type by the browser. In this recipe, we will use a polyglot to upload a webshell disguised as an image.

Getting ready

Using the OWASP WebGoat file upload functionality, we will write a small Java Server Pages (JSP) webshell and upload it to the application, disguised as an image.

We will use some popular source code for the JSP webshell and save it in a file called poly.jsp.

Ensure the owaspbwa...

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 8 of 14
Next Chapter
You have been reading a chapter from
Burp Suite Cookbook - Second Edition
Published in: Oct 2023Publisher: PacktISBN-13: 9781835081075
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Author (1)

author image
Dr. Sunny Wear

Dr. Sunny Wear is a web security architect and penetration tester. She provides secure coding classes, creates software, and performs penetration testing on web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture, and security experience and holds a Doctor of Science in Cybersecurity. She is a content creator on Pluralsight, with three courses on Burp Suite. She is a published author, a developer of mobile apps such as Burp Tool Buddy, and a content creator on courses related to web security and penetration testing. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
Read more about Dr. Sunny Wear

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages